From ugob at camo-route.com Tue Aug 1 01:36:52 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Tue Aug 1 01:37:19 2006
Subject: SOLVED: RE: Some mail (up to 7 days old) is stuck in/var/spool/mqueue
In-Reply-To: <8f54b4330607271417h2ba1b692ufcb6a59fc0e5c151@mail.gmail.com>
References: <97FD54B5E57A1842AA1A4B232E4761172D8F0F@ati-ex-02.ati.local> <8f54b4330607271417h2ba1b692ufcb6a59fc0e5c151@mail.gmail.com>
Message-ID:

Nathan Olson wrote:
> Worse comes to worse, stick a MailScanner box in front of the Exchange box.
>
> Nate
>

Yeah, none of my client's exchange servers accept connexions from the net.
They all have a mailscanner box in front of them.

From ajos1 at onion.demon.co.uk Tue Aug 1 02:59:45 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Tue Aug 1 02:59:51 2006
Subject: Rules_Du_Jour Script at sandgnat.com
Message-ID:

- Rules_Du_Jour Script at sandgnat.com

Has sandgnat.com disappeared... no web-access at the moment...

I was wanting to see if the Rules_Du_Jour had been updated lately or not.

From MailScanner at ecs.soton.ac.uk Tue Aug 1 09:14:51 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 1 09:15:51 2006
Subject: MailScanner ANNOUNCE: 4.55 stable released
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Morning/Afternoon/Evening all!

I have just released the latest stable release of MailScanner, 4.55.

There are many minor changes this month, nothing earth-shattering, and a
few fixes for you.

One new feature you may find useful is the "--changed" command-line
option, which will make MailScanner print out a table of all the settings
you have changed from the defaults. This should make diagnosing problems
much easier, as you won't have to read the MailScanner.conf and try to
spot the changes any more. Just run "MailScanner --changed" and it will
tell you all you need to know.

Download as usual from www.mailscanner.info

The full Change Log is here:

* New Features and Improvements *
1 Added educ.ar and uba.ar to country.domains.conf for less strict phishing net.
1 Code tidy up in Message constructor.
1 Speed improvements to ZMailer attachment extraction to keep up with the other MTAs.
1 "Log Speed = no" now does what it says on the tin. (UK in-joke :-)
1 Added "stopms" option to Linux init.d scripts.
1 Improved behaviour when %percentvars% at start of MailScanner.conf have not been configured at all. It now uses the fully-qualified hostname to guess the domain name and website address. It used to refuse to run which was very impolite.
1 Added Sys::Hostname::Long to list of required modules to implement the above.
2 Documentation rationalisation. Most up to date versions are all on the web.
3 Now output lock type in use with "--lint".
4 Improvement to Sophos.install for Sophos Version 5 so that email logging is disabled.
4 Now use syslog "notice" priority instead of "info" when issuing messages that are nearly warnings. This helps you drastically reduce the amount of syslog output by just logging priorities greater than or equal to "notice".
5 Added a "Contact Us" web page instead of just a mailto: link.
6 Improved Help guidance in Contact Us web page.
6 New command-line option: "-c" or "--changed". This will print out a table of all the configuration settings that have been changed from the default values hard-coded into MailScanner. Note this may not be quite the same as the differences from the supplied default MailScanner.conf file.
6 Updated hard-coded defaults to better match MailScanner.conf settings.
6 Improved handling of broken Custom Functions. Having a broken Custom Function will now just result in the setting's default value being used.
7 Bugfix for "--changed" printing when using Custom Functions.
8 Improved syslog-ing code so it doesn't matter if syslogd dies.
8 Upgraded DBD-SQLite to version 1.12 as it builds a lot more easily.
8 Improved handling of Postfix virtual users. Thanks to jpabuyer@tecnoera.com.
9 Added catch to commercial virus scanning code to allow syslogd to die during a virus scan.
9 Improved speed logging to remove chatter.
9 Upgraded Sys::Syslog to 0.17 which builds okay, unlike 0.16.
9 MCP timings are no longer output if MCP checks are disabled.

* Fixes *
1 Put back in the checks of free disk space that were in 4.53.1 but then lost.
1 Fix in check_MailScanner for MacOSX.
3 Default lock type for sendmail is now posix, as it should be.
4 Fix to phishing net so that links to "www.domain.com." are accepted as legal.
6 Fixed problem with dangerous filenames in TNEF archives when using the external TNEF expander.
8 Fixed problem with long SpamAssassin report in report files getting truncated at % signs.
8 Fixed phishing net problem with some cases of outbind://\d+/.... URLs.
9 Stopped logging code producing ridiculous numbers.
9 Improved Denial-of-service attack detector to handle multiple virus scanners more quickly. Now clears detection in 2 x Virus Scanner Timeout, as expected.
9 Fixed minor bug in TNEF handling of bad messages.
9 "service MailScanner reload" should work properly now.

- --
Julian Field
MailScanner@ecs.soton.ac.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: US-ASCII

wj8DBQFEzw2LEfZZRxQVtlQRAkXgAJsGcNkLiq3fIciMmq6f6gbvouA6UgCg5ND9
DWtjaI46fNH1v4XPt9FK1Pk=
=/a/k
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From rob at robhq.com Tue Aug 1 12:45:26 2006
From: rob at robhq.com (rob freeman)
Date: Tue Aug 1 12:31:09 2006
Subject: Increase in spam getting through
Message-ID: <32096235.1154432726754.JavaMail.root@gollum.robhq.com>

Running MailScanner 4.53.8 on CentOS 4.3. It is a front end to our
exchange 2003 server. Have rules_du_jour running with these rules:

TRUSTED_RULESETS="SARE_STOCKS SARE_ADULT SARE_HTML0 SARE_OBFU TRIPWIRE SARE_EVILNUMBERS0 SARE_RANDOM SARE_REDIRECT_POST300 SARE_BAYES_POISON_NXM SARE_HTML1 SARE_HEADER0 SARE_HEADER1 SARE_SPECIFIC SARE_BML SARE_FRAUD SARE_SPOOF SARE_OEM SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_UNSUB SARE_URI";

Also have DCC, pyzor, razor, and bayes going.

We have a rise on spam getting through in the past 2 weeks. Mostly looks
like an image with words at the end. Here is the mail source:

Deals And Sale Items Keyword Group Product StoreAll Products View: GridSort Top Price

delicacy Before cm equipment amount floor referred washing machines hookups motors

achieve speeds beyond Notebook smaller slower capacity. whereas newest

startup rises decay younger fewer startstop better surviving literally drags Maxtor series

area Cup World pertinent

Partial Response Maximum algorithm Textured Landing Zones HDDs UltraDMA/ ATAPI releases barrier broken First

reports

merchants provided third parties purposes only.

Greek Award winning area Cup World pertinent info Cup. Over

From Katrina

width Neel Spikes granular opposite opposed spikes appear. These magnets align because cancel

eBooks variety subjects such as: novels

Barcode UNIX WebCam download: Most popular Releases Picks

sims Film video film emulateur google

warnings worldwide local groups climate severe news. browsers FTP Usenet readers

host page. knowledge HTML.

behind devices. FCAL connected fibre optics. networks protocols iSCSI Ethernet well.SATA pair receiving device.

audience member. Fact Day: pound

Buying Selling Models Cutting

Buy Yahoo YahooMail pageYahoo InNew User Sign Primary Clothing Garden My Lists CareHome

APIs powering Tech. paid Inc. Rights

name... eg. Solaris SunOS SCO

HDA. Almost designer Kenneth Haughton rifle suited protected center harsh delicacy Before cm equipment amount floor referred washing

NEWS Center Here will latest sites: English USA/UK German Spanish French Italian

this. Website Tools counters polls engines add homepage Website.

PSP audio MP... Studio WinTasks Uniblue Ltd WinBackup sluggish. engine... LI Controls Trial Deluxe

Beverage Genealogy Health Nutrition Parenting Science Animation Authoring Editing Media ActiveX Compilers Libraries Debugging

Players PlugIns Streaming Puzzles

basic rate. cases Small Interface ESDI always werent downward wouldnt

browsers

actual

him student Visa when others cannot PM Lifetime Fiscal approved

And the scores we get are:

Subject: bresil But
Date: Mon, 31 Jul 2006 09:48:28 -0200
MIME-Version: 1.0
Content-Type: multipart/related;
 boundary="----=_NextPart_000_0003_01C6B486.796DE3A0"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca0hnlt/AzKFLsrRCKrOczif4fQrQ==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Message-Id:
X-fleetone.com-MailScanner-Information: Please contact the ISP for more information
X-fleetone.com-MailScanner: Found to be clean
X-fleetone.com-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.963,
 required 6, ALL_TRUSTED 1.00, BAYES_50 0.00,
 DATE_IN_FUTURE_03_06 1.96, HTML_MESSAGE 0.00)
X-fleetone.com-MailScanner-SpamScore: 2
X-fleetone.com-MailScanner-From: xbalmmoiw@direct-adsl.nl
Return-Path: xbalmmoiw@direct-adsl.nl
X-OriginalArrivalTime: 31 Jul 2006 08:05:33.0309 (UTC) FILETIME=[18E0AAD0:01C6B478]

------=_NextPart_000_0003_01C6B486.796DE3A0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_001_0004_01C6B486.796DE3A0"

------=_NextPart_001_0004_01C6B486.796DE3A0
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: 7bit

------=_NextPart_001_0004_01C6B486.796DE3A0
Content-Type: text/html;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_001_0004_01C6B486.796DE3A0--

------=_NextPart_000_0003_01C6B486.796DE3A0
Content-Type: image/gif;
 name="image001.gif"
Content-Transfer-Encoding: base64
Content-ID:

------=_NextPart_000_0003_01C6B486.796DE3A0--

A MailScanner --lint does not return any problems on the server:

[root@bouncy spamassassin]# /usr/sbin/MailScanner --lint
Read 757 hostnames from the phishing whitelist
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.

Not sure why this is being sent on as non spam. Any thoughts?

Rob

From email at ace.net.au Tue Aug 1 12:34:15 2006
From: email at ace.net.au (Peter Nitschke)
Date: Tue Aug 1 12:32:43 2006
Subject: Maximum Archive Depth
Message-ID: <200608012104150699.5D3CB06E@smtp1.ace.net.au>

Using MS 4.54.6-1

Setting "Maximum Archive Depth" to 1 is causing zip files with any safe
content - eg a simple txt file, to be tagged with "Message contained
archive nested too deeply".

Setting to either 0 or 2 is fine however.

Is there a reason why 1 should cause this problem?

Peter

From prandal at herefordshire.gov.uk Tue Aug 1 13:19:11 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Aug 1 13:36:35 2006
Subject: Increase in spam getting through
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580E59ED06@isabella.herefordshire.gov.uk>

Derek Harding posted this rule on the spamassassin-users mailing list:

rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
describe INLINE_IMAGE Inline Images
score INLINE_IMAGE 1.5

That'll get all inline images, not just the spammy ones.

I'm scoring it 2 at the moment (but our bayes is well trained and can
compensate).

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of rob freeman
> Sent: 01 August 2006 12:45
> To: MailScanner discussion
> Subject: Increase in spam getting through
>
> Running MailScanner 4.53.8 on CentOS 4.3. It is a front end
> to our exchange 2003 server. Have rules_du_jour running with
> these rules:
>
> TRUSTED_RULESETS="SARE_STOCKS SARE_ADULT SARE_HTML0 SARE_OBFU
> TRIPWIRE SARE_EVILNUMBERS0 SARE_RANDOM SARE_REDIRECT_POST300
> SARE_BAYES_POISON_NXM SARE_HTML1 SARE_HEADER0 SARE_HEADER1
> SARE_SPECIFIC SARE_BML SARE_FRAUD SARE_SPOOF SARE_OEM
> SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_UNSUB SARE_URI";
>
> Also have DCC, pyzor, razor, and bayes going.
>
> We have a rise on spam getting through in the past 2 weeks.
> Mostly looks like an image with words at the end. Here is
> the mail source:
>
> xmlns:o="urn:schemas-microsoft-com:office:office"
> xmlns:w="urn:schemas-microsoft-com:office:word"
> xmlns:st1="urn:schemas-microsoft-com:office:smarttags"
> xmlns="http://www.w3.org/TR/REC-html40">
>
> namespaceuri="urn:schemas-microsoft-com:office:smarttags"
> name="City"/>
> namespaceuri="urn:schemas-microsoft-com:office:smarttags"
> name="place"/>
>
> style='font-size:10.0pt;
> font-family:Arial'> src="cid:image001.gif@01C6B486.796DE3A0"> size=2 face=Arial> lang=EN-US
> style='font-size:10.0pt;font-family:Arial'><
> /font>
>
> And the scores we get are:
>
> Subject: bresil But
> Date: Mon, 31 Jul 2006 09:48:28 -0200
> MIME-Version: 1.0
> Content-Type: multipart/related;
> boundary="----=_NextPart_000_0003_01C6B486.796DE3A0"
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> Thread-Index: Aca0hnlt/AzKFLsrRCKrOczif4fQrQ==
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
> Message-Id:
> X-fleetone.com-MailScanner-Information: Please contact the
> ISP for more information
> X-fleetone.com-MailScanner: Found to be clean
> X-fleetone.com-MailScanner-SpamCheck: not spam, SpamAssassin
> (score=2.963,
> required 6, ALL_TRUSTED 1.00, BAYES_50 0.00,
> DATE_IN_FUTURE_03_06 1.96, HTML_MESSAGE 0.00)
> X-fleetone.com-MailScanner-SpamScore: 2
> X-fleetone.com-MailScanner-From: xbalmmoiw@direct-adsl.nl
> Return-Path: xbalmmoiw@direct-adsl.nl
> X-OriginalArrivalTime: 31 Jul 2006 08:05:33.0309 (UTC)
> FILETIME=[18E0AAD0:01C6B478]
> ------=_NextPart_000_0003_01C6B486.796DE3A0
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_001_0004_01C6B486.796DE3A0"
> ------=_NextPart_001_0004_01C6B486.796DE3A0
> Content-Type: text/plain;
> charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> ------=_NextPart_001_0004_01C6B486.796DE3A0
> Content-Type: text/html;
> charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
>
> ------=_NextPart_001_0004_01C6B486.796DE3A0--
> ------=_NextPart_000_0003_01C6B486.796DE3A0
> Content-Type: image/gif;
> name="image001.gif"
> Content-Transfer-Encoding: base64
> Content-ID:
>
> ------=_NextPart_000_0003_01C6B486.796DE3A0--
>
> A MailScanner --lint does not return any problems on the server:
>
> [root@bouncy spamassassin]# /usr/sbin/MailScanner --lint
> Read 757 hostnames from the phishing whitelist
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
>
> Not sure why this is being sent on as non spam. Any thoughts?
>
> Rob
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From jaearick at colby.edu Tue Aug 1 14:03:57 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Tue Aug 1 14:07:12 2006
Subject: Increase in spam getting through
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580E59ED06@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580E59ED06@isabella.herefordshire.gov.uk>
Message-ID:

Thanks! I just rolled this into my spam.assassin.prefs.conf, and it is
already whapping the spam.

Jeff Earickson
Colby College

On Tue, 1 Aug 2006, Randal, Phil wrote:

> Date: Tue, 1 Aug 2006 13:19:11 +0100
> From: "Randal, Phil"
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: RE: Increase in spam getting through
>
> Derek Harding posted this rule on the spamassassin-users mailing list:
>
> rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
> describe INLINE_IMAGE Inline Images
> score INLINE_IMAGE 1.5
>
> That'll get all inline images, not just the spammy ones.
>
> I'm scoring it 2 at the moment (but our bayes is well trained and can
> compensate).
>
> Phil
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of rob freeman
>> Sent: 01 August 2006 12:45
>> To: MailScanner discussion
>> Subject: Increase in spam getting through
>>
>> Running MailScanner 4.53.8 on CentOS 4.3. It is a front end
>> to our exchange 2003 server. Have rules_du_jour running with
>> these rules:
>>
>> TRUSTED_RULESETS="SARE_STOCKS SARE_ADULT SARE_HTML0 SARE_OBFU
>> TRIPWIRE SARE_EVILNUMBERS0 SARE_RANDOM SARE_REDIRECT_POST300
>> SARE_BAYES_POISON_NXM SARE_HTML1 SARE_HEADER0 SARE_HEADER1
>> SARE_SPECIFIC SARE_BML SARE_FRAUD SARE_SPOOF SARE_OEM
>> SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_UNSUB SARE_URI";
>>
>> Also have DCC, pyzor, razor, and bayes going.
>>
>> We have a rise on spam getting through in the past 2 weeks.
>> Mostly looks like an image with words at the end. Here is
>> the mail source:
>>
>> > xmlns:o="urn:schemas-microsoft-com:office:office"
>> xmlns:w="urn:schemas-microsoft-com:office:word"
>> xmlns:st1="urn:schemas-microsoft-com:office:smarttags"
>> xmlns="http://www.w3.org/TR/REC-html40">
>>
>> > namespaceuri="urn:schemas-microsoft-com:office:smarttags"
>> name="City"/>
>> > namespaceuri="urn:schemas-microsoft-com:office:smarttags"
>> name="place"/>
>>
>> > style='font-size:10.0pt;
>> font-family:Arial'>> src="cid:image001.gif@01C6B486.796DE3A0">> size=2 face=Arial>> lang=EN-US
>> style='font-size:10.0pt;font-family:Arial'><
>> /font>
>>
>> And the scores we get are:
>>
>> Subject: bresil But
>> Date: Mon, 31 Jul 2006 09:48:28 -0200
>> MIME-Version: 1.0
>> Content-Type: multipart/related;
>> boundary="----=_NextPart_000_0003_01C6B486.796DE3A0"
>> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
>> Thread-Index: Aca0hnlt/AzKFLsrRCKrOczif4fQrQ==
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
>> Message-Id:
>> X-fleetone.com-MailScanner-Information: Please contact the
>> ISP for more information
>> X-fleetone.com-MailScanner: Found to be clean
>> X-fleetone.com-MailScanner-SpamCheck: not spam, SpamAssassin
>> (score=2.963,
>> required 6, ALL_TRUSTED 1.00, BAYES_50 0.00,
>> DATE_IN_FUTURE_03_06 1.96, HTML_MESSAGE 0.00)
>> X-fleetone.com-MailScanner-SpamScore: 2
>> X-fleetone.com-MailScanner-From: xbalmmoiw@direct-adsl.nl
>> Return-Path: xbalmmoiw@direct-adsl.nl
>> X-OriginalArrivalTime: 31 Jul 2006 08:05:33.0309 (UTC)
>> FILETIME=[18E0AAD0:01C6B478]
>> ------=_NextPart_000_0003_01C6B486.796DE3A0
>> Content-Type: multipart/alternative;
>> boundary="----=_NextPart_001_0004_01C6B486.796DE3A0"
>> ------=_NextPart_001_0004_01C6B486.796DE3A0
>> Content-Type: text/plain;
>> charset="us-ascii"
>> Content-Transfer-Encoding: 7bit
>> ------=_NextPart_001_0004_01C6B486.796DE3A0
>> Content-Type: text/html;
>> charset="us-ascii"
>> Content-Transfer-Encoding: quoted-printable
>>
>> ------=_NextPart_001_0004_01C6B486.796DE3A0--
>> ------=_NextPart_000_0003_01C6B486.796DE3A0
>> Content-Type: image/gif;
>> name="image001.gif"
>> Content-Transfer-Encoding: base64
>> Content-ID:
>>
>> ------=_NextPart_000_0003_01C6B486.796DE3A0--
>>
>> A MailScanner --lint does not return any problems on the server:
>>
>> [root@bouncy spamassassin]# /usr/sbin/MailScanner --lint
>> Read 757 hostnames from the phishing whitelist
>> Checking for SpamAssassin errors (if you use it)...
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> SpamAssassin reported no errors.
>>
>> Not sure why this is being sent on as non spam. Any thoughts?
>>
>> Rob
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From chris at tac.esi.net Tue Aug 1 14:13:30 2006
From: chris at tac.esi.net (Chris Hammond)
Date: Tue Aug 1 14:13:45 2006
Subject: A quick and easy performance improvement
In-Reply-To: <44CE3A0A.9060102@mail.wvnet.edu>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D03D@UBIMAIL1.ubisoft.org> <44CE3A0A.9060102@mail.wvnet.edu>
Message-ID: <44CF1B87.B662.0038.0@tac.esi.net>

Daniel, would you share how you setup yours?

Thanks
Chris

>>> Richard Lynch 07/31/06 1:12 PM >>>
Daniel Maher wrote:
> Hello,
>
> I actually hold the bayes files on a ram disk, and it is /much/ faster than putting in on a hard disk of any type, in any configuration.
>
> Julian's suggestion (a simple cp command) is, in fact, sufficient. I have successfully recovered from a system crash using the method.
>
> For reference, my mail servers handle around half a million pieces of mail per day, so the bayes databases are massive...
>
>
Mine too. We do about 700,000/mpd and my bayesDBs grows to about 1.3G.
I, too, like the ram disk idea but I don't have 1.5G of ram to spare.
Moving bayes to /var was a huge improvement for me. I'd guess that using
ram would be phenomenal!

~rich

--

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
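
The INLINE_IMAGE rule that Phil Randal quotes earlier in this thread, exercised against constructed messages (an added example, not code from any poster or from SpamAssassin). It parses the wire form, matches the regex on the MIME-decoded HTML, which is what a rawbody rule sees, and adds the rule's score to the 2.963 from the posted SpamCheck header; the sample messages and helper names are assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# The rule quoted in the thread:
#   rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
INLINE_IMAGE = re.compile(r"""src\s*=\s*["']cid:""", re.IGNORECASE)

# Figures from the X-...-MailScanner-SpamCheck header posted in the thread.
THREAD_SCORE, REQUIRED = 2.963, 6.0


def build_sample(html, inline_image):
    """Return the wire form of a constructed message shaped like the posted
    one: text/plain + quoted-printable text/html, optionally with a GIF
    attached by Content-ID."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See the HTML part.\n")
    msg.add_alternative(html, subtype="html", cte="quoted-printable")
    if inline_image:
        html_part = msg.get_payload()[1]
        html_part.add_related(b"GIF89a" + bytes(16), "image", "gif",
                              cid="<image001.gif@constructed.example>")
    return msg.as_string()


def rawbody(raw):
    """MIME-decoded text parts with the HTML tags left in place."""
    msg = message_from_string(raw, policy=policy.default)
    return [part.get_content() for part in msg.walk()
            if part.get_content_maintype() == "text"]


def hits_inline_image(raw):
    """True when the rule would fire on the decoded body."""
    return any(INLINE_IMAGE.search(text) for text in rawbody(raw))


def hits_undecoded(raw):
    """The same regex on the undecoded wire form, for comparison: in
    quoted-printable the attribute reads src=3D"cid:..., so it misses."""
    return INLINE_IMAGE.search(raw) is not None


def score_after(rule_score, base=THREAD_SCORE):
    """Total score once the rule's points are added to the posted score."""
    return round(base + rule_score, 3)


# Constructed samples: spam-like image mail, an ordinary newsletter that
# also embeds an image by cid:, and an HTML mail without any image.
SPAM = build_sample('<p><img src="cid:image001.gif@constructed.example"></p>'
                    '<p>delicacy Before cm equipment amount floor</p>', True)
NEWSLETTER = build_sample("<p><IMG SRC = 'cid:image001.gif@constructed.example'>"
                          "Quarterly report attached.</p>", True)
PLAIN = build_sample("<p>No images here.</p>", False)

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("newsletter", NEWSLETTER),
                      ("plain", PLAIN)):
        print(name, "decoded hit:", hits_inline_image(raw),
              "wire hit:", hits_undecoded(raw))
    for rule_score in (1.5, 2):
        total = score_after(rule_score)
        print("rule at", rule_score, "->", total,
              "spam" if total >= REQUIRED else "still below required 6")
```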
From Peter.Bates at lshtm.ac.uk Tue Aug 1 14:28:13 2006
From: Peter.Bates at lshtm.ac.uk (Peter Bates)
Date: Tue Aug 1 14:28:46 2006
Subject: SpamAssassin 3.1.4
Message-ID: <44CF64FD020000760000654D@193.63.251.15>

Hello all...

Might just be a slow summer, but I don't recall having seen any mention
of SA 3.1.4 on here.

I'm guessing it's just a minor bugfix version, but are people out there
using it?

...

--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, IT Services.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838

From daniel.maher at ubisoft.com Tue Aug 1 14:43:44 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Tue Aug 1 14:43:48 2006
Subject: A quick and easy performance improvement
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D04F@UBIMAIL1.ubisoft.org>

Sure, it's actually quite simple.

I just created a ramdisk in the standard way, and mounted it as
/var/spool/MailScanner/incoming

I then created a simple cronjob that runs every couple of hours, which
runs sa-learn --sync, and then copies the
/var/spool/MailScanner/incoming/bayes/* to a directory on a physical
disk.

I should point out that the contents of /bayes/ is around 500MB to
600MB on each of the servers in my mail pool, so the more RAM the
better. :)

--
_
?v? Daniel Maher
/(_)\ Administrateur Système Unix
^ ^ Unix System Administrator

Sentio aliquos togatos contra me conspirare.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Chris Hammond
> Sent: August 1, 2006 9:14 AM
> To: MailScanner discussion
> Subject: Re: A quick and easy performance improvement
>
> Daniel, would you share how you setup yours?
>
> Thanks
> Chris

From chris at tac.esi.net Tue Aug 1 14:49:51 2006
From: chris at tac.esi.net (Chris Hammond)
Date: Tue Aug 1 14:50:07 2006
Subject: A quick and easy performance improvement
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D04F@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D04F@UBIMAIL1.ubisoft.org>
Message-ID: <44CF240C.B662.0038.0@tac.esi.net>

Thanks Daniel, it does sound quite simple. I will look at trying this.

Thanks
Chris

>>> "Daniel Maher" 08/01/06 9:43 AM >>>
Sure, it's actually quite simple.

I just created a ramdisk in the standard way, and mounted it as
/var/spool/MailScanner/incoming

I then created a simple cronjob that runs every couple of hours, which
runs sa-learn --sync, and then copies the
/var/spool/MailScanner/incoming/bayes/* to a directory on a physical
disk.

I should point out that the contents of /bayes/ is around 500MB to
600MB on each of the servers in my mail pool, so the more RAM the
better. :)

--
_
?v? Daniel Maher
/(_)\ Administrateur Système Unix
^ ^ Unix System Administrator

Sentio aliquos togatos contra me conspirare.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Chris Hammond
> Sent: August 1, 2006 9:14 AM
> To: MailScanner discussion
> Subject: Re: A quick and easy performance improvement
>
> Daniel, would you share how you setup yours?
>
> Thanks
> Chris

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
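
Daniel Maher's ramdisk routine described above (run sa-learn --sync, then copy the bayes directory to a physical disk), written out as an added Python example rather than his actual cron job. The snapshot directory /var/lib/bayes-snapshot and the function names are assumptions; the new copy is staged first so that a failed sync or an empty ramdisk never replaces the last good snapshot.

```python
import os
import shutil
import subprocess
import tempfile

RAM_BAYES = "/var/spool/MailScanner/incoming/bayes"  # path from the thread
DISK_COPY = "/var/lib/bayes-snapshot"                # assumed location
SYNC_CMD = ["sa-learn", "--sync"]                    # command from the thread


def snapshot(ram_dir=RAM_BAYES, disk_dir=DISK_COPY, sync_cmd=SYNC_CMD):
    """Cron job: sync the Bayes journal, then replace disk_dir with a
    complete copy of ram_dir. Returns the number of files copied."""
    subprocess.run(sync_cmd, check=True)   # raises if the sync fails
    parent = os.path.dirname(os.path.abspath(disk_dir))
    os.makedirs(parent, exist_ok=True)
    # mkdtemp creates the staging directory with mode 0700.
    staging = tempfile.mkdtemp(prefix=".bayes-new-", dir=parent)
    old = staging + ".old"
    try:
        copied = 0
        for name in os.listdir(ram_dir):
            src = os.path.join(ram_dir, name)
            if os.path.isfile(src):
                shutil.copy2(src, os.path.join(staging, name))
                copied += 1
        if copied == 0:
            # A freshly mounted (empty) ramdisk must not wipe the backup.
            raise RuntimeError("ramdisk copy is empty; keeping last snapshot")
        if os.path.isdir(disk_dir):
            os.rename(disk_dir, old)
        os.rename(staging, disk_dir)
    except Exception:
        shutil.rmtree(staging, ignore_errors=True)
        if os.path.isdir(old) and not os.path.exists(disk_dir):
            os.rename(old, disk_dir)       # put the previous snapshot back
        raise
    shutil.rmtree(old, ignore_errors=True)
    return copied


def restore_if_empty(ram_dir=RAM_BAYES, disk_dir=DISK_COPY):
    """Boot-time step: a ramdisk is empty after a reboot or crash, so copy
    the last snapshot back. Live data is never overwritten."""
    os.makedirs(ram_dir, exist_ok=True)
    if os.listdir(ram_dir) or not os.path.isdir(disk_dir):
        return 0
    restored = 0
    for name in os.listdir(disk_dir):
        shutil.copy2(os.path.join(disk_dir, name),
                     os.path.join(ram_dir, name))
        restored += 1
    return restored


if __name__ == "__main__":
    print(snapshot(), "Bayes files copied to", DISK_COPY)
```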
From rgreen at trayerproducts.com Tue Aug 1 15:03:20 2006
From: rgreen at trayerproducts.com (Green, Rodney)
Date: Tue Aug 1 15:04:24 2006
Subject: A quick and easy performance improvement
In-Reply-To: <44CF240C.B662.0038.0@tac.esi.net>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D04F@UBIMAIL1.ubisoft.org> <44CF240C.B662.0038.0@tac.esi.net>
Message-ID: <44CF5F28.6030203@trayerproducts.com>

Here's a link to a howto on creating a ramdisk...

http://www.vanemery.com/Linux/Ramdisk/ramdisk.html

Chris Hammond wrote:
> Thanks Daniel, it does sound quite simple. I will look at trying this.
>
> Thanks
> Chris
>
>
>>>> "Daniel Maher" 08/01/06 9:43 AM >>>
>>>>
> Sure, it's actually quite simple.
>
> I just created a ramdisk in the standard way, and mounted it as
> /var/spool/MailScanner/incoming
>
> I then created a simple cronjob that runs every couple of hours, which
> runs sa-learn --sync, and then copies the
> /var/spool/MailScanner/incoming/bayes/* to a directory on a physical
> disk.
>
> I should point out that the contents of /bayes/ is around 500MB to
> 600MB on each of the servers in my mail pool, so the more RAM the
> better. :)
>
> --
> _
> °v° Daniel Maher
> /(_)\ Administrateur Système Unix
> ^ ^ Unix System Administrator
>
> Sentio aliquos togatos contra me conspirare.
>
>> ----- Original Message-----
>> From: mailscanner- bounces@lists.mailscanner.info
>>
> [mailto:mailscanner-
>
>> bounces@lists.mailscanner.info] On Behalf Of Chris Hammond
>> Sent: August 1, 2006 9:14 AM
>> To: MailScanner discussion
>> Subject: Re: A quick and easy performance improvement
>>
>> Daniel, would you share how you setup yours?
>>
>> Thanks
>> Chris
>>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>

--
Rodney Green
Network Administrator
Trayer Products, Inc.
/rgreen@trayerproducts.com /
/607-734-8124 Ext. 343
Security+ Certified /

"Cross country skiing is great if you live in a small country." - Steven Wright

Honor the Fallen

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From steve.swaney at fsl.com Tue Aug 1 15:07:30 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Tue Aug 1 15:05:34 2006
Subject: SpamAssassin 3.1.4
In-Reply-To: <44CF64FD020000760000654D@193.63.251.15>
Message-ID: <000501c6b573$d3b2ba50$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Peter Bates
> Sent: Tuesday, August 01, 2006 9:28 AM
> To: mailscanner@lists.mailscanner.info
> Subject: SpamAssassin 3.1.4
>
>
> Hello all...
>
> Might just be a slow summer, but I don't recall having seen any mention
> of SA 3.1.4 on here.
>
> I'm guessing it's just a minor bugfix version, but are people out there
> using it?
>
> ...
We've tested and found some of the SARE rules are generating errors:

[21887] info: rules: meta test SARE_SUB_ACCEPT_CCARDS has undefined dependency '__SARE_SUB_FROM_PAYPAL'
[21887] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero score
[21887] info: rules: meta test TVD_EB_PHISH has dependency 'NORMAL_HTTP_TO_IP' with a zero score
[21887] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT'
[21887] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT'
[21887] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY'
[21887] info: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4'
[21887] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
[21887] info: rules: meta test FP_MIXED_PORN3 has undefined dependency 'FP_PENETRATION'

But these don't appear to be causing any problems. There are many comments on the Internet similar to:

http://www.nabble.com/SpamAssassin-3.1.4-and-SARE-rules-t2009875.html

Any SA list readers out there care to comment?

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From raymond at prolocation.net Tue Aug 1 15:14:28 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Tue Aug 1 15:14:27 2006
Subject: SpamAssassin 3.1.4
In-Reply-To: <000501c6b573$d3b2ba50$287ba8c0@office.fsl>
References: <000501c6b573$d3b2ba50$287ba8c0@office.fsl>
Message-ID:

Hi Steve,

>> I'm guessing it's just a minor bugfix version, but are people out there
>> using it?
>>
>> ...
>
> We've tested and found some of the SARE rules are generating errors:
> VIRUS_WARNING_MYDOOM4'
> [21887] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency
> 'SARE_O
> BFU_CIALIS2'
> [21887] info: rules: meta test FP_MIXED_PORN3 has undefined dependency
> 'FP_PENET
> RATION'
>
> But these don't appear to be causing any problems.
> There are many comments
> on the Internet similar to:
> http://www.nabble.com/SpamAssassin-3.1.4-and-SARE-rules-t2009875.html
>
> Any SA list readers out there care to comment?

We are already working to get all the rules fixed. We already put some changes in SVN. Most are harmless, oh and btw, you also listed non SARE rules ;)

Bye,
Raymond.

From acabrera at etapatelecom.net Tue Aug 1 23:40:58 2006
From: acabrera at etapatelecom.net (Ing. Augusto Cabrera D.)
Date: Tue Aug 1 23:52:14 2006
Subject: Information about software for work with sendmail.
In-Reply-To: <44B5FDEF.8010605@solid-state-logic.com>
Message-ID: <200608012257.k71Muuul026187@megatron.etapaonline.net.ec>

Hello everybody.-

I need information about a software to create and delete accounts with a graphics interface with Sendmail.

Thank you

Ing. Augusto Cabrera Duffaut.
ISP - ADMINISTRADOR DE SERVIDORES
Dep. Valor Agregado
ETAPATELECOM S.A.
Tel: (593) ( 07) 2808874 - 2803601 - Ext (711)
CUENCA - ECUADOR

_____________________________________
This message has been scanned by the
free e-mail virus protection service of Etapatelecom.

From csweeney at osubucks.org Wed Aug 2 00:02:40 2006
From: csweeney at osubucks.org (Christopher Sweeney)
Date: Wed Aug 2 00:03:05 2006
Subject: Information about software for work with sendmail.
In-Reply-To: <200608012257.k71Muuul026187@megatron.etapaonline.net.ec>
References: <200608012257.k71Muuul026187@megatron.etapaonline.net.ec>
Message-ID: <44CFDD90.9030705@osubucks.org>

Ing. Augusto Cabrera D. wrote:
> Hello everybody.-
>
> I need information about a software to create and delete accounts with a
> graphics interface with Sendmail.
>
>
> Thank you
>
> Ing. Augusto Cabrera Duffaut.
> ISP - ADMINISTRADOR DE SERVIDORES
> Dep. Valor Agregado
> ETAPATELECOM S.A.
> Tel: (593) ( 07) 2808874 - 2803601 - Ext (711)
> CUENCA - ECUADOR
>
>
>
> _____________________________________
> This message has been scanned by the
> free e-mail virus protection service of Etapatelecom.
>
>

www.webmin.com

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rich at mail.wvnet.edu Wed Aug 2 00:03:10 2006
From: rich at mail.wvnet.edu (Richard Lynch)
Date: Wed Aug 2 00:03:33 2006
Subject: A quick and easy performance improvement
In-Reply-To: <44CF5F28.6030203@trayerproducts.com>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D04F@UBIMAIL1.ubisoft.org> <44CF240C.B662.0038.0@tac.esi.net> <44CF5F28.6030203@trayerproducts.com>
Message-ID: <44CFDDAE.1040304@mail.wvnet.edu>

What about using tmpfs instead of a ramdisk for bayes's DB? The problem I have with a ramdisk is that you're giving up real memory for it. In my case that would be about 1.5GB. That's a lot to give up. With tmpfs it would be in virtual memory and grow or shrink as needed (using the swap file). That wouldn't be as good as a ramdisk in term of performance but it would be more flexible. Has anyone done that? How did it work out?

~rich

Green, Rodney wrote:
> Here's a link to a howto on creating a ramdisk...
>
> http://www.vanemery.com/Linux/Ramdisk/ramdisk.html
>
> Chris Hammond wrote:
>> Thanks Daniel, it does sound quite simple. I will look at trying this.
>>
>> Thanks
>> Chris
>>
>>
>>>>> "Daniel Maher" 08/01/06 9:43 AM >>>
>>>>>
>> Sure, it's actually quite simple.
>>
>> I just created a ramdisk in the standard way, and mounted it as
>> /var/spool/MailScanner/incoming
>>
>> I then created a simple cronjob that runs every couple of hours, which
>> runs sa-learn --sync, and then copies the
>> /var/spool/MailScanner/incoming/bayes/* to a directory on a physical
>> disk.
>>
>> I should point out that the contents of /bayes/ is around 500MB to
>> 600MB on each of the servers in my mail pool, so the more RAM the
>> better. :)
>>
>> --
>> _
>> °v° Daniel Maher
>> /(_)\ Administrateur Système Unix
>> ^ ^ Unix System Administrator
>>
>> Sentio aliquos togatos contra me conspirare.
>>
>>> ----- Original Message-----
>>> From: mailscanner- bounces@lists.mailscanner.info
>>>
>> [mailto:mailscanner-
>>
>>> bounces@lists.mailscanner.info] On Behalf Of Chris Hammond
>>> Sent: August 1, 2006 9:14 AM
>>> To: MailScanner discussion
>>> Subject: Re: A quick and easy performance improvement
>>>
>>> Daniel, would you share how you setup yours?
>>>
>>> Thanks
>>> Chris
>>>
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>> -- This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>>
>>
>

From alex at nkpanama.com Wed Aug 2 00:27:15 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Aug 2 00:27:41 2006
Subject: A quick and easy performance improvement
In-Reply-To: <44CFDDAE.1040304@mail.wvnet.edu>
References: <1E293D3FF63A3740B10AD5AAD88535D20226D04F@UBIMAIL1.ubisoft.org> <44CF240C.B662.0038.0@tac.esi.net> <44CF5F28.6030203@trayerproducts.com> <44CFDDAE.1040304@mail.wvnet.edu>
Message-ID: <44CFE353.2020005@nkpanama.com>

Works great for me so far... Don't have on many production servers, but most of my low volume and/or testing servers seem to work better with bayes in tmpfs.

Richard Lynch wrote:
> What about using tmpfs instead of a ramdisk for bayes's DB? The
> problem I have with a ramdisk is that you're giving up real memory for
> it. In my case that would be about 1.5GB. That's a lot to give up.
> With tmpfs it would be in virtual memory and grow or shrink as needed
> (using the swap file). That wouldn't be as good as a ramdisk in term
> of performance but it would be more flexible. Has anyone done that?
> How did it work out?
>
> ~rich
>
> Green, Rodney wrote:
>> Here's a link to a howto on creating a ramdisk...
>>
>> http://www.vanemery.com/Linux/Ramdisk/ramdisk.html
>>
>> Chris Hammond wrote:
>>> Thanks Daniel, it does sound quite simple. I will look at trying this.
>>>
>>> Thanks
>>> Chris
>>>
>>>
>>>>>> "Daniel Maher" 08/01/06 9:43 AM >>>
>>>>>>
>>> Sure, it's actually quite simple.
>>>
>>> I just created a ramdisk in the standard way, and mounted it as
>>> /var/spool/MailScanner/incoming
>>>
>>> I then created a simple cronjob that runs every couple of hours, which
>>> runs sa-learn --sync, and then copies the
>>> /var/spool/MailScanner/incoming/bayes/* to a directory on a physical
>>> disk.
>>>
>>> I should point out that the contents of /bayes/ is around 500MB to
>>> 600MB on each of the servers in my mail pool, so the more RAM the
>>> better. :)
>>>
>>> --
>>> _
>>> °v° Daniel Maher
>>> /(_)\ Administrateur Système Unix
>>> ^ ^ Unix System Administrator
>>>
>>> Sentio aliquos togatos contra me conspirare.
>>>
>>>> ----- Original Message-----
>>>> From: mailscanner- bounces@lists.mailscanner.info
>>>>
>>> [mailto:mailscanner-
>>>
>>>> bounces@lists.mailscanner.info] On Behalf Of Chris Hammond
>>>> Sent: August 1, 2006 9:14 AM
>>>> To: MailScanner discussion
>>>> Subject: Re: A quick and easy performance improvement
>>>>
>>>> Daniel, would you share how you setup yours?
>>>>
>>>> Thanks
>>>> Chris
>>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>> -- This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>>
>>>
>>>
>>
>
>

From miguelk at konsultex.com.br Wed Aug 2 02:47:03 2006
From: miguelk at konsultex.com.br (Miguel Koren OBrien de Lacy)
Date: Wed Aug 2 02:47:37 2006
Subject: Information about software for work with sendmail.
In-Reply-To: <200608012257.k71Muuul026187@megatron.etapaonline.net.ec>
References: <44B5FDEF.8010605@solid-state-logic.com> <200608012257.k71Muuul026187@megatron.etapaonline.net.ec>
Message-ID: <20060802014527.M55833@konsultex.com.br>

Augusto;

I use Webmin to manage the server, including user accounts, Sendmail and MailScanner. See it at http://www.webmin.com

Miguel

--
Konsultex Informatica (http://www.konsultex.com.br)

---------- Original Message -----------
From: "Ing. Augusto Cabrera D."
To: "'MailScanner discussion'"
Sent: Tue, 1 Aug 2006 17:40:58 -0500
Subject: Information about software for work with sendmail.

> Hello everybody.-
>
> I need information about a software to create and delete accounts with a
> graphics interface with Sendmail.
>
> Thank you
>
> Ing. Augusto Cabrera Duffaut.
> ISP - ADMINISTRADOR DE SERVIDORES
> Dep. Valor Agregado
> ETAPATELECOM S.A.
> Tel: (593) ( 07) 2808874 - 2803601 - Ext (711)
> CUENCA - ECUADOR
>
> _____________________________________
> This message has been scanned by the
> free e-mail virus protection service of Etapatelecom.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been checked by the antivirus system and
> is believed to be free of danger.
------- End of Original Message -------

--
This message has been checked by the antivirus system and
is believed to be free of danger.

From gmane at tippingmar.com Wed Aug 2 06:24:11 2006
From: gmane at tippingmar.com (Mark Nienberg)
Date: Wed Aug 2 06:24:35 2006
Subject: DNS question
Message-ID:

I'm running a caching nameserver on my MailScanner machine. For the last two days I have been seeing lots of these in /var/log/messages:

Aug 1 22:10:53 tesla named[18013]: dispatch 0x8face08: shutting down due to TCP receive error: 64.202.165.202#53: connection reset

The times seem to correspond to when MailScanner starts scanning a batch. The IP address is always the one shown above or 68.178.211.201.

That said, named is still running and I can dig, etc. And mail is being delivered. I updated DCC, razor, and pyzor servers, so that isn't it.

Thanks for any ideas,
Mark Nienberg

From P.G.M.Peters at utwente.nl Wed Aug 2 08:37:35 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Wed Aug 2 08:37:39 2006
Subject: blocking out-of-office
Message-ID: <44D0563F.90409@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm back from vacation in Wales and I didn't set Out-of-Office. But it turns out a lot of our employees do. And they all use Exchange so a lot of OOO's are sent out because of spam. I remember there was a way to tell MailScanner to block these messages but I can't find anything in the archives.

Does anybody else have a better memory?

- --
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE0FY/elLo80lrIdIRAkshAJ0fWujj/jwRzY5EOfiLhmJZVqfOLQCeJGkn
HttUb7dMpNK7D0/nv0dLJ+Y=
=/ToE
-----END PGP SIGNATURE-----

From glenn.steen at gmail.com Wed Aug 2 08:48:14 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Aug 2 08:48:17 2006
Subject: DNS question
In-Reply-To:
References:
Message-ID: <223f97700608020048x6eece12fy9f0b4ba863ce1622@mail.gmail.com>

On 02/08/06, Mark Nienberg wrote:
> I'm running a caching nameserver on my MailScanner machine. For the
> last two days I have been seeing lots of these in /var/log/messages:
>
> Aug 1 22:10:53 tesla named[18013]: dispatch 0x8face08: shutting down
> due to TCP receive error: 64.202.165.202#53: connection reset
>
> The times seem to correspond to when MailScanner starts scanning a
> batch. The IP address is always the one shown above or 68.178.211.201.
>
> That said, named is still running and I can dig, etc. And mail is being
> delivered. I updated DCC, razor, and pyzor servers, so that isn't it.
>
> Thanks for any ideas,
> Mark Nienberg
>

Whois says "go daddy software, inc." and reverse lookup gives .secureserver.net ... I'm not sure you need do anything (or worry too much:-)... Either an error in their end, or some ... foolery...

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Wed Aug 2 09:00:12 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 2 09:01:17 2006
Subject: blocking out-of-office
In-Reply-To: <44D0563F.90409@utwente.nl>
References: <44D0563F.90409@utwente.nl>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Read the comments above the "Remove These Headers" option.

# If any of these headers are included in a a message, they will be deleted.
# This is very useful for removing return-receipt requests and any headers
# which mean special things to your email client application.
# X-Mozilla-Status is bad as it allows spammers to make a message appear to
# have already been read, which is believed to bypass some naive spam
# filtering systems.
# Receipt requests are bad as they give any attacker confirmation that an
# account is active and being read. You don't want this sort of information
# to leak outside your corporation. So you might want to remove
# Disposition-Notification-To and Return-Receipt-To.
# If you are having problems with duplicate message-id headers when you
# release spam from the quarantine and send it to an Exchange server, then add
# Message-Id.
# Each header should end in a ":", but MailScanner will add it if you forget.
# Headers should be separated by commas or spaces.
# This can also be the filename of a ruleset.
Remove These Headers = Return-Receipt-To, Disposition-Notification-To, X-Mozilla-Status

On 2 Aug 2006, at 08:37, Peter Peters wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I'm back from vacation in Wales and I didn't set Out-of-Office. But it
> turns out a lot of our employees do. And they all use Exchange so a
> lot
> of OOO's are sent out because of spam. I remember there was a way to
> tell MailScanner to block these messages but I can't find anything in
> the archives.
>
> Does anybody else have a better memory?
>
> - --
> Peter Peters, senior beheerder (Security)
> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://
> www.utwente.nl/itbe
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFE0FY/elLo80lrIdIRAkshAJ0fWujj/jwRzY5EOfiLhmJZVqfOLQCeJGkn
> HttUb7dMpNK7D0/nv0dLJ+Y=
> =/ToE
> -----END PGP SIGNATURE-----
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

- --
Julian Field
MailScanner@ecs.soton.ac.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: US-ASCII

wj8DBQFE0FucEfZZRxQVtlQRAouIAJwL9n/fGpiRA0iJiFdbeuu2FF7EGACgsj9z
msP9OXp0U4ltUbNjfAF3v6s=
=fuZY
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From P.G.M.Peters at utwente.nl Wed Aug 2 09:10:30 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Wed Aug 2 09:10:35 2006
Subject: blocking out-of-office
In-Reply-To:
References: <44D0563F.90409@utwente.nl>
Message-ID: <44D05DF6.6030505@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Julian Field wrote on 2-8-2006 10:00:

> Read the comments above the "Remove These Headers" option.
>
> # If any of these headers are included in a a message, they will be
> deleted.
> # This is very useful for removing return-receipt requests and any
> headers
> # which mean special things to your email client application.

This helps only when the sender asks for a DSN.
This does not help when the recipient has configured to send an out of office to every message he receives.

- --
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE0F32elLo80lrIdIRAmbQAKCJ4h3BGz3Gw2IJEX6u0+k9oSNXiACgiN/b
K+JnG0vXyTQc0MW0AFXmV7c=
=w6I2
-----END PGP SIGNATURE-----

From nick.smith67 at googlemail.com Wed Aug 2 09:53:11 2006
From: nick.smith67 at googlemail.com (Nick Smith)
Date: Wed Aug 2 09:53:18 2006
Subject: Sys::Syslog
Message-ID:

Hi all,

Just upgraded to MS 4.55.9 which included an upgrade of Sys::Syslog from 0.05 (which was part of the OS's Perl installation) to 0.17

After the upgrade, MS wouldn't log to syslog and neither would the original MS version (4.54)

I downgraded Sys::Syslog back to 0.05 and it started working again

In the past, I have always had to run syslogd in "remote mode" with a UDP listener for it to work with 0.05, but 0.17 wouldn't log at all whether using remote mode or not

This test script worked fine with 0.17 installed:

    use strict;
    use Sys::Syslog;
    openlog("testprog", 'pid, nowait', "local6");
    syslog("local6.info", "testing");

After some trial (and mostly) error, I finally discovered that adding the "ndelay" parameter to MS's openlog statement in Log.pm made it work:

    eval { Sys::Syslog::openlog($name, 'pid, nowait, ndelay', $facility); };

I don't pretend to have any clue what is going on here, I would assume that 99% of folks don't need to specify ndelay or it would have come to light previously. However in my case it would seem to be required.

BTW Sys::Syslog 0.17 has the welcome side effect that I no longer need to run syslogd in UDP "remote mode" for MS to work

Solaris 10 (Intel)
Perl 5.8.4
Logging to facility local6

Anybody have any insight? Any downside to using "ndelay"? If there is no downside, can the MS distribution be changed to use it?

Thanks

Nick

From res at ausics.net Wed Aug 2 11:00:28 2006
From: res at ausics.net (Res)
Date: Wed Aug 2 11:00:38 2006
Subject: Sys::Syslog
In-Reply-To:
References:
Message-ID:

Hi Nick,

>
> I downgraded Sys::Syslog back to 0.05 and it started working again

I hope you mean 0.15 ?

> After some trial (and mostly) error, I finally discovered that adding
> the "ndelay" parameter to MS's openlog statement in Log.pm made it
> work:
>
> eval { Sys::Syslog::openlog($name, 'pid, nowait, ndelay', $facility); };

ndelay is good

> Anybody have any insight? Any downside to using "ndelay"? If there is
> no downside, can the MS distribution be changed to use it?

A regression has been introduced between versions 0.15 and 0.17 the changes should have been orthogonal to that functional part of the code affected by this problem and Sebastien is looking into it, be this part of your problem or not, time will tell :)

--
Cheers
Res

From nick.smith67 at googlemail.com Wed Aug 2 11:38:44 2006
From: nick.smith67 at googlemail.com (Nick Smith)
Date: Wed Aug 2 11:38:46 2006
Subject: Sys::Syslog
In-Reply-To:
References:
Message-ID:

Hi Res,

Thanks for the reply...

On 8/2/06, Res wrote:
> Hi Nick,
>
> >
> > I downgraded Sys::Syslog back to 0.05 and it started working again
>
> I hope you mean 0.15 ?
>

...actually I do mean 0.05 - from Syslog.pm:

    $VERSION = '0.05';

The Sys::Syslog module was simply the one bundled with the Perl 5.8.4 installation on the box - I've never touched it before, and probably never would have done if the MS installation hadn't upgraded it :)

>
> A regression has been introduced between versions 0.15 and 0.17
> the changes should have been orthogonal to that functional part of the
> code affected by this problem and Sebastien is looking into it, be this
> part of your problem or not, time will tell :)
>

Interesting - unfortunately since I leapt from 0.05 to 0.17 without ever having used 0.15 or 0.16 it isn't easy to tell

The bit that I really don't get though is why the test script would work without ndelay being used yet MS seems to require it to make it work

Thanks

Nick

From res at ausics.net Wed Aug 2 13:03:55 2006
From: res at ausics.net (Res)
Date: Wed Aug 2 13:04:08 2006
Subject: Sys::Syslog
In-Reply-To:
References:
Message-ID:

On Wed, 2 Aug 2006, Nick Smith wrote:

> Hi Res,
>
> Thanks for the reply...
>
> On 8/2/06, Res wrote:
>> Hi Nick,
>>
>> >
>> > I downgraded Sys::Syslog back to 0.05 and it started working again
>>
>> I hope you mean 0.15 ?
>>
>
> ...actually I do mean 0.05 - from Syslog.pm:
>
> $VERSION = '0.05';
>
> The Sys::Syslog module was simply the one bundled with the Perl 5.8.4
> installation on the box - I've never touched it before, and probably
> never would have done if the MS installation hadn't upgraded it :)
>
>>
>> A regression has been introduced between versions 0.15 and 0.17
>> the changes should have been orthogonal to that functional part of the
>> code affected by this problem and Sebastien is looking into it, be this
>> part of your problem or not, time will tell :)
>>
>
> Interesting - unfortunately since I leapt from 0.05 to 0.17 without
> ever having used 0.15 or 0.16 it isn't easy to tell
>
> The bit that I really don't get though is why the test script would
> work without ndelay being used yet MS seems to require it to make it
> work
>

That is weird, I might play with our test bed in morning and see what comes up there

> Thanks
>
> Nick
>

--
Cheers
Res

From alex at erus.co.uk Wed Aug 2 13:40:46 2006
From: alex at erus.co.uk (Alex Pimperton)
Date: Wed Aug 2 13:40:53 2006
Subject: DNS question
Message-ID: <44D09D4E.3060104@erus.co.uk>

Mark Nienberg wrote:
> I'm running a caching nameserver on my MailScanner machine. For the
> last two days I have been seeing lots of these in /var/log/messages:
>
> Aug 1 22:10:53 tesla named[18013]: dispatch 0x8face08: shutting down
> due to TCP receive error: 64.202.165.202#53: connection reset
>

There has been something very similar reported on NANOG in the last few days:

> > Has anyone else seen an increase of the following named errors?
> >
> > Aug 1 01:00:09 morannon /usr/sbin/named[21279]: dispatch 0x4035bd70:
> > shutting down due to TCP receive error: unexpected error
> > Aug 1 01:00:09 morannon /usr/sbin/named[21279]: dispatch 0x4035bd70:
> > shutting down due to TCP receive error: unexpected error
> Noted similar here, started Jul 31 17:06:09 (GMT+1).
> > .. someone trying some new anti-bind trickery?
> The error can occur in "normal" usage of BIND9 so may reflect a change
> in
> firewall practice or similar.
> It is occurring on recursive servers with no remote recursive queries
> allowed,
> so it is presumably in response to some query initiated locally
> (email/spam
> related perhaps?).
>
> Suggest the DNS ops list may be best place to take further comments."

I'd try the DNS ops list and see if they've cracked it yet.

Regards,
Alex

From ugob at camo-route.com Wed Aug 2 14:45:20 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Wed Aug 2 14:45:52 2006
Subject: DNS question
In-Reply-To: <44D09D4E.3060104@erus.co.uk>
References: <44D09D4E.3060104@erus.co.uk>
Message-ID:

Alex Pimperton wrote:
> Mark Nienberg wrote:
>> I'm running a caching nameserver on my MailScanner machine. For the
>> last two days I have been seeing lots of these in /var/log/messages:
>>
>> Aug 1 22:10:53 tesla named[18013]: dispatch 0x8face08: shutting down
>> due to TCP receive error: 64.202.165.202#53: connection reset
>>
>
>
>> Suggest the DNS ops list may be best place to take further comments."
>
> I'd try the DNS ops list and see if they've cracked it yet.

Please let us know if you have an answer...

Thanks

Ugo

From bbecken at aafp.org Wed Aug 2 15:19:32 2006
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Wed Aug 2 15:20:07 2006
Subject: Kaspersky A/V not running.
Message-ID: <44D06E18.D87E.0068.3@aafp.org>

I've got a valid license for Kaspersky and I've been trying to get MailScanner to use it without success.

I have kaspersky-4.5 defined in mailscanner.conf and I have updated the virus.scanners.conf file to point to the kaspersky directory. The wrapper script runs successfully, yet the log file never shows that kaspersky scan the email ( I can see Clamav and bitdefender entries). The maillog shows that the autoupdate scripts are running (shown below). I've even run MailScanner --lint and it's not showing any errors.

Any suggestions and what's missing?

Vitals:
MailScanner v4.54.6
Kaspersky v5.5.3 installed in the default location: /opt/kav/5.5/kav4unix

# cat /var/log/maillog | grep kaspersky
Aug 2 05:02:12 mx1 update.virus.scanners: Found kaspersky-4.5 installed
Aug 2 05:02:12 mx1 update.virus.scanners: Running autoupdate for kaspersky-4.5
Aug 2 05:02:27 mx1 kaspersky-autoupdate[13356]: Kaspersky-5.0 updated

MailScanner.conf:
# This *cannot* be the filename of a ruleset.
Virus Scanners = clamav bitdefender kaspersky-4.5

virus.scanners.conf
# Kaspersky 4.5 and newer
kaspersky-4.5 /usr/lib/MailScanner/kaspersky-wrapper /opt/kav/5.5/kav4unix
kaspersky /usr/lib/MailScanner/kaspersky-wrapper /opt/AVP

Wrapper test.
# /usr/lib/MailScanner/kaspersky-wrapper /opt/kav/5.5/kav4unix /tmp
[02/08/06 09:06:32 I] Kaspersky Anti-Virus On-Demand Scanner for Linux. Version 5.5.3/RELEASE build #100, compiled Jul 27 2005, 15:36:21
[02/08/06 09:06:32 I] Copyright (C) Kaspersky Lab, 1997-2005.
[02/08/06 09:06:32 I] Portions Copyright (C) Lan Crypto
[02/08/06 09:06:32 I] There are 1 Kaspersky license keys found:
[02/08/06 09:06:32 I] License file xxxxxxx.key, serial xxxx-xxxxxx-xxxxxxxx, "Kaspersky Anti-Virus BO Suite US Edition. 1-1 FileServer Base Licence + 1 year Maintenance", expires 13-11-2006 in 100 days
[02/08/06 09:06:40 I] The scan path: /tmp
[02/08/06 09:06:40 I] Silent mode is on

From listacct at tulsaconnect.com Wed Aug 2 17:04:05 2006
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Wed Aug 2 17:04:02 2006
Subject: ClamAV on FreeBSD - ports or Perl module?
Message-ID: <44D0CCF5.9000905@tulsaconnect.com>

I am deploying a new generation of MailScanner boxes, and am going with FreeBSD 6.1 and the latest version of MS. In addition to a few commercial AV scanners, I am going to give ClamAV a try. Question is -- should I install from ports, or install the ClamAV Perl module, or both? I've seen references to where the ClamAV Perl module is faster.
-- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From davidj at synaq.com Wed Aug 2 17:09:02 2006 From: davidj at synaq.com (David Jacobson) Date: Wed Aug 2 17:09:41 2006 Subject: ClamAV on FreeBSD - ports or Perl module? In-Reply-To: <44D0CCF5.9000905@tulsaconnect.com> References: <44D0CCF5.9000905@tulsaconnect.com> Message-ID: <1154534942.28994.99.camel@jakes.synaq.com> Hi Mike, I'd recommend installing ClamAV from source and getting the module via CPAN. The module is a lot faster and if you have auto in your Virus Scanners function it will pick up the module as the preferred scanneer. Kind Regards, David On Wed, 2006-08-02 at 11:04 -0500, TCIS List Acct wrote: > I am deploying a new generation of MailScanner boxes, and am going with FreeBSD > 6.1 and the latest version of MS. In addition to a few commerical AV scanners, > I am going to give ClamAV a try. Question is -- should I install from ports, or > install the ClamAV Perl module, or both? I've seen references to where the > ClamAV Perl module is faster. > > -- > > ----------------------------------------- > Mike Bacher / listacct@tulsaconnect.com > TCIS - TulsaConnect Internet Services > http://www.tulsaconnect.com > ----------------------------------------- -- Regards, David Jacobson Technical Director SYNAQ (Pty) Ltd Tel: 011 245 5888 Direct: 011 245 5889 Fax: 011 783 9275 Cell: 083 235 0760 Mail: davidj@synaq.com Web: http://www.synaq.com Key Fingerprint 8246 FCE1 3C22 7EFB E61B 18DF 6E8B 65E8 BD50 78A1 From listacct at tulsaconnect.com Wed Aug 2 17:42:51 2006 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Wed Aug 2 17:42:48 2006 Subject: ClamAV on FreeBSD - ports or Perl module? 
In-Reply-To: <1154534942.28994.99.camel@jakes.synaq.com> References: <44D0CCF5.9000905@tulsaconnect.com> <1154534942.28994.99.camel@jakes.synaq.com> Message-ID: <44D0D60B.1040805@tulsaconnect.com> David Jacobson wrote: > Hi Mike, > > I'd recommend installing ClamAV from source and getting the module via > CPAN. > > The module is a lot faster and if you have auto in your Virus Scanners > function it will pick up the module as the preferred scanneer. > > Kind Regards, > David I installed ClamAV from ports and then tried to install Mail::ClamAV from CPAN, but it failed due to the default Perl 5.8.8 install on FreeBSD not being built with threads. So, I then tried to build from ports ( /usr/ports/mail/p5-Mail-ClamAV) and it built, but gave a warning at the end saying my Perl needed to be built with threading, so looks like there is no way around that requirement. Anyone know how stable Perl 5.8.8 on FreeBSD 6.1 is with threading enabled? -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From amoore at dekalbmemorial.com Wed Aug 2 18:17:00 2006 From: amoore at dekalbmemorial.com (Aaron K. Moore) Date: Wed Aug 2 18:17:14 2006 Subject: DNS question In-Reply-To: Message-ID: <60D398EB2DB948409CA1F50D8AF122570152E8A8@exch1.dekalbmemorial.local> Ugo Bellavance wrote: > Please let us know if you have an answer... The SANS Internet Storm Center's handlers are following this. Their findings are available at http://isc.sans.org/diary.php?storyid=1538 . -- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. 
Auburn, IN E-mail: amoore@dekalbmemorial.com From ka at pacific.net Wed Aug 2 18:29:22 2006 From: ka at pacific.net (Ken A) Date: Wed Aug 2 18:28:34 2006 Subject: DNS question In-Reply-To: <60D398EB2DB948409CA1F50D8AF122570152E8A8@exch1.dekalbmemorial.local> References: <60D398EB2DB948409CA1F50D8AF122570152E8A8@exch1.dekalbmemorial.local> Message-ID: <44D0E0F2.7040700@pacific.net> Mark Andrews posted yesterday to bind-users list: > ...there is a bug in tcpmsg.c where the address is not copied from the socket event to the tcpmsg structure. Ken A Pacific.Net Aaron K. Moore wrote: > Ugo Bellavance wrote: >> Please let us know if you have an answer... > > The SANS Internet Storm Center's handlers are following this. Their > findings are available at http://isc.sans.org/diary.php?storyid=1538 . > From ewr at erols.com Wed Aug 2 18:39:58 2006 From: ewr at erols.com (ewr@erols.com) Date: Wed Aug 2 18:46:44 2006 Subject: RBL and trusted users from blacklisted IP addresses Message-ID: <0e3c01c6b65a$aca45300$c664a8c0@ew> This is probably as much of a sendmail question as a mailscanner question, but I figured I'd start here. My mail server is set up to use pop-before-smtp for authentication. When a user pops their email from the server, the IP address that they are checking their mail from gets added to sendmail's access.db for 10 minutes. It is inserted into the file as " RELAY". I am using mailscanner/spamassassin to scan all incoming mails. "Spam List = OORDB-RBL SBL+XBL" is set in mailscanner.conf My users are spread out around the country and connect to the internet from constantly changing locations. Most of the time everything works great. The problem I am occassionally running into is that my users will occassionally try to send email from a black-listed IP address. This is happening more and more as my users begin to use their laptops at hotels, use Verizon wireless cards, etc. 
If one of my users trys to send an email to another user on my system from an RBL'd IP address, the email will be marked as spam. I don't have a complete understanding of the order of how sendmail processes the headers, passes the email to mailscanner, etc... But I suspect that there must be some way to prevent these mails from being marked as spam. I have a considered a few approaches, but haven't figured out how to actually accomplish any of them yet: #1) Is there a way to rewrite the IP address in the "Recieved" header in the email after it is accepted for RELAY? I know I trust the email after it makes it past the "access.db", so I could just put one of my own IP addresses in there. #2) Is there a way to check the IP against a dynamic white-list and mark it as non-spam no matter what? I can probably update our pop-before-smtp to update another whitelist. Any suggestions would be greatly appreciated. We do have a VPN and if a user uses the VPN there is no problem, but for various reasons VPN access isn't always available. Thanks! Eric From alex at nkpanama.com Wed Aug 2 19:01:47 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Wed Aug 2 19:02:28 2006 Subject: RBL and trusted users from blacklisted IP addresses In-Reply-To: <0e3c01c6b65a$aca45300$c664a8c0@ew> References: <0e3c01c6b65a$aca45300$c664a8c0@ew> Message-ID: <44D0E88B.6070409@nkpanama.com> My only suggestion would be to avoid POP-before-SMTP altogether and institute SMTP AUTH. It will avoid many problems and add an additional level of accountability for your users. Look for a thread here started by Muhammad Nauman (if I recall correctly) regarding the advantages of this. Otherwise, to fiddle around too much with headers (even to go as far as rewriting them) is usually not kosher. ewr@erols.com wrote: > This is probably as much of a sendmail question as a mailscanner question, > but I figured I'd start here. > > My mail server is set up to use pop-before-smtp for authentication. 
When a > user pops their email from the server, the IP address that they are checking > their mail from gets added to sendmail's access.db for 10 minutes. It is > inserted into the file as " RELAY". > > I am using mailscanner/spamassassin to scan all incoming mails. > "Spam List = OORDB-RBL SBL+XBL" is set in mailscanner.conf > > My users are spread out around the country and connect to the internet from > constantly changing locations. Most of the time everything works great. > > The problem I am occassionally running into is that my users will > occassionally try to send email from a black-listed IP address. This is > happening more and more as my users begin to use their laptops at hotels, > use Verizon wireless cards, etc. If one of my users trys to send an email > to another user on my system from an RBL'd IP address, the email will be > marked as spam. > > I don't have a complete understanding of the order of how sendmail processes > the headers, passes the email to mailscanner, etc... But I suspect that > there must be some way to prevent these mails from being marked as spam. > > I have a considered a few approaches, but haven't figured out how to > actually accomplish any of them yet: > #1) Is there a way to rewrite the IP address in the "Recieved" header in the > email after it is accepted for RELAY? I know I trust the email after it > makes it past the "access.db", so I could just put one of my own IP > addresses in there. > > #2) Is there a way to check the IP against a dynamic white-list and mark it > as non-spam no matter what? I can probably update our pop-before-smtp to > update another whitelist. > > Any suggestions would be greatly appreciated. We do have a VPN and if a > user uses the VPN there is no problem, but for various reasons VPN access > isn't always available. > > Thanks! 
>
> Eric
>
>

From steve.freegard at fsl.com Wed Aug 2 19:10:25 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Aug 2 19:08:32 2006
Subject: RBL and trusted users from blacklisted IP addresses
In-Reply-To: <0e3c01c6b65a$aca45300$c664a8c0@ew>
References: <0e3c01c6b65a$aca45300$c664a8c0@ew>
Message-ID: <44D0EA91.40900@fsl.com>

Hi Eric,

ewr@erols.com wrote:
> This is probably as much of a sendmail question as a mailscanner question,
> but I figured I'd start here.
>
> My mail server is set up to use pop-before-smtp for authentication. When a
> user pops their email from the server, the IP address that they are checking
> their mail from gets added to sendmail's access.db for 10 minutes. It is
> inserted into the file as " RELAY".
>
> I am using mailscanner/spamassassin to scan all incoming mails.
> "Spam List = OORDB-RBL SBL+XBL" is set in mailscanner.conf

Why not move the RBL checks from MailScanner into Sendmail?? -- this will
reduce the load on your system as black listed host connections will be
rejected with a 5xx SMTP error which is cheaper than
MailScanner+SpamAssassin.

You will need to modify the POP before SMTP script to write to the
access.db in the format 'Connect:ip.add.re.ss RELAY' to allow the bypass
of the RBL checks for POP before SMTP users though, and you might want to
think about setting FEATURE(`delay_checks') too.

This will stop MailScanner marking the message with {Spam?} if the client
appears on an RBL -- but it might just move the problem into SpamAssassin
as it will probably get scored accordingly, you'll have to try and see.

> #2) Is there a way to check the IP against a dynamic white-list and mark it
> as non-spam no matter what? I can probably update our pop-before-smtp to
> update another whitelist.

You could create a CustomFunction on the 'Spam Checks' setting which looks
up entries in the access.db and returns 'No' if the $message->{clientip}
key exists with a RELAY value.

Kind regards,
Steve.
--
Steve Freegard
Development Director
Fort Systems Ltd.

From ugob at camo-route.com Wed Aug 2 19:16:53 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Wed Aug 2 19:17:55 2006
Subject: chinese-language email
In-Reply-To:
References:
Message-ID:

Adri Koppes wrote:
> Hi Daniel,
>
> In your local.cf or spamassassin.prefs.conf check the settings of
> ok_languages and ok_locales.
> These 2 SpamAssassin settings are used for the FARWAY and other rules.

I guess that every time we add something to these settings, the catch rate
for foreign spam is reduced?

Ugo

From mikej at rogers.com Wed Aug 2 19:25:31 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Wed Aug 2 19:25:26 2006
Subject: ClamAV on FreeBSD - ports or Perl module?
In-Reply-To: <44D0D60B.1040805@tulsaconnect.com>
References: <44D0CCF5.9000905@tulsaconnect.com> <1154534942.28994.99.camel@jakes.synaq.com> <44D0D60B.1040805@tulsaconnect.com>
Message-ID: <44D0EE1B.5080402@rogers.com>

TCIS List Acct wrote:
> I installed ClamAV from ports and then tried to install Mail::ClamAV
> from CPAN, but it failed due to the default Perl 5.8.8 install on
> FreeBSD not being built with threads. So, I then tried to build from
> ports ( /usr/ports/mail/p5-Mail-ClamAV) and it built, but gave a
> warning at the end saying my Perl needed to be built with threading,
> so looks like there is no way around that requirement. Anyone know
> how stable Perl 5.8.8 on FreeBSD 6.1 is with threading enabled?
>

First of all, you should always stick to the ports if possible. It will
ensure things just work, and it will be easier for you to manage and keep
the software up to date.

As for the ClamAV perl module, last time I tested it, it worked just fine
without a threaded perl. All in all you should probably test it yourself
before deployment, you can recompile perl with thread support. For any
further questions, I would go to the freebsd-ports mailing list.
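
Steve Freegard's suggestion above, that the POP-before-SMTP script write its entries as 'Connect:ip.add.re.ss RELAY', sketched as an added example (not code from the thread or from any pop-before-smtp package). The marker comment, the function names, the IPv4-only restriction and the rule that a hand-written entry for the same address wins are assumptions; the logins and addresses are constructed.

```python
"""Build sendmail access-map source with Connect: entries for recent POP logins."""
import ipaddress

RELAY_WINDOW = 600  # seconds: the 10 minutes mentioned in the thread
MARKER = "# --- pop-before-smtp entries below (generated) ---"  # assumed marker


def split_static(access_text):
    """Keep the hand-maintained lines; discard the previously generated tail."""
    static = []
    for line in access_text.splitlines():
        if line.strip() == MARKER:
            break
        static.append(line)
    return static


def admin_decisions(static_lines):
    """Map keys the administrator already listed (tagged or not) to their action."""
    decided = {}
    for line in static_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        key = fields[0]
        if key.lower().startswith("connect:"):
            key = key[len("connect:"):]
        decided[key] = fields[1].upper()
    return decided


def recent_clients(pop_logins, now):
    """Return the IPv4 addresses whose POP login falls inside the relay window."""
    recent = set()
    for timestamp, raw_ip in pop_logins:
        try:
            ip = ipaddress.IPv4Address(raw_ip)
        except ValueError:
            # Log text that is not exactly one IPv4 address never reaches
            # the map that decides who may relay.
            continue
        if 0 <= now - timestamp < RELAY_WINDOW:
            recent.add(ip)
    return sorted(recent)


def build_access(access_text, pop_logins, now):
    """Return new access-map source: static part, marker, then Connect: lines."""
    static = split_static(access_text)
    decided = admin_decisions(static)
    lines = static + [MARKER]
    for ip in recent_clients(pop_logins, now):
        if str(ip) in decided:
            continue  # assumption: a hand-written REJECT/OK/RELAY is not overridden
        lines.append(f"Connect:{ip}\tRELAY")
    return "\n".join(lines) + "\n"


def demo():
    """Run the builder over constructed data (documentation address ranges)."""
    now = 1154545200  # constructed "current time"
    access_text = (
        "localhost.localdomain\tRELAY\n"
        "Connect:203.0.113.9\tREJECT\n"
        + MARKER + "\n"
        "Connect:198.51.100.7\tRELAY\n"  # left over from an earlier run
    )
    logins = [
        (now - 30, "192.0.2.10"),    # inside the window
        (now - 601, "192.0.2.11"),   # expired
        (now - 5, "203.0.113.9"),    # statically rejected by the administrator
        (now - 5, "192.0.2.12\tRELAY\nConnect:0.0.0.0"),  # malformed log field
    ]
    return build_access(access_text, logins, now)


if __name__ == "__main__":
    print(demo(), end="")
```

The returned text is access-map source; it still has to be compiled into access.db (normally with makemap) before sendmail sees it.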
From drew at themarshalls.co.uk Wed Aug 2 19:30:51 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Wed Aug 2 19:31:08 2006 Subject: ClamAV on FreeBSD - ports or Perl module? In-Reply-To: <44D0D60B.1040805@tulsaconnect.com> References: <44D0CCF5.9000905@tulsaconnect.com> <1154534942.28994.99.camel@jakes.synaq.com> <44D0D60B.1040805@tulsaconnect.com> Message-ID: On 2 Aug 2006, at 17:42, TCIS List Acct wrote: > > > David Jacobson wrote: >> Hi Mike, >> I'd recommend installing ClamAV from source and getting the module >> via >> CPAN. >> The module is a lot faster and if you have auto in your Virus >> Scanners >> function it will pick up the module as the preferred scanneer. >> Kind Regards, >> David > > I installed ClamAV from ports and then tried to install > Mail::ClamAV from CPAN, but it failed due to the default Perl 5.8.8 > install on FreeBSD not being built with threads. So, I then tried > to build from ports ( /usr/ports/mail/p5-Mail-ClamAV) and it built, > but gave a warning at the end saying my Perl needed to be built > with threading, so looks like there is no way around that > requirement. Anyone know how stable Perl 5.8.8 on FreeBSD 6.1 is > with threading enabled? > I would always say go with the ports. They are up dated pretty regularly so never far behind the source any way. I am also running the ClamAV Perl module on Perl 5.8.8 with out threading (Admittedly in FreeBSD 6.0) and have no issues at all. I would think you should be fine as you are although it's worth monitoring MailScanner and chuck a few Eicar test viruses through to make sure Clam (Via it's module) is being used, just to be sure. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From bpumphrey at WoodMacLaw.com Wed Aug 2 19:49:03 2006 From: bpumphrey at WoodMacLaw.com (Billy A. 
Pumphrey) Date: Wed Aug 2 19:49:08 2006 Subject: blocking out-of-office In-Reply-To: <44D0563F.90409@utwente.nl> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501751D2D@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Peter Peters > Sent: Wednesday, August 02, 2006 3:38 AM > To: MailScanner discussion > Subject: blocking out-of-office > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > I'm back from vacation in Wales and I didn't set Out-of-Office. But it > turns out a lot of our employees do. And they all use Exchange so a lot > of OOO's are send out because of spam. I remember there was a way to > tell MailScanner to block these messages but I can't find anything in > the archives. > > Does anybody else have a better memory? > > - -- Does this have anything to do with this... My employees report that when they have the out of office turned on they receive more spam..... From evan at espphotography.com Wed Aug 2 20:07:08 2006 From: evan at espphotography.com (Evan Platt) Date: Wed Aug 2 20:07:53 2006 Subject: blocking out-of-office In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501751D2D@woodenex.woodmacl aw.local> References: <44D0563F.90409@utwente.nl> <04D932B0071FE34FA63EBB1977B48D1501751D2D@woodenex.woodmaclaw.local> Message-ID: <7.0.1.0.2.20060802120551.02062650@espphotography.com> At 11:49 AM 8/2/2006, you wrote: >My employees report that when they have the out of office turned on they >receive more spam..... I don't know how the two are related. Most spam I see doesn't have a valid reply address. My suggestion is to use a *nix based autoresponder. Have it only reply to addresses in your address book. Or better yet, ditch the autoresponder. 
From jgolden at ci.grand-rapids.mi.us Wed Aug 2 20:33:30 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Wed Aug 2 20:35:30 2006 Subject: Question about spam.assassin.prefs.conf Message-ID: <1154547210.12498.5.camel@doit-b8wsw21.grand-rapids.mi.us> Hi all, I upgraded our MS last week and noticed that a new spam.assassin.prefs.conf.rpmnew file was created. When I compare it to my old one, it is quite different. As long as I ensure that any settings in the old one are in the new one, can't I replace the old one with the new? Is there are reason I should/should not do this? Thanks, James -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060802/3af6652a/attachment.html From lshaw at emitinc.com Wed Aug 2 20:57:54 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Wed Aug 2 20:58:07 2006 Subject: RBL and trusted users from blacklisted IP addresses In-Reply-To: <0e3c01c6b65a$aca45300$c664a8c0@ew> References: <0e3c01c6b65a$aca45300$c664a8c0@ew> Message-ID: On Wed, 2 Aug 2006, ewr@erols.com wrote: > This is probably as much of a sendmail question as a mailscanner question, > but I figured I'd start here. > > My mail server is set up to use pop-before-smtp for authentication. When a > user pops their email from the server, the IP address that they are checking > their mail from gets added to sendmail's access.db for 10 minutes. It is > inserted into the file as " RELAY". > > I am using mailscanner/spamassassin to scan all incoming mails. > "Spam List = OORDB-RBL SBL+XBL" is set in mailscanner.conf > > My users are spread out around the country and connect to the internet from > constantly changing locations. Most of the time everything works great. > > The problem I am occassionally running into is that my users will > occassionally try to send email from a black-listed IP address. 
One simple solution to this is to set up sendmail to listen on port 587, the mail submission port. The users would then connect to port 587 and do authenticated SMTP. You can then set up a separate sendmail instance to listen on this port and bypass the MailScanner queue entirely. If the users are doing authentication, there is little need to worry about spam. The only problem might be protecting machines from viruses spreading *from* your users' machines. Whether that's going to be an issue you need to worry about depends on your users. - Logan From ewr at erols.com Wed Aug 2 21:29:15 2006 From: ewr at erols.com (ewr@erols.com) Date: Wed Aug 2 21:48:35 2006 Subject: RBL and trusted users from blacklisted IP addresses In-Reply-To: <44D0E88B.6070409@nkpanama.com> Message-ID: <0eb801c6b672$52aacc90$c664a8c0@ew> >My only suggestion would be to avoid POP-before-SMTP >altogether and institute SMTP AUTH. It will avoid many >problems and add an additional level of accountability for >your users. Look for a thread here started by Muhammad Nauman >(if I recall correctly) regarding the advantages of this. > >Otherwise, to fiddle around too much with headers (even to go >as far as rewriting them) is usually not kosher. I looked for the thread but didn't find anything relevant. Do you know how long ago it was? I actually have AUTH turned on, my users just aren't "forced" to use it yet... but I'm not sure exactly how SMTP Auth will help with this. Does an email arriving that has been AUTH'ed somehow become immune to RBL checks? From listacct at tulsaconnect.com Wed Aug 2 21:54:57 2006 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Wed Aug 2 21:54:54 2006 Subject: ClamAV on FreeBSD - ports or Perl module? In-Reply-To: References: <44D0CCF5.9000905@tulsaconnect.com> <1154534942.28994.99.camel@jakes.synaq.com> <44D0D60B.1040805@tulsaconnect.com> Message-ID: <44D11121.2080104@tulsaconnect.com> Drew Marshall wrote: > I would always say go with the ports. 
They are up dated pretty regularly > so never far behind the source any way. > > I am also running the ClamAV Perl module on Perl 5.8.8 with out > threading (Admittedly in FreeBSD 6.0) and have no issues at all. I would > think you should be fine as you are although it's worth monitoring > MailScanner and chuck a few Eicar test viruses through to make sure Clam > (Via it's module) is being used, just to be sure. > > Drew > http://www.freshports.org/mail/p5-Mail-ClamAV/ See entry on 23 Feb 2004 I get that warning after I install that port.. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From drew at themarshalls.co.uk Wed Aug 2 22:06:27 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Wed Aug 2 22:06:43 2006 Subject: ClamAV on FreeBSD - ports or Perl module? In-Reply-To: <44D11121.2080104@tulsaconnect.com> References: <44D0CCF5.9000905@tulsaconnect.com> <1154534942.28994.99.camel@jakes.synaq.com> <44D0D60B.1040805@tulsaconnect.com> <44D11121.2080104@tulsaconnect.com> Message-ID: On 2 Aug 2006, at 21:54, TCIS List Acct wrote: > > > Drew Marshall wrote: > >> I would always say go with the ports. They are up dated pretty >> regularly so never far behind the source any way. >> I am also running the ClamAV Perl module on Perl 5.8.8 with out >> threading (Admittedly in FreeBSD 6.0) and have no issues at all. I >> would think you should be fine as you are although it's worth >> monitoring MailScanner and chuck a few Eicar test viruses through >> to make sure Clam (Via it's module) is being used, just to be sure. >> Drew > > http://www.freshports.org/mail/p5-Mail-ClamAV/ > > See entry on 23 Feb 2004 > > I get that warning after I install that port.. Hmm, interesting. 
As Jan-Peter (The port maintainer) also just happens to be a MailScanner user (And the maintainer for the MS port) and a subscriber to the list, perhaps he could comment better. I am running that version without threading and have done so for ages with no issues, so I don't understand (Like normal ;-) ). I'll drop him a line off list as he is a very busy lad and doesn't always read every post from the list. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From radus at smartpost.ro Thu Aug 3 00:27:27 2006 From: radus at smartpost.ro (Radu Spineanu) Date: Thu Aug 3 00:27:36 2006 Subject: mailscanner and SMTP AUTH Message-ID: <44D134DF.3080102@smartpost.ro> Hi Can mailscanner be configured to ignore all checks for messages sent via smtp auth? In my current setup, when i try to send an email from home using SMTP AUTH it's marked as SPAM because if fails SPF and some RBL checks (ip block was added in rbls as it's used for home use). Radu From mrm at medicine.wisc.edu Thu Aug 3 00:58:40 2006 From: mrm at medicine.wisc.edu (Michael Masse) Date: Thu Aug 3 00:59:03 2006 Subject: Inline image havoc Message-ID: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> I apologize because this is more of a SA related question, but I was curious if anyone running a busy Mailscanner is also running any of the various SA pluggins that do OCR checking to defeat inline image spam? Do they work? How much extra load on the server have you noticed? Is there any pluggin that seems better overall? Seems as of late, the only spam that ever gets through is the inline image stuff and just recently we are getting bombarded with the junk.... It's bad enough that pine looks like a good option again..... 
Mike From ajos1 at onion.demon.co.uk Thu Aug 3 01:17:25 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Thu Aug 3 01:17:36 2006 Subject: SpamAssassin 3.1.4 Message-ID: - We have it running on 6 linux servers... and one Microsoft exchange... I trust it is working!! (Not yet checked if there are any false positives). >> >> Might just be a slow summer, but I don't recall having seen any mention of SA 3.1.4 on here. I'm guessing it's just a minor bugfix version, but are people out there using it? >> From michele at blacknight.ie Thu Aug 3 01:22:38 2006 From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie) Date: Thu Aug 3 01:22:41 2006 Subject: mailscanner and SMTP AUTH In-Reply-To: <44D134DF.3080102@smartpost.ro> References: <44D134DF.3080102@smartpost.ro> Message-ID: <44D141CE.9090805@blacknight.ie> Radu Spineanu wrote: > Hi > > Can mailscanner be configured to ignore all checks for messages sent via > smtp auth? > > In my current setup, when i try to send an email from home using SMTP > AUTH it's marked as SPAM because if fails SPF and some RBL checks (ip > block was added in rbls as it's used for home use). > > Radu Do you have a fixed IP at home? You could simply whitelist your home IP or your ISP's netblock -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From jaearick at colby.edu Thu Aug 3 01:21:16 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Thu Aug 3 01:26:11 2006 Subject: Inline image havoc In-Reply-To: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> References: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> Message-ID: I added this to my spam.assassin.prefs.conf file the other day, and it has helped. 
It was posted by another reader a few days ago:

#---added 8/1/2006 to combat image spam
rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
describe INLINE_IMAGE Inline Images
score INLINE_IMAGE 2.0

BTW, I *am* a pine user. I still don't like image spam...

Jeff Earickson
Colby College

On Wed, 2 Aug 2006, Michael Masse wrote:

> Date: Wed, 02 Aug 2006 18:58:40 -0500
> From: Michael Masse
> Reply-To: MailScanner discussion
> To: mailscanner@lists.mailscanner.info
> Subject: Inline image havoc
>
> I apologize because this is more of a SA related question, but I was
> curious if anyone running a busy Mailscanner is also running any of the
> various SA pluggins that do OCR checking to defeat inline image spam?
> Do they work? How much extra load on the server have you noticed?
> Is there any pluggin that seems better overall? Seems as of late, the
> only spam that ever gets through is the inline image stuff and just
> recently we are getting bombarded with the junk.... It's bad enough
> that pine looks like a good option again.....
>
>
> Mike
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From ajos1 at onion.demon.co.uk Thu Aug 3 01:32:23 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Thu Aug 3 01:32:28 2006
Subject: Sys::Syslog
Message-ID:

This is happening to me on FC5 as well...
>> >> Just upgraded to MS 4.55.9 which included an upgrade of Sys::Syslog from 0.05 (which was part of the OS's Perl installation) to 0.17 >> >> After the upgrade, MS wouldn't log to syslog and neither would the original MS version (4.54) >> == ===================================================================== = = When Ms Jowell, whose department is responsible for sport, was = asked who she thought was going to win the cup, she gleefully = pointed towards her ministerial vehicle, which is now bedecked in = flags, to declare: "There's only one England." = = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL... = Call... +44 8457 90 90 90 http://www.samaritans.org/ = ===================================================================== From ajos1 at onion.demon.co.uk Thu Aug 3 01:40:45 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Thu Aug 3 01:40:52 2006 Subject: Question about spam.assassin.prefs.conf Message-ID: - How long ago was your previous update? I do ALL the STABLE updates... from RPM... and my spamassassin.prefs.conf is dated: -rw-r--r-- 1 root root 11023 May 8 14:53 spam.assassin.prefs.conf (There is no RPMNEW)... so I am assuming May 8 is the lastest version to have? >> >> I upgraded our MS last week and noticed that a new spam.assassin.prefs.conf.rpmnew file was created. When I compare it to my old one, it is quite different. As long as I ensure that any settings in the old one are in the new one, can't I replace the old one with the new? Is there are reason I should/should not do this? >> == ===================================================================== = = When Ms Jowell, whose department is responsible for sport, was = asked who she thought was going to win the cup, she gleefully = pointed towards her ministerial vehicle, which is now bedecked in = flags, to declare: "There's only one England." = = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL... = Call... 
+44 8457 90 90 90 http://www.samaritans.org/ = ===================================================================== From res at ausics.net Thu Aug 3 02:03:12 2006 From: res at ausics.net (Res) Date: Thu Aug 3 02:03:23 2006 Subject: {MailScanner: Spam?} Re: Sys::Syslog In-Reply-To: References: Message-ID: On Thu, 3 Aug 2006, ajos1@onion.demon.co.uk wrote: > This is happening to me on FC5 as well... On Linux? or Sun.. ? > >>> >>> Just upgraded to MS 4.55.9 which included an upgrade of Sys::Syslog > from 0.05 (which was part of the OS's Perl installation) to 0.17 >>> >>> After the upgrade, MS wouldn't log to syslog and neither would the > original MS version (4.54) >>> > > == > ===================================================================== > = > = When Ms Jowell, whose department is responsible for sport, was > = asked who she thought was going to win the cup, she gleefully > = pointed towards her ministerial vehicle, which is now bedecked in > = flags, to declare: "There's only one England." > = > = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL... > = Call... +44 8457 90 90 90 http://www.samaritans.org/ > = > ===================================================================== > -- Cheers Res From pete at enitech.com.au Thu Aug 3 02:25:15 2006 From: pete at enitech.com.au (Peter Russell) Date: Thu Aug 3 02:25:33 2006 Subject: SpamAssassin 3.1.4 In-Reply-To: References: <000501c6b573$d3b2ba50$287ba8c0@office.fsl> Message-ID: <44D1507B.7060804@enitech.com.au> Julian has his package up with 3.1.4 - should we go ahead and update? Raymond Dijkxhoorn wrote: > Hi Steve, > >>> I'm guessing it's just a minor bugfix version, but are people out there >>> using it? >>> >>> ... 
>> >> We've tested and found some of the SARE rules are generating errors: > >> VIRUS_WARNING_MYDOOM4' >> [21887] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency >> 'SARE_O >> BFU_CIALIS2' >> [21887] info: rules: meta test FP_MIXED_PORN3 has undefined dependency >> 'FP_PENET >> RATION' >> >> But these don't appear to be causing any problems. There are many >> comments >> on the Internet similar to: >> http://www.nabble.com/SpamAssassin-3.1.4-and-SARE-rules-t2009875.html >> >> Any SA list readers out there care to comment? > > We are allready working to get all the rules fixed. We allready put some > changes in SVN. Most are harmless, oh and btw, you also listed non SARE > rules ;) > > Bye, > Raymond. From jrudd at ucsc.edu Thu Aug 3 02:47:25 2006 From: jrudd at ucsc.edu (John Rudd) Date: Thu Aug 3 02:47:57 2006 Subject: mailscanner and SMTP AUTH In-Reply-To: <44D134DF.3080102@smartpost.ro> References: <44D134DF.3080102@smartpost.ro> Message-ID: <777745c1dc10717ce27ebe7f61581188@ucsc.edu> In the rule that invokes mailscanner, add the condition: Source is not authenticated On Aug 2, 2006, at 4:27 PM, Radu Spineanu wrote: > Hi > > Can mailscanner be configured to ignore all checks for messages sent > via > smtp auth? > > In my current setup, when i try to send an email from home using SMTP > AUTH it's marked as SPAM because if fails SPF and some RBL checks (ip > block was added in rbls as it's used for home use). > > Radu > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
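
The INLINE_IMAGE rule Jeff Earickson posted earlier in this thread, exercised against constructed messages as an added example (not SpamAssassin code and not from any poster). It approximates SpamAssassin's rawbody view by decoding each text part with Python's email package; the function names and sample messages are assumptions made for the illustration.

```python
"""Check what the posted INLINE_IMAGE pattern does and does not match."""
import base64
import re
from email import message_from_string

# Same pattern and score as the rule posted in the thread.
INLINE_IMAGE = re.compile(r"""src\s*=\s*["']cid:""", re.IGNORECASE)
SCORE = 2.0


def text_parts(msg):
    """Yield every text/* part after transfer decoding, markup left intact."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        # latin-1 never fails to decode and the pattern is pure ASCII.
        yield payload.decode("latin-1")


def inline_image_score(raw_message):
    """Return the rule's score if any decoded text part references a cid: image."""
    msg = message_from_string(raw_message)
    for text in text_parts(msg):
        if INLINE_IMAGE.search(text):
            return SCORE
    return 0.0


def sample(html, encoding):
    """Build a constructed multipart/related message around one HTML part."""
    body = base64.b64encode(html.encode()).decode() if encoding == "base64" else html
    return (
        "From: sender@example.com\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; boundary="b1"\n'
        "\n"
        "--b1\n"
        'Content-Type: text/html; charset="us-ascii"\n'
        f"Content-Transfer-Encoding: {encoding}\n"
        "\n"
        f"{body}\n"
        "--b1\n"
        "Content-Type: image/gif\n"
        "Content-Transfer-Encoding: base64\n"
        "Content-ID: <img1>\n"
        "\n"
        "R0lGODlhAQABAAAAACw=\n"
        "--b1--\n"
    )


def demo():
    """Score three constructed messages and show why decoding matters."""
    image_only = sample('<html><body><img src="cid:img1"></body></html>', "base64")
    with_logo = sample("<p>Quarterly report attached.</p><IMG SRC = 'cid:img1'>", "7bit")
    remote = sample('<img src="http://www.example.com/a.gif">', "7bit")
    return {
        # Image-only body, HTML part base64-encoded: hit after decoding.
        "image_only": inline_image_score(image_only),
        # The same pattern run over the undecoded message finds nothing.
        "image_only_undecoded_hit": INLINE_IMAGE.search(image_only) is not None,
        # Ordinary mail with an embedded logo hits too, so the rule is a
        # scoring signal to combine with others, not a verdict on its own.
        "with_logo": inline_image_score(with_logo),
        # Remotely hosted images are outside what this rule looks at.
        "remote": inline_image_score(remote),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```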
From jrudd at ucsc.edu Thu Aug 3 02:49:23 2006 From: jrudd at ucsc.edu (John Rudd) Date: Thu Aug 3 02:49:51 2006 Subject: mailscanner and SMTP AUTH In-Reply-To: <44D134DF.3080102@smartpost.ro> References: <44D134DF.3080102@smartpost.ro> Message-ID: <4bfc7f70e5e06f88919dfc6345ff34f8@ucsc.edu> oops, ignore my last comment... I was mixing up which list I'm on. On Aug 2, 2006, at 4:27 PM, Radu Spineanu wrote: > Hi > > Can mailscanner be configured to ignore all checks for messages sent > via > smtp auth? > > In my current setup, when I try to send an email from home using SMTP > AUTH it's marked as SPAM because it fails SPF and some RBL checks (ip > block was added in rbls as it's used for home use). > > Radu > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From dave.list at pixelhammer.com Thu Aug 3 03:09:02 2006 From: dave.list at pixelhammer.com (DAve) Date: Thu Aug 3 03:09:35 2006 Subject: Inline image havoc In-Reply-To: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> References: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> Message-ID: <44D15ABE.5030407@pixelhammer.com> Michael Masse wrote: > I apologize because this is more of a SA related question, but I was > curious if anyone running a busy Mailscanner is also running any of the > various SA plugins that do OCR checking to defeat inline image spam? > Do they work? How much extra load on the server have you noticed? > Is there any plugin that seems better overall? Seems as of late, the > only spam that ever gets through is the inline image stuff and just > recently we are getting bombarded with the junk.... It's bad enough > that pine looks like a good option again..... > > > Mike > We just recently moved our SA from the mail toasters running spamc to using MailScanner.
It's much better btw, adding full SA to MailScanner was a negligible resource increase. Doing so I again tried bayes, not having much luck with it in previous years. Feeding bayes the image spams that got through, and using SARE stock rules, have made my image spams decrease a large amount. There is a large debate going whether the resources needed for checking images will be worth the trouble. Personally I'm waiting until someone has a plugin that gets mentioned as a 'must have' like SURBL or URIBL before I bother with it. Of course everyone's spam is different, might not work for you. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From alex at nkpanama.com Thu Aug 3 03:12:13 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Aug 3 03:12:55 2006 Subject: RBL and trusted users from blacklisted IP addresses In-Reply-To: <0eb801c6b672$52aacc90$c664a8c0@ew> References: <0eb801c6b672$52aacc90$c664a8c0@ew> Message-ID: <44D15B7D.2020007@nkpanama.com> ewr@erols.com wrote: >> My only suggestion would be to avoid POP-before-SMTP >> altogether and institute SMTP AUTH. It will avoid many >> problems and add an additional level of accountability for >> your users. Look for a thread here started by Muhammad Nauman >> (if I recall correctly) regarding the advantages of this. >> >> Otherwise, to fiddle around too much with headers (even to go >> as far as rewriting them) is usually not kosher. >> > > I looked for the thread but didn't find anything relevant. Do you know how > long ago it was? > > I actually have AUTH turned on, my users just aren't "forced" to use it > yet... but I'm not sure exactly how SMTP Auth will help with this. Does an > email arriving that has been AUTH'ed somehow become immune to RBL checks?
> > You can create spamassassin rules tailored to your server that recognize the AUTH header and act accordingly. The other suggestion (MSA on port 587 independent from MailScanner) is also an option. From pete at enitech.com.au Thu Aug 3 03:20:41 2006 From: pete at enitech.com.au (Peter Russell) Date: Thu Aug 3 03:20:54 2006 Subject: MailScanner ANNOUNCE: 4.55 stable released In-Reply-To: References: Message-ID: <44D15D79.1030105@enitech.com.au> Hi, I have upgraded to the latest version and tried --changed on one of my machines and get a weird error. This is Red Hat Enterprise Linux AS release 4 (Nahant) This is Perl version 5.008005 (5.8.5) This is MailScanner version 4.55.9 # MailScanner --changed Cannot open config file --changed, No such file or directory at /usr/lib/MailScanner/MailScanner/Config.pm line 605. Compilation failed in require at /usr/sbin/MailScanner line 69. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 69. Any ideas on the cause? Thanks Pete Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Morning/Afternoon/Evening all! > > I have just released the latest stable release of MailScanner, 4.55. > > There are many minor changes this month, nothing earth-shattering, > and a few fixes for you. One new feature you may find useful is the > "--changed" command-line option, which will make MailScanner print > out a table of all the settings you have changed from the defaults. > This should help diagnosing problem much easier, as you won't have to > read the MailScanner.conf and try to spot the changes any more. Just > run "MailScanner --changed" and it will tell you all you need to know. > > Download as usual from > www.mailscanner.info > > The full Change Log is here: > > * New Features and Improvements * > 1 Added educ.ar and uba.ar to country.domains.conf for less strict > phishing net. > 1 Code tidy up in Message constructor.
> 1 Speed improvements to ZMailer attachment extraction to keep up with > the > other MTAs. > 1 "Log Speed = no" now does what it says on the tin. (UK in-joke :-) > 1 Added "stopms" option to Linux init.d scripts. > 1 Improved behaviour when %percentvars% at start of MailScanner.conf > have not > been configured at all. It now uses the fully-qualified hostname > to guess > the domain name and website address. It used to refuse to run > which was > very impolite. > 1 Added Sys::Hostname::Long to list of required modules to implement > the above. > 2 Documentation rationalisation. Most up to date versions are all on > the web. > 3 Now output lock type in use with "--lint". > 4 Improvement to Sophos.install for Sophos Version 5 so that email > logging is > disabled. > 4 Now use syslog "notice" priority instead of "info" when issuing > messages > that are nearly warnings. This helps you drastically reduce the > amount of > syslog output by just logging priorities greater than or equal to > "notice". > 5 Added a "Contact Us" web page instead of just a mailto: link. > 6 Improved Help guidance in Contact Us web page. > 6 New command-line option: "-c" or "--changed". > This will print out a table of all the configuration settings that > have > been changed from the default values hard-coded into MailScanner. > Note > this may not be quite the same as the differences from the supplied > default MailScanner.conf file. > 6 Updated hard-coded defaults to better match MailScanner.conf settings. > 6 Improved handling of broken Custom Functions. Having a broken Custom > Function will now just result in the setting's default value being > used. > 7 Bugfix for "--changed" printing when using Custom Functions. > 8 Improved syslog-ing code so it doesn't matter is syslogd dies. > 8 Upgraded DBD-SQLite to version 1.12 as it builds a lot more easily. > 8 Improved handling of Postfix virtual users. Thanks to > jpabuyer@tecnoera.com. 
> 9 Added catch to commercial virus scanning code to allow syslogd to > die during > a virus scan. > 9 Improved speed logging to remove chatter. > 9 Upgraded Sys::Syslog to 0.17 which builds okay, unlike 0.16. > 9 MCP timings are no longer output if MCP checks are disabled. > > * Fixes * > 1 Put back in the checks of free disk space that were in 4.53.1 but > then lost. > 1 Fix in check_MailScanner for MacOSX. > 3 Default lock type for sendmail is now posix, as it should be. > 4 Fix to phishing net so that links to "www.domain.com." are accepted > as legal. > 6 Fixed problem with dangerous filenames in TNEF archives when using the > external TNEF expander. > 8 Fixed problem with long SpamAssassin report in report files getting > truncated > at % signs. > 8 Fixed phishing net problem with some cases of outbind://\d+/.... URLs. > 9 Stopped logging code producing ridiculous numbers. > 9 Improved Denial-of-service attack detector to handle multiple virus > scanners > more quickly. Now clears detection in 2 x Virus Scanner Timeout, > as expected. > 9 Fixed minor bug in TNEF handling of bad messages. > 9 "service MailScanner reload" should work properly now. > > - -- > Julian Field > MailScanner@ecs.soton.ac.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: US-ASCII > > wj8DBQFEzw2LEfZZRxQVtlQRAkXgAJsGcNkLiq3fIciMmq6f6gbvouA6UgCg5ND9 > DWtjaI46fNH1v4XPt9FK1Pk= > =/a/k > -----END PGP SIGNATURE----- > From mrm at medicine.wisc.edu Thu Aug 3 04:31:44 2006 From: mrm at medicine.wisc.edu (Michael Masse) Date: Thu Aug 3 04:32:16 2006 Subject: Inline image havoc In-Reply-To: References: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> Message-ID: <44D12796.7FBE.00FC.3@medicine.wisc.edu> >>> On 8/2/2006 at 7:21 PM, in message , "Jeff A. Earickson" wrote: > I added this to my spam.assassin.prefs.conf file the other day, > and it has helped. 
It was posted by another reader a few days > ago: > > #---added 8/1/2006 to combat image spam > rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i > describe INLINE_IMAGE Inline Images > score INLINE_IMAGE 2.0 > I have been running this as well and it certainly has helped, but some are still slipping through. I guess I'll try a score of 3 points and see if that helps. Mike From pete at enitech.com.au Thu Aug 3 04:53:20 2006 From: pete at enitech.com.au (Peter Russell) Date: Thu Aug 3 04:53:32 2006 Subject: Inline image havoc In-Reply-To: <44D12796.7FBE.00FC.3@medicine.wisc.edu> References: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> <44D12796.7FBE.00FC.3@medicine.wisc.edu> Message-ID: <44D17330.70409@enitech.com.au> Working nicely here on 1.50 My low spam score is 6 and this pushes them over. SpamAssassin Score: 6.32 6 required -0.18 BAYES_40 Bayesian spam probability is 20 to 40% 2.77 DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date 0.00 HTML_MESSAGE HTML included in message 1.50 INLINE_IMAGE 2.23 RCVD_IN_WHOIS_INVALID CompleteWhois: sender on invalid IP block Michael Masse wrote: > >>>> On 8/2/2006 at 7:21 PM, in message > , > "Jeff A. Earickson" wrote: >> I added this to my spam.assassin.prefs.conf file the other day, >> and it has helped. It was posted by another reader a few days >> ago: >> >> #---added 8/1/2006 to combat image spam >> rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i >> describe INLINE_IMAGE Inline Images >> score INLINE_IMAGE 2.0 >> > > > I have been running this as well and it certainly has helped, but some > are still slipping through. I guess I'll try a score of 3 points and > see if that helps. > > Mike > From doc at maddoc.net Thu Aug 3 06:28:39 2006 From: doc at maddoc.net (Doc Schneider) Date: Thu Aug 3 06:28:44 2006 Subject: 70_sare_stocks.cf Message-ID: <44D18987.4070400@maddoc.net> I added a "tweak" to the rule set that should catch more of these dang image spams. 
For those of you running "SARE_STOCK" please let me know if these are now being caught. Thanks! I can be contacted off list either at this address or maddoc@maddoc.net which is the contact address in the rules. -- -Doc Lincoln, NE. http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From chrisgreen at hotmail.com Thu Aug 3 06:34:26 2006 From: chrisgreen at hotmail.com (Chris Green) Date: Thu Aug 3 06:34:47 2006 Subject: blocking out-of-office In-Reply-To: <7.0.1.0.2.20060802120551.02062650@espphotography.com> Message-ID: >At 11:49 AM 8/2/2006, you wrote: > >>My employees report that when they have the out of office turned on they >>receive more spam..... > > >I don't know how the two are related. Most spam I see doesn't have a valid >reply address. > >My suggestion is to use a *nix based autoresponder. Have it only reply to >addresses in your address book. Or better yet, ditch the autoresponder. > Spam comes in and gets through filter Out Of Office AutoReply goes out Boiiiing! - NDR arrives in inbox Therefore spam, in the implied sense of the word, would double. It pollutes auto-whitelists too, but doesn't usually expose you to more spam due because bogus addresses are unlikely to be reused. From sujithem at cdacb.ernet.in Thu Aug 3 06:45:33 2006 From: sujithem at cdacb.ernet.in (Sujith Emmanuel) Date: Thu Aug 3 06:46:12 2006 Subject: 70_sare_stocks.cf In-Reply-To: <44D18987.4070400@maddoc.net> References: <44D18987.4070400@maddoc.net> Message-ID: <1d1e72700608022245m29b4a257s8c89659099d0c864@mail.gmail.com> Please lemme know when you last updated the rule, 2006-08-02? Thanks Sujith Emmanuel On 8/3/06, Doc Schneider wrote: > > I added a "tweak" to the rule set that should catch more of these dang > image spams. > > For those of you running "SARE_STOCK" please let me know if these are > now being caught. > > Thanks! > > I can be contacted off list either at this address or maddoc@maddoc.net > which is the contact address in the rules. 
> > -- > -Doc > Lincoln, NE. > http://www.genealogyforyou.com/ > http://www.cairnproductions.com/ > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060803/b9620790/attachment.html From Jan-Peter.Koopmann at seceidos.de Thu Aug 3 07:10:20 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Thu Aug 3 07:10:58 2006 Subject: ClamAV on FreeBSD - ports or Perl module? In-Reply-To: Message-ID: On Wednesday, August 02, 2006 11:06 PM Drew Marshall wrote: Drew, thanks for the wake-up call off-list. :-) >>> I would always say go with the ports. Yes. You should do that with every software available as a port. >>> They are up dated pretty >>> regularly so never far behind the source any way. Well in case of MailScanner: Mea culpa once again. I will try to produce an up-to-date version today. >> http://www.freshports.org/mail/p5-Mail-ClamAV/ >> >> See entry on 23 Feb 2004 So long ago. Let me search my memory. :-) At that time the module required threaded perl to work. I am not sure whether or not this was a perl or a clamav requirement. Recompiling perl with threaded support helped but personally gave me other problems so I always went for the command-line version. If others say it works with the non-threaded version now things might have changed. I will give it a try (maybe this afternoon). Are you "only" getting the warning in pkg-message? If so I would guess it is just an outdated warning. 
Kind regards, JP From Jan-Peter.Koopmann at seceidos.de Thu Aug 3 07:16:50 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Thu Aug 3 07:17:15 2006 Subject: Manpages / FreeBSD Message-ID: Hi, just a quick question. Obviously the documentation is now on the web. I just realized that the latest version does not seem to contain any documentation at all. Question: Is everybody ok with this? I could try to maintain the man pages and patch them in the FreeBSD port but I could also save some time and simply rely on the web documentation. Just want to make sure not everyone port user is going to kill me for that later on. :-) Regards, JP From doc at maddoc.net Thu Aug 3 07:20:42 2006 From: doc at maddoc.net (Doc Schneider) Date: Thu Aug 3 07:20:47 2006 Subject: 70_sare_stocks.cf In-Reply-To: <1d1e72700608022245m29b4a257s8c89659099d0c864@mail.gmail.com> References: <44D18987.4070400@maddoc.net> <1d1e72700608022245m29b4a257s8c89659099d0c864@mail.gmail.com> Message-ID: <44D195BA.6050308@maddoc.net> Sujith Emmanuel wrote: > Please lemme know when you last updated the rule, 2006-08-02? > > Thanks > Sujith Emmanuel > > On 8/3/06, *Doc Schneider* < doc@maddoc.net > wrote: > > I added a "tweak" to the rule set that should catch more of these dang > image spams. > > For those of you running "SARE_STOCK" please let me know if these are > now being caught. > > Thanks! > > I can be contacted off list either at this address or > maddoc@maddoc.net > which is the contact address in the rules. > > -- > -Doc > Lincoln, NE. > http://www.genealogyforyou.com/ > http://www.cairnproductions.com/ > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > # Version: 01.00.28 # Created: 2005-12-18 # Modified: 2006-08-02 Is the latest and greatest. -- -Doc Lincoln, NE. http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From sujithem at cdacb.ernet.in Thu Aug 3 07:52:17 2006 From: sujithem at cdacb.ernet.in (Sujith Emmanuel) Date: Thu Aug 3 07:52:54 2006 Subject: 70_sare_stocks.cf In-Reply-To: <44D195BA.6050308@maddoc.net> References: <44D18987.4070400@maddoc.net> <1d1e72700608022245m29b4a257s8c89659099d0c864@mail.gmail.com> <44D195BA.6050308@maddoc.net> Message-ID: <1d1e72700608022352n71f1517al5c45bfc6d550bd57@mail.gmail.com> Yes i got that today, thank you very much. Lemme check out the results. Thanks and Regards Sujith Emmanuel # Version: 01.00.28 # Created: 2005-12-18 # Modified: 2006-08-02 Is the latest and greatest. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060803/7de732ec/attachment.html From davidj at synaq.com Thu Aug 3 08:13:10 2006 From: davidj at synaq.com (David Jacobson) Date: Thu Aug 3 08:13:57 2006 Subject: MCP Speed... Message-ID: <1154589190.14071.3.camel@jakes.synaq.com> Hi Gents, I wonder if you can help with a small problem regarding MCP speeds. We maintain a number of MailScanner servers for a customer which processes about a million e-mails a month. The client has requested that we check for certain keywords +/- 20 and send them through to an address. We've implemented this for them, but it adds an extreme load on the servers. I've had a close look at the MCP spam.assassin.prefs.conf and even though it disabled Razor / Pyzor / DCC etc I still believe it's doing way too many checks than required for pure keyword analysis. 
It appears to load all the plugins when doing a spamassassin - p /etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf such as SPF, AWL, etc etc all from v310.pre, can someone tell me how I can disable the MCP prefs from using this? I still obviously want to keep the plugins so I can't remove them from v310.pre. Any advice would be appreciated... -- Regards, David Jacobson Technical Director SYNAQ (Pty) Ltd Tel: 011 245 5888 Direct: 011 245 5889 Fax: 011 783 9275 Cell: 083 235 0760 Mail: davidj@synaq.com Web: http://www.synaq.com Key Fingerprint 8246 FCE1 3C22 7EFB E61B 18DF 6E8B 65E8 BD50 78A1 From adrik at salesmanager.nl Thu Aug 3 08:23:46 2006 From: adrik at salesmanager.nl (Adri Koppes) Date: Thu Aug 3 08:23:49 2006 Subject: Manpages / FreeBSD Message-ID: Hi JanPeter, I promise not to kill you. :-) ManPages are nice to have on the system, but I think I can live without them if need be. Perhaps a compromise, where you install small and simple ManPages, which tell you to visit the web for more detailed and advanced information? These would only have to be written once and never updated anymore. Regards, Adri. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Koopmann, Jan-Peter > Sent: donderdag 3 augustus 2006 8:17 > To: MailScanner discussion > Subject: Manpages / FreeBSD > > Hi, > > just a quick question. Obviously the documentation is now on > the web. I just realized that the latest version does not > seem to contain any documentation at all. Question: Is > everybody ok with this? I could try to maintain the man pages > and patch them in the FreeBSD port but I could also save some > time and simply rely on the web documentation. Just want to > make sure not everyone port user is going to kill me for that > later on.
:-) > > > Regards, > JP > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From adrik at salesmanager.nl Thu Aug 3 08:29:07 2006 From: adrik at salesmanager.nl (Adri Koppes) Date: Thu Aug 3 08:29:10 2006 Subject: ClamAV on FreeBSD - ports or Perl module? Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Koopmann, Jan-Peter > Sent: donderdag 3 augustus 2006 8:10 > To: MailScanner discussion > Subject: RE: ClamAV on FreeBSD - ports or Perl module? > > On Wednesday, August 02, 2006 11:06 PM Drew Marshall wrote: > > Drew, thanks for the wake-up call off-list. :-) > > >>> I would always say go with the ports. > > Yes. You should do that with every software available as a port. > > >>> They are up dated pretty > >>> regularly so never far behind the source any way. > > Well in case of MailScanner: Mea culpa once again. I will try > to produce an up-to-date version today. > > >> http://www.freshports.org/mail/p5-Mail-ClamAV/ > >> > >> See entry on 23 Feb 2004 > > So long ago. Let me search my memory. :-) At that time the > module required threaded perl to work. I am not sure whether > or not this was a perl or a clamav requirement. Recompiling > perl with threaded support helped but personally gave me > other problems so I always went for the command-line version. > If others say it works with the non-threaded version now > things might have changed. I will give it a try (maybe this > afternoon). Are you "only" getting the warning in > pkg-message? If so I would guess it is just an outdated warning. Jan Peter, I have been using p5-Mail-ClamAV 0.30 with the standard perl 5.8.6 on FreeBSD 5.4 without any problems for over 1 year now. Regards, Adri. 
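Added example (not code posted by any list member): the INLINE_IMAGE rawbody rule from the "Inline image havoc" thread above, run in Python over three constructed messages to show what it matches and how its score interacts with the threshold. It assumes rawbody matching can be approximated by transfer-decoding each text part with Python's email module; the sample messages, addresses and helper names are constructed, while the rule text, the per-rule scores and the threshold of 6 are those quoted in the thread.

```python
import base64
import re
from email import message_from_string

# Rule as posted in the thread:
#   rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
INLINE_IMAGE = re.compile(r"""src\s*=\s*["']cid:""", re.IGNORECASE)

REQUIRED = 6.0  # "6 required" in the score report quoted in the thread

# Other rule hits from that score report (everything except INLINE_IMAGE).
REPORTED_HITS = {
    "BAYES_40": -0.18,
    "DATE_IN_FUTURE_12_24": 2.77,
    "HTML_MESSAGE": 0.00,
    "RCVD_IN_WHOIS_INVALID": 2.23,
}


def build_message(html, encode_html=False, attach_gif=True):
    """Constructed sample: multipart/related with an HTML part and optional GIF."""
    body = base64.b64encode(html.encode()).decode() if encode_html else html
    cte = "base64" if encode_html else "7bit"
    raw = (
        "From: sender@example.com\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; boundary="BOUNDARY"\n'
        "\n--BOUNDARY\n"
        "Content-Type: text/html; charset=us-ascii\n"
        f"Content-Transfer-Encoding: {cte}\n\n{body}\n"
    )
    if attach_gif:
        raw += (
            "\n--BOUNDARY\n"
            'Content-Type: image/gif; name="image001.gif"\n'
            "Content-Transfer-Encoding: base64\n"
            "Content-ID: <image001.gif@example>\n\n"
            "R0lGODlhAQABAAAAACw=\n"
        )
    return raw + "\n--BOUNDARY--\n"


def decoded_text_parts(raw):
    """Yield each text/* part after transfer decoding, HTML tags left intact.

    Assumption: this approximates the text a rawbody rule is matched against.
    """
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            yield payload.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:  # unknown charset label
            yield payload.decode("latin-1")


def inline_image_hit(raw):
    """True if any decoded text part references an attached image by cid:."""
    return any(INLINE_IMAGE.search(text) for text in decoded_text_parts(raw))


def total_score(raw, other_hits, inline_score):
    """Sum the other rule scores and add inline_score when the rule fires."""
    score = sum(other_hits.values())
    if inline_image_hit(raw):
        score += inline_score
    return round(score, 2)


def is_spam(score, required=REQUIRED):
    return score >= required


# Constructed samples.
SPAM_B64 = build_message(
    '<html><body><IMG SRC = "cid:image001.gif@example"></body></html>',
    encode_html=True,
)
REMOTE_IMG = build_message(
    '<html><body><img src="http://example.com/logo.gif"></body></html>',
    attach_gif=False,
)
LEGIT_LOGO = build_message(
    "<html><body>Regards, Ann<br><img src='cid:image001.gif@example'></body></html>"
)

if __name__ == "__main__":
    for name, raw in [("spam, base64 HTML", SPAM_B64),
                      ("remote image", REMOTE_IMG),
                      ("legit mail, inline logo", LEGIT_LOGO)]:
        print(f"{name:26} rule fires: {inline_image_hit(raw)}")
    for points in (0.0, 1.50, 2.0, 3.0):
        score = total_score(SPAM_B64, REPORTED_HITS, points)
        print(f"INLINE_IMAGE={points:<4} total={score:<5} spam={is_spam(score)}")
```

The third sample matches as well, which is why the rule is scored at 1.5 to 3 points in the thread rather than at the threshold: ordinary mail with an inline signature logo also references a `cid:` image and has to be cleared by its other scores.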
From glenn.steen at gmail.com Thu Aug 3 08:54:58 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Aug 3 08:55:03 2006 Subject: blocking out-of-office In-Reply-To: <44D05DF6.6030505@utwente.nl> References: <44D0563F.90409@utwente.nl> <44D05DF6.6030505@utwente.nl> Message-ID: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> On 02/08/06, Peter Peters wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > Julian Field wrote on 2-8-2006 10:00: > > Read the comments above the "Remove These Headers" option. > > > > # If any of these headers are included in a a message, they will be > > deleted. > > # This is very useful for removing return-receipt requests and any > > headers > > # which mean special things to your email client application. > > This helps only when the sender asks for a DSN. This does not help when > the recipient has configured to send an out of office to every message > he receives. > This has been asked before on the list, but never really answered.... because it can't be(!)... OoO/vacation really is a phenomenon, not a standardised thing, so you don't have much to go by... Other than scoring the actual text (usually in the subject), I don't think you have many options. If you use Postfix, you could make a DISCARDing header_check, but then.... that might end badly:-). The sane solution is to not allow OoO, and encourage your user to use other measures (like "mailbox delegations" etc). 
Unfortunately PHBs are rarely sane...:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From adrik at salesmanager.nl Thu Aug 3 09:00:23 2006 From: adrik at salesmanager.nl (Adri Koppes) Date: Thu Aug 3 09:00:28 2006 Subject: chinese-language email Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Ugo Bellavance > Sent: woensdag 2 augustus 2006 20:17 > To: mailscanner@lists.mailscanner.info > Subject: Re: chinese-language email > > Adri Koppes wrote: > > Hi Daniel, > > > > In your local.cf or spamassassin.prefs.conf check the settings of > > ok_languages and ok_locales. > > These 2 SpamAssassin settings are used for the FARWAY and > other rules. > > I guess that every time we add something to these settings, > the catch rate for foreign spam is reduced? > Ugo, For every language you add to these settings, they will no longer be marked and some of the FARAWAY and CHARSET rules score quite heavily. When people start using these settings, I recommend they add all the foreign languages and locales they expect to receive in legitimate messages. Adri. From drew at themarshalls.co.uk Thu Aug 3 09:09:40 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Thu Aug 3 09:09:53 2006 Subject: Manpages / FreeBSD In-Reply-To: References: Message-ID: <55502.194.70.180.170.1154592580.squirrel@webmail.r-bit.net> On Thu, August 3, 2006 08:23, Adri Koppes wrote: > Hi JanPeter, > > I promise not to kill you. :-) Me too! :-) > ManPages are nice to have on the system, but I think I can live without > them if need be. > Perhaps a compromise, where you install small and simple ManPages, which > tell you to visit the web for more detailed and advanced information? > These would only have to written once and never updated anymore. Agreed. This would be a good option. 
Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From navshobhmagotra at cdacnoida.in Thu Aug 3 11:51:03 2006 From: navshobhmagotra at cdacnoida.in (Nasvhobh Magotra) Date: Thu Aug 3 11:51:51 2006 Subject: SpamAssassin MailScanner Problem Message-ID: <200608031051.k73AplgA012739@bkserver.blacknight.ie> Hi all Members I have configured a qmail server with openprotect-5.0.4 that contains mailscanner ,spamassassin and clamav as default scanners on a debian sarge system. The installation went smoothly. But I have a peculiar problem. The clamav scanning is working perfectly but spamassassin is not. I have checked Mailscanner.conf and it is perfectly fine. If I test GTUBE it is giving perfect results i.e. score 1000 but if I test the example file "/etc/Mailscanner/testmessages/sample-spam.txt" it always gives a score of zero. If I run /usr/bin/spamc on the file it results in a score of 16.2 . I am not able to find exactly what is the problem . 
the example /var/log/mail.log is : Aug 3 16:05:42 email MailScanner[6361]: Filetype Checks: Allowing 4660723 msg-6361-1.txt Aug 3 16:05:42 email MailScanner[6361]: Uninfected: Delivered 1 messages Aug 3 16:14:51 email MailScanner[6314]: New Batch: Scanning 1 messages, 664 bytes Aug 3 16:14:51 email MailScanner[6314]: MCP Checks: Starting Aug 3 16:14:51 email MailScanner[6314]: Spam Checks: Starting Aug 3 16:15:07 email MailScanner[6314]: Message 4660723 from ece (test@test.com) to test.com is not spam, SpamAssassin (score=0, required 3) Aug 3 16:15:07 email MailScanner[6314]: Virus and Content Scanning: Starting Aug 3 16:15:08 email MailScanner[6314]: Filename Checks: Allowing 4660723 msg-6314-2.txt Aug 3 16:15:08 email MailScanner[6314]: Filetype Checks: Allowing 4660723 msg-6314-2.txt Aug 3 16:15:08 email MailScanner[6314]: Uninfected: Delivered 1 messages Aug 3 16:15:53 email MailScanner[6314]: New Batch: Scanning 1 messages, 735 bytes Aug 3 16:15:53 email MailScanner[6314]: MCP Checks: Starting Aug 3 16:15:53 email MailScanner[6314]: Spam Checks: Starting Aug 3 16:15:55 email MailScanner[6314]: Message 4660723 from ece (test@test.com) to test.com is spam, SpamAssassin (score=1000, required 3, GTUBE 1000.00) Aug 3 16:15:55 email MailScanner[6314]: Spam Checks: Found 1 spam messages Aug 3 16:15:55 email MailScanner[6314]: Spam Actions: message 4660723 actions are deliver Aug 3 16:15:55 email MailScanner[6314]: Virus and Content Scanning: Starting Aug 3 16:15:57 email MailScanner[6314]: Filename Checks: Allowing 4660723 msg-6314-3.txt Aug 3 16:15:57 email MailScanner[6314]: Filetype Checks: Allowing 4660723 msg-6314-3.txt Aug 3 16:15:57 email MailScanner[6314]: Uninfected: Delivered 1 messages Regards, Navshobh Magotra, Network Administrator, C-56/1, Anusandhan Bhavan Institutional Area, CDAC, Sector-62,Noida-201307 Ph. 0120-3063330/331 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060803/be88f071/attachment.html From ugob at camo-route.com Thu Aug 3 13:34:51 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 3 13:35:33 2006 Subject: chinese-language email In-Reply-To: References: Message-ID: Adri Koppes wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Ugo Bellavance >> Sent: woensdag 2 augustus 2006 20:17 >> To: mailscanner@lists.mailscanner.info >> Subject: Re: chinese-language email >> >> Adri Koppes wrote: >>> Hi Daniel, >>> >>> In your local.cf or spamassassin.prefs.conf check the settings of >>> ok_languages and ok_locales. >>> These 2 SpamAssassin settings are used for the FARWAY and >> other rules. >> >> I guess that every time we add something to these settings, >> the catch rate for foreign spam is reduced? >> > Ugo, > > For every language you add to these settings, they will no longer be > marked and some of the FARAWAY and CHARSET rules score quite heavily. > When people start using these settings, I recommend they add all the > foreign languages and locales they expect to receive in legitimate > messages. Ok, but from what I've seen, the default is en, so we're all using it. This doesn't really answer my question... What I meant is that CHARSET and FARAWAY rules helps us catch some spam from foreign countries. If I get a few false positives for chinese e-mails and I put chinese in ok_locales and ok_languages, my catch rate for chinese spam will we lower right? Most of our traffic is english and french. Thanks. Ugo > > Adri. From adrik at salesmanager.nl Thu Aug 3 13:44:43 2006 From: adrik at salesmanager.nl (Adri Koppes) Date: Thu Aug 3 13:44:44 2006 Subject: chinese-language email Message-ID: > Ok, but from what I've seen, the default is en, so we're all > using it. > This doesn't really answer my question... 
What I meant is > that CHARSET and FARAWAY rules helps us catch some spam from > foreign countries. If I get a few false positives for > chinese e-mails and I put chinese in ok_locales and > ok_languages, my catch rate for chinese spam will we lower > right? Most of our traffic is english and french. Ugo, I know, Jules put the default for english only in spam.preferences.conf. This means any non-english message will get an extra 2 or 3 points added to the SA score. When you add the chinese language, it will no longer add the extra score to these messages, so yes, the catch rate for chinese spam will be lower. If most of your traffic is english and french, I'd suggest using 'en fr' for ok_languages. Adri. From daniel.maher at ubisoft.com Thu Aug 3 14:27:10 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Aug 3 14:27:14 2006 Subject: 70_sare_stocks.cf Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D06E@UBIMAIL1.ubisoft.org> Hello, Would it be possible for you to post a diff for your tweaks? I'm curious, and I'm sure I'm not the only one! :) -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Doc Schneider > Sent: August 3, 2006 1:29 AM > To: MailScanner discussion > Subject: 70_sare_stocks.cf > > I added a "tweak" to the rule set that should catch more of these dang > image spams. > > For those of you running "SARE_STOCK" please let me know if these are > now being caught. > > Thanks! > > I can be contacted off list either at this address or maddoc@maddoc.net > which is the contact address in the rules. > > -- > -Doc > Lincoln, NE.
> http://www.genealogyforyou.com/ > http://www.cairnproductions.com/ > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From daniel.maher at ubisoft.com Thu Aug 3 14:33:22 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Aug 3 14:33:25 2006 Subject: chinese-language email Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D070@UBIMAIL1.ubisoft.org> If you actually receive a fair amount of Chinese-language spam, you may want to consider the following: http://www.ccert.edu.cn/spam/sa/Chinese_rules_en.htm -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Adri Koppes > Sent: August 3, 2006 8:45 AM > To: MailScanner discussion > Subject: RE: chinese-language email > > > Ok, but from what I've seen, the default is en, so we're all > > using it. > > This doesn't really answer my question... What I meant is > > that CHARSET and FARAWAY rules help us catch some spam from > > foreign countries. If I get a few false positives for > > Chinese e-mails and I put Chinese in ok_locales and > > ok_languages, my catch rate for Chinese spam will be lower, > > right? Most of our traffic is English and French. > > Ugo, > > I know, Jules put the default for English only in spam.preferences.conf. > This means any non-English message will get an extra 2 or 3 points added > to the SA score. > When you add the Chinese language, it will no longer add the extra score > to these messages, so yes, the catch rate for Chinese spam will be > lower. > If most of your traffic is English and French, I'd suggest using 'en fr' > for ok_languages. > > Adri.
> -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From dhawal at netmagicsolutions.com Thu Aug 3 14:37:57 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Aug 3 14:38:11 2006 Subject: 70_sare_stocks.cf In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D06E@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D06E@UBIMAIL1.ubisoft.org> Message-ID: <44D1FC35.1030804@netmagicsolutions.com> Daniel Maher wrote: > Hello, > > Would it be possible for you to post a diff for your tweaks? I'm curious, and I'm sure I'm not the only one! :) here.. [root@sauron ~]# diff 70_sare_stocks.cf 70_sare_stocks.cf.20060803-1409 2c2 < # Version: 01.00.28 --- > # Version: 01.00.27 4c4 < # Modified: 2006-08-02 --- > # Modified: 2006-07-24 48d47 < # 01.00.28 Tweeked GIF catcher rule. 729c728 < full SARE_GIF_ATTACH /name=\"?[0-9a-z._\-]{3,18}\.gif\"?/i --- > full SARE_GIF_ATTACH /name=\"[a-z.]{3,18}\.gif\"/i Works fine for me so far.. in addition i use these posted on the sa-users list.. though i ought to be using the second one as a meta rule. rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i describe INLINE_IMAGE Inline Image score INLINE_IMAGE 2.0 rawbody INLINE_IMAGE2 /src\s*=\s*["']cid:image001\.gif/i describe INLINE_IMAGE2 Inline Image image001.gif score INLINE_IMAGE2 2.0 >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Doc Schneider >> Sent: August 3, 2006 1:29 AM >> To: MailScanner discussion >> Subject: 70_sare_stocks.cf >> >> I added a "tweak" to the rule set that should catch more of these dang >> image spams. >> >> For those of you running "SARE_STOCK" please let me know if these are >> now being caught. >> >> Thanks! 
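Review bot: in the 01.00.28 SARE_GIF_ATTACH pattern (the "<" line at 729), the trailing \"? makes the closing quote optional, so nothing anchors the end of the filename any more: a name that only begins with a short token followed by ".gif", for example name=abc.gif.txt, now hits the rule, which the 01.00.27 pattern with its mandatory closing quote did not allow. If unquoted names are the target, require a delimiter after \.gif (a quote, whitespace, a semicolon or end of line) and pair the quotes so that an opening quote demands a closing one.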
>> >> I can be contacted off list either at this address or maddoc@maddoc.net >> which is the contact address in the rules. >> >> -- >> -Doc >> Lincoln, NE. >> http://www.genealogyforyou.com/ >> http://www.cairnproductions.com/ From raymond at prolocation.net Thu Aug 3 14:47:13 2006 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Thu Aug 3 14:47:13 2006 Subject: 70_sare_stocks.cf In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D06E@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D06E@UBIMAIL1.ubisoft.org> Message-ID: Hi! > Would it be possible for you to post a diff for your tweaks? I'm > curious, and I'm sure I'm not the only one! :) >> For those of you running "SARE_STOCK" please let me know if these are >> now being caught. >> >> Thanks! Just get a new version of the ruleset, all is included there. Bye, Raymond. From jgolden at ci.grand-rapids.mi.us Thu Aug 3 15:39:09 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Thu Aug 3 15:39:56 2006 Subject: Spamassassin Timeouts Message-ID: <1154615949.5548.1.camel@doit-b8wsw21.grand-rapids.mi.us> I received this info from Logwatch, but I am not sure if it is something I should be concerned about. Would anyone else be kind enough to fill me in? And what to do about it if it is not an OK thing? MailScanner Status: 21351 messages Scanned by MailScanner 968.5 Total MB 13531 Spam messages detected by MailScanner 13531 Spam messages with action(s) store 902 hits from MailScanner SpamAssassin cache 6 Viruses found by MailScanner 4 Banned attachments found by MailScanner 967 Content Problems found by MailScanner 7778 Messages delivered by MailScanner 61 SpamAssassin timeout(s Thanks, James
From jgolden at ci.grand-rapids.mi.us Thu Aug 3 16:14:12 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Thu Aug 3 16:14:48 2006 Subject: Question about spam.assassin.prefs.conf In-Reply-To: References: Message-ID: <1154618053.5548.12.camel@doit-b8wsw21.grand-rapids.mi.us> Sorry, I should have put that info in there. I'm not sure what the original date of the file was, because now I moved it. I did a compare on my old one and the rpmnew one. -rw-r--r-- 1 root root 10963 May 27 15:19 spam.assassin.prefs.conf.rpmnew In the old file test I found this as a latest edit: # JKF 12/01/2005 - known troublesome rule So, after the compare, I then added any settings entry that was missing (which was about 3 lines) (bayes_path, awl_path, and one other) to the file, and then replaced the old one with the rpmnew version. Everything looks OK. I was just wondering if I missed a step. I know I ran a few scripts to upgrade Mailscanner.conf and another, but I didn't remember doing it for spam.assassin.prefs.conf file. I did just upgrade to the 4.54.6-1 version. I didn't do it via RPM, I did it via the script from MailScanner (if I remember correctly). Thanks for the response, James On Thu, 2006-08-03 at 01:40 -0400, ajos1@onion.demon.co.uk wrote: > - > > How long ago was your previous update? > > I do ALL the STABLE updates... from RPM... and my spamassassin.prefs.conf is dated: > > -rw-r--r-- 1 root root 11023 May 8 14:53 spam.assassin.prefs.conf > > (There is no RPMNEW)... so I am assuming May 8 is the latest version to have? > > >> > >> I upgraded our MS last week and noticed that a new spam.assassin.prefs.conf.rpmnew file was created. When I compare it to my old one, it is quite different. As long as I ensure that any settings in the old one are in the new one, can't I replace the old one with the new? Is there a reason I should/should not do this?
> >> > > == > ===================================================================== > = > = When Ms Jowell, whose department is responsible for sport, was > = asked who she thought was going to win the cup, she gleefully > = pointed towards her ministerial vehicle, which is now bedecked in > = flags, to declare: "There's only one England." > = > = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL... > = Call... +44 8457 90 90 90 http://www.samaritans.org/ > = > ===================================================================== From steve.swaney at fsl.com Thu Aug 3 16:23:46 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Thu Aug 3 16:21:54 2006 Subject: Spamassassin Timeouts In-Reply-To: <1154615949.5548.1.camel@doit-b8wsw21.grand-rapids.mi.us> Message-ID: <006b01c6b710$d0657e70$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Golden, James > Sent: Thursday, August 03, 2006 10:39 AM > To: MailScanner discussion > Subject: Spamassassin Timeouts > > I received this info from Logwatch, but I am not sure if it is something I > should be concerned about. Would anyone else be kind enough to fill me > in? And what to do about it if it is not an OK thing?
> > MailScanner Status: > 21351 messages Scanned by MailScanner > 968.5 Total MB > 13531 Spam messages detected by MailScanner > 13531 Spam messages with action(s) store > 902 hits from MailScanner SpamAssassin cache > 6 Viruses found by MailScanner > 4 Banned attachments found by MailScanner > 967 Content Problems found by MailScanner > 7778 Messages delivered by MailScanner > > 61 SpamAssassin timeout(s > > Thanks, > > James You should be concerned because probably some spam is getting through and MailScanner processing is taking longer than it should. SpamAssassin time outs most often occur because the SpamAssassin network tests are taking too long or never completing. Check your DNS lookup speed and the health of your network in general. Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From ka at pacific.net Thu Aug 3 16:25:45 2006 From: ka at pacific.net (Ken A) Date: Thu Aug 3 16:24:54 2006 Subject: Inline image havoc In-Reply-To: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> References: <44D0F5E5.7FBE.00FC.3@medicine.wisc.edu> Message-ID: <44D21579.3050601@pacific.net> Try this: full LOCAL_IMAGE_07312006 /QKAAQMAAQOAAQAA/ describe LOCAL_IMAGE_07312006 spam image score LOCAL_IMAGE_07312006 10.0 It's nabbed all of them here, but it's entirely dependent on the content of the image, so ymmv. The image analysis consists of copying the base64 parts from 4 spams to 4 files, then doing 'cat 1 2 3 4 | sort' and look for repeat lines. I expect the image will change at about 5pm tomorrow... just before I go home for the weekend. Ken A. Pacific.Net Michael Masse wrote: > I apologize because this is more of a SA related question, but I was > curious if anyone running a busy Mailscanner is also running any of the > various SA pluggins that do OCR checking to defeat inline image spam? > Do they work? How much extra load on the server have you noticed? > Is there any pluggin that seems better overall? 
Seems as of late, the > only spam that ever gets through is the inline image stuff and just > recently we are getting bombarded with the junk.... It's bad enough > that pine looks like a good option again..... > > > Mike > From dstraka at caspercollege.edu Thu Aug 3 16:39:49 2006 From: dstraka at caspercollege.edu (Daniel Straka) Date: Thu Aug 3 16:40:36 2006 Subject: Logwatch MailScanner Status Missing Message-ID: <44D1C465.61A4.0000.0@caspercollege.edu> I recently installed a new MailScanner machine with SUSE Enterprise 10 and sendmail, I was previously on RedHat 7.3. MailScanner seems to be working fine, but Logwatch does not display a MailScanner Status section as it did with Redhat. Also SUSE has several mail log files (mail, mail.info, mail.err, mail.warn) whereas Redhat had only the file "maillog". Logwatch doesn't seem to recognize any of these. Can anyone guide with how to get Logwatch to report the MailScanner Status section for me on this system? Thanks..Dan -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jgolden at ci.grand-rapids.mi.us Thu Aug 3 16:51:12 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Thu Aug 3 16:51:18 2006 Subject: [Fwd: RE: Spamassassin Timeouts] Message-ID: <1154620273.6014.1.camel@doit-b8wsw21.grand-rapids.mi.us> Thanks for that. I am thinking it may be more of a hardware issue. 
My digs were quick Worst: real 0m0.324s user 0m0.010s sys 0m0.020s Best: real 0m0.090s user 0m0.020s sys 0m0.000s When I looked at top though I find this is typical: 11:47:08 up 8 days, 8:27, 1 user, load average: 7.78, 6.86, 6.88 102 processes: 94 sleeping, 4 running, 4 zombie, 0 stopped CPU states: cpu user nice system irq softirq iowait idle total 131.8% 0.0% 31.4% 0.0% 0.0% 0.0% 36.4% cpu00 55.7% 0.0% 15.6% 0.0% 0.0% 0.0% 28.5% cpu01 76.1% 0.0% 15.8% 0.0% 0.0% 0.0% 8.0% Mem: 2068248k av, 1857084k used, 211164k free, 0k shrd, 291000k buff 896772k active, 775948k inactive Swap: 1020088k av, 158976k used, 861112k free 616232k cached Any recommendations? Should I cut back on some network tests? I have been very happy with the setup lately as it has been catching a LOT more spam that it was a week ago. I have 8 Mailscanner processes allowed to run at a time Thanks, James > From: Stephen Swaney > Reply-To: MailScanner discussion > To: 'MailScanner discussion' > Subject: RE: Spamassassin Timeouts > Date: Thu, 3 Aug 2006 11:23:46 -0400 > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Golden, James > > Sent: Thursday, August 03, 2006 10:39 AM > > To: MailScanner discussion > > Subject: Spamassassin Timeouts > > > > I received this info from Logwatch, but I am not sure if it is something I > > should be concerned about. Would anyone else be kind enough to fill me > > in? And what to do about it if it is not an OK thing? 
> > > > MailScanner Status: > > 21351 messages Scanned by MailScanner > > 968.5 Total MB > > 13531 Spam messages detected by MailScanner > > 13531 Spam messages with action(s) store > > 902 hits from MailScanner SpamAssassin cache > > 6 Viruses found by MailScanner > > 4 Banned attachments found by MailScanner > > 967 Content Problems found by MailScanner > > 7778 Messages delivered by MailScanner > > > > 61 SpamAssassin timeout(s > > > > Thanks, > > > > James > > You should be concerned because probably some spam is getting through and > MailScanner processing is taking longer than it should. > > SpamAssassin time outs most often occur because the SpamAssassin network > tests are taking too long or never completing. Check your DNS lookup speed > and the health of your network in general. > > Steve > > Stephen Swaney > Fort Systems Ltd. > stephen.swaney@fsl.com > www.fsl.com > From jaearick at colby.edu Thu Aug 3 17:15:12 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Thu Aug 3 17:21:23 2006 Subject: SA rules_du_jour lint bug: FOUND Message-ID: Gang, I upgraded to SA 3.1.4 last night, and continued to be plagued by lint failures in the rules_du_jour script, like so: /opt/perl5/bin/spamassassin -p /opt/MailScanner/etc/spam.assassin.prefs.conf --lint [27791] warn: config: SpamAssassin failed to parse line, "/var/spool/spamassassin" is not valid for "bayes_path", skipping: bayes_path /var/spool/spamassassin I had this problem in earlier versions of SA, but had worked around it by having a different spam.assassin.prefs.conf with no bayes_path entry. This hack quit working with 3.1.4. I found where the problem is in the SpamAssassin code.
The following diff to [perlpath]/5.8.8/Mail/SpamAssassin/Conf.pm "fixes" the problem: *** Conf.pm.orig Thu Aug 3 11:49:37 2006 --- Conf.pm.new Thu Aug 3 12:04:24 2006 *************** *** 2239,2246 **** unless (defined $value && $value !~ /^$/) { return $MISSING_REQUIRED_VALUE; } ! if (-d $value) { ! return $INVALID_VALUE; } $self->{bayes_path} = $value; } --- 2239,2246 ---- unless (defined $value && $value !~ /^$/) { return $MISSING_REQUIRED_VALUE; } ! if (-f $value) { ! return $INVALID_VALUE; } $self->{bayes_path} = $value; } I know this isn't quite right, since the test should be "if NOT a directory, return INVALID_VALUE". But the code: if ( ! -d $value) didn't work correctly. Anyway, this clearly seems to be a bug in SpamAssassin. Since I'm not a subscriber to SpamAssassin-dev, would somebody else (Raymond?) care to post this bug to the SA developers? Jeff Earickson Colby College From mkettler at evi-inc.com Thu Aug 3 17:57:10 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Aug 3 17:57:31 2006 Subject: SA rules_du_jour lint bug: FOUND In-Reply-To: References: Message-ID: <44D22AE6.4020709@evi-inc.com> Jeff A. Earickson wrote: > Gang, > > I upgraded to SA 3.1.4 last night, and continued to be plagued by > lint failures in the rules_du_jour script, like so: > > /opt/perl5/bin/spamassassin -p > /opt/MailScanner/etc/spam.assassin.prefs.conf --lint > [27791] warn: config: SpamAssassin failed to parse line, > "/var/spool/spamassassin" is not valid for "bayes_path", skipping: > bayes_path /var/spool/spamassassin > > I had this problem in earlier versions of SA, but had worked around > > I know this isn't quite right, since the test should be "if NOT a > directory, return INVALID_VALUE". But the code: NO! It should be IF a directory, return invalid. It is NOT valid to specify a directory as a bayes path, because bayes_path is not just a path. It's a path plus partial filename! 
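Review bot: replacing -d with -f in the bayes_path setter (the "!" lines at 2242) removes the rejection of the one value this check exists to catch. With "if (-f $value)", a directory such as the "/var/spool/spamassassin" named in the lint warning is accepted and stored in $self->{bayes_path}, while a value that happens to name an existing regular file is now refused. Keep the original -d test and resolve the lint failure in spam.assassin.prefs.conf instead, by giving bayes_path a directory plus filename prefix rather than a bare directory.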
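The rule stated in the reply above (bayes_path is a directory plus a partial filename, so a value naming an existing directory is invalid) can be checked before running the lint. This is an added example, not code from the thread, from SpamAssassin or from MailScanner; the function names, the result words and the constructed prefs files are assumptions made for illustration, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: pre-flight check of the bayes_path setting in a SpamAssassin
# prefs file, mirroring the Conf.pm test quoted in the thread (a value that is
# an existing directory is rejected).

# Print the effective bayes_path value: comment lines are ignored and the
# last uncommented setting wins.
get_bayes_path() {
    awk '
        /^[ \t]*#/         { next }         # skip commented-out settings
        $1 == "bayes_path" { val = $2 }     # remember the most recent value
        END                { if (val != "") print val }
    ' "$1"
}

# Classify the setting in prefs file $1. Prints one word and returns:
#   0 ok         directory part exists, value is directory + filename prefix
#   1 unset      no active bayes_path line
#   2 is-dir     value names a directory (the case the lint warning reports)
#   3 no-parent  directory part of the value does not exist
check_bayes_path() {
    value=$(get_bayes_path "$1")
    if [ -z "$value" ]; then echo unset; return 1; fi
    if [ -d "$value" ]; then echo is-dir; return 2; fi
    parent=$(dirname "$value")
    if [ ! -d "$parent" ]; then echo no-parent; return 3; fi
    echo ok
    return 0
}

# Demo on constructed prefs files in a scratch directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/bayes"
    # Bare directory, as in the failing configuration from the thread.
    printf 'bayes_path %s\n' "$tmp/bayes" > "$tmp/bad.conf"
    # Directory plus filename prefix, with the stock line left commented out.
    printf '#bayes_path /etc/MailScanner/bayes/bayes\nbayes_path %s\n' \
        "$tmp/bayes/bayes" > "$tmp/good.conf"
    for f in bad.conf good.conf; do
        printf '%s: %s\n' "$f" "$(check_bayes_path "$tmp/$f")"
    done
    rm -rf "$tmp"
}
demo
```
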
From jaearick at colby.edu Thu Aug 3 18:54:03 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Thu Aug 3 19:04:51 2006 Subject: SA rules_du_jour lint bug: FOUND In-Reply-To: <44D22AE6.4020709@evi-inc.com> References: <44D22AE6.4020709@evi-inc.com> Message-ID: Matt, Doh!! Thanks for pointing this out, I had always thought that bayes_path was a directory name, not some strange combo of directory + file prepend. I fixed my spam.assassin.prefs.conf, reverted to the original SA Conf.pm, everything works with Rules_du_jour again. Julian, Could you please modify the spam.assassin.prefs.conf to include the following useful comments (diff -c format)? *************** *** 83,89 **** --- 83,96 ---- # FSL Note: we need to coordinate the Bayes File Placement # With MailWatch + # bayes_path should NOT be directory! + # The Rules_du_jour script will choke if it is a directory. + # It needs to be a full pathname, PLUS a partial filename. + # In this example, the trailing "bayes" will be the "bayes*" + # files in the directory "/etc/MailScanner/bayes/" + # Thanks to Matt Kettler for pointing this out. #bayes_path /etc/MailScanner/bayes/bayes + # This is actually used as a mask, not a raw chmod setting. # Thanks for Matt Kettler for spotting this one. # Commented out: this if for MailWatch and Exim/Postfix users only. Jeff Earickson Colby College On Thu, 3 Aug 2006, Matt Kettler wrote: > Date: Thu, 03 Aug 2006 12:57:10 -0400 > From: Matt Kettler > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: SA rules_du_jour lint bug: FOUND > > Jeff A. 
Earickson wrote: >> Gang, >> >> I upgraded to SA 3.1.4 last night, and continued to be plagued by >> lint failures in the rules_du_jour script, like so: >> >> /opt/perl5/bin/spamassassin -p >> /opt/MailScanner/etc/spam.assassin.prefs.conf --lint >> [27791] warn: config: SpamAssassin failed to parse line, >> "/var/spool/spamassassin" is not valid for "bayes_path", skipping: >> bayes_path /var/spool/spamassassin >> >> I had this problem in earlier versions of SA, but had worked around > > >> >> I know this isn't quite right, since the test should be "if NOT a >> directory, return INVALID_VALUE". But the code: > > NO! It should be IF a directory, return invalid. It is NOT valid to specify a > directory as a bayes path, because bayes_path is not just a path. It's a path > plus partial filename! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From bpumphrey at WoodMacLaw.com Thu Aug 3 19:05:21 2006 From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey) Date: Thu Aug 3 19:05:27 2006 Subject: blocking out-of-office In-Reply-To: Message-ID: <04D932B0071FE34FA63EBB1977B48D15017B3F6C@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Chris Green > Sent: Thursday, August 03, 2006 1:34 AM > To: mailscanner@lists.mailscanner.info > Subject: RE: blocking out-of-office > > >At 11:49 AM 8/2/2006, you wrote: > > > >>My employees report that when they have the out of office turned on they > >>receive more spam..... > > > > > >I don't know how the two are related. Most spam I see doesn't have a > valid > >reply address. > > > >My suggestion is to use a *nix based autoresponder. Have it only reply to > >addresses in your address book. 
Or better yet, ditch the autoresponder. > > > Spam comes in and gets through filter > Out Of Office AutoReply goes out > Boiiiing! - NDR arrives in inbox > Therefore spam, in the implied sense of the word, would double. > > It pollutes auto-whitelists too, but doesn't usually expose you to more > spam > due because bogus addresses are unlikely to be reused. > > Makes sense. I also assume that Outlook 2003's client side filter sends out a Out of Office response to the filtered spam that ends up in the junk mail folder. True? From jase at sensis.com Thu Aug 3 19:09:32 2006 From: jase at sensis.com (Desai, Jason) Date: Thu Aug 3 19:09:59 2006 Subject: blocking out-of-office Message-ID: <1951DC816E1A9F469307B05FA183F43852206B@corpatsmail1.corp.sensis.com> mailscanner-bounces@lists.mailscanner.info wrote: SHA1 wrote: > Hi, > > Julian Field wrote on 2-8-2006 10:00: >> Read the comments above the "Remove These Headers" option. >> >> # If any of these headers are included in a a message, they will be >> deleted. # This is very useful for removing return-receipt requests >> and any headers # which mean special things to your email client >> application. > > This helps only when the sender asks for a DSN. This does not help > when the recipient has configured to send an out of office to every > message he receives. Peter, I have recently implemented something similar. Management wanted to allow only some people to send out of office messages over the internet. Since our MailScanner box is inline, I wrote a custom function for the Is Definitely MCP option. It's not a complex function. I am waiting to hear back from management to see if I can post it here. Jase From Jan-Peter.Koopmann at seceidos.de Thu Aug 3 19:44:37 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Thu Aug 3 19:45:03 2006 Subject: ClamAV on FreeBSD - ports or Perl module? 
In-Reply-To: Message-ID: On Thursday, August 03, 2006 9:29 AM Adri Koppes wrote: > I have been using p5-Mail-ClamAV 0.30 with the standard perl 5.8.6 on > FreeBSD 5.4 without any problems for over 1 year now. Good to know! I will try to switch to Mail-ClamAV the next days (today just was not possible as was the new port). If that works out as well (which it will) I will remove the warning from p5-Mail-ClamAV. Thanks! From Jan-Peter.Koopmann at seceidos.de Thu Aug 3 19:46:35 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Thu Aug 3 19:46:58 2006 Subject: Manpages / FreeBSD In-Reply-To: Message-ID: On Thursday, August 03, 2006 9:24 AM Adri Koppes wrote: > I promise not to kill you. :-) I will take your word for it! :-) > ManPages are nice to have on the system, but I think I can live > without them if need be. > Perhaps a compromise, where you install small and simple ManPages, > which tell you to visit the web for more detailed and advanced > information? These would only have to written once and never updated > anymore. Sounds like a good solution to me. I will need to adjust the port a bit due to several files not being in there anymore. Therefore it will be a few days before I can release the new version. Moreover I will have to look through the web documentation and see if there are FreeBSD specific things that I need to point out in the man pages or need to be ajusted on the web. Regards, JP From Jan-Peter.Koopmann at seceidos.de Thu Aug 3 19:56:07 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Thu Aug 3 19:56:26 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> Message-ID: On Thursday, August 03, 2006 9:55 AM Glenn Steen wrote: > The sane solution is to not allow OoO, Which is easily done in Exchange itself. You can configure it to only send OOO within your Exchange installation but not send it out via SMTP. 
> and encourage your user to use > other measures (like "mailbox delegations" etc). Unfortunately PHBs > are rarely sane...:-) And there are situations where you need OOO. We are still developing a small script fetching the OOO status from Exchange and feeding it to a small exim autoresponder. At least that one is configurable and will not send mails back to mailing lists, bulk mail etc. And if your spam detection is good enough OOO will not be a problem for you I suppose. Regards, JP From mailscanner at yeticomputers.com Thu Aug 3 20:06:38 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Aug 3 20:06:48 2006 Subject: blocking out-of-office In-Reply-To: References: Message-ID: <44D2493E.1080209@yeticomputers.com> Koopmann, Jan-Peter wrote: > And there are situations where you need OOO. We are still developing a small script fetching the OOO status from Exchange and feeding it to a small exim autoresponder. At least that one is configurable and will not send mails back to mailing lists, bulk mail etc. And if your spam detection is good enough OOO will not be a problem for you I suppose. I'm curious as to some of the situations you believe need OoO. I can't think of any that wouldn't be better handled by a different solution. Of course, "better" is subjective, so I might have considered the situations you're referring to and felt differently. Still, can you give me an idea of what you're thinking? Rick From Jan-Peter.Koopmann at seceidos.de Thu Aug 3 20:14:53 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Thu Aug 3 20:15:26 2006 Subject: blocking out-of-office In-Reply-To: <44D2493E.1080209@yeticomputers.com> Message-ID: On Thursday, August 03, 2006 9:07 PM Rick Chadderdon wrote: > I'm curious as to some of the situations you believe need OoO. I > can't think of any that wouldn't be better handled by a different > solution. 
Of course, "better" is subjective, so I might have > considered the situations you're referring to and felt differently. > Still, can you give me an idea of what you're thinking? I tend to get private and business mail in one mailbox. Therefore I cannot simply forward all my mail to a collegue or give him/her access to it. Maybe there is not even a collegue so things simply have to wait a week but I want to let the client/customer/friend know. Etc. From campbell at cnpapers.com Thu Aug 3 20:33:40 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Aug 3 20:33:54 2006 Subject: blocking out-of-office References: Message-ID: <000801c6b733$b9845370$0705000a@DDF5DW71> ----- Original Message ----- From: "Koopmann, Jan-Peter" To: "MailScanner discussion" Sent: Thursday, August 03, 2006 3:14 PM Subject: RE: blocking out-of-office > On Thursday, August 03, 2006 9:07 PM Rick Chadderdon wrote: > >> I'm curious as to some of the situations you believe need OoO. I >> can't think of any that wouldn't be better handled by a different >> solution. Of course, "better" is subjective, so I might have >> considered the situations you're referring to and felt differently. >> Still, can you give me an idea of what you're thinking? > > I tend to get private and business mail in one mailbox. Therefore I cannot > simply forward all my mail to a collegue or give him/her access to it. > Maybe there is not even a collegue so things simply have to wait a week > but I want to let the client/customer/friend know. Etc. I'm fighting this with some of our salespeople. They want it and insist on doing it, regardless of the reasons I give them for not doing it. Some just want mail forwarded to another salesperson. I feel, though, that it would be more polite to their customers, to set up a group of contacts, business and personal, for them to notify of their absence. They could also mention a temporary contact during their absence. (Personal email would not require this). 
This accomplishes two things: The account does not find out after sending email that their salesperson is gone, and It reminds the account that there is a company with staff that is thinking of them (good will type stuff). Of course, all of this means the salesperson must do a little extra work in creating and maintaining the lists, which they say is too much work for them. By using a personalized mailman list, this could appear even more thoughtful as the contact could be addressed directly. Just my two cents worth - I haven't been able to convince anyone to do this yet here. Steve Campbell campbell@cnpapers.com Charleston Newspapers > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From jethro.binks at strath.ac.uk Thu Aug 3 20:34:04 2006 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Thu Aug 3 20:34:07 2006 Subject: blocking out-of-office In-Reply-To: References: Message-ID: <20060803202427.S10038@defjam.cc.strath.ac.uk> On Thu, 3 Aug 2006, Koopmann, Jan-Peter wrote: > On Thursday, August 03, 2006 9:07 PM Rick Chadderdon wrote: > > > I'm curious as to some of the situations you believe need OoO. I > > can't think of any that wouldn't be better handled by a different > > solution. Of course, "better" is subjective, so I might have > > considered the situations you're referring to and felt differently. > > Still, can you give me an idea of what you're thinking? > > I tend to get private and business mail in one mailbox. Therefore I > cannot simply forward all my mail to a collegue or give him/her access > to it. Maybe there is not even a collegue so things simply have to wait > a week but I want to let the client/customer/friend know. Etc. This is quite common. 
We have legal reasons for requiring OoO; for example, the Freedom of Information Act in England and Wales considers a request sent by email to be 'received' by a public authority unless the sender hears otherwise (by way of a bounce or OoO). If you're away for two or three weeks and hence don't respond to the request within the prescribed time, and the sender has no reason to believe the request has not been received (no OoO), then the public authority has failed in the obligations the Act places upon it. But likewise I don't like the lack of controllability that Exchange (which is used internally) offers for OoO. I have implemented autoresponse systems in Exim with extreme measures so that it won't respond to, generically, 'stuff that it shouldn't respond to', so far as that is possible. I can't do a fraction of that stuff with Exchange, so it will willy-nilly send mail out in response to practically any old tat it receives. You can mitigate things by having delegated access to mailboxes, of course, but that all gets rather sticky where personal mail may be present (or there is no-one appropriate to delegate to, or whether mailbox contents really confidential to their owner, or there is no-one available to authorise delegation, or whatever). Saying "personal mail is not permitted" isn't good enough unfortunately; regardless of whether it should be there or not, if it is there, it needs to be treated with respect. (Because of all this, I have been writing guidelines for our users in this area; how they should use OoOs, recommendations how they should handle personal mail, and so on). Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From mailscanner at yeticomputers.com Thu Aug 3 21:05:24 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Aug 3 21:05:35 2006 Subject: blocking out-of-office In-Reply-To: References: Message-ID: <44D25704.3050300@yeticomputers.com> Koopmann, Jan-Peter wrote: > On Thursday, August 03, 2006 9:07 PM Rick Chadderdon wrote: > > >> ...can you give me an idea of what you're thinking? >> > > I tend to get private and business mail in one mailbox. Therefore I cannot simply forward all my mail to a collegue or give him/her access to it. Maybe there is not even a collegue so things simply have to wait a week but I want to let the client/customer/friend know. Etc. Thanks for the reply. I'd handle it differently (and a lot less conveniently), but I can see now where you're coming from. It's just that my hatred of OoO messages is so great that I'll do pretty much anything to avoid using them (or allowing them to be used.) A few months ago, one of my users set up his email client to autoreply with a nice message, sent a test message to himself from the /same account/ and left for vacation without bothering to check the results of his test. Moments later, my mail log started scrolling madly... (sigh) Of course, this is far from the first time that such antics have caused me pain. Did I mention that I despise OoO messages? Rick From mailscanner at yeticomputers.com Thu Aug 3 21:17:22 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Aug 3 21:17:38 2006 Subject: blocking out-of-office In-Reply-To: <20060803202427.S10038@defjam.cc.strath.ac.uk> References: <20060803202427.S10038@defjam.cc.strath.ac.uk> Message-ID: <44D259D2.6080009@yeticomputers.com> Jethro R Binks wrote: > Saying "personal mail is not > permitted" isn't good enough unfortunately; regardless of whether it > should be there or not, if it is there, it needs to be treated with > respect. 
You think so? I strongly disagree. If someone abuses a system (and knowingly using it outside of the standards established *is* abuse) then their conduct in no way deserves respect. I'm far too cynical to believe that anyone claiming not to know the rules is being truthful. If I loaned someone my car with the condition "smoking is not permitted" and they *did* smoke... Grrrr. I'd not respect that decision, either. I suppose that if there is no set policy I might make an allowance, but really... who nowadays doesn't know that a corporate account should not be used for personal communication? Rick From ugob at camo-route.com Thu Aug 3 21:33:18 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 3 21:33:49 2006 Subject: chinese-language email In-Reply-To: References: Message-ID: Adri Koppes wrote: >> Ok, but from what I've seen, the default is en, so we're all >> using it. >> This doesn't really answer my question... What I meant is >> that CHARSET and FARAWAY rules helps us catch some spam from >> foreign countries. If I get a few false positives for >> chinese e-mails and I put chinese in ok_locales and >> ok_languages, my catch rate for chinese spam will we lower >> right? Most of our traffic is english and french. > > Ugo, > > I know, Jules put the default for english only in spam.preferences.conf. > This means any non-english message will get an extra 2 or 3 points added > to the SA score. > When you add the chinese language, it will no longer add the extra score > to these messages, so yes, the catch rate for chinese spam will be > lower. > If most of your traffic is english and french, I'd suggest using 'en fr' > for ok_languages. Thanks, I really appreciate your answer. Regards, Ugo From ssilva at sgvwater.com Thu Aug 3 21:38:38 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 3 21:39:04 2006 Subject: MCP Speed... 
In-Reply-To: <1154589190.14071.3.camel@jakes.synaq.com> References: <1154589190.14071.3.camel@jakes.synaq.com> Message-ID: David Jacobson spake the following on 8/3/2006 12:13 AM: > Hi Gents, > > I wonder if you can help with a small problem regarding MCP speeds. > > We maintain a number of MailScanner servers for a customer which > processes about a million e-mails a month. > > The client has requested that we check for certain keywords +/- 20 and > send them through to an address. > > We've implemented this for them, but it adds an extreme load on the > servers. I've had a close look at the MCP spam.assassin.prefs.conf and > even though it disabled Razor / Pyzor / DCC etc I still believe it's > doing way too many checks than required for pure keyword analysis. > > It appears to load all the plugins when doing a spamassassin - > p /etc/MailScanner/mcp/mcp.spam.assassin.prefs.conf such as SPF, AWL, > etc etc all from v310.pre, can someone tell me how I can disable the MCP > prefs from using this? > > I still obviously want to keep the plugins so I can't remove them from > v310.pre > > Any advise would be appreciated... > Maybe a custom function would work here? Might be a lot lighter. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From jethro.binks at strath.ac.uk Thu Aug 3 21:43:35 2006 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Thu Aug 3 21:43:40 2006 Subject: blocking out-of-office In-Reply-To: <44D259D2.6080009@yeticomputers.com> References: <20060803202427.S10038@defjam.cc.strath.ac.uk> <44D259D2.6080009@yeticomputers.com> Message-ID: <20060803213821.W10038@defjam.cc.strath.ac.uk> On Thu, 3 Aug 2006, Rick Chadderdon wrote: > Jethro R Binks wrote: > > Saying "personal mail is not > > permitted" isn't good enough unfortunately; regardless of whether it > > should be there or not, if it is there, it needs to be treated with > > respect. > You think so? I strongly disagree. 
You can disagree all you like, but that's essentially what legislation says we must do (Human Rights Act, and the European legislation from which it derives). > who nowadays doesn't know that a corporate account should not be used > for personal communication? The people who have not been told that it shouldn't be used for such, and the people who have been told that it may be used for such. And speaking personally, I find such rules oppressive and offensive. One's personal life doesn't end when one walks through the office door. This is the real world. There are, of course, reasonable limits on how far 'personal use' should extend. Most sane employers got over their hangup about use of telephones for personal use years ago, and set out the circumstances under which it may occur. Email is little different. It's about treating employees as human beings, not automatons. As long as the corporate policies and procedures are in place, and everyone is well aware of the guidelines and boundaries, then there is little to fear. Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From ssilva at sgvwater.com Thu Aug 3 21:41:20 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 3 21:45:24 2006 Subject: SpamAssassin MailScanner Problem In-Reply-To: <200608031051.k73AplgA012739@bkserver.blacknight.ie> References: <200608031051.k73AplgA012739@bkserver.blacknight.ie> Message-ID: Nasvhobh Magotra spake the following on 8/3/2006 3:51 AM: > Hi all Members > > > > I have configured a qmail server with openprotect-5.0.4 that contains > mailscanner ,spamassassin and clamav as default scanners on a debian > sarge system. The installation went smoothly. But I have a peculiar > problem. The clamav scanning is working perfectly but spamassassin is > not. I have checked Mailscanner.conf and it is perfectly fine. 
> Since Openprotect is a custom project BASED on MailScanner, their list might be a better place to look. They seem to have stopped development, at least of the free version, as it seems to be behind a few versions. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Aug 3 21:47:46 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 3 21:50:18 2006 Subject: SA rules_du_jour lint bug: FOUND In-Reply-To: References: Message-ID: Jeff A. Earickson spake the following on 8/3/2006 9:15 AM: > Gang, > > I upgraded to SA 3.1.4 last night, and continued to be plagued by > lint failures in the rules_du_jour script, like so: > > /opt/perl5/bin/spamassassin -p > /opt/MailScanner/etc/spam.assassin.prefs.conf --lint > [27791] warn: config: SpamAssassin failed to parse line, > "/var/spool/spamassassin" is not valid for "bayes_path", skipping: > bayes_path /var/spool/spamassassin But that is not a valid bayes path. It would be something like var/spool/spamassassin/bayes where the directory of /var/spool/spamassassin/ had files like; bayes_journal bayes_seen bayes_toks Notice all the files start with the last part of the bayes_path statement. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Aug 3 23:19:45 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 3 23:20:05 2006 Subject: blocking out-of-office In-Reply-To: <20060803202427.S10038@defjam.cc.strath.ac.uk> References: <20060803202427.S10038@defjam.cc.strath.ac.uk> Message-ID: Jethro R Binks spake the following on 8/3/2006 12:34 PM: > On Thu, 3 Aug 2006, Koopmann, Jan-Peter wrote: > >> On Thursday, August 03, 2006 9:07 PM Rick Chadderdon wrote: >> >>> I'm curious as to some of the situations you believe need OoO. I >>> can't think of any that wouldn't be better handled by a different >>> solution. 
Of course, "better" is subjective, so I might have >>> considered the situations you're referring to and felt differently. >>> Still, can you give me an idea of what you're thinking? >> I tend to get private and business mail in one mailbox. Therefore I >> cannot simply forward all my mail to a collegue or give him/her access >> to it. Maybe there is not even a collegue so things simply have to wait >> a week but I want to let the client/customer/friend know. Etc. > > This is quite common. > > We have legal reasons for requiring OoO; for example, the Freedom of > Information Act in England and Wales considers a request sent by email to > be 'received' by a public authority unless the sender hears otherwise (by > way of a bounce or OoO). If you're away for two or three weeks and hence > don't respond to the request within the prescribed time, and the sender > has no reason to believe the request has not been received (no OoO), then > the public authority has failed in the obligations the Act places upon it. > > But likewise I don't like the lack of controllability that Exchange (which > is used internally) offers for OoO. I have implemented autoresponse > systems in Exim with extreme measures so that it won't respond to, > generically, 'stuff that it shouldn't respond to', so far as that is > possible. I can't do a fraction of that stuff with Exchange, so it will > willy-nilly send mail out in response to practically any old tat it > receives. > > You can mitigate things by having delegated access to mailboxes, of > course, but that all gets rather sticky where personal mail may be present > (or there is no-one appropriate to delegate to, or whether mailbox > contents really confidential to their owner, or there is no-one available > to authorise delegation, or whatever). Saying "personal mail is not > permitted" isn't good enough unfortunately; regardless of whether it > should be there or not, if it is there, it needs to be treated with > respect. 
Personal mail is a loaded subject. What if a business contact hears about some event in your life and sends a congratulation/condolence? That now is a personal e-mail, even though it is a business contact. And having a system that responds to business contacts from a list would fail here. So I agree with your thoughts on the respect issue.

>
> (Because of all this, I have been writing guidelines for our users in this
> area; how they should use OoOs, recommendations how they should handle
> personal mail, and so on).
>
> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services
> University Of Strathclyde, Glasgow, UK

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From marcel-ml at irc-addicts.de Thu Aug 3 23:48:41 2006
From: marcel-ml at irc-addicts.de (Marcel Blenkers)
Date: Thu Aug 3 23:49:16 2006
Subject: Spamassassin Timeouts
In-Reply-To: <1154615949.5548.1.camel@doit-b8wsw21.grand-rapids.mi.us>
References: <1154615949.5548.1.camel@doit-b8wsw21.grand-rapids.mi.us>
Message-ID:

Hi there,

On Thu, 3 Aug 2006, Golden, James wrote:

> I received this info from Logwatch, but I am not sure if it is something
> I should be concerned about. Would anyone else be kind enough to fill
> me in? And what to do about it if it is not an OK thing?
>
> MailScanner Status:
> 21351 messages Scanned by MailScanner
> 968.5 Total MB
> 13531 Spam messages detected by MailScanner
> 13531 Spam messages with action(s) store
> 902 hits from MailScanner SpamAssassin cache
> 6 Viruses found by MailScanner
> 4 Banned attachments found by MailScanner
> 967 Content Problems found by MailScanner
> 7778 Messages delivered by MailScanner
>
> 61 SpamAssassin timeout(s
>
> Thanks,
>
> James
>

i also had those problems.
A lot of timeouts with spamassassin.

What worked for me (and please do not laugh) i setup a cronjob, which does
the following every 4 hours..

/usr/bin/sa-learn --force-expire --sync

and now there are no timeouts anymore and everything works just fine..

if there is another way to handle this problem..let me know =)

Marcel

From jon.bates at summitmotors.com.au Fri Aug 4 01:08:40 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Fri Aug 4 01:08:57 2006
Subject: Blocking attachments - Stopping sneaky employees
Message-ID: <006f01c6b75a$240dc660$5864a8c0@jonlaptop>

I've got all audio and video type files being quarantined on my servers. Some users are now getting smart to the fact that they can simply change the extension on the file to bypass this system.

Is there some way to filter attachments based on the attachment mime type or something? I've done a few hours searching and I haven't come up with a suitable answer.

Any guidance would be appreciated!

From res at ausics.net Fri Aug 4 01:22:44 2006
From: res at ausics.net (Res)
Date: Fri Aug 4 01:22:52 2006
Subject: blocking out-of-office
In-Reply-To:
References:
Message-ID:

On Thu, 3 Aug 2006, Koopmann, Jan-Peter wrote:

> On Thursday, August 03, 2006 9:55 AM Glenn Steen wrote:
>
>> The sane solution is to not allow OoO,
>
> Which is easily done in Exchange itself. You can configure it to only send OOO within your Exchange installation but not send it out via SMTP.

Part of the problem is most will ignore and not send OoO's to those marked as
Precedence: junk bulk
However many lists, including this one use list, which is not AFAIK a default
searched for item, hence mailman is not telling the receiving server to ignore
it, mind you, not that i've seen many exchange servers correctly setup to
ignore bulk/junk anyway :)

--
Cheers
Res

From brent.addis at pronet.co.nz Fri Aug 4 01:24:37 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Fri Aug 4 01:25:29 2006
Subject: Blocking attachments - Stopping sneaky employees
In-Reply-To: <006f01c6b75a$240dc660$5864a8c0@jonlaptop>
References: <006f01c6b75a$240dc660$5864a8c0@jonlaptop>
Message-ID: <44D293C5.904@pronet.co.nz>

Use the file command. do a search for #file in your MailScanner.conf

Jon Bates wrote:
>
> I've got all audio and video type files being quarantined on my
> servers. Some users are now getting smart to the fact that they can
> simply change the extension on the file to bypass this system.
>
> Is there some way to filter attachments based on the attachment mime
> type or something? I've done a few hours searching and I haven't come
> up with a suitable answer.
>
> Any guidance would be appreciated!

From res at ausics.net Fri Aug 4 01:27:50 2006
From: res at ausics.net (Res)
Date: Fri Aug 4 01:27:58 2006
Subject: Blocking attachments - Stopping sneaky employees
In-Reply-To: <006f01c6b75a$240dc660$5864a8c0@jonlaptop>
References: <006f01c6b75a$240dc660$5864a8c0@jonlaptop>
Message-ID:

Jon,

On Fri, 4 Aug 2006, Jon Bates wrote:

>
> I've got all audio and video type files being quarantined on my servers.
> Some users are now getting smart to the fact that they can simply change the
> extension on the file to bypass this system.
>
> Is there some way to filter attachments based on the attachment mime type or
> something? I've done a few hours searching and I haven't come up with a
> suitable answer.

This is already in MailScanner.conf

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
File Command = /usr/bin/file

>
> Any guidance would be appreciated!
>

--
Cheers
Res

From dhawal at netmagicsolutions.com Fri Aug 4 01:28:24 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Aug 4 01:28:39 2006
Subject: Blocking attachments - Stopping sneaky employees
In-Reply-To: <006f01c6b75a$240dc660$5864a8c0@jonlaptop>
References: <006f01c6b75a$240dc660$5864a8c0@jonlaptop>
Message-ID: <44D294A8.8070108@netmagicsolutions.com>

Jon Bates wrote:
>
> I've got all audio and video type files being quarantined on my servers.
> Some users are now getting smart to the fact that they can simply change
> the extension on the file to bypass this system.
>
> Is there some way to filter attachments based on the attachment mime
> type or something? I've done a few hours searching and I haven't come up
> with a suitable answer.
>
> Any guidance would be appreciated!

See the following configuration options in MailScanner.conf

File Command
Allow Filetypes
Deny Filetypes
Filetype Rules

See here for more description.
http://mailscanner.info/MailScanner.conf.index.html

- dhawal

From sujithem at cdacb.ernet.in Fri Aug 4 05:09:44 2006
From: sujithem at cdacb.ernet.in (Sujith Emmanuel)
Date: Fri Aug 4 05:10:32 2006
Subject: Spamassassin Timeouts
In-Reply-To:
References: <1154615949.5548.1.camel@doit-b8wsw21.grand-rapids.mi.us>
Message-ID: <1d1e72700608032109t15942410n8034c427a8ab79b4@mail.gmail.com>

Hi there,

Even am getting a lot of timeouts, maybe a caching nameserver on the same server could help.

Regards
Sujith Emmanuel

On 8/4/06, Marcel Blenkers wrote:
>
> Hi there,
>
>
>
> On Thu, 3 Aug 2006, Golden, James wrote:
>
> > I received this info from Logwatch, but I am not sure if it is something
> > I should be concerned about. Would anyone else be kind enough to fill
> > me in?
> > And what to do about it if it is not an OK thing?
> >
> > MailScanner Status:
> > 21351 messages Scanned by MailScanner
> > 968.5 Total MB
> > 13531 Spam messages detected by MailScanner
> > 13531 Spam messages with action(s) store
> > 902 hits from MailScanner SpamAssassin cache
> > 6 Viruses found by MailScanner
> > 4 Banned attachments found by MailScanner
> > 967 Content Problems found by MailScanner
> > 7778 Messages delivered by MailScanner
> >
> > 61 SpamAssassin timeout(s
> >
> > Thanks,
> >
> > James
> >
>
> i also had those problems.
> A lot of timeouts with spamassassin.
>
> What worked for me (and please do not laugh) i setup a cronjob, which does
> the following every 4 hours..
>
> /usr/bin/sa-learn --force-expire --sync
>
> and now there are no timeouts anymore and everything works just fine..
>
> if there is another way to handle this problem..let me know =)
>
> Marcel

From febrianto at sioenasia.com Fri Aug 4 05:38:54 2006
From: febrianto at sioenasia.com (Budi Febrianto)
Date: Fri Aug 4 05:34:48 2006
Subject: ClamAV detected as SophosSavi in logwatch
Message-ID:

I never install Sophos, but in LogWatch entry of my mailscanner it say it this.

Entry in LogWatch :

SophosSavi Virus Report: (Total Seen = 1081)
    Exploit.HTML.IFrame: 204 Times(s)
    HTML.Phishing.Auction-149: 1 Times(s)
    HTML.Phishing.Bank-623: 103 Times(s)
    HTML.Phishing.Bank-626: 2 Times(s)
    HTML.Phishing.Bank-627: 78 Times(s)
    Worm.Bagle.Gen-zippwd-5: 2 Times(s)
    Worm.Bagle.pwd-eml: 9 Times(s)
    Worm.Mydoom.I: 24 Times(s)
    Worm.Mytob.FN: 302 Times(s)
    Worm.Mytob.NK: 18 Times(s)
    Worm.SomeFool.AA-2: 2 Times(s)
    Worm.SomeFool.P: 332 Times(s)
    Worm.VB-9: 4 Times(s)

From MailScanner --lint

Read 753 hostnames from the phishing whitelist
Config: calling custom init function MailWatchLogging
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
MailScanner.conf says "Virus Scanners = clamavmodule"
Found these virus scanners installed: clamavmodule

Is this normal, Or I misconfigured something?

Best Regards

From MailScanner at ecs.soton.ac.uk Fri Aug 4 08:44:57 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Aug 4 08:45:35 2006
Subject: SA rules_du_jour lint bug: FOUND
In-Reply-To:
References: <44D22AE6.4020709@evi-inc.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Done.

On 3 Aug 2006, at 18:54, Jeff A. Earickson wrote:

> Matt,
>
> Doh!! Thanks for pointing this out, I had always thought that
> bayes_path was a directory name, not some strange combo of
> directory + file prepend. I fixed my spam.assassin.prefs.conf,
> reverted to the original SA Conf.pm, everything works with
> Rules_du_jour again.
>
> Julian,
>
> Could you please modify the spam.assassin.prefs.conf to include
> the following useful comments (diff -c format)?
>
> *************** > *** 83,89 **** > --- 83,96 ---- > # FSL Note: we need to coordinate the Bayes File Placement > # With MailWatch > > + # bayes_path should NOT be directory! > + # The Rules_du_jour script will choke if it is a directory.
> + # It needs to be a full pathname, PLUS a partial filename. > + # In this example, the trailing "bayes" will be the "bayes*" + # > files in the directory "/etc/MailScanner/bayes/" > + # Thanks to Matt Kettler for pointing this out. > #bayes_path /etc/MailScanner/bayes/bayes > + > # This is actually used as a mask, not a raw chmod setting. > # Thanks for Matt Kettler for spotting this one. > # Commented out: this if for MailWatch and Exim/Postfix users only. > > Jeff Earickson > Colby College > > On Thu, 3 Aug 2006, Matt Kettler wrote: > >> Date: Thu, 03 Aug 2006 12:57:10 -0400 >> From: Matt Kettler >> Reply-To: MailScanner discussion >> To: MailScanner discussion >> Subject: Re: SA rules_du_jour lint bug: FOUND >> Jeff A. Earickson wrote: >>> Gang, >>> >>> I upgraded to SA 3.1.4 last night, and continued to be plagued by >>> lint failures in the rules_du_jour script, like so: >>> >>> /opt/perl5/bin/spamassassin -p >>> /opt/MailScanner/etc/spam.assassin.prefs.conf --lint >>> [27791] warn: config: SpamAssassin failed to parse line, >>> "/var/spool/spamassassin" is not valid for "bayes_path", skipping: >>> bayes_path /var/spool/spamassassin >>> >>> I had this problem in earlier versions of SA, but had worked around >> >> >>> >>> I know this isn't quite right, since the test should be "if NOT a >>> directory, return INVALID_VALUE". But the code: >> >> NO! It should be IF a directory, return invalid. It is NOT valid >> to specify a >> directory as a bayes path, because bayes_path is not just a path. >> It's a path >> plus partial filename! >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
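Review bot: The fourth added comment line (`In this example, the trailing "bayes" will be the "bayes*"`) has been wrapped by the mail client, so a stray `+ #` now sits in the middle of a quoted line and the hunk as posted will not apply cleanly; it is safer to re-send it unwrapped or as an attachment. In the first added line, "should NOT be directory" needs an article ("should NOT be a directory"). The comment would also be harder to misread if it listed the files that the prefix produces (bayes_toks, bayes_seen and bayes_journal, as named earlier in this thread) next to the commented-out `#bayes_path /etc/MailScanner/bayes/bayes` example, since the whole point of the change is that the last path component is a filename prefix and not a directory.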

- --
Julian Field
MailScanner@ecs.soton.ac.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: US-ASCII

wj8DBQFE0vsJEfZZRxQVtlQRAnMnAKCamaEbaf67kxl4XjZoVewzM0y59wCg8GbO
GcFz6a0YfMO+vJfEO8BzMPM=
=Zsn4
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

From glenn.steen at gmail.com Fri Aug 4 08:55:18 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Aug 4 08:55:22 2006
Subject: blocking out-of-office
In-Reply-To:
References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com>
Message-ID: <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com>

On 03/08/06, Koopmann, Jan-Peter wrote:
> On Thursday, August 03, 2006 9:55 AM Glenn Steen wrote:
>
> > The sane solution is to not allow OoO,
>
> Which is easily done in Exchange itself. You can configure it to only send OOO within your Exchange installation but not send it out via SMTP.

Of course. OoO can have a somewhat meaningful role inside the organisation.

> > and encourage your user to use
> > other measures (like "mailbox delegations" etc). Unfortunately PHBs
> > are rarely sane...:-)
>
> And there are situations where you need OOO. We are still developing a small script fetching the OOO status from Exchange and feeding it to a small exim autoresponder. At least that one is configurable and will not send mails back to mailing lists, bulk mail etc. And if your spam detection is good enough OOO will not be a problem for you I suppose.
>

Everyone is entitled to their own opinion, but ... "Need" is a strong word:). There are at least two issues at hand.
One is the phenomenon as such, the other is badly behaving MTAs in conjunction with OoO. Most problems with OoO *could* be alleviated if someone did make a stab at an RFC, so that we could stop fumbling around trying to wrest some form of control on the issue and instead have clearly defined interfaces for it (That's not probable to happen though:-). Then one would have the policy issue to tangle with...

Having said that, I'd be interested in seeing what you've accomplished so far, and perhaps adapting it to a postfix environment... I assume it's based on some form of more or less clever LDAP query? (Yeah, I'm an Exim noob:).

Oh BTW, from that you can see that I don't have a particularly sane PHB;-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From pieter at verhaeghe-textiel.be Fri Aug 4 08:59:18 2006
From: pieter at verhaeghe-textiel.be (Pieter Verhaeghe)
Date: Fri Aug 4 08:59:46 2006
Subject: Permissions archive messages
Message-ID:

Hi,

I want to change the group owner of the archive messages. This is possible for the quarantine messages with the configuration option "Quarantine group". But I found no "Archive group" in MailScanner.conf. How should I configure this?

Thanks for your support!

Greetings,
Pieter

-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060804/dbd7a4ee/attachment.html

From jethro.binks at strath.ac.uk Fri Aug 4 09:22:44 2006
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Fri Aug 4 09:22:46 2006
Subject: blocking out-of-office
In-Reply-To:
References:
Message-ID: <20060804091650.E10038@defjam.cc.strath.ac.uk>

On Fri, 4 Aug 2006, Res wrote:

> Part of the problem is most will ignore and not send OoO's to those marked as
> Precedence: junk bulk
> However many lists, including this one use list, which is not AFAIK a default
> searched for item, hence mailman is not telling the receiving server to ignore
> it, mind you, not that i've seen many exchange servers correctly setup to
> ignore bulk/junk anyway :)

I fear we are dangerously off-topic for MailScanner now, but hopefully still of general interest ...

It would be nice if Exchange could be made more intelligent with regard to whom (or not) it will send OoO messages. It would be nicer if it could be configurable too. Maybe I should ask our Microsoft contacts about the prospects of more intelligence in future versions.

FWIW, this page relating to Exim displays the conditions I use in an autoresponse implementation:

http://www.exim.org/eximwiki/EximAutoReply

I'd be grateful for feedback on other tricks for detecting messages (mostly 'autogenerated' in some way) to which an autoresponse (including OoO) should not be sent, or problems known with the rules I am using.

(I didn't write the original page, but I did enhance it with Example 2 and other commentary, and added some useful references).

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From glenn.steen at gmail.com Fri Aug 4 09:28:12 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 09:28:15 2006 Subject: blocking out-of-office In-Reply-To: <20060803202427.S10038@defjam.cc.strath.ac.uk> References: <20060803202427.S10038@defjam.cc.strath.ac.uk> Message-ID: <223f97700608040128q51cecf5dq3ab689230a7e5ecd@mail.gmail.com> On 03/08/06, Jethro R Binks wrote: > On Thu, 3 Aug 2006, Koopmann, Jan-Peter wrote: > > > On Thursday, August 03, 2006 9:07 PM Rick Chadderdon wrote: > > > > > I'm curious as to some of the situations you believe need OoO. I > > > can't think of any that wouldn't be better handled by a different > > > solution. Of course, "better" is subjective, so I might have > > > considered the situations you're referring to and felt differently. > > > Still, can you give me an idea of what you're thinking? > > > > I tend to get private and business mail in one mailbox. Therefore I > > cannot simply forward all my mail to a collegue or give him/her access > > to it. Maybe there is not even a collegue so things simply have to wait > > a week but I want to let the client/customer/friend know. Etc. > > This is quite common. Yes. Not all can be solved by mailbox delegations, this is quite true. But is it really helpful for the sender to receive an OoO? Most times no. If it is really urgent, why would you be using *email* and not the phone? In an emergency? Oh well, that is a philosophical matter I guess:-). > We have legal reasons for requiring OoO; for example, the Freedom of > Information Act in England and Wales considers a request sent by email to > be 'received' by a public authority unless the sender hears otherwise (by > way of a bounce or OoO). 
If you're away for two or three weeks and hence > don't respond to the request within the prescribed time, and the sender > has no reason to believe the request has not been received (no OoO), then > the public authority has failed in the obligations the Act places upon it. Legislation differ from country to country, so ... An OoO would not be enough, here in Sweden. Why? Cutting a long thing very short: Because OoO is not a standardised thing. So it is neither a help or a hindrance for the diverse agencies here. Further, any missive sent to the government becomes a public document upon receipt (unless specifically covered by secrecy... Not that much is;), so in theory... the "private" mail one handles at ones work address could simply become a public document (The principle of public access... We've been busy selling the idea to the EU for quite some time now:-). > But likewise I don't like the lack of controllability that Exchange (which > is used internally) offers for OoO. I have implemented autoresponse > systems in Exim with extreme measures so that it won't respond to, > generically, 'stuff that it shouldn't respond to', so far as that is > possible. I can't do a fraction of that stuff with Exchange, so it will > willy-nilly send mail out in response to practically any old tat it > receives. No argument there:) > You can mitigate things by having delegated access to mailboxes, of > course, but that all gets rather sticky where personal mail may be present > (or there is no-one appropriate to delegate to, or whether mailbox > contents really confidential to their owner, or there is no-one available > to authorise delegation, or whatever). Saying "personal mail is not > permitted" isn't good enough unfortunately; regardless of whether it > should be there or not, if it is there, it needs to be treated with > respect. Actually, for some organisations, it would be quite all right. But in the real world, well... 
people are people, and one should take care with their integrity. Mailbox delegation was mentioned just as an example, not the surefire solution to the OoO madness. You and JP mention letting a more capable autoresponder handle the autoresponding... And that is a fine way to solve some of the madness too. We have two problems: The policy decision regarding OoO (and this is usually the domain of the PHBs), and the badness of some MTAs in regards to autoresponding > (Because of all this, I have been writing guidelines for our users in this > area; how they should use OoOs, recommendations how they should handle > personal mail, and so on). Ah yes, the third option... Enlightenment. Unfortunately users are people, and people a people... and there will always be a few that simply don't read the guidelines. Sigh. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Aug 4 09:37:32 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 09:37:49 2006 Subject: Question about spam.assassin.prefs.conf In-Reply-To: <1154618053.5548.12.camel@doit-b8wsw21.grand-rapids.mi.us> References: <1154618053.5548.12.camel@doit-b8wsw21.grand-rapids.mi.us> Message-ID: <223f97700608040137u7e22feb3y7cf34ae158c75b2d@mail.gmail.com> On 03/08/06, Golden, James wrote: > (snip) > So, after the compare, I then added any settings entry that was missing > (which was about 3 lines) (bayes_path, awl_path, and one other) to the file. > and then replaced the old one with the rpmnew version. Everything looks > OK. I was just wondering if I missed a step. I know I ran a few scripts to > upgrade Mailscanner.conf and another, but I didn't remember doing it for > spam.assassin.prefs.conf file. No, I don't think you missed a step... 
That is exactly why you got an rpmnew file, and further, that is exactly what you are supposed to do: Check the differences, make an educated guess as to what you should have and make the necessary changes. > I did just upgrade to the 4.54.6-1 version. I didn't do it via RPM, I did > it via the script from MailScanner (if I remember correctly). The MailScanner RPM install is done by running the install.sh script from the tar-ball ... that contains all the necessary rpms... which will then be built/installed as needed. You wouldn't have gotten an rpmnew file if you hadn't;-) (snip) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ckowarzik at email.de Fri Aug 4 09:39:42 2006 From: ckowarzik at email.de (Christian Kowarzik) Date: Fri Aug 4 09:40:28 2006 Subject: mailscanner and SMTP AUTH In-Reply-To: <44D134DF.3080102@smartpost.ro> References: <44D134DF.3080102@smartpost.ro> Message-ID: <44D307CE.7020806@email.de> Hi I use the following spamassassin rules in my /etc/mail/spamassassin/local.cf to decrease the spamassassin score for email senders using smtp auth:

header   __OUR_AUTH           Received =~ /authenticated .* by smtp\.xxx\.de/i
header   __NOT_OUR_AUTH       Received !~ /authenticated .* by smtp\.xxx\.de/i
meta     INIT_RECVD_OUR_AUTH  __OUR_AUTH && ( __NOT_OUR_AUTH == 0)
describe INIT_RECVD_OUR_AUTH  Initially received by us using authentication
tflags   INIT_RECVD_OUR_AUTH  nice
score    INIT_RECVD_OUR_AUTH  -20

First I test that the email was received using smtp-auth and second I test that there exists no "non-authenticated" received lines in the email header. So if both conditions are true I know that my email server initially received that email and the sender is authenticated. Christian Radu Spineanu wrote: > Hi > > Can mailscanner be configured to ignore all checks for messages sent via > smtp auth?
> > In my current setup, when i try to send an email from home using SMTP > AUTH it's marked as SPAM because if fails SPF and some RBL checks (ip > block was added in rbls as it's used for home use). > > Radu From Jan-Peter.Koopmann at seceidos.de Fri Aug 4 11:29:28 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Fri Aug 4 11:29:25 2006 Subject: blocking out-of-office In-Reply-To: <44D259D2.6080009@yeticomputers.com> Message-ID: On Thursday, August 03, 2006 10:17 PM Rick Chadderdon wrote: > You think so? I strongly disagree. Fine. German Law does not care about you disagreeing. If you do not explicitly forbid private use of your e-mail system (and the employee has to sign the agreement) you basically have no administrative access to the users mailbox. Moreover you as a company can choose to allow private use. Several studies confirm that allowing the private use of mail and internet are good for the company. People tend to stay longer at work since they are not forced to leave "early" or on time to finish their ebay auction etc. > If someone abuses a system (and > knowingly using it outside of the standards established *is* abuse) > then their conduct in no way deserves respect. If you forbid private use and make sure this is done in a lawful way: I agree. Regards, JP From Jan-Peter.Koopmann at seceidos.de Fri Aug 4 11:31:52 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Fri Aug 4 11:31:51 2006 Subject: blocking out-of-office In-Reply-To: Message-ID: On Friday, August 04, 2006 2:23 AM Res wrote: >> Which is easily done in Exchange itself. You can configure it to >> only send OOO within your Exchange installation but not send it out >> via SMTP. > > > Part of the problem is most will ignore and not send OoO's to those > marked as Precedence: junk bulk However many lists, including this Exchange does not respect Precedence headers. Their sort of detection of "bulk mail" is "different" if not broken. 
:-) From Jan-Peter.Koopmann at seceidos.de Fri Aug 4 11:34:42 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Fri Aug 4 11:34:39 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> Message-ID: On Friday, August 04, 2006 9:55 AM Glenn Steen wrote: > Everyone is entitled to their own opinion, but ... "Need" is a > strong word:). If I am forced to use OoO - due to legislation or simply because it is my spec or the spec of my boss (if I had one) - then "Need" is the only word. :-) > adapting it to a postfix environment... I assume it's based on some > form of more or less clever LDAP query? (Yeah, I'm an Exim noob:). > Oh BTW, from that you can see that I don't have a particularly sane > PHB;-). -- You cannot get the OoO info via LDAP. You need to log in to the mailbox using Outlook CDOs. There might be a way using WebDAV but I am not entirely sure. The project is a bit abandoned... :-) From Jan-Peter.Koopmann at seceidos.de Fri Aug 4 11:42:01 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Fri Aug 4 11:42:11 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040128q51cecf5dq3ab689230a7e5ecd@mail.gmail.com> Message-ID: On Friday, August 04, 2006 10:28 AM Glenn Steen wrote: > Yes. Not all can be solved by mailbox delegations, this is quite true. > But is it really helpful for the sender to receive an OoO? Most times > no. If it is really urgent, why would you be using *email* and not > the phone? So I need to tell my clients to phone me every time to make sure a more or less urgent matter needs attending? Let's say 200 business days a year e-mail would be sufficient. And during my 5 day vacation they would need to call me in order to find out. That does not really make sense. > In an emergency? Oh well, that is a philosophical matter I > guess:-). Indeed. > too.
We have two problems: The policy decision regarding OoO (and > this is usually the domain of the PHBs), and the badness of some MTAs > in regards to autoresponding Agreed. > Ah yes, the third option... Enlightenment. That works? :-) > Unfortunately users are > people, and people are people... and there will always be a few that > simply don't read the guidelines. Sigh. That's what I think as well. Let's stop this thread. Whether or not we like the use of OoO there always will be and no one here will change that even if we wanted to. :-) In the real world there is the need for OoO even if some of you do not agree or would try to solve it otherwise. Regards, JP From glenn.steen at gmail.com Fri Aug 4 11:59:55 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 11:59:59 2006 Subject: blocking out-of-office In-Reply-To: References: <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> Message-ID: <223f97700608040359i15a6cb36x1c1e3ab15d38460@mail.gmail.com> On 04/08/06, Koopmann, Jan-Peter wrote: > On Friday, August 04, 2006 9:55 AM Glenn Steen wrote: > > > Everyone is entitled to their own opinion, but ... "Need" is a > > strong word:). > > If I am forced to use OoO - due to legislation or simply because it is > my spec or the spec of my boss (if I had one) - then "Need" is the only > word. :-) True. As said (to Jethro), legislation differs, so "Need" it is then... for you:-). > > adapting it to a postfix environment... I assume it's based on some > > form of more or less clever LDAP query? (Yeah, I'm an Exim noob:). > > Oh BTW, from that you can see that I don't have a particularly sane > > PHB;-). -- > > You cannot get the OoO info via LDAP. You need to log in to the mailbox > using Outlook CDOs. There might be a way using WebDAV but I am not > entirely sure. The project is a bit abandoned... :-) Ah. Too bad. Then again, what was I thinking there.... that M$ would make anything simple to look up....?
:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Fri Aug 4 12:09:52 2006 From: res at ausics.net (Res) Date: Fri Aug 4 12:10:03 2006 Subject: blocking out-of-office In-Reply-To: <20060804091650.E10038@defjam.cc.strath.ac.uk> References: <20060804091650.E10038@defjam.cc.strath.ac.uk> Message-ID: On Fri, 4 Aug 2006, Jethro R Binks wrote: > configurable too. Maybe I should ask our Microsoft contacts about the > prospects of more intelligence in future versions. hahahahhahahahahahha do you moonlight at the comedy club ? :P hahah you must as you used M$ and intelligence in the same sentence ;) -- Cheers Res From glenn.steen at gmail.com Fri Aug 4 12:12:24 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 12:12:28 2006 Subject: blocking out-of-office In-Reply-To: References: <223f97700608040128q51cecf5dq3ab689230a7e5ecd@mail.gmail.com> Message-ID: <223f97700608040412i4311a64cj6b36335c9221732d@mail.gmail.com> Sorry all, this is drifting wildly off-topic....:-) On 04/08/06, Koopmann, Jan-Peter wrote: > On Friday, August 04, 2006 10:28 AM Glenn Steen wrote: > > > Yes. Not all can be solved by mailbox delegations, this is quite true. > > But is it really helpful for the sender to receive an OoO? Most times > > no. If it is really urgent, why would you be using *email* and not > > the phone? > > So I need to tell my clients to phone me every time to make sure a more > or less urgent matter needs attending? Let's say 200 business days a > year e-mail would be sufficient. And during my 5 day vacation they would > need to call me in order to find out. That does not really make sense. Ah, but then ... that's not really an emergency then. Oh well. It all depends on your situation. BTW, 5 _days_ vacation? In total? If so, you need another Union:-D. But if you are away for only five days, then surely there is nothing sent by email that just couldn't wait...? > > In an emergency?
Oh well, that is a philosophical matter I > > guess:-). > > Indeed. > > > too. We have two problems: The policy decision regarding OoO (and > > this is usually the domain of the PHBs), and the badness of some MTAs > > in regards to autoresponding > > Agreed. > > > Ah yes, the third option... Enlightenment. > > That works? :-) Nope. Or at least hasn't done so for the past 20-odd years:-). > > Unfortunately users are > > people, and people are people... and there will always be a few that > > simply don't read the guidelines. Sigh. > > That's what I think as well. > > Let's stop this thread. Whether or not we like the use of OoO there > always will be and no one here will change that even if we wanted to. :-) > In the real world there is the need for OoO even if some of you do not agree > or would try to solve it otherwise. > This subthread at least. The original question posed by Peter was how to limit the spread of OoO by use of MailScanner... and that has perhaps some room for discussion left. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dhawal at netmagicsolutions.com Fri Aug 4 12:14:23 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Fri Aug 4 12:18:15 2006 Subject: blocking out-of-office discussions In-Reply-To: <223f97700608040359i15a6cb36x1c1e3ab15d38460@mail.gmail.com> References: <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <223f97700608040359i15a6cb36x1c1e3ab15d38460@mail.gmail.com> Message-ID: <20060804164423.8czeuufdkcgwksc4@mail.netmagicsolutions.com> This is getting absolutely OT.. MailScanner has nothing to do with legislation.. Can we end this silly thread which is only contributing towards polluting the list archives and wasting time / bandwidth.
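Added example, not part of any post on this list: the SMTP AUTH rules posted above under "mailscanner and SMTP AUTH" credit a message on the strength of a Received line, and only the topmost Received line is written by your own MTA. This Python sketch compares three ways of reading those lines on constructed messages; the helper names, sample hosts and queue ids are assumptions, and it does not model how SpamAssassin itself evaluates `header` rules.

```python
import re
from email import message_from_string

# Pattern taken from the posted rules; smtp.xxx.de is the post's own placeholder.
OUR_AUTH = re.compile(r"authenticated .* by smtp\.xxx\.de", re.I)


def received_hops(raw):
    """Received header values, newest (topmost) first, with folding removed."""
    msg = message_from_string(raw)
    return [re.sub(r"\r?\n[ \t]+", " ", h) for h in msg.get_all("Received", [])]


def any_hop_matches(raw):
    """Loose reading: the pattern appears in some Received line, wherever it sits."""
    return any(OUR_AUTH.search(h) for h in received_hops(raw))


def top_hop_matches(raw):
    """Only the topmost line is consulted (assumed to be the one our MTA wrote)."""
    hops = received_hops(raw)
    return bool(hops) and bool(OUR_AUTH.search(hops[0]))


def every_hop_matches(raw):
    """Strict reading: every Received line present is our authenticated hop."""
    hops = received_hops(raw)
    return bool(hops) and all(OUR_AUTH.search(h) for h in hops)


def verdicts(raw):
    """All three readings for one raw message."""
    return {
        "any": any_hop_matches(raw),
        "top": top_hop_matches(raw),
        "every": every_hop_matches(raw),
    }


def build(*received):
    """Assemble a constructed message from Received values, topmost first."""
    head = "".join("Received: %s\n" % r for r in received)
    return head + "From: someone@example.net\nSubject: constructed sample\n\nbody\n"


# Constructed Received values (documentation addresses, made-up queue ids).
AUTH_HOP = (
    "from laptop.example.net (dsl.example.net [203.0.113.7])\n"
    "\t(authenticated bits=0)\n"
    "\tby smtp.xxx.de (8.13.7/8.13.7) with ESMTP id k749dgAA012345;\n"
    "\tFri, 4 Aug 2006 09:39:42 +0200"
)
PLAIN_HOP = (
    "from mail.example.net (mail.example.net [198.51.100.23])\n"
    "\tby smtp.xxx.de (8.13.7/8.13.7) with ESMTP id k74A2BBB023456;\n"
    "\tFri, 4 Aug 2006 10:02:11 +0200"
)
CLIENT_HOP = (
    "from [127.0.0.1] by laptop.example.net with local client;\n"
    "\tFri, 4 Aug 2006 09:39:40 +0200"
)

SAMPLES = {
    # Our server accepted the message over SMTP AUTH; nothing else is present.
    "authenticated submission": build(AUTH_HOP),
    # Same, but the user's own software wrote a Received line first.
    "authenticated, client added a line": build(AUTH_HOP, CLIENT_HOP),
    # Unauthenticated inbound mail that arrived already carrying a line
    # that looks like our authenticated hop.
    "inbound, sender-supplied line below ours": build(PLAIN_HOP, AUTH_HOP),
    # Unauthenticated inbound mail with no such line.
    "ordinary inbound": build(PLAIN_HOP, CLIENT_HOP),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        v = verdicts(raw)
        print("%-42s any=%-5s top=%-5s every=%s" % (name, v["any"], v["top"], v["every"]))
```

Whether `top` or `every` is the better fit depends on whether your users' mail clients add Received lines of their own; both assume the scanner runs on the host that accepted the SMTP connection.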
From jethro.binks at strath.ac.uk Fri Aug 4 12:55:46 2006 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Fri Aug 4 12:55:48 2006 Subject: blocking out-of-office discussions In-Reply-To: <20060804164423.8czeuufdkcgwksc4@mail.netmagicsolutions.com> References: <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <223f97700608040359i15a6cb36x1c1e3ab15d38460@mail.gmail.com> <20060804164423.8czeuufdkcgwksc4@mail.netmagicsolutions.com> Message-ID: <20060804125505.C10038@defjam.cc.strath.ac.uk> On Fri, 4 Aug 2006, Dhawal Doshy wrote: > This is getting absolutely OT.. MailScanner has nothing to do with > legislation.. > Can we end this silly thread which is only contributing towards polluting the > list archives and wasting time / bandwidth. Speaking perfectly frankly, that seems to be a common theme on this list anyway. At least this discussion is mail-related and generically useful. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services University Of Strathclyde, Glasgow, UK From Andreas.Doerfler at kempten.de Fri Aug 4 12:57:13 2006 From: Andreas.Doerfler at kempten.de (Dörfler Andreas) Date: Fri Aug 4 12:57:34 2006 Subject: ignored messeges Message-ID: hey there, i haven't checked my mqueue.in for months .. because i thought everything works fine. that more i'm scared to find about 200 undelivered mails in there short example: -rw------- 1 root mail 28672 Feb 12 2005 dfj1C64nMG031005 ... -rw------- 1 root mail 6386 Jul 18 11:45 dfk6I8gtUk025915 -rw------- 1 root mail 5336 Jul 19 17:46 dfk6JEkXh1022049 -rw------- 1 root mail 5149 Jul 20 13:34 dfk6KAXUsc004185 -rw------- 1 root mail 6630 Jul 21 17:21 dfk6LEL11J029142 -rw------- 1 root mail 12288 Jul 22 06:07 dfk6M46wOv029047 most of em are spam so i don't see a problem, but some are not. don't understand how this can happen because i deliver about 6000 mails every day without any problems.
some ignored mails from last year ... from the mail log i take these when restart MS: Aug 4 13:17:31 ar4 MailScanner[12699]: Cannot read queue directory /var/spool/mqueue.in/dfj1C64nMG031005 ... got this message multiple times, but i've seen em first time, tried now more times but it won't come again in the logs i use sendmail, ms 4.55.9 on a suse 9.2 box greetings andy --free your mind, use open source http://www.mono-project.com ASCII ribbon campaign ( ) - against HTML email X & vCards / \ From radus at smartpost.ro Fri Aug 4 13:20:16 2006 From: radus at smartpost.ro (Radu Spineanu) Date: Fri Aug 4 13:20:36 2006 Subject: mailscanner and SMTP AUTH In-Reply-To: <44D141CE.9090805@blacknight.ie> References: <44D134DF.3080102@smartpost.ro> <44D141CE.9090805@blacknight.ie> Message-ID: <44D33B80.3000300@smartpost.ro> Michele Neylon:: Blacknight.ie wrote: > Radu Spineanu wrote: >> Hi >> >> Can mailscanner be configured to ignore all checks for messages sent via >> smtp auth? >> >> In my current setup, when i try to send an email from home using SMTP >> AUTH it's marked as SPAM because it fails SPF and some RBL checks (ip >> block was added in rbls as it's used for home use). >> >> Radu > Do you have a fixed IP at home? You could simply whitelist your home IP > or your ISP's netblock > Unfortunately no. And most people using this mail setup are from different parts of the world.
Radu From P.G.M.Peters at utwente.nl Fri Aug 4 14:44:16 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Fri Aug 4 14:44:23 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> Message-ID: <44D34F30.2070300@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote on 4-8-2006 9:55: > On 03/08/06, Koopmann, Jan-Peter wrote: >> On Thursday, August 03, 2006 9:55 AM Glenn Steen wrote: >> >> > The sane solution is to not allow OoO, >> >> Which is easily done in Exchange itself. You can configure it to only >> send OOO within your Exchange installation but not send it out via SMTP. > > Of course. OoO can have a somewhat meaningful role inside the organisation. But we have a lot of organizations in our organization. A lot of the (bigger) departments run their own exchange. And while the AD is shared they still tend to send e-mail from one department to the other through SMTP (which is good because it gets scanned by MailScanner). Luckily I managed to get it on-topic again. 
- -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE008welLo80lrIdIRAuxFAJ9X2zISVfF+XnJOhBGc6mWZ3FP+5QCgkEy2 cLuZ4I4wekZfoSc5pxtyGX8= =Qixt -----END PGP SIGNATURE----- From P.G.M.Peters at utwente.nl Fri Aug 4 14:46:56 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Fri Aug 4 14:47:00 2006 Subject: blocking out-of-office In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501751D2D@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1501751D2D@woodenex.woodmaclaw.local> Message-ID: <44D34FD0.6020309@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Billy A. Pumphrey wrote on 2-8-2006 20:49: > My employees report that when they have the out of office turned on they > receive more spam..... Considering OOO could be called spam (according to the definition of unwanted bulk e-mail) you could say that when those employees have turned on OOO it is holiday so more people have done the same. Resulting in OOO's from others (perhaps based on forged sender addresses in spam). 
- -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE00/QelLo80lrIdIRAubCAJ9U2DV2R5xeoiwv0QOagpNS7ZSYmwCbBIUa 3UPxoBWcafLsyFVlYZlTMTE= =hPf9 -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Fri Aug 4 14:47:01 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 4 14:47:37 2006 Subject: ignored messeges In-Reply-To: References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 df files without qf files are just left-over junk from things like broken TCP connections and stuff like that. df files without qf files (or vice versa) can just be deleted. On 4 Aug 2006, at 12:57, Dörfler Andreas wrote: > hey there, > > i haven't checked my mqueue.in for months .. because i thought > everything works fine. > that more i'm scared to find about 200 undelivered mails in there > > short example: > -rw------- 1 root mail 28672 Feb 12 2005 dfj1C64nMG031005 > ... > -rw------- 1 root mail 6386 Jul 18 11:45 dfk6I8gtUk025915 > -rw------- 1 root mail 5336 Jul 19 17:46 dfk6JEkXh1022049 > -rw------- 1 root mail 5149 Jul 20 13:34 dfk6KAXUsc004185 > -rw------- 1 root mail 6630 Jul 21 17:21 dfk6LEL11J029142 > -rw------- 1 root mail 12288 Jul 22 06:07 dfk6M46wOv029047 > > most of em are spam so i don't see a problem, but some are not. > > don't understand how this can happen because i deliver about > 6000 mails every day without any problems. > some ignored mails from last year ... > > from the mail log i take these when restart MS: > > Aug 4 13:17:31 ar4 MailScanner[12699]: Cannot read queue > directory /var/spool/mqueue.in/dfj1C64nMG031005 > ...
> got this message multiple times, but i've seen em first time, > tried now more times but it won't come again in the logs > > i use sendmail, ms 4.55.9 on a suse 9.2 box > > greetings > andy > > --free your mind, use open source > http://www.mono-project.com > > ASCII ribbon campaign ( ) > - against HTML email X > & vCards / \ > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! - -- Julian Field MailScanner@ecs.soton.ac.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE00/kEfZZRxQVtlQRAjlGAKClFtaRPmYCo6ewuNDQNrP188z0QgCg2xKX XMpMnj01s3jHrNv1vy+V69A= =rXe0 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From P.G.M.Peters at utwente.nl Fri Aug 4 14:48:08 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Fri Aug 4 14:48:12 2006 Subject: blocking out-of-office In-Reply-To: <1951DC816E1A9F469307B05FA183F43852206B@corpatsmail1.corp.sensis.com> References: <1951DC816E1A9F469307B05FA183F43852206B@corpatsmail1.corp.sensis.com> Message-ID: <44D35018.3000409@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Desai, Jason wrote on 3-8-2006 20:09: > I have recently implemented something similar. Management wanted to > allow only some people to send out of office messages over the internet. > Since our MailScanner box is inline, I wrote a custom function for the > Is Definitely MCP option. It's not a complex function. I am waiting to > hear back from management to see if I can post it here. That would be great. Perhaps something for Julian to include in some future version.
- -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE01AYelLo80lrIdIRAp3oAJ44Tohs+im5ZALx5u+s5ud17KMoIQCffyMT dD6KMGuj8nAb/hdRkjYCa80= =gM/7 -----END PGP SIGNATURE----- From mgt at stellarcore.net Fri Aug 4 14:57:47 2006 From: mgt at stellarcore.net (Mike Tremaine) Date: Fri Aug 4 14:58:01 2006 Subject: Subject: ClamAV detected as SophosSavi in logwatch In-Reply-To: <200608041106.k74B6h9R001647@bkserver.blacknight.ie> References: <200608041106.k74B6h9R001647@bkserver.blacknight.ie> Message-ID: <1154699868.3202.4.camel@dwarfstar.stellarcore.net> On Fri, 2006-08-04 at 12:06 +0100, mailscanner- request@lists.mailscanner.info wrote: > I never install Sophos, but in LogWatch entry of my mailscanner it say it > this. > > Entry in LogWatch : > SophosSavi Virus Report: (Total Seen = 1081) > Exploit.HTML.IFrame: 204 Times(s) > HTML.Phishing.Auction-149: 1 Times(s) > HTML.Phishing.Bank-623: 103 Times(s) > HTML.Phishing.Bank-626: 2 Times(s) > HTML.Phishing.Bank-627: 78 Times(s) > Worm.Bagle.Gen-zippwd-5: 2 Times(s) > Worm.Bagle.pwd-eml: 9 Times(s) > Worm.Mydoom.I: 24 Times(s) > Worm.Mytob.FN: 302 Times(s) > Worm.Mytob.NK: 18 Times(s) > Worm.SomeFool.AA-2: 2 Times(s) > Worm.SomeFool.P: 332 Times(s) > Worm.VB-9: 4 Times(s) That is a Logwatch problem not a Mailscanner problem. If you can tell me which version of Logwatch you are running [and MailScanner/ClamAV] I'll take a look. [FYI current stable Logwatch is 7.3]. You can send this to me directly or to the logwatch at logwatch org list. 
-Mike From glenn.steen at gmail.com Fri Aug 4 15:10:04 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 15:10:09 2006 Subject: blocking out-of-office In-Reply-To: <44D34F30.2070300@utwente.nl> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> Message-ID: <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> On 04/08/06, Peter Peters wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn Steen wrote on 4-8-2006 9:55: > > On 03/08/06, Koopmann, Jan-Peter wrote: > >> On Thursday, August 03, 2006 9:55 AM Glenn Steen wrote: > >> > >> > The sane solution is to not allow OoO, > >> > >> Which is easily done in Exchange itself. You can configure it to only > >> send OOO within your Exchange installation but not send it out via SMTP. > > > > Of course. OoO can have a somewhat meaningful role inside the organisation. > > But we have a lot of organizations in our organization. A lot of the > (bigger) departments run their own exchange. And while the AD is shared > they still tend to send e-mail from one department to the other through > SMTP (which is good because it gets scanned by MailScanner). Um, I'm feeling more than the usual tad slow here (Friday afternoon syndrome:-), are you saying you want to block all OoO trying to exit the "superorganisation" or the ones bouncing around between suborganisations? SA rule(s) could help you, I suppose, if you want something selective (PF header_checks are bit limited so wouldn't handle that gracefully:-). > Luckily I managed to get it on-topic again. 
:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ewr at erols.com Fri Aug 4 15:04:47 2006 From: ewr at erols.com (ewr@erols.com) Date: Fri Aug 4 15:10:49 2006 Subject: mailscanner and SMTP AUTH In-Reply-To: <44D307CE.7020806@email.de> Message-ID: <01af01c6b7ce$f24b6090$4f02a8c0@ew> Thanks Christian! I like this idea and think it will work well. I am not entirely up to speed (yet) on how the SA rules work and have a question about it. Does this rule only check the first Received header? I want to make sure that a forged Received header farther down the email doesn't get the -20 deduct. Sorry for my ignorance! Thanks! Eric >-----Original Message----- >From: mailscanner-bounces@lists.mailscanner.info >[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >Of Christian Kowarzik >Sent: Friday, August 04, 2006 4:40 AM >To: MailScanner discussion >Subject: Re: mailscanner and SMTP AUTH > >Hi > >I use the following spamassassin rules in my >/etc/mail/spamassassin/local.cf to decrease the spamassassin >score for email senders using smtp auth: > > >header __OUR_AUTH Received =~ >/authenticated .* by smtp\.xxx\.de/i >header __NOT_OUR_AUTH Received !~ >/authenticated .* by smtp\.xxx\.de/i >meta INIT_RECVD_OUR_AUTH __OUR_AUTH && ( >__NOT_OUR_AUTH == 0) >describe INIT_RECVD_OUR_AUTH Initially received by >us using authentication >tflags INIT_RECVD_OUR_AUTH nice >score INIT_RECVD_OUR_AUTH -20 > >First I test that the email was received using smtp-auth and >second i test that there exists no >"non-authenticated" received lines in the email header. >So if both conditions are true I know that my email server >initially received that email and the >sender is authenticated. > >Christian > >Radu Spineanu schrieb: >> Hi >> >> Can mailscanner be configured to ignore all checks for >messages sent via >> smtp auth? 
>> >> In my current setup, when i try to send an email from home using SMTP >> AUTH it's marked as SPAM because if fails SPF and some RBL checks (ip >> block was added in rbls as it's used for home use). >> >> Radu >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! From dstraka at caspercollege.edu Fri Aug 4 15:22:04 2006 From: dstraka at caspercollege.edu (Daniel Straka) Date: Fri Aug 4 15:22:58 2006 Subject: MS Status not Reporting in Logwatch Message-ID: <44D303AB.61A4.0000.0@caspercollege.edu> I recently installed a new MailScanner machine with SUSE Enterprise 10 and sendmail, I was previously on RedHat 7.3. Logwatch does not display the MailScanner Status section as it did with Redhat. Also SUSE has different mail logging (ie, several mail log files mail, mail.info, mail.err, mail.warn) whereas Redhat had only the file "maillog". Can anyone guide me with how to get Logwatch to report the MailScanner Status section for me on this system? Thanks, Dan Straka Systems Coordinator Casper College 307.268.2399 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From listacct at tulsaconnect.com Fri Aug 4 15:50:01 2006 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Fri Aug 4 15:49:56 2006 Subject: ClamAV on FreeBSD - ports or Perl module?
In-Reply-To: References: Message-ID: <44D35E99.7020507@tulsaconnect.com> Koopmann, Jan-Peter wrote: > On Thursday, August 03, 2006 9:29 AM Adri Koppes wrote: > >> I have been using p5-Mail-ClamAV 0.30 with the standard perl 5.8.6 on >> FreeBSD 5.4 without any problems for over 1 year now. > > Good to know! I will try to switch to Mail-ClamAV the next days (today just was not possible as was the new port). If that works out as well (which it will) I will remove the warning from p5-Mail-ClamAV. Thanks! Tried installing Mail-ClamAV from ports, it installed fine (other than the threaded Perl warning), but when I try to use it: Aug 4 09:45:15 mx5 MailScanner[42648]: ClamAV Perl module not found, did you install it? but yet: $ ls -al /var/db/pkg/ | grep ClamAV drwxr-xr-x 2 root wheel 512 Aug 2 11:38 p5-Mail-ClamAV-0.17 ..it is clearly installed.. -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From mailscanner at yeticomputers.com Fri Aug 4 15:57:08 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Aug 4 15:57:18 2006 Subject: blocking out-of-office In-Reply-To: <20060803213821.W10038@defjam.cc.strath.ac.uk> References: <20060803202427.S10038@defjam.cc.strath.ac.uk> <44D259D2.6080009@yeticomputers.com> <20060803213821.W10038@defjam.cc.strath.ac.uk> Message-ID: <44D36044.3020804@yeticomputers.com> Jethro R Binks wrote: > On Thu, 3 Aug 2006, Rick Chadderdon wrote: >> who nowadays doesn't know that a corporate account should not be used >> for personal communication? >> > > The people who have not been told that it shouldn't be used for such, and > the people who have been told that it may be used for such. > I guess I wasn't clear at all in my post. The line you quoted was intended to refer to situations where there is no established policy. The latter group you mention clearly does not apply. 
I *do* believe that, by now, most of the former group should be aware (and are aware) that unless it is explicitly allowed, most companies do not want you to use their resources for your own personal needs - and that's what I meant by the sentence you quoted above. > And speaking personally, I find such rules oppressive and offensive. > One's personal life doesn't end when one walks through the office door. > This is the real world. There are, of course, reasonable limits on how > far 'personal use' should extend. Yes. Unfortunately, it has been my experience that a seemingly growing number of people will extend and abuse every tiny privilege you offer them. While I would not work for a place with such rules in place and I do not enforce such rules on my own employees, I can fully understand why a company would do so. One of my clients was able to reduce his bandwidth consumption by about 90% (freeing him from the need to get a larger pipe than his existing T1) by simply having me block the staff's access to any website that was not on a list of sites they needed to do their work. Amazingly, he was also able to reduce his staff by about 50% once all of his people had to do their jobs rather than "socially network". This is entirely a philosophical issue, and I apologize if I appeared to be attacking your beliefs. Rick From mailscanner at yeticomputers.com Fri Aug 4 15:57:13 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Aug 4 15:57:22 2006 Subject: blocking out-of-office In-Reply-To: References: Message-ID: <44D36049.40407@yeticomputers.com> Koopmann, Jan-Peter wrote: > On Thursday, August 03, 2006 10:17 PM Rick Chadderdon wrote: > > >> You think so? I strongly disagree. >> > > Fine. German Law does not care about you disagreeing. > [...] > Moreover you as a company can choose to allow private use. > I wasn't referring to situations where the region's prevailing law compels behavior, or where policy allows such use. 
I incorrectly assumed that this was obvious in my post. For that, I apologize. To clarify: If law allows one to set policy whereby personal email can be disallowed, and such policy is set, I don't believe that those who violate such policies should be tolerated or 'respected'. Rick From jgolden at ci.grand-rapids.mi.us Fri Aug 4 15:59:39 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Fri Aug 4 15:59:34 2006 Subject: Retreiving quarntined email/attachments Message-ID: <1154703579.6475.6.camel@doit-b8wsw21.grand-rapids.mi.us> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: smiley-4.png Type: image/png Size: 822 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060804/08ed62a0/smiley-4.png From P.G.M.Peters at utwente.nl Fri Aug 4 16:01:48 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Fri Aug 4 16:01:52 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> Message-ID: <44D3615C.7010709@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote on 4-8-2006 16:10: >> But we have a lot of organizations in our organization. A lot of the >> (bigger) departments run their own exchange. And while the AD is shared >> they still tend to send e-mail from one department to the other through >> SMTP (which is good because it gets scanned by MailScanner). > > Um, I'm feeling more than the usual tad slow here (Friday afternoon > syndrome:-), are you saying you want to block all OoO trying to exit > the "superorganisation" or the ones bouncing around between > suborganisations? 
> SA rule(s) could help you, I suppose, if you want something selective > (PF header_checks are bit limited so wouldn't handle that > gracefully:-). Yes, I would want to block OoO's trying to get outside the university but keep the OoO's flowing between the departments. - -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE02FcelLo80lrIdIRAgGxAJ9x/m6RodTMYzSngXuwtBj/f1N63ACgizTJ 8un13fmbVhYS17h2P8uPWtw= =UM1D -----END PGP SIGNATURE----- From ssilva at sgvwater.com Fri Aug 4 16:03:01 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Aug 4 16:03:34 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040128q51cecf5dq3ab689230a7e5ecd@mail.gmail.com> References: <20060803202427.S10038@defjam.cc.strath.ac.uk> <223f97700608040128q51cecf5dq3ab689230a7e5ecd@mail.gmail.com> Message-ID: > Ah yes, the third option... Enlightenment. Unfortunately users are > people, and people a people... and there will always be a few that > simply don't read the guidelines. Sigh. > More like en'lart'enment. As in a big stick to the harder regions of the cranium ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From danc at bluestarshows.com Fri Aug 4 16:07:27 2006 From: danc at bluestarshows.com (Dan Carl) Date: Fri Aug 4 16:10:57 2006 Subject: Sendmail question Message-ID: <003d01c6b7d7$b331e100$0200000a@danc3> Anyone willing to answer a sendmail question? Or atleast point me in the right direction. (I don't have news) I can send mail fine thru my sendmail/Mailerscanner server with windows clients but when I send it thru from my other linux server Yahoo marks it as BULK(spam). 
Thanks
Dan

From cconn at abacom.com Fri Aug 4 16:11:14 2006
From: cconn at abacom.com (Chris Conn)
Date: Fri Aug 4 16:11:20 2006
Subject: ignored messeges
In-Reply-To:
References:
Message-ID: <44D36392.6000009@abacom.com>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> df files without qf files are just left-over junk from things like
> broken TCP connections and stuff like that. df files without qf files
> (or vice versa) can just be deleted.
>

#!/bin/sh
# Remove files older than about a day from the incoming queue directory.
# Stop if the cd fails, so find never runs in some other directory.
cd /var/spool/mqueue.in/ || exit 1
find . -type f -daystart -ctime +1 -print0 | xargs -0 -r rm

Gets rid of files that are a couple of days old or older in the mqueue.in directory (change it to the right path if not the same).

Chris

> On 4 Aug 2006, at 12:57, Dörfler Andreas wrote:
>
>
>>hey there,
>>
>>i havent checked my mqueue.in for months .. because i thought
>>everything works fine.
>>that more im scared to find about 200 undelivered mails in there
>>
>>short example:
>>-rw------- 1 root mail 28672 Feb 12 2005 dfj1C64nMG031005
>>...
>>-rw------- 1 root mail 6386 Jul 18 11:45 dfk6I8gtUk025915
>>-rw------- 1 root mail 5336 Jul 19 17:46 dfk6JEkXh1022049
>>-rw------- 1 root mail 5149 Jul 20 13:34 dfk6KAXUsc004185
>>-rw------- 1 root mail 6630 Jul 21 17:21 dfk6LEL11J029142
>>-rw------- 1 root mail 12288 Jul 22 06:07 dfk6M46wOv029047
>>
>>most of em are spam so i dont see a problem, but some are not.
>>
>>dont understand how this can happen because i deliver about
>>6000 mails everyday without any problems.
>>some ignored mails from last year ...
>>
>>from the mail log i take these when restart MS:
>>
>>Aug 4 13:17:31 ar4 MailScanner[12699]: Cannot read queue
>>directory /var/spool/mqueue.in/dfj1C64nMG031005
>>...
>>got this message multible times, but ive senn em first time, >>tried now more times but it wont come again in the logs >> >>i use sendmail, ms 4.55.9 on a suse 9.2 box >> >>greetings >>andy >> >>--free your mind, use open source >>http://www.mono-project.com >> >>ASCII ribbon campaign ( ) >> - against HTML email X >> & vCards / \ >>-- >>MailScanner mailing list >>mailscanner@lists.mailscanner.info >>http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >>Before posting, read http://wiki.mailscanner.info/posting >> >>Support MailScanner development - buy the book off the website! > > > - -- > Julian Field > MailScanner@ecs.soton.ac.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: ISO-8859-1 > > wj8DBQFE00/kEfZZRxQVtlQRAjlGAKClFtaRPmYCo6ewuNDQNrP188z0QgCg2xKX > XMpMnj01s3jHrNv1vy+V69A= > =rXe0 > -----END PGP SIGNATURE----- > From glenn.steen at gmail.com Fri Aug 4 17:13:36 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 17:20:35 2006 Subject: blocking out-of-office In-Reply-To: <44D3615C.7010709@utwente.nl> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> Message-ID: <223f97700608040913g4c5a9ce0p60ab1545599bcfdd@mail.gmail.com> On 04/08/06, Peter Peters wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn Steen wrote on 4-8-2006 16:10: > > >> But we have a lot of organizations in our organization. A lot of the > >> (bigger) departments run their own exchange. And while the AD is shared > >> they still tend to send e-mail from one department to the other through > >> SMTP (which is good because it gets scanned by MailScanner). 
> > > > Um, I'm feeling more than the usual tad slow here (Friday afternoon > > syndrome:-), are you saying you want to block all OoO trying to exit > > the "superorganisation" or the ones bouncing around between > > suborganisations? > > SA rule(s) could help you, I suppose, if you want something selective > > (PF header_checks are bit limited so wouldn't handle that > > gracefully:-). > > Yes, I would want to block OoO's trying to get outside the university > but keep the OoO's flowing between the departments. > Well then, you'd have two problems: 1) Identifying an OoO. 2) selectively disallowing them to exit your organization. I'd look into making a set of SA rules to facilitate this. One or two to identify that the message really is an OoO, that it originates from one of your subdomains, and finally one rule to combine those results and giving that one a truly hefty score, pushing it into the high scoring spam category. Either that, or go the CustomFunction route (or perhaps even try to make something out of the generic AV option). My Friday-afternoon-syndrome has moved on to Friday-evening-syndrome (into my first beer and fired up the grill), so I'd not trust myself further than that:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Kevin_Miller at ci.juneau.ak.us Fri Aug 4 17:21:27 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Aug 4 17:21:32 2006 Subject: Sendmail question In-Reply-To: <003d01c6b7d7$b331e100$0200000a@danc3> Message-ID: Dan Carl wrote: > Anyone willing to answer a sendmail question? > Or atleast point me in the right direction. (I don't have news) > I can send mail fine thru my sendmail/Mailerscanner server with > windows clients but when I send it thru from my other linux server > Yahoo marks it as BULK(spam). > Thanks > Dan So Yahoo bounces spam? I'd have thought they were more on the ball than that. 
Not much to go on here - what error's being returned? It might be instructive to see a post from one of your linux boxes. I noted that this one came from Outlook Express. Are you using SPF? If so, do you have all your servers listed? Do your linux servers send directly or do they use mail.bluestarshows.com? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From glenn.steen at gmail.com Fri Aug 4 17:11:14 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 4 17:50:07 2006 Subject: blocking out-of-office In-Reply-To: <44D3615C.7010709@utwente.nl> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> Message-ID: <223f97700608040911l68008e80w115ebf588301e6be@mail.gmail.com> On 04/08/06, Peter Peters wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn Steen wrote on 4-8-2006 16:10: > > >> But we have a lot of organizations in our organization. A lot of the > >> (bigger) departments run their own exchange. And while the AD is shared > >> they still tend to send e-mail from one department to the other through > >> SMTP (which is good because it gets scanned by MailScanner). > > > > Um, I'm feeling more than the usual tad slow here (Friday afternoon > > syndrome:-), are you saying you want to block all OoO trying to exit > > the "superorganisation" or the ones bouncing around between > > suborganisations? > > SA rule(s) could help you, I suppose, if you want something selective > > (PF header_checks are bit limited so wouldn't handle that > > gracefully:-). > > Yes, I would want to block OoO's trying to get outside the university > but keep the OoO's flowing between the departments. 
> Well then, you'd have two problems: 1) Identifying an OoO. 2) selectively disallowing them to exit your organization. I'd look into making a set of SA rules to facilitate this. One or two to identify that the message really is an OoO, that it originates from one of your subdomains, and finally one rule to combine those results and giving that one a truly hefty score, pushing it into the high scoring spam category. Either that, or go the CustomFunction route (or perhaps even try to make something out of the generic AV option). My Friday-afternoon-syndrome has moved on to Friday-evening-syndrome (into my first beer and fired up the grill), so I'd not trust myself further than that:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ugob at camo-route.com Fri Aug 4 18:10:08 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Aug 4 18:11:05 2006 Subject: Sendmail question In-Reply-To: References: <003d01c6b7d7$b331e100$0200000a@danc3> Message-ID: Kevin Miller wrote: > Dan Carl wrote: >> Anyone willing to answer a sendmail question? >> Or atleast point me in the right direction. (I don't have news) >> I can send mail fine thru my sendmail/Mailerscanner server with >> windows clients but when I send it thru from my other linux server >> Yahoo marks it as BULK(spam). >> Thanks >> Dan > > So Yahoo bounces spam? I'd have thought they were more on the ball than > that. Not much to go on here - what error's being returned? It might > be instructive to see a post from one of your linux boxes. I noted that > this one came from Outlook Express. He said that Yahoo marks it, not bounces it. > > Are you using SPF? If so, do you have all your servers listed? > > Do your linux servers send directly or do they use > mail.bluestarshows.com? -> good points... 
>
> ...Kevin

From Kevin_Miller at ci.juneau.ak.us Fri Aug 4 18:14:17 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Aug 4 18:14:20 2006
Subject: filename/type exceptions
Message-ID:

It's the end of the week, I'd rather be out fishing, and most of my latte is still in the cup so indulge me please if I'm being braindead. A person is trying to send some of my users an .mp3 file but it is blocked. (I pretty much just go w/the MS defaults for file name/type blocking.) I figured no problem, a ruleset is the way to go. Thing is, the sample rulesets and those I've created in the past have an action of "yes" or "no".

The MailScanner.conf says the filename and filetype can be the name of a ruleset, but right now for instance,

Filename Rules = %etc-dir%/filename.rules.conf

So if I was to make a new ruleset in the rules dir, (ending in .rules of course) what would it look like. I want to maintain the existing filename/type exclusions as a default, but allow this one fellow to send the .mp3 file.

Would I have to copy the filename.rules.conf file to something like filename.exceptions.conf, rem out the line for mpegs, then create a filename.rules file that has:

From:     Joe.Blow@kokomo.com  filename.exceptions.conf
FromOrTo: default              filename.rules.conf

Then do the same for filetype?

Seems like overkill to have to make a custom filename/type file for each exception but maybe that's how it's done?

TIA...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From lshaw at emitinc.com Fri Aug 4 18:26:23 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Fri Aug 4 18:26:41 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040911l68008e80w115ebf588301e6be@mail.gmail.com> References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> <223f97700608040911l68008e80w115ebf588301e6be@mail.gmail.com> Message-ID: On Fri, 4 Aug 2006, Glenn Steen wrote: > On 04/08/06, Peter Peters wrote: >> Yes, I would want to block OoO's trying to get outside the university >> but keep the OoO's flowing between the departments. >> > Well then, you'd have two problems: > 1) Identifying an OoO. > 2) selectively disallowing them to exit your organization. > > I'd look into making a set of SA rules to facilitate this. One or two > to identify that the message really is an OoO, that it originates from > one of your subdomains, and finally one rule to combine those results > and giving that one a truly hefty score, pushing it into the high > scoring spam category. One down side of that approach is that scoring a legit user's message (even if an OoO) as spam will screw up that user's SpamAssassin AWL average, thus affecting the user's other messages. - Logan From TGFurnish at herffjones.com Fri Aug 4 18:27:32 2006 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Fri Aug 4 18:27:35 2006 Subject: simple question? use multiple 'always looked up last' functions? Message-ID: <57573D714A832C43B9D80EAFBDA48D030135711D@inex3.herffjones.hj-int> What's the best/cleanest/simplest way to use more than one function for Always Looked Up Last? In particular, I'd like to use IPBlock and MailWatch at the same time. Do I have to write a new, combined function? 
Please say no... :-) -- Trever Furnish, tgfurnish@herffjones.com Herff Jones, Inc. Unix / Network Administrator From ckowarzik at email.de Fri Aug 4 18:33:22 2006 From: ckowarzik at email.de (Christian Kowarzik) Date: Fri Aug 4 18:35:40 2006 Subject: mailscanner and SMTP AUTH In-Reply-To: <01af01c6b7ce$f24b6090$4f02a8c0@ew> References: <01af01c6b7ce$f24b6090$4f02a8c0@ew> Message-ID: <44D384E2.40205@email.de> Hi Eric ewr@erols.com schrieb: > Thanks Christian! > > I like this idea and think it will work well. I am not entirely up to speed (yet) on how the SA > rules work and have a question about it. > > Does this rule only check the first Received header? No, both rules check all received headers of the mail. > I want to make sure that a forged Received header farther down the email doesn't get the -20 > deduct. The meta rule will *only* match if all received lines in the email are "authenticated". The meta rule will *not* match if there are any "non-authenticated" received headers in the email. And this is exactly what we want ;-) Christian > > Sorry for my ignorance! > > Thanks! 
> > Eric > >> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Christian Kowarzik Sent: >> Friday, August 04, 2006 4:40 AM To: MailScanner discussion Subject: Re: mailscanner and SMTP >> AUTH >> >> Hi >> >> I use the following spamassassin rules in my /etc/mail/spamassassin/local.cf to decrease the >> spamassassin score for email senders using smtp auth: >> >> >> header __OUR_AUTH Received =~ /authenticated .* by smtp\.xxx\.de/i header >> __NOT_OUR_AUTH Received !~ /authenticated .* by smtp\.xxx\.de/i meta >> INIT_RECVD_OUR_AUTH __OUR_AUTH && ( __NOT_OUR_AUTH == 0) describe >> INIT_RECVD_OUR_AUTH Initially received by us using authentication tflags >> INIT_RECVD_OUR_AUTH nice score INIT_RECVD_OUR_AUTH -20 >> >> First I test that the email was received using smtp-auth and second i test that there exists no >> "non-authenticated" received lines in the email header. So if both conditions are true I know >> that my email server initially received that email and the sender is authenticated. >> >> Christian >> >> Radu Spineanu schrieb: >>> Hi >>> >>> Can mailscanner be configured to ignore all checks for >> messages sent via >>> smtp auth? >>> >>> In my current setup, when i try to send an email from home using SMTP AUTH it's marked as >>> SPAM because if fails SPF and some RBL checks (ip block was added in rbls as it's used for >>> home use). >>> >>> Radu >> -- MailScanner mailing list mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>

From mgt at stellarcore.net Fri Aug 4 18:55:53 2006
From: mgt at stellarcore.net (Mike Tremaine)
Date: Fri Aug 4 18:56:03 2006
Subject: Subject: MS Status not Reporting in Logwatch
In-Reply-To: <200608041741.k74HfrM5013558@bkserver.blacknight.ie>
References: <200608041741.k74HfrM5013558@bkserver.blacknight.ie>
Message-ID: <1154714153.3202.10.camel@dwarfstar.stellarcore.net>

> From: "Daniel Straka"
> Subject: MS Status not Reporting in Logwatch
> To:
> Message-ID: <44D303AB.61A4.0000.0@caspercollege.edu>
> Content-Type: text/plain; charset="us-ascii"
>
> I recently installed a new MailScanner machine with SUSE Enterprise 10
> and sendmail, I was previously on RedHat 7.3. Logwatch does not display
> the MailScanner Status section as it did with Redhat. Also SUSE has different
> mail logging (ie, several mail log files mail, mail.info, mail.err, mail.warn)
> whereas Redhat had only the file "maillog".
>
> Can anyone guide me with how to get Logwatch to report the MailScanner
> Status section for me on this system?
>
> Thanks,

I don't have SuSE to verify the paths but the general idea is to copy

/usr/share/logwatch/default.conf/logfiles/maillog.conf

to

/etc/logwatch/conf/logfiles/maillog.conf

And edit

LogFile = maillog
LogFile = syslog

To cover all the logfiles you want to look at. [This is one of the reasons there is a dist.conf directory also so distribution can set this stuff up for you.
:/]

Any follow ups to this should go to logwatch at logwatch org as this is not a MailScanner problem - Thanks

-Mike

From ckowarzik at email.de Fri Aug 4 19:02:32 2006
From: ckowarzik at email.de (Christian Kowarzik)
Date: Fri Aug 4 19:00:08 2006
Subject: mailscanner and SMTP AUTH
In-Reply-To: <44D307CE.7020806@email.de>
References: <44D134DF.3080102@smartpost.ro> <44D307CE.7020806@email.de>
Message-ID: <44D38BB8.7060605@email.de>

Hi

This works for sendmail received headers (we use sendmail 8.12.11-4 on RHEL3) as sendmail adds the word "authenticated" (and more) to the received header if the email was received using smtp-auth.

For the format of your received header, look for "HReceived:" in your sendmail.cf or for "confRECEIVED_HEADER" in your sendmail.mc.

Christian

Christian Kowarzik wrote:
> Hi
>
> I use the following spamassassin rules in my
> /etc/mail/spamassassin/local.cf to decrease the spamassassin score for
> email senders using smtp auth:
>
>
> header   __OUR_AUTH           Received =~ /authenticated .* by smtp\.xxx\.de/i
> header   __NOT_OUR_AUTH       Received !~ /authenticated .* by smtp\.xxx\.de/i
> meta     INIT_RECVD_OUR_AUTH  __OUR_AUTH && ( __NOT_OUR_AUTH == 0)
> describe INIT_RECVD_OUR_AUTH  Initially received by us using authentication
> tflags   INIT_RECVD_OUR_AUTH  nice
> score    INIT_RECVD_OUR_AUTH  -20
>
> First I test that the email was received using smtp-auth and second I
> test that there exists no "non-authenticated" received lines in the
> email header.
> So if both conditions are true I know that my email server initially
> received that email and the sender is authenticated.
>
> Christian
>
> Radu Spineanu wrote:
>> Hi
>>
>> Can mailscanner be configured to ignore all checks for messages sent via
>> smtp auth?
>>
>> In my current setup, when I try to send an email from home using SMTP
>> AUTH it's marked as SPAM because it fails SPF and some RBL checks (ip
>> block was added in rbls as it's used for home use).
>>
>> Radu

From radus at smartpost.ro Fri Aug 4 19:22:01 2006
From: radus at smartpost.ro (Radu Spineanu)
Date: Fri Aug 4 19:22:08 2006
Subject: mailscanner and SMTP AUTH
In-Reply-To: <44D38BB8.7060605@email.de>
References: <44D134DF.3080102@smartpost.ro> <44D307CE.7020806@email.de> <44D38BB8.7060605@email.de>
Message-ID: <44D39049.5050808@smartpost.ro>

Hi

For postfix I think "smtpd_sasl_authenticated_header" is needed which was added in 2.3.

Radu

Christian Kowarzik wrote:
> Hi
>
> This works for sendmail received headers (we use sendmail 8.12.11-4 on
> RHEL3) as sendmail adds the word "authenticated" (and more) to the
> received header if the email was received using smtp-auth.
>
> For the format of your received header, look for "HReceived:" in your
> sendmail.cf or for "confRECEIVED_HEADER" in your sendmail.mc.
>
> Christian
>
> Christian Kowarzik wrote:
>> Hi
>>
>> I use the following spamassassin rules in my
>> /etc/mail/spamassassin/local.cf to decrease the spamassassin score for
>> email senders using smtp auth:
>>
>>
>> header   __OUR_AUTH           Received =~ /authenticated .* by smtp\.xxx\.de/i
>> header   __NOT_OUR_AUTH       Received !~ /authenticated .* by smtp\.xxx\.de/i
>> meta     INIT_RECVD_OUR_AUTH  __OUR_AUTH && ( __NOT_OUR_AUTH == 0)
>> describe INIT_RECVD_OUR_AUTH  Initially received by us using authentication
>> tflags   INIT_RECVD_OUR_AUTH  nice
>> score    INIT_RECVD_OUR_AUTH  -20
>>
>> First I test that the email was received using smtp-auth and second I
>> test that there exists no "non-authenticated" received lines in the
>> email header.
>> So if both conditions are true I know that my email server initially
>> received that email and the sender is authenticated.
>>
>> Christian
>>
>> Radu Spineanu wrote:
>>> Hi
>>>
>>> Can mailscanner be configured to ignore all checks for messages sent via
>>> smtp auth?
>>> >>> In my current setup, when i try to send an email from home using SMTP >>> AUTH it's marked as SPAM because if fails SPF and some RBL checks (ip >>> block was added in rbls as it's used for home use). >>> >>> Radu From mailscanner at ecs.soton.ac.uk Fri Aug 4 21:39:00 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 4 21:39:14 2006 Subject: simple question? use multiple 'always looked up last' functions? In-Reply-To: <57573D714A832C43B9D80EAFBDA48D030135711D@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D030135711D@inex3.herffjones.hj-int> Message-ID: <44D3B064.9000809@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Furnish, Trever G wrote: > What's the best/cleanest/simplest way to use more than one function for > Always Looked Up Last? > > In particular, I'd like to use IPBlock and MailWatch at the same time. > Do I have to write a new, combined function? Please say no... :-) You need to write a combined function that just calls the others. So yes, but it only needs to be a 2-liner. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE07BmEfZZRxQVtlQRAmEEAKDaJAF+L4aa4Av6/vbZk/2lbL2JFwCgowoc E1BuFUg/iZhZFb1nUmNhzwo= =1TBD -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. 
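Added example, not code from any poster in this archive and not part of SpamAssassin: the condition described in the "mailscanner and SMTP AUTH" thread above (treat a message as an authenticated submission only when every Received header records authenticated receipt by our own relay), evaluated one header at a time. The relay name smtp.example.test, the function names and the three sample messages are constructed for illustration; the headers are modelled on the sendmail "authenticated" wording the thread mentions.

```python
import re
from email import message_from_string

# Assumed relay name; the thread's rules show the real one redacted as smtp.xxx.de.
RELAY_HOST = "smtp.example.test"


def received_hops(raw_message):
    """Return every Received header as one unfolded line, newest hop first."""
    msg = message_from_string(raw_message)
    return [re.sub(r"\s+", " ", value).strip()
            for value in msg.get_all("Received", [])]


def is_authenticated_hop(header, relay_host=RELAY_HOST):
    """True if this single header records authenticated receipt by relay_host."""
    # The host name must match as a whole, not as the start of a longer name.
    pattern = (r"\(authenticated\b[^)]*\)\s+by\s+"
               + re.escape(relay_host) + r"(?![\w.-])")
    return re.search(pattern, header, re.IGNORECASE) is not None


def classify(raw_message, relay_host=RELAY_HOST):
    """Classify a message by looking at each Received header on its own."""
    hops = received_hops(raw_message)
    if not hops:
        return "no-received"
    flags = [is_authenticated_hop(hop, relay_host) for hop in hops]
    if all(flags):
        return "authenticated-only"   # the only case that should earn the bonus
    if any(flags):
        return "mixed"                # an "authenticated" line sits beside other hops
    return "unauthenticated"


def deserves_auth_bonus(raw_message, relay_host=RELAY_HOST):
    """Equivalent of the negative score in the thread: all hops must be ours."""
    return classify(raw_message, relay_host) == "authenticated-only"


# Constructed sample 1: a user submitting from home with SMTP AUTH.
SUBMITTED = """\
Received: from laptop (home.example.net [192.0.2.10])
\t(authenticated bits=0)
\tby smtp.example.test (8.12.11/8.12.11) with ESMTP id k74AAA01;
\tFri, 4 Aug 2006 10:00:00 +0200
From: user@example.test
Subject: sent from home

body
"""

# Constructed sample 2: unauthenticated inbound mail that already carried an
# "authenticated" Received line when it arrived (the case asked about in the thread).
FORGED_BELOW = """\
Received: from mx (mx.example.org [198.51.100.7])
\tby smtp.example.test (8.12.11/8.12.11) with ESMTP id k74BBB02;
\tFri, 4 Aug 2006 10:05:00 +0200
Received: from pc (pc.example.org [203.0.113.5])
\t(authenticated bits=0)
\tby smtp.example.test (8.12.11/8.12.11) with ESMTP id k74CCC03;
\tFri, 4 Aug 2006 10:04:00 +0200
From: someone@example.org
Subject: inbound

body
"""

# Constructed sample 3: ordinary inbound mail, no authentication anywhere.
INBOUND = """\
Received: from mx (mx.example.org [198.51.100.7])
\tby smtp.example.test (8.12.11/8.12.11) with ESMTP id k74DDD04;
\tFri, 4 Aug 2006 10:06:00 +0200
From: someone@example.org
Subject: inbound

body
"""

if __name__ == "__main__":
    for name, raw in (("SUBMITTED", SUBMITTED),
                      ("FORGED_BELOW", FORGED_BELOW),
                      ("INBOUND", INBOUND)):
        print(name, classify(raw), deserves_auth_bonus(raw))
```

Running the same per-header check over a few real messages from your own relay shows whether its Received format carries the "authenticated" marker at all before any score is attached to it.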
From jgolden at ci.grand-rapids.mi.us Fri Aug 4 21:38:43 2006
From: jgolden at ci.grand-rapids.mi.us (Golden, James)
Date: Fri Aug 4 21:41:10 2006
Subject: Retreiving attachments
Message-ID: <1154723924.8831.4.camel@doit-b8wsw21.grand-rapids.mi.us>

Hello,

I have been wasting my whole day trying to figure out how to do this. Can anyone help besides telling me to install Mailwatch (because it's not an option right now).

I have messages that are being snagged by MailScanner because the attachment is too large. When I go to the directory the attachment is in binary in the message.

I tried using a sendmail -t < message, but of course it gets snagged again by MS. Is there an option I'm missing to store the attachments separately from the message, is there a way to send this on without it being scanned? Is there a way to get the attachment out of the message?

I need help soon as this is becoming a large issue today (about 6 end users) and my boss is hearing about it!

Thanks,

James

From r.berber at computer.org Fri Aug 4 21:40:32 2006
From: r.berber at computer.org (René Berber)
Date: Fri Aug 4 21:41:14 2006
Subject: ClamAV on FreeBSD - ports or Perl module?
In-Reply-To: <44D35E99.7020507@tulsaconnect.com>
References: <44D35E99.7020507@tulsaconnect.com>
Message-ID:

TCIS wrote:
[snip]
> Tried installing Mail-ClamAV from ports, it installed fine (other than
> the threaded Perl warning), but when I try to use it:
>
> Aug 4 09:45:15 mx5 MailScanner[42648]: ClamAV Perl module not found,
> did you install it?

Do you have more than one perl version installed?

> but yet:
>
> $ ls -al /var/db/pkg/ | grep ClamAV
> drwxr-xr-x 2 root wheel 512 Aug 2 11:38 p5-Mail-ClamAV-0.17
>
> ..it is clearly installed..

Clearly?
Use cpan, inside the shell use "i Mail::ClamAV" that will tell you if it really is installed.

If you have more than one version of perl, then make sure the module was installed to the same perl used by MailScanner.

--
René Berber

From mailscanner at ecs.soton.ac.uk Fri Aug 4 21:41:38 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Aug 4 21:41:51 2006
Subject: filename/type exceptions
In-Reply-To:
References:
Message-ID: <44D3B102.50304@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kevin Miller wrote:
> It's the end of the week, I'd rather be out fishing, and most of my
> latte is still in the cup so indulge me please if I'm being braindead.
> A person is trying to send some of my users an .mp3 file but it is
> blocked. (I pretty much just go w/the MS defaults for file name/type
> blocking.) I figured no problem, a ruleset is the way to go. Thing is,
> the sample rulesets and those I've created in the past have an action of
> "yes" or "no".
>
> The MailScanner.conf says the filename and filetype can be the name of a
> ruleset, but right now for instance,
> Filename Rules = %etc-dir%/filename.rules.conf
>
> So if I was to make a new ruleset in the rules dir, (ending in .rules of
> course) what would it look like. I want to maintain the existing
> filename/type exclusions as a default, but allow this one fellow to send
> the .mp3 file.
>
> Would I have to copy the filename.rules.conf file to something like
> filename.exceptions.conf, rem out the line for mpegs, then create a
> filename.rules file that has:
>
> From:     Joe.Blow@kokomo.com  filename.exceptions.conf
> FromOrTo: default              filename.rules.conf
>
> Then do the same for filetype?
>
> Seems like overkill to have to make a custom filename/type file for each
> exception but maybe that's how it's done?

The easy solution is to see the "Allow Filetypes" setting in MailScanner.conf. This saves you having to mess around with multiple filetype.rules.conf files.
Similar for filenames as well.

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE07EEEfZZRxQVtlQRAnvsAJ9UsHeSGMAbbhbXO7cp2T++aHGqhQCgo4q/
pWGePXZNHxhbEtIqTzoF6K4=
=/ac5
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

From jgolden at ci.grand-rapids.mi.us Fri Aug 4 22:10:19 2006
From: jgolden at ci.grand-rapids.mi.us (Golden, James)
Date: Fri Aug 4 22:09:51 2006
Subject: Retreiving attachments
In-Reply-To: <1154723924.8831.4.camel@doit-b8wsw21.grand-rapids.mi.us>
References: <1154723924.8831.4.camel@doit-b8wsw21.grand-rapids.mi.us>
Message-ID: <1154725820.8831.6.camel@doit-b8wsw21.grand-rapids.mi.us>

The attachments seem to be .doc or .xls or others and the client always seems to be Outlook.

On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote:
> Hello,
>
> I've been wasting my whole day trying to figure out how to do
> this. Can anyone help besides telling me to install Mailwatch
> (because it's not an option right now)?
>
> I have messages that are being snagged by MailScanner because the
> attachment is too large. When I go to the directory the attachment is
> in binary in the message.
>
> I tried using a sendmail -t < message, but of course it gets snagged
> again by MS. Is there an option I'm missing to store the attachments
> separately from the message, is there a way to send this on without it
> being scanned? Is there a way to get the attachment out of the
> message?
>
> I need help soon as this is becoming a large issue today (about 6 end
> users) and my boss is hearing about it!
>
> Thanks,
>
> James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060804/fa919d9c/attachment.html

From dwinkler at algorithmics.com Fri Aug 4 21:07:09 2006
From: dwinkler at algorithmics.com (Derek Winkler)
Date: Fri Aug 4 22:14:56 2006
Subject: http://lists.mailscanner.info/mailman/listinfo/mailscanner not Working
Message-ID: <23675CFC52BBC44EB355406A3A8A0491FC9CB0@TORMAIL.algorithmics.com>

I can't access the list management URL...

http://lists.mailscanner.info/mailman/listinfo/mailscanner

Trying to disable mail delivery as I'll be turning on OoO, please forgive me if you get my OoO.

This email and any files transmitted with it are confidential and proprietary to Algorithmics Incorporated and its affiliates ("Algorithmics"). If received in error, use is prohibited. Please destroy, and notify sender. Sender does not waive confidentiality or privilege. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. Algorithmics does not accept liability for any errors or omissions. Any commitment intended to bind Algorithmics must be reduced to writing and signed by an authorized signatory.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060804/90450ee4/attachment.html

From mailscanner at yeticomputers.com Fri Aug 4 22:17:31 2006
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Fri Aug 4 22:17:43 2006
Subject: Retreiving attachments
In-Reply-To: <1154723924.8831.4.camel@doit-b8wsw21.grand-rapids.mi.us>
References: <1154723924.8831.4.camel@doit-b8wsw21.grand-rapids.mi.us>
Message-ID: <44D3B96B.8030908@yeticomputers.com>

You could try increasing the maximum allowed attachment size temporarily and resubmitting those messages. Maybe consider permanently increasing the maximum attachment size to accommodate the files your users actually send. Try to get your boss to let you limit the size to something reasonable, although I know how hard that can be.

Rick

Golden, James wrote:
> Hello,
>
> I've been wasting my whole day trying to figure out how to do
> this. Can anyone help besides telling me to install Mailwatch
> (because it's not an option right now)?
>
> I have messages that are being snagged by MailScanner because the
> attachment is too large. When I go to the directory the attachment is
> in binary in the message.
>
> I tried using a sendmail -t < message, but of course it gets snagged
> again by MS. Is there an option I'm missing to store the attachments
> separately from the message, is there a way to send this on without it
> being scanned? Is there a way to get the attachment out of the message?
>
> I need help soon as this is becoming a large issue today (about 6 end
> users) and my boss is hearing about it!
>
> Thanks,
>
> James

From ssilva at sgvwater.com Fri Aug 4 22:48:16 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Aug 4 22:48:28 2006
Subject: blocking out-of-office
In-Reply-To: <223f97700608040913g4c5a9ce0p60ab1545599bcfdd@mail.gmail.com>
References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> <223f97700608040913g4c5a9ce0p60ab1545599bcfdd@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 8/4/2006 9:13 AM:
> On 04/08/06, Peter Peters wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Glenn Steen wrote on 4-8-2006 16:10:
>>
>> >> But we have a lot of organizations in our organization. A lot of the
>> >> (bigger) departments run their own exchange. And while the AD is
>> shared
>> >> they still tend to send e-mail from one department to the other
>> through
>> >> SMTP (which is good because it gets scanned by MailScanner).
>> >
>> > Um, I'm feeling more than the usual tad slow here (Friday afternoon
>> > syndrome:-), are you saying you want to block all OoO trying to exit
>> > the "superorganisation" or the ones bouncing around between
>> > suborganisations?
>> > SA rule(s) could help you, I suppose, if you want something selective
>> > (PF header_checks are bit limited so wouldn't handle that
>> > gracefully:-).
>>
>> Yes, I would want to block OoO's trying to get outside the university
>> but keep the OoO's flowing between the departments.
>>
> Well then, you'd have two problems:
> 1) Identifying an OoO.
> 2) selectively disallowing them to exit your organization.
>
> I'd look into making a set of SA rules to facilitate this.
> One or two
> to identify that the message really is an OoO, that it originates from
> one of your subdomains, and finally one rule to combine those results
> and giving that one a truly hefty score, pushing it into the high
> scoring spam category.
> Either that, or go the CustomFunction route (or perhaps even try to
> make something out of the generic AV option).
> My Friday-afternoon-syndrome has moved on to Friday-evening-syndrome
> (into my first beer and fired up the grill), so I'd not trust myself
> further than that:-)
>
> Cheers

Tip one for us!!!

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From steve.swaney at fsl.com Fri Aug 4 22:50:49 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Fri Aug 4 22:48:58 2006
Subject: Retreiving attachments
In-Reply-To: <1154725820.8831.6.camel@doit-b8wsw21.grand-rapids.mi.us>
Message-ID: <0b7d01c6b810$0cd549d0$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Golden, James
> Sent: Friday, August 04, 2006 5:10 PM
> To: MailScanner discussion
> Subject: Re: Retreiving attachments
>
> The attachments seem to be .doc or .xls or others and the client always
> seems to be Outlook.
>
> On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote:
>
>
> Hello,
>
> I've been wasting my whole day trying to figure out how to do
> this. Can anyone help besides telling me to install Mailwatch
> (because it's not an option right now)?
>
> I have messages that are being snagged by MailScanner because the
> attachment is too large. When I go to the directory the attachment is in
> binary in the message.
>
> I tried using a sendmail -t < message, but of course it gets snagged
> again by MS. Is there an option I'm missing to store the attachments
> separately from the message, is there a way to send this on without it
> being scanned?
> Is there a way to get the attachment out of the message?
>
> I need help soon as this is becoming a large issue today (about 6
> end users) and my boss is hearing about it!
>
> Thanks,
>
> James

You need to create rulesets that exempt the localhost from attachment filename and filetype checking. If you have a Red Hat, CentOS or SuSE system, the following paths will be correct. They will vary on other systems but the same principles will work.

First create two files:

    /etc/MailScanner/filename.rules.allowall.conf
    /etc/MailScanner/filetype.rules.allowall.conf

The contents of each file will be identical:

    allow   .*   -   -

The spaces MUST be Tabs so the contents of both files is really:

    allow<Tab>.*<Tab>-<Tab>-

Then create the file /etc/MailScanner/rules/filename.rules. The contents of this file should be:

    # Allow all filenames from localhost
    From:       127.0.0.1   /etc/MailScanner/filename.rules.allowall.conf
    # Default entry
    FromOrTo:   default     /etc/MailScanner/filename.rules.conf

Then create the file /etc/MailScanner/rules/filetype.rules. The contents of this file should be:

    # Allow all filetypes from localhost
    From:       127.0.0.1   /etc/MailScanner/filetype.rules.allowall.conf
    # Default entry
    FromOrTo:   default     /etc/MailScanner/filetype.rules.conf

Then edit /etc/MailScanner.conf to call the new rulesets. Change the setting for Filename Rules to be:

    Filename Rules = %rules-dir%/filename.rules

And change the setting for Filetype Rules to be:

    Filetype Rules = %rules-dir%/filetype.rules

Then reload MailScanner. You should now be able to release the files using the `sendmail -t < message` command without MailScanner re-quarantining the files.

Have a nice weekend.

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From listacct at tulsaconnect.com Fri Aug 4 22:57:51 2006
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Fri Aug 4 22:57:54 2006
Subject: ClamAV on FreeBSD - ports or Perl module?
In-Reply-To:
References: <44D35E99.7020507@tulsaconnect.com>
Message-ID: <44D3C2DF.8090303@tulsaconnect.com>

René Berber wrote:
> Do you have more than one perl version installed?
>

Nope. Fresh FreeBSD 6.1 install..

> Clearly? Use cpan, inside the shell use "i Mail::ClamAV" that will tell you if
> it really is installed.
>
> If you have more than one version of perl, then make sure the module was
> installed to the same perl used by MailScanner.

Module id = Mail::ClamAV
    CPAN_USERID   SABECK (Scott Beck )
    CPAN_VERSION  0.17
    CPAN_FILE     S/SA/SABECK/Mail-ClamAV-0.17.tar.gz
    UPLOAD_DATE   2005-03-08
    DSLIP_STATUS  (,,,,)
    MANPAGE       Mail::ClamAV - Perl extension for the clamav virus scanner
    INST_FILE     /usr/local/lib/perl5/site_perl/5.8.8/mach/Mail/ClamAV.pm
    INST_VERSION  0.17

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From danc at bluestarshows.com Fri Aug 4 22:58:12 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Fri Aug 4 23:01:47 2006
Subject: Sendmail question
References: <003d01c6b7d7$b331e100$0200000a@danc3>
Message-ID: <001901c6b811$1525ee40$0200000a@danc3>

I got it to work via mutt but not using PHP
yahoo marks it as bulk because the
Return-Path: nobody@mydomain.com
if I use the -f I can change the Return-Path:
but then yahoo marks it as bulk because of this:
X-Authentication-Warning mydomain.com: nobody set sender to me@mydomain.com using -f

Sorry about the off-topic post
time to search google.

----- Original Message -----
From: "Ugo Bellavance"
To:
Sent: Friday, August 04, 2006 12:10 PM
Subject: Re: Sendmail question

> Kevin Miller wrote:
> > Dan Carl wrote:
> >> Anyone willing to answer a sendmail question?
> >> Or at least point me in the right direction.
> >> (I don't have news)
> >> I can send mail fine thru my sendmail/MailScanner server with
> >> windows clients but when I send it thru from my other linux server
> >> Yahoo marks it as BULK(spam).
> >> Thanks
> >> Dan
> >
> > So Yahoo bounces spam? I'd have thought they were more on the ball than
> > that. Not much to go on here - what error's being returned? It might
> > be instructive to see a post from one of your linux boxes. I noted that
> > this one came from Outlook Express.
>
> He said that Yahoo marks it, not bounces it.
>
> >
> > Are you using SPF? If so, do you have all your servers listed?
> >
> > Do your linux servers send directly or do they use
> > mail.bluestarshows.com?
>
> -> good points...
>
> >
> > ...Kevin
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From steve.swaney at fsl.com Fri Aug 4 23:12:42 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Fri Aug 4 23:10:51 2006
Subject: Retreiving attachments
In-Reply-To: <44D3B96B.8030908@yeticomputers.com>
Message-ID: <0ba401c6b813$1ceea890$287ba8c0@office.fsl>

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Rick Chadderdon
> Sent: Friday, August 04, 2006 5:18 PM
> To: MailScanner discussion
> Subject: Re: Retreiving attachments
>
> You could try increasing the maximum allowed attachment size temporarily
> and resubmitting those messages. Maybe consider permanently increasing
> the maximum attachment size to accommodate the files your users actually
> send. Try to get your boss to let you limit the size to something
> reasonable, although I know how hard that can be.
>
> Rick
>
> Golden, James wrote:
> > Hello,
> >
> > I've been wasting my whole day trying to figure out how to do
> > this. Can anyone help besides telling me to install Mailwatch
> > (because it's not an option right now)?
> >
> > I have messages that are being snagged by MailScanner because the
> > attachment is too large. When I go to the directory the attachment is
> > in binary in the message.
> >
> > I tried using a sendmail -t < message, but of course it gets snagged
> > again by MS. Is there an option I'm missing to store the attachments
> > separately from the message, is there a way to send this on without it
> > being scanned? Is there a way to get the attachment out of the
> message?
> >
> > I need help soon as this is becoming a large issue today (about 6 end
> > users) and my boss is hearing about it!
> >
> > Thanks,
> >
> > James

Sorry I misunderstood. My previous posting will allow the release of messages that have been trapped by filename and filetype rules.

To release a message that has an attachment that is too large, just temporarily remove the Maximum Attachment Size limit in MailScanner.conf:

    # -1 = no limit is checked (0 would allow no attachments at all)
    Maximum Attachment Size = -1

Release the message and then set back to the original setting.

You could also create a ruleset:

    Maximum Attachment Size = %rules-dir%/max.attachment.rules

where /etc/MailScanner/rules/max.attachment.rules contains:

    # allow anything for local host (-1 = no size limit)
    From:       127.0.0.1   -1
    FromOrTo:   default     10000000

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From res at ausics.net Sat Aug 5 04:38:22 2006
From: res at ausics.net (Res)
Date: Sat Aug 5 04:38:36 2006
Subject: Sendmail question
In-Reply-To:
References: <003d01c6b7d7$b331e100$0200000a@danc3>
Message-ID:

On Fri, 4 Aug 2006, Ugo Bellavance wrote:
>
> He said that Yahoo marks it, not bounces it.
pity they did not mark their own spamming scum as spammers

--
Cheers
Res

From alex at nkpanama.com Sat Aug 5 06:28:21 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Sat Aug 5 06:28:44 2006
Subject: ignored messeges
In-Reply-To: <44D36392.6000009@abacom.com>
References: <44D36392.6000009@abacom.com>
Message-ID: <44D42C75.7000303@nkpanama.com>

Chris Conn wrote:
>
>
> Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> df files without qf files are just left-over junk from things like
>> broken TCP connections and stuff like that. df files without qf
>> files (or vice versa) can just be deleted.
>>
>
> #!/bin/sh
>
> cd /var/spool/mqueue.in/
> find ./ -daystart -ctime +1|xargs rm
>
>
> Gets rid of files that are a couple of days old or older in the
> mqueue.in directory (change it to the right path if not the same).
>
> Chris
>

Shouldn't it read...

    find ./ -daystart -ctime +1|xargs -r rm

... so that if there aren't any files to delete you won't get an error message?

From glenn.steen at gmail.com Sat Aug 5 08:47:46 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Aug 5 08:47:49 2006
Subject: blocking out-of-office
In-Reply-To:
References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> <223f97700608040911l68008e80w115ebf588301e6be@mail.gmail.com>
Message-ID: <223f97700608050047x3b63e572g2a8fc95b517527f7@mail.gmail.com>

On 04/08/06, Logan Shaw wrote:
> On Fri, 4 Aug 2006, Glenn Steen wrote:
> > On 04/08/06, Peter Peters wrote:
> >> Yes, I would want to block OoO's trying to get outside the university
> >> but keep the OoO's flowing between the departments.
> >>
> > Well then, you'd have two problems:
> > 1) Identifying an OoO.
> > 2) selectively disallowing them to exit your organization.
> >
> > I'd look into making a set of SA rules to facilitate this. One or two
> > to identify that the message really is an OoO, that it originates from
> > one of your subdomains, and finally one rule to combine those results
> > and giving that one a truly hefty score, pushing it into the high
> > scoring spam category.
>
> One down side of that approach is that scoring a legit user's
> message (even if an OoO) as spam will screw up that user's
> SpamAssassin AWL average, thus affecting the user's other
> messages.
>
> - Logan

Yep. But that would be where MCP could make a difference... If one can get the two different calls to SA to not interfere with each other (I started looking at MCP earlier this week, and I have some doubts... Need to check more before airing those doubts on the list though. Might be me misunderstanding something:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From bgmahesh at gmail.com Sat Aug 5 08:50:29 2006
From: bgmahesh at gmail.com (BG Mahesh)
Date: Sat Aug 5 08:50:31 2006
Subject: Envelope-To and Bcc
Message-ID: <5227ac5c0608050050p6f11f7a3g232a7f65eb65800f@mail.gmail.com>

# Do you want to add the Envelope-To: header?
# This can be useful for tracking spam destinations, but should be
# used with care due to possible privacy concerns with the use of
# Bcc: headers by users.
# This can also be the filename of a ruleset.
Add Envelope To Header = no

Is there any way to use the above feature without compromising on privacy? I see that bcc info is included in the Envelope-To line [as clearly mentioned in the docs].

--
--
B.G. Mahesh
http://www.oneindia.in/
http://www.click.in/ - Free Indian Classifieds
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060805/f91a2377/attachment.html

From glenn.steen at gmail.com Sat Aug 5 08:50:39 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Aug 5 08:50:42 2006
Subject: blocking out-of-office
In-Reply-To:
References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> <223f97700608040913g4c5a9ce0p60ab1545599bcfdd@mail.gmail.com>
Message-ID: <223f97700608050050w5460c22coa3c7111c95fb2494@mail.gmail.com>

On 04/08/06, Scott Silva wrote:
> Glenn Steen spake the following on 8/4/2006 9:13 AM:
(snip)
> > My Friday-afternoon-syndrome has moved on to Friday-evening-syndrome
> > (into my first beer and fired up the grill), so I'd not trust myself
> > further than that:-)
> >
> > Cheers
> Tip one for us!!!

My headache tells me that I tipped not only one, but several.... So... Feel duly saluted;-).
Now where did I put that hangover rectification tool (HORT == aspirin;)...

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From chrisgreen at hotmail.com Sat Aug 5 09:28:28 2006
From: chrisgreen at hotmail.com (Chris Green)
Date: Sat Aug 5 09:28:36 2006
Subject: blocking out-of-office
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D15017B3F6C@woodenex.woodmaclaw.local>
Message-ID:

Billy Pumphrey wrote:
> > >>My employees report that when they have the out of office turned on
>they
> > >>receive more spam.....
> > >
> > >
> > >I don't know how the two are related. Most spam I see doesn't have a
> > valid
> > >reply address.
> > >
> > >My suggestion is to use a *nix based autoresponder. Have it only
>reply to
> > >addresses in your address book. Or better yet, ditch the
>autoresponder.
> > >
> > Spam comes in and gets through filter
> > Out Of Office AutoReply goes out
> > Boiiiing! - NDR arrives in inbox
> > Therefore spam, in the implied sense of the word, would double.
> >
> > It pollutes auto-whitelists too, but doesn't usually expose you to
>more
> > spam
> > because bogus addresses are unlikely to be reused.
> >
> >
>
>Makes sense. I also assume that Outlook 2003's client side filter sends
>out an Out of Office response to the filtered spam that ends up in the
>junk mail folder. True?

If you are using Exchange 2003 behind Outlook 2003 the spam detection is done at the server end rather than by Outlook, so spam that it successfully detects (which is nowhere near the detection rate for MailScanner) never hits your inbox at all.

As per http://go.microsoft.com/fwlink/?LinkId=31729

"Rules and the Junk E-mail Filter
Rules are now designed so that they do not act on messages that are moved to the Junk E-mail folder. This keeps e-mail you mark as junk in the correct place rather than moving it to another folder according to a rule that would otherwise apply."

I can't be absolutely certain because it's tough to test it out, but I expect the OoO will not fire either as it seems to be a glorified rule itself - too illogical for Microsoft to miss this one.

From chrisgreen at hotmail.com Sat Aug 5 09:41:00 2006
From: chrisgreen at hotmail.com (Chris Green)
Date: Sat Aug 5 09:41:08 2006
Subject: Triggering Outlook's Junk E-mail filter
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D15017B3F6C@woodenex.woodmaclaw.local>
Message-ID:

Hi everyone,

Hope the hangovers are wearing off nicely :-)

That previous question about Outlook's out-of-office behaviour got me thinking, and Google doesn't seem to want to give me an answer.

Does anyone know if it's possible to configure a Spam Action which would cause Outlook to move the email into the Junk E-mail folder without setting up a rule on every single user's mailbox?
A special header that would fire the Outlook filter perhaps?

Chris

From mailscanner at mango.zw Sat Aug 5 10:17:27 2006
From: mailscanner at mango.zw (Jim Holland)
Date: Sat Aug 5 10:19:15 2006
Subject: Retreiving attachments
In-Reply-To: <1154723924.8831.4.camel@doit-b8wsw21.grand-rapids.mi.us>
Message-ID:

On Fri, 4 Aug 2006, Golden, James wrote:
> I've been wasting my whole day trying to figure out how to do this.
> Can anyone help besides telling me to install Mailwatch (because
> it's not an option right now)?
>
> I have messages that are being snagged by MailScanner because the
> attachment is too large. When I go to the directory the attachment is
> in binary in the message.
>
> I tried using a sendmail -t < message, but of course it gets snagged
> again by MS. Is there an option I'm missing to store the attachments
> separately from the message, is there a way to send this on without it
> being scanned? Is there a way to get the attachment out of the
> message?
>
> I need help soon as this is becoming a large issue today (about 6 end
> users) and my boss is hearing about it!

I just use the following command:

    sendmail -i -Am user@domain < message

as that will bypass MailScanner. Using -t may send the message to unwanted recipients, so I prefer to be explicit with the recipient address. The -i is just a precaution in case the message contains a single line with only a dot in it, which would otherwise be interpreted as the end of the message.
For convenience I have the following alias in .bashrc:

    alias send='/usr/sbin/sendmail -i -Am'

so I can just enter the command as:

    send user@domain < message

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From mailscanner at ecs.soton.ac.uk Sat Aug 5 11:42:58 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 5 11:43:16 2006
Subject: Envelope-To and Bcc
In-Reply-To: <5227ac5c0608050050p6f11f7a3g232a7f65eb65800f@mail.gmail.com>
References: <5227ac5c0608050050p6f11f7a3g232a7f65eb65800f@mail.gmail.com>
Message-ID: <44D47632.4060104@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

BG Mahesh wrote:
>
> # Do you want to add the Envelope-To: header?
> # This can be useful for tracking spam destinations, but should be
> # used with care due to possible privacy concerns with the use of
> # Bcc: headers by users.
> # This can also be the filename of a ruleset.
> Add Envelope To Header = no
>
> Is there any way to use the above feature without compromising on
> privacy? I see that bcc info is included in the Envelope-To line [as
> clearly mentioned in the docs].

No. Top marks for understanding the problem though, most people miss the point completely :-)

I just use the setting for testing rulesets.

It includes the Bcc as that is just a list of extra recipients who happen not to appear in the headers. Otherwise they are perfectly normal recipients, just like the To and Cc lists are.

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE1HY0EfZZRxQVtlQRAqYzAKCmrVW3exEb88XGxSi7VgFRPU4zQACcC/QG
PUP137gIvs9AHuP6h1xBqHc=
=kS26
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.

From bgmahesh at gmail.com Sat Aug 5 13:51:24 2006
From: bgmahesh at gmail.com (BG Mahesh)
Date: Sat Aug 5 13:51:27 2006
Subject: Envelope-To and Bcc
In-Reply-To: <44D47632.4060104@ecs.soton.ac.uk>
References: <5227ac5c0608050050p6f11f7a3g232a7f65eb65800f@mail.gmail.com> <44D47632.4060104@ecs.soton.ac.uk>
Message-ID: <5227ac5c0608050551g402aaccdx7bd27dca5afa4d6@mail.gmail.com>

On 8/5/06, Julian Field wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> BG Mahesh wrote:
> >
> > # Do you want to add the Envelope-To: header?
> > # This can be useful for tracking spam destinations, but should be
> > # used with care due to possible privacy concerns with the use of
> > # Bcc: headers by users.
> > # This can also be the filename of a ruleset.
> > Add Envelope To Header = no
> >
> > Is there any way to use the above feature without compromising on
> > privacy? I see that bcc info is included in the Envelope-To line [as
> > clearly mentioned in the docs].
>
> No. Top marks for understanding the problem though, most people miss the
> point completely :-)
>
> I just use the setting for testing rulesets.
>
> It includes the Bcc as that is just a list of extra recipients who
> happen not to appear in the headers. Otherwise they are perfectly normal
> recipients, just like the To and Cc lists are.
>
> - -

I somehow need sendmail to add another line like X-Rcpt-To which has just ONE email id and our other email server [mdaemon] that downloads the emails from a common pop account will use that field to deliver the email.
Currently Mdaemon is getting totally confused on whom to deliver the email without this line :-(

-- Mahesh

--
--
B.G. Mahesh
http://www.greynium.com/
http://www.oneindia.in/
http://www.click.in/ - Free Indian Classifieds
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060805/02c93af8/attachment.html

From cconn at abacom.com Sat Aug 5 13:52:59 2006
From: cconn at abacom.com (Chris Conn)
Date: Sat Aug 5 13:53:06 2006
Subject: ignored messeges
In-Reply-To: <44D42C75.7000303@nkpanama.com>
References: <44D36392.6000009@abacom.com> <44D42C75.7000303@nkpanama.com>
Message-ID: <44D494AB.7000506@abacom.com>

>>
> Shouldn't it read...
>
> find ./ -daystart -ctime +1|xargs -r rm
>
> ... so that if there aren't any files to delete you won't get an error
> message?

=) Assuming there are sometimes no files to delete, yes =)

Thanks,

Chris

From mike at vesol.com Sat Aug 5 15:39:02 2006
From: mike at vesol.com (Mike Kercher)
Date: Sat Aug 5 15:39:14 2006
Subject: Triggering Outlook's Junk E-mail filter
In-Reply-To:
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Chris Green
> Sent: Saturday, August 05, 2006 3:41 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Triggering Outlook's Junk E-mail filter
>
> Hi everyone,
>
> Hope the hangovers are wearing off nicely :-)
>
> That previous question about Outlook's out-of-office
> behaviour got me thinking, and Google doesn't seem to want to
> give me an answer.
>
> Does anyone know if it's possible to configure a Spam Action
> which would cause Outlook to move the email into the Junk
> E-mail folder without setting up a rule on every single user's
> mailbox? A special header that would fire the Outlook filter perhaps?
>
>
> Chris

What would happen if a user had the Junk Filtering turned off?
Mike

From chrisgreen at hotmail.com Sat Aug 5 16:02:54 2006
From: chrisgreen at hotmail.com (Chris Green)
Date: Sat Aug 5 16:03:01 2006
Subject: Triggering Outlook's Junk E-mail filter
In-Reply-To:
Message-ID:

Mike Kercher wrote:
> >
> > Hi everyone,
> >
> > Hope the hangovers are wearing off nicely :-)
> >
> > That previous question about Outlook's out-of-office
> > behaviour got me thinking, and Google doesn't seem to want to
> > give me an answer.
> >
> > Does anyone know if it's possible to configure a Spam Action
> > which would cause Outlook to move the email into the Junk
> > E-mail folder without setting up a rule on every single user's
> > mailbox? A special header that would fire the Outlook filter perhaps?
>
>What would happen if a user had the Junk Filtering turned off?
>

They would be encouraged to turn it back on :-)

I would expect that if they had gone in and changed this from the default they were either a) advanced users with alternative solutions; b) clever enough to realise it could result in more spam; or c) previously employed by Sainsbury's as the trolley-boy and found it a bit too mentally challenging.

Apologies to all for forgetting to flag this OT. I have posted the same question on an Outlook discussion list and will share the answer here if I get one.

From mailscanner at ecs.soton.ac.uk Sat Aug 5 21:13:15 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 5 21:13:33 2006
Subject: Envelope-To and Bcc
In-Reply-To: <5227ac5c0608050551g402aaccdx7bd27dca5afa4d6@mail.gmail.com>
References: <5227ac5c0608050050p6f11f7a3g232a7f65eb65800f@mail.gmail.com> <44D47632.4060104@ecs.soton.ac.uk> <5227ac5c0608050551g402aaccdx7bd27dca5afa4d6@mail.gmail.com>
Message-ID: <44D4FBDB.2080702@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

BG Mahesh wrote:
>
>
> On 8/5/06, *Julian Field* > wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> BG Mahesh wrote:
> >
> > # Do you want to add the Envelope-To: header?
> > # This can be useful for tracking spam destinations, but should be
> > # used with care due to possible privacy concerns with the use of
> > # Bcc: headers by users.
> > # This can also be the filename of a ruleset.
> > Add Envelope To Header = no
> >
> > Is there any way to use the above feature without compromising on
> > privacy? I see that bcc info is included in the Envelope-To line [as
> > clearly mentioned in the docs].
>
> No. Top marks for understanding the problem though, most people miss the
> point completely :-)
>
> I just use the setting for testing rulesets.
>
> It includes the Bcc as that is just a list of extra recipients who
> happen not to appear in the headers. Otherwise they are perfectly normal
> recipients, just like the To and Cc lists are.
>
> - -
>
>
>
> I somehow need sendmail to add another line like X-Rcpt-To which has
> just ONE email id and our other email server [mdaemon] that downloads
> the emails from a common pop account will use that field to deliver the
> email. Currently Mdaemon is getting totally confused on whom to deliver
> the email without this line :-(

There is no way of telling which recipient is more important than any other recipient. They are just a list. I can't help your totally broken software, sorry.

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE1PveEfZZRxQVtlQRAgKrAJ42dtHN6zUhBtOFahBJujZz72bEUQCg/x1k
JmygxSo0m3pSY0t4tuwdEpc=
=Ck3s
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
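Added example (not part of the thread and not MailScanner's code): the Bcc disclosure discussed above, modelled in Python. It assumes the Envelope-To header is written as one comma-separated list of all envelope recipients, and contrasts it with an assumed alternative where each recipient's copy is stamped with only that recipient's address in the X-Rcpt-To header the poster asked for; the message, addresses and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message: dave and erin are Bcc'd, so they exist only
# in the SMTP envelope (RCPT TO), never in the To/Cc headers.
RAW = """\
From: Alice <alice@example.org>
To: "Bob" <Bob@Example.org>
Cc: carol@example.org
Subject: Q3 figures

Numbers attached.
"""
ENVELOPE = ["bob@example.org", "carol@example.org",
            "dave@example.net", "erin@example.net"]


def header_recipients(msg):
    """Addresses every reader can already see (To and Cc), lower-cased."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def hidden_recipients(msg, envelope):
    """Envelope recipients that appear in no visible header: the Bcc set."""
    visible = header_recipients(msg)
    return [rcpt for rcpt in envelope if rcpt.lower() not in visible]


def stamp_all(raw, envelope, header="Envelope-To"):
    """One shared copy whose header lists every envelope recipient.

    Assumption: this models the effect of "Add Envelope To Header = yes";
    the exact header format MailScanner writes is not shown in the thread.
    """
    msg = message_from_string(raw)
    msg[header] = ", ".join(envelope)
    return msg


def stamp_per_recipient(raw, envelope, header="X-Rcpt-To"):
    """One copy per recipient, each naming only its own recipient (assumed)."""
    copies = {}
    for rcpt in envelope:
        msg = message_from_string(raw)
        msg[header] = rcpt
        copies[rcpt] = msg
    return copies


def disclosed_to(msg, reader, envelope, header):
    """Bcc'd addresses, other than the reader's own, that `header` reveals."""
    listed = {a.lower() for _, a in getaddresses(msg.get_all(header, []))}
    return [rcpt for rcpt in hidden_recipients(msg, envelope)
            if rcpt.lower() in listed and rcpt.lower() != reader.lower()]


if __name__ == "__main__":
    shared = stamp_all(RAW, ENVELOPE)
    copies = stamp_per_recipient(RAW, ENVELOPE)
    for reader in ENVELOPE:
        leak_shared = disclosed_to(shared, reader, ENVELOPE, "Envelope-To")
        leak_split = disclosed_to(copies[reader], reader, ENVELOPE, "X-Rcpt-To")
        print(f"{reader}: shared header reveals {leak_shared}, "
              f"per-recipient copy reveals {leak_split}")
```

A useful audit on a gateway with the setting enabled is to run `hidden_recipients` over a sample of delivered mail: any non-empty result is a message where the shared header told To/Cc readers who was Bcc'd.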
From res at ausics.net Sun Aug 6 07:53:12 2006
From: res at ausics.net (Res)
Date: Sun Aug 6 07:53:28 2006
Subject: Virus Updates noise levels
Message-ID:

Hi Julian,
Any chance we can reduce the noise levels in this?

update.virus.scanners: Found clamav installed
update.virus.scanners: Running autoupdate for clamav
ClamAV-autoupdate[12231]: ClamAV did not need updating
update.virus.scanners: Found f-prot installed
update.virus.scanners: Running autoupdate for f-prot
F-Prot autoupdate[12255]: F-Prot did not need updating.

....perhaps reduce 4 lines into just 1

update.virus.scanners: Found clamav installed
update.virus.scanners: Running autoupdate for clamav
update.virus.scanners: Found f-prot installed
update.virus.scanners: Running autoupdate for f-prot
- INTO -
update.virus.scanners: Found clamav f-prot installed. Running autoupdate

--
Cheers
Res

From mike at vesol.com Sun Aug 6 15:12:24 2006
From: mike at vesol.com (Mike Kercher)
Date: Sun Aug 6 15:12:37 2006
Subject: Virus Updates noise levels
In-Reply-To:
Message-ID:

>
> Hi Julian,
> Any chance we can reduce the noise levels in this?
>
> update.virus.scanners: Found clamav installed
> update.virus.scanners: Running autoupdate for clamav
> ClamAV-autoupdate[12231]: ClamAV did not need updating
> update.virus.scanners: Found f-prot installed
> update.virus.scanners: Running autoupdate for f-prot F-Prot
> autoupdate[12255]: F-Prot did not need updating.
>
>
> ....perhaps reduce 4 lines into just 1
>
> update.virus.scanners: Found clamav installed
> update.virus.scanners: Running autoupdate for clamav
> update.virus.scanners: Found f-prot installed
> update.virus.scanners: Running autoupdate for f-prot
> - INTO -
> update.virus.scanners: Found clamav f-prot installed. Running
> autoupdate
>
>

Why?
From akharin at zahav.net.il Sun Aug 6 15:55:50 2006
From: akharin at zahav.net.il (Irvin Jacobson)
Date: Sun Aug 6 15:55:59 2006
Subject: Installation problems with stable release of 4.55
Message-ID: <20060806175550.ACZ36796@rachel.inter.net.il>

Hi all,

I had version 4.39 and removed it, I then installed 4.55, didn't get any error messages during installation, just post when attempting to start the service:

MailScanner: Can't locate Filesys/Df.pm in @INC (@INC contains: /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi /usr/lib/MailScanner/5.8.3 /usr/lib/MailScanner/i386-linux-thread-multi /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 /usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner /usr/lib/perl5/5.8.3/i386-linux-thread-multi /usr/lib/perl5/5.8.3 /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi /usr/lib/MailScanner/5.8.3 /usr/lib/MailScanner/i386-linux-thread-multi /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 /usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner) at /usr/sbin/MailScanner line 66.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 66.
[ OK ]

It reports that the status is ok, but it doesn't start.

Any ideas/suggestions?

Thanks,
Irvin.
From mailscanner at ecs.soton.ac.uk Sun Aug 6 19:27:45 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 6 19:28:04 2006 Subject: Installation problems with stable release of 4.55 In-Reply-To: <20060806175550.ACZ36796@rachel.inter.net.il> References: <20060806175550.ACZ36796@rachel.inter.net.il> Message-ID: <44D634A1.5040500@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 That would indicate that the Filesys::Df module did not install successfully. Re-run install.sh and watch carefully when Filesys::Df tries to install. It's just after Time::HiRes towards the end (after DBI and DBD::SQLite). Note down why Filesys::Df did not install and let me know what it said. Otherwise, if it still won't install, do this: # perl -MCPAN -e shell > install Filesys::Df Ctrl-D and hopefully that will install it. What does "MailScanner --version" say? What version/release of Linux are you using? Please let us know how you get on resolving this problem. Irvin Jacobson wrote: > Hi all, > > I had version 4.39 and removed it, I then installed 4.55, > didn't get any error messages during installation, just post > when attempting to start the service: > > MailScanner: Can't locate Filesys/Df.pm in @INC (@INC > contains: /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.3 > /usr/lib/MailScanner/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 > /usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner > /usr/lib/perl5/5.8.3/i386-linux-thread-multi > /usr/lib/perl5/5.8.3 > /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 > /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 > /usr/lib/perl5/site_perl > /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi > 
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.3 > /usr/lib/perl5/vendor_perl/5.8.2 > /usr/lib/perl5/vendor_perl/5.8.1 > /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . > /usr/lib/MailScanner/5.8.3/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.3 > /usr/lib/MailScanner/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 > /usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner) at > /usr/sbin/MailScanner line 66. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner > line 66. > [ OK ] > > It reports that the status is ok, but it doesn't start. > > Any ideas/suggestions? > > Thanks, > Irvin. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE1jSmEfZZRxQVtlQRAjMzAJ4hUy+JtuHSSzjoBSw1I6CnVJRpjwCcCKDD Va2B1jZ5tRRGIYdhHT89eUQ= =n9WY -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From jdp1024 at earthlink.net Sun Aug 6 22:15:39 2006 From: jdp1024 at earthlink.net (JDP) Date: Sun Aug 6 22:15:52 2006 Subject: MailScanner & Postfix Message-ID: <25415518.1154898939886.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Hello, I am sooo close to getting this running, but somehow my test mail is not getting through. On a Suse 9.3 server I have MailScanner, Spamassassin, Postfix, & ClamAV set up to scan mail and then pass it on to an internal Exchange server. 
I can see the test message going through the system in /var/log/mail.info, but it never makes it to the Exchange server. Aug 6 13:45:09 postmaster postfix/smtpd[31844]: connect from unknown[192.168.xx.xxx] Aug 6 13:45:09 postmaster postfix/smtpd[31844]: 8E1D718548C: client=unknown[192.168.xx.xxx] Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: hold: header Received: from 1243876 (unknown [192.168.20.160])??by postmaster.domain.com (Postfix) with SMTP id 8E1D718548C??for ; Sun, 6 Aug 2006 13:45:09 -0700 (PDT) from unknown[192.168.20.160]; from=user@domian.com> to= proto=SMTP helo=<1243876> Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: message-id=<20060806204509.8E1D718548C@postmaster.domain.com> Aug 6 13:45:23 postmaster postfix/smtpd[31844]: disconnect from unknown[192.168.xx.xxx] Aug 6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 messages, 683 bytes Aug 6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: Starting Aug 6 13:46:55 postmaster update.virus.scanners: Found clamav installed Aug 6 13:46:55 postmaster update.virus.scanners: Running autoupdate for clamav Aug 6 13:46:56 postmaster update.virus.scanners: Found generic installed Aug 6 13:46:56 postmaster update.virus.scanners: Running autoupdate for generic I think I have the relaying of domains set up correctly, but now i am not sure. Maybe the problem is here "how to invoke the MTA"; # Set whether to use postfix, sendmail, exim or zmailer. # If you are using postfix, then see the "SpamAssassin User State Dir" # setting near the end of this file #MTA = sendmail MTA = postfix # Set how to invoke MTA when sending messages MailScanner has created # (e.g. to sender/recipient saying "found a virus in your message") # This can also be the filename of a ruleset. Sendmail = /usr/sbin/sendmail # Sendmail2 is provided for Exim users. # It is the command used to attempt delivery of outgoing cleaned/disinfected # messages. 
# This is not usually required for sendmail. # This can also be the filename of a ruleset. #For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf #For sendmail users: Sendmail2 = /usr/sbin/sendmail #Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf Sendmail2 = /usr/sbin/sendmail Many thanks in advance, ~James From jdp1024 at earthlink.net Sun Aug 6 22:36:43 2006 From: jdp1024 at earthlink.net (JDP) Date: Sun Aug 6 22:37:00 2006 Subject: MailScanner & Postfix Message-ID: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> >Hello, > >I am sooo close to getting this running, but somehow my test mail is not getting through. On a Suse 9.3 server I have MailScanner, Spamassassin, Postfix, & ClamAV set up to scan mail and then pass it on to an internal Exchange server. I can see the test message going through the system in /var/log/mail.info, but it never makes it to the Exchange server. > > >Aug 6 13:45:09 postmaster postfix/smtpd[31844]: connect from unknown[192.168.xx.xxx] >Aug 6 13:45:09 postmaster postfix/smtpd[31844]: 8E1D718548C: client=unknown[192.168.xx.xxx] >Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: hold: header Received: >from 1243876 (unknown [192.168.20.160])??by postmaster.domain.com (Postfix) with >SMTP id 8E1D718548C??for ; Sun, 6 Aug 2006 13:45:09 -0700 >(PDT) from unknown[192.168.20.160]; from=user@domian.com> to= >proto=SMTP helo=<1243876> >Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: message-id=<20060806204509.8E1D718548C@postmaster.domain.com> >Aug 6 13:45:23 postmaster postfix/smtpd[31844]: disconnect from unknown[192.168.xx.xxx] >Aug 6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 messages, 683 >bytes >Aug 6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: Starting >Aug 6 13:46:55 postmaster update.virus.scanners: Found clamav installed >Aug 6 13:46:55 postmaster update.virus.scanners: Running autoupdate for clamav >Aug 6 
13:46:56 postmaster update.virus.scanners: Found generic installed >Aug 6 13:46:56 postmaster update.virus.scanners: Running autoupdate for generic > > >I think I have the relaying of domains set up correctly, but now i am not sure. > >Maybe the problem is here "how to invoke the MTA"; > > ># Set whether to use postfix, sendmail, exim or zmailer. ># If you are using postfix, then see the "SpamAssassin User State Dir" ># setting near the end of this file >#MTA = sendmail >MTA = postfix > ># Set how to invoke MTA when sending messages MailScanner has created ># (e.g. to sender/recipient saying "found a virus in your message") ># This can also be the filename of a ruleset. >Sendmail = /usr/sbin/sendmail > ># Sendmail2 is provided for Exim users. ># It is the command used to attempt delivery of outgoing cleaned/disinfected ># messages. ># This is not usually required for sendmail. ># This can also be the filename of a ruleset. >#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf >#For sendmail users: Sendmail2 = /usr/sbin/sendmail >#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf >Sendmail2 = /usr/sbin/sendmail > > >Many thanks in advance, > >~James Hello, Also, after starting mailScanner from ../init.d and then checking the status I get; postmaster:~ # /etc/init.d/MailScanner status Checking for service MailScanner: postfix/postfix-script: fatal: usage: postfix start (or stop, reload, abort, flush, check, set-permissions, upgrade-configuration) dead What is happening? Thank you, James From res at ausics.net Sun Aug 6 22:59:24 2006 From: res at ausics.net (Res) Date: Sun Aug 6 22:59:38 2006 Subject: Virus Updates noise levels In-Reply-To: References: Message-ID: On Sun, 6 Aug 2006, Mike Kercher wrote: >> >> Hi Julian, >> Any chance we can reduce the noise levels in this? 
>> >> update.virus.scanners: Found clamav installed >> update.virus.scanners: Running autoupdate for clamav >> ClamAV-autoupdate[12231]: ClamAV did not need updating >> update.virus.scanners: Found f-prot installed >> update.virus.scanners: Running autoupdate for f-prot F-Prot >> autoupdate[12255]: F-Prot did not need updating. >> >> >> ....perhaps reduce 4 lines into just 1 >> >> update.virus.scanners: Found clamav installed >> update.virus.scanners: Running autoupdate for clamav >> update.virus.scanners: Found f-prot installed >> update.virus.scanners: Running autoupdate for f-prot >> - INTO - >> update.virus.scanners: Found clamav f-prot installed. Running >> autoupdate >> >> > > Why? i would imagine its obvious :) but for just for you : its more mailscanner overkill in logging that sort of stuff is fine for debugging, for operational mail servers, its pointless > -- Cheers Res From pete at enitech.com.au Mon Aug 7 00:31:05 2006 From: pete at enitech.com.au (Peter Russell) Date: Mon Aug 7 00:31:35 2006 Subject: MailScanner & Postfix In-Reply-To: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> References: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Message-ID: <44D67BB9.7030905@enitech.com.au> Follow the guide in the wiki, triple check you have set it up EXACTLY as documented - my bet is your directory permissions are wrong, or the postfix user/group setting in mailscanner.conf is wrong. Also, does Postfix know were your exchange server is? If ALL of your mail is destined for Exchange use the Transport map, make life heaps easier. Pete JDP wrote: > >> Hello, >> >> I am sooo close to getting this running, but somehow my test mail is not getting through. On a Suse 9.3 server I have MailScanner, Spamassassin, Postfix, & ClamAV set up to scan mail and then pass it on to an internal Exchange server. 
I can see the test message going through the system in /var/log/mail.info, but it never makes it to the Exchange server. >> >> >> Aug 6 13:45:09 postmaster postfix/smtpd[31844]: connect from unknown[192.168.xx.xxx] >> Aug 6 13:45:09 postmaster postfix/smtpd[31844]: 8E1D718548C: client=unknown[192.168.xx.xxx] >> Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: hold: header Received: >>from 1243876 (unknown [192.168.20.160])??by postmaster.domain.com (Postfix) with >> SMTP id 8E1D718548C??for ; Sun, 6 Aug 2006 13:45:09 -0700 >> (PDT) from unknown[192.168.20.160]; from=user@domian.com> to= >> proto=SMTP helo=<1243876> >> Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: message-id=<20060806204509.8E1D718548C@postmaster.domain.com> >> Aug 6 13:45:23 postmaster postfix/smtpd[31844]: disconnect from unknown[192.168.xx.xxx] >> Aug 6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 messages, 683 >> bytes >> Aug 6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: Starting >> Aug 6 13:46:55 postmaster update.virus.scanners: Found clamav installed >> Aug 6 13:46:55 postmaster update.virus.scanners: Running autoupdate for clamav >> Aug 6 13:46:56 postmaster update.virus.scanners: Found generic installed >> Aug 6 13:46:56 postmaster update.virus.scanners: Running autoupdate for generic >> >> >> I think I have the relaying of domains set up correctly, but now i am not sure. >> >> Maybe the problem is here "how to invoke the MTA"; >> >> >> # Set whether to use postfix, sendmail, exim or zmailer. >> # If you are using postfix, then see the "SpamAssassin User State Dir" >> # setting near the end of this file >> #MTA = sendmail >> MTA = postfix >> >> # Set how to invoke MTA when sending messages MailScanner has created >> # (e.g. to sender/recipient saying "found a virus in your message") >> # This can also be the filename of a ruleset. >> Sendmail = /usr/sbin/sendmail >> >> # Sendmail2 is provided for Exim users. 
>> # It is the command used to attempt delivery of outgoing cleaned/disinfected >> # messages. >> # This is not usually required for sendmail. >> # This can also be the filename of a ruleset. >> #For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf >> #For sendmail users: Sendmail2 = /usr/sbin/sendmail >> #Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf >> Sendmail2 = /usr/sbin/sendmail >> >> >> Many thanks in advance, >> >> ~James > Hello, > > Also, after starting mailScanner from ../init.d and then checking the status I get; > > postmaster:~ # /etc/init.d/MailScanner status > Checking for service MailScanner: postfix/postfix-script: fatal: usage: postfix start (or stop, reload, abort, flush, check, set-permissions, upgrade-configuration) > dead > What is happening? > > Thank you, > > James From jrudd at ucsc.edu Mon Aug 7 00:55:07 2006 From: jrudd at ucsc.edu (John Rudd) Date: Mon Aug 7 00:55:33 2006 Subject: Virus Updates noise levels In-Reply-To: References: Message-ID: On Aug 6, 2006, at 7:12 AM, Mike Kercher wrote: >> >> Hi Julian, >> Any chance we can reduce the noise levels in this? >> >> update.virus.scanners: Found clamav installed >> update.virus.scanners: Running autoupdate for clamav >> ClamAV-autoupdate[12231]: ClamAV did not need updating >> update.virus.scanners: Found f-prot installed >> update.virus.scanners: Running autoupdate for f-prot F-Prot >> autoupdate[12255]: F-Prot did not need updating. >> >> >> ....perhaps reduce 4 lines into just 1 >> >> update.virus.scanners: Found clamav installed >> update.virus.scanners: Running autoupdate for clamav >> update.virus.scanners: Found f-prot installed >> update.virus.scanners: Running autoupdate for f-prot >> - INTO - >> update.virus.scanners: Found clamav f-prot installed. Running >> autoupdate >> >> > > Why? I think the message subject said it all: to reduce noise level. Signal to noise level is incredibly important for anything that you plan to actually read ... 
like the logs of a production service when you're trying to track down a problem.

The key to good communication is brevity: say what needs to be said, say it clearly, and say _nothing_ more.

From chrisgreen at hotmail.com Mon Aug 7 01:49:38 2006
From: chrisgreen at hotmail.com (Chris Green)
Date: Mon Aug 7 01:49:42 2006
Subject: MailScanner & Postfix
In-Reply-To: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net>
Message-ID:

JDP wrote:

> ># Sendmail2 is provided for Exim users.
> ># It is the command used to attempt delivery of outgoing
>cleaned/disinfected
> ># messages.
> ># This is not usually required for sendmail.
> ># This can also be the filename of a ruleset.
> >#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf
> >#For sendmail users: Sendmail2 = /usr/sbin/sendmail
> >#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf
> >Sendmail2 = /usr/sbin/sendmail

I have been referencing instructions that tell me that even under Postfix the above line should read:

Sendmail2 = /usr/sbin/sendmail -DOUTGOING

I've always wondered whether this really makes a difference or not - but it works for me, so I've never spent any time looking into it .
Chris From Andreas.Doerfler at kempten.de Mon Aug 7 07:36:36 2006 From: Andreas.Doerfler at kempten.de (=?iso-8859-1?Q?D=F6rfler_Andreas?=) Date: Mon Aug 7 07:39:07 2006 Subject: ignored messeges Message-ID: hey julian, thats good news, thank you :) greetings andy --free your mind, use open source http://www.mono-project.com ASCII ribbon campaign ( ) - against HTML email X & vCards / \ > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: Friday, August 04, 2006 3:47 PM > To: MailScanner discussion > Subject: Re: ignored messeges > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > df files without qf files are just left-over junk from things like > broken TCP connections and stuff like that. df files without > qf files > (or vice versa) can just be deleted. > > On 4 Aug 2006, at 12:57, D?rfler Andreas wrote: > > > hey there, > > > > i havent checked my mqueue.in for months .. because i tough > > everyting works fine. > > that more im scared to find about 200 undelivered mails in there > > > > short example: > > -rw------- 1 root mail 28672 Feb 12 2005 dfj1C64nMG031005 > > ... > > -rw------- 1 root mail 6386 Jul 18 11:45 dfk6I8gtUk025915 > > -rw------- 1 root mail 5336 Jul 19 17:46 dfk6JEkXh1022049 > > -rw------- 1 root mail 5149 Jul 20 13:34 dfk6KAXUsc004185 > > -rw------- 1 root mail 6630 Jul 21 17:21 dfk6LEL11J029142 > > -rw------- 1 root mail 12288 Jul 22 06:07 dfk6M46wOv029047 > > > > most of em are spam so i dont see a problem, but some are not. > > > > dont understand how this can happen because i deliver about > > 6000 mails everyday without any problems. > > some ignored mails from last year ... > > > > from the mail log i take these when restart MS: > > > > Aug 4 13:17:31 ar4 MailScanner[12699]: Cannot read queue > > directory /var/spool/mqueue.in/dfj1C64nMG031005 > > ... 
> > got this message multible times, but ive senn em first time, > > tried now more times but it wont come again in the logs > > > > i use sendmail, ms 4.55.9 on a suse 9.2 box > > > > greetings > > andy > > > > --free your mind, use open source > > http://www.mono-project.com > > > > ASCII ribbon campaign ( ) > > - against HTML email X > > & vCards / \ > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > - -- > Julian Field > MailScanner@ecs.soton.ac.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: ISO-8859-1 > > wj8DBQFE00/kEfZZRxQVtlQRAjlGAKClFtaRPmYCo6ewuNDQNrP188z0QgCg2xKX > XMpMnj01s3jHrNv1vy+V69A= > =rXe0 > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > MailScanner thanks transtec Computers for their support. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From stef at aoc-uk.com Mon Aug 7 09:39:29 2006 From: stef at aoc-uk.com (Stef Morrell) Date: Mon Aug 7 09:39:32 2006 Subject: Envelope-To and Bcc... heading OT... Message-ID: <120103F0F5EC264097BC0A06EC9D026A010C0514@pardessus.aoc-uk.com> Julian wrote: > BG Mahesh wrote: >> I somehow need sendmail to add another line like X-Rcpt-To which has >> just ONE email id and our other email server [mdaemon] that downloads >> the emails from a common pop account will use that field to deliver >> the email. 
Currently Mdaemon is getting totally confused on whom to >> deliver the email without this line :-( > > There is no way of telling which recipient is more important > than any other recipient. They are just a list. I can't help > your totally broken software, sorry. mdaemon isn't totally broken ;) at least it doesn't destroy headers like some *cough* exchange *cough* mailservers do. What's wrong with having the sendmail server deliver via SMTP to the mdaemon server? Mdaemon tries all kinds of ways to be clever at parsing email from a collective POP box to deduce the correct recipient, but is always going to be hindered by the intrisic brokenness of the method. It deals with SMTP perfectly well, however. regards Stef Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net From drew at themarshalls.co.uk Mon Aug 7 10:00:03 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Mon Aug 7 10:00:30 2006 Subject: MailScanner & Postfix In-Reply-To: <25415518.1154898939886.JavaMail.root@elwamui-norfolk.atl.sa.earthlink .net> References: <25415518.1154898939886.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Message-ID: <60206.194.70.180.170.1154941203.squirrel@webmail.r-bit.net> On Sun, August 6, 2006 22:15, JDP wrote: > Aug 6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 > messages, 683 > bytes > Aug 6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: > Starting > Aug 6 13:46:55 postmaster update.virus.scanners: Found clamav installed > Aug 6 13:46:55 postmaster update.virus.scanners: Running autoupdate for > clamav > Aug 6 13:46:56 postmaster update.virus.scanners: Found generic installed > Aug 6 13:46:56 postmaster update.virus.scanners: Running autoupdate for > generic > Some more log would be useful as the above bit is working fine, as you said yourself. 
We are missing the logs for the bit that's broken ;-) > > I think I have the relaying of domains set up correctly, but now i am not > sure. > > Maybe the problem is here "how to invoke the MTA"; > > > # Set whether to use postfix, sendmail, exim or zmailer. > # If you are using postfix, then see the "SpamAssassin User State Dir" > # setting near the end of this file > #MTA = sendmail > MTA = postfix > > # Set how to invoke MTA when sending messages MailScanner has created > # (e.g. to sender/recipient saying "found a virus in your message") > # This can also be the filename of a ruleset. > Sendmail = /usr/sbin/sendmail > > # Sendmail2 is provided for Exim users. > # It is the command used to attempt delivery of outgoing > cleaned/disinfected > # messages. > # This is not usually required for sendmail. > # This can also be the filename of a ruleset. > #For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf > #For sendmail users: Sendmail2 = /usr/sbin/sendmail > #Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf > Sendmail2 = /usr/sbin/sendmail > Don't think so, that all looks fine At the bottom of MailScanner.conf there is an entry delivery method. Make sure this is batch for imediate delivery see here http://www.mailscanner.info/MailScanner.conf.index.html#Delivery%20Method Otherwise, start MailScanner in debug mode with a batch of messages in the queue and report any failures. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From mailscanner at mango.zw Mon Aug 7 10:15:15 2006 From: mailscanner at mango.zw (Jim Holland) Date: Mon Aug 7 10:24:02 2006 Subject: Envelope-To and Bcc... heading OT... 
In-Reply-To: <120103F0F5EC264097BC0A06EC9D026A010C0514@pardessus.aoc-uk.com> Message-ID: On Mon, 7 Aug 2006, Stef Morrell wrote: > > BG Mahesh wrote: > >> I somehow need sendmail to add another line like X-Rcpt-To which has > >> just ONE email id and our other email server [mdaemon] that downloads > >> the emails from a common pop account will use that field to deliver > >> the email. Currently Mdaemon is getting totally confused on whom to > >> deliver the email without this line :-( > > > > There is no way of telling which recipient is more important > > than any other recipient. They are just a list. I can't help > > your totally broken software, sorry. > > mdaemon isn't totally broken ;) at least it doesn't destroy headers like > some *cough* exchange *cough* mailservers do. > > What's wrong with having the sendmail server deliver via SMTP to the > mdaemon server? Mdaemon tries all kinds of ways to be clever at parsing > email from a collective POP box to deduce the correct recipient, but is > always going to be hindered by the intrisic brokenness of the method. It > deals with SMTP perfectly well, however. As you say, the concept of sending mail for various recipients to a collective POP account is by definition going to cause problems. A possible solution would be to look at the options for splitting the original message into separate messages for each recipient. 
Here is a reference for doing this with sendmail:

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/169.html

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

From glenn.steen at gmail.com Mon Aug 7 13:43:12 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Aug 7 13:43:16 2006
Subject: MailScanner & Postfi
In-Reply-To:
References: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net>
Message-ID: <223f97700608070543t30b03970p1f7b64b0daaa6f80@mail.gmail.com>

On 07/08/06, Chris Green wrote:
> JDP wrote:
>
> > ># Sendmail2 is provided for Exim users.
> > ># It is the command used to attempt delivery of outgoing
> >cleaned/disinfected
> > ># messages.
> > ># This is not usually required for sendmail.
> > ># This can also be the filename of a ruleset.
> > >#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf
> > >#For sendmail users: Sendmail2 = /usr/sbin/sendmail
> > >#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf
> > >Sendmail2 = /usr/sbin/sendmail
>
> I have been referencing instructions that tell me that even under Postfix
> the above line should read:
>
> Sendmail2 = /usr/sbin/sendmail -DOUTGOING
>
> I've always wondered whether this really makes a difference or not - but it
> works for me, so I've never spent any time looking into it .
>

-D isn't a known option, for PF 2.1 at least, and would land you with an error. So don't do that:-).

What is needed here is the info Drew asked for, from the logs... The requeueing bit (which doesn't use the sendmail commands anyway).
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Jan-Peter.Koopmann at seceidos.de Mon Aug 7 13:45:03 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Mon Aug 7 13:45:27 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: Message-ID: On Saturday, August 05, 2006 5:03 PM Chris Green wrote: > I would expect that if they had gone in and changed this from the > default they were either a) advanced users with alternative > solutions; b) clever enough to realise it could result in more spam; > or c) previously employed by Sainsbury's as the trolley-boy and found > it a bit too mentally challenging. d) chose to rely on MailScanner/SpamAssassin and therefore turned the Outlook detection off which btw. is what we do at our customer sites using group policy. Therefore your setup is not going to work all that well. There are applications (event sinks) that are able to centrally move messages to folders based on header values. One is even free (search for Mailshell Exchange Plugin) Kind regards. From Jan-Peter.Koopmann at seceidos.de Mon Aug 7 13:47:10 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Mon Aug 7 13:47:38 2006 Subject: blocking out-of-office In-Reply-To: <223f97700608040412i4311a64cj6b36335c9221732d@mail.gmail.com> Message-ID: On Friday, August 04, 2006 1:12 PM Glenn Steen wrote: > depends on your situation. BTW, 5 _days_ vacation? In total? If so, > you need another Union:-D. I am self-employed... :-) > But if you are away for only five days, > then surely there is nothing sent by email that just couldn't > wait...? Not 5 days in total:-) And there are always things sent to me that cannot wait for 5 days... :-) I have not yet had a vacation without such emergencies. > to limit the spread of OoO by use of MailScanner... and that has > perhaps some room for discussion left. Sure. 

From Jan-Peter.Koopmann at seceidos.de Mon Aug 7 13:49:11 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Mon Aug 7 13:50:10 2006
Subject: blocking out-of-office
In-Reply-To: <44D36049.40407@yeticomputers.com>
Message-ID:

On Friday, August 04, 2006 4:57 PM Rick Chadderdon wrote:

> I wasn't referring to situations where the region's prevailing law
> compels behavior, or where policy allows such use. I incorrectly
> assumed that this was obvious in my post. For that, I apologize. To
> clarify: If law allows one to set policy whereby personal email can
> be disallowed, and such policy is set, I don't believe that those who
> violate such policies should be tolerated or 'respected'.

My BOFH part of the body agrees. My "try to get along with the people" part does not. :-) I know where you are getting at though. *g*

From Jan-Peter.Koopmann at seceidos.de Mon Aug 7 13:52:01 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Mon Aug 7 13:52:20 2006
Subject: blocking out-of-office discussions
In-Reply-To: <20060804125505.C10038@defjam.cc.strath.ac.uk>
Message-ID:

On Friday, August 04, 2006 1:56 PM Jethro R Binks wrote:

> Speaking perfectly frankly, that seems to be a common theme on this
> list anyway.
>
> At least this discussion is mail-related and generically useful.

That one gave me a good laugh. Thanks! :-)

From drew at themarshalls.co.uk Mon Aug 7 14:06:21 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Mon Aug 7 14:06:34 2006
Subject: MailScanner & Postfi
In-Reply-To: <223f97700608070543t30b03970p1f7b64b0daaa6f80@mail.gmail.com>
References: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> <223f97700608070543t30b03970p1f7b64b0daaa6f80@mail.gmail.com>
Message-ID: <61518.194.70.180.170.1154955981.squirrel@webmail.r-bit.net>

On Mon, August 7, 2006 13:43, Glenn Steen wrote:

> -D isn't a known option, for PF 2.1 at least, and would land you with
> an error. So don't do that:-).

I did wonder. I like to (try to) post accurate or true information but not being in front of a machine to break... ;-)

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From andoni.auzmendi at robertwalters.com Mon Aug 7 14:07:18 2006
From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi)
Date: Mon Aug 7 14:07:33 2006
Subject: Triggering Outlook's Junk E-mail filter
Message-ID: <5450254EC7E7B54193C8AEFD904AA36301B1F9@PAT.internal.robertwalters.com>

MailShell plug-in looks interesting. Which version of Exchange are you running it on?

Andoni

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Koopmann, Jan-Peter
Sent: 07 August 2006 13:45
To: MailScanner discussion
Subject: RE: Triggering Outlook's Junk E-mail filter

On Saturday, August 05, 2006 5:03 PM Chris Green wrote:

> I would expect that if they had gone in and changed this from the
> default they were either a) advanced users with alternative
> solutions; b) clever enough to realise it could result in more spam;
> or c) previously employed by Sainsbury's as the trolley-boy and found
> it a bit too mentally challenging.

d) chose to rely on MailScanner/SpamAssassin and therefore turned the Outlook detection off which btw. is what we do at our customer sites using group policy. Therefore your setup is not going to work all that well.

There are applications (event sinks) that are able to centrally move messages to folders based on header values. One is even free (search for Mailshell Exchange Plugin)

Kind regards.

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com
**********************************************************************

From edward.prendergast at netring.co.uk Mon Aug 7 14:23:19 2006
From: edward.prendergast at netring.co.uk (Edward Prendergast)
Date: Mon Aug 7 14:23:22 2006
Subject: Triggering Outlook's Junk E-mail filter
In-Reply-To:
Message-ID: <200608071323.k77DNKOB010123@bkserver.blacknight.ie>

On Saturday, August 05, 2006 5:03 PM Chris Green wrote:

> I would expect that if they had gone in and changed this from the
> default they were either a) advanced users with alternative
> solutions; b) clever enough to realise it could result in more spam;
> or c) previously employed by Sainsbury's as the trolley-boy and found
> it a bit too mentally challenging.

d) chose to rely on MailScanner/SpamAssassin and therefore turned the Outlook detection off which btw. is what we do at our customer sites using group policy. Therefore your setup is not going to work all that well.

I think Chris' original point is still valid. A number of our users (primarily hosting customers) have barely enough technical know-how to operate e-mails. Setting up individual rules in their e-mail client will likely prove beyond their grasp. Therefore some way of automating the delivery of messages that are potentially spam but only low-scoring to the end-user's Spam mailbox would be a useful feature indeed.

Regards,
Edward

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised.
If you are not the intended recipient, any action taken or omitted to be taken in reliance on it, any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this E-mail message is strictly prohibited and may be unlawful. If you have received this E-mail message in error, please notify us immediately. Please also destroy and delete the message from your computer.

From evanderleun at hal9000.nl Mon Aug 7 14:32:38 2006
From: evanderleun at hal9000.nl (Erik van der Leun)
Date: Mon Aug 7 14:32:57 2006
Subject: gOCR SpamAssassin plugin
Message-ID:

Does anybody have (positive :> ) experiences with setting up an OCR scanner and image validator SA-plugin?

more info: http://www.nabble.com/GIF-Spam----Setting-up-the-%27OCR-scanner-and-image-validator-SA-plugin%27-tf2042373.html
the patch: http://antispam.imp.ch/patches/patch-ocrtext

Kind regards,
Erik

From michele at blacknight.ie Mon Aug 7 14:52:38 2006
From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie)
Date: Mon Aug 7 14:52:41 2006
Subject: gOCR SpamAssassin plugin
In-Reply-To:
References:
Message-ID: <44D745A6.1050007@blacknight.ie>

The one that Dallas posted on the SA users group seems to work well:

http://www.rulesemporium.com/plugins.htm#imageinfo

--
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax.
+353 (0) 59 9164239 From jchezny at northcarolina.edu Mon Aug 7 15:14:46 2006 From: jchezny at northcarolina.edu (jchezny@northcarolina.edu) Date: Mon Aug 7 15:14:53 2006 Subject: MailScanner & Postfix In-Reply-To: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> References: <9913518.1154900203939.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Message-ID: <1154960086.44d74ad6d57ca@webmail.northcarolina.edu> James, Have you defined an alias for root in /etc/postfix/aliases or /etc/aliases and run the appropriate command? -jc > > > >Hello, > > > >I am sooo close to getting this running, but somehow my test mail is not > getting through. On a Suse 9.3 server I have MailScanner, Spamassassin, > Postfix, & ClamAV set up to scan mail and then pass it on to an internal > Exchange server. I can see the test message going through the system in > /var/log/mail.info, but it never makes it to the Exchange server. > > > > > >Aug 6 13:45:09 postmaster postfix/smtpd[31844]: connect from > unknown[192.168.xx.xxx] > >Aug 6 13:45:09 postmaster postfix/smtpd[31844]: 8E1D718548C: > client=unknown[192.168.xx.xxx] > >Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: hold: header > Received: > >from 1243876 (unknown [192.168.20.160])??by postmaster.domain.com (Postfix) > with > >SMTP id 8E1D718548C??for ; Sun, 6 Aug 2006 13:45:09 -0700 > >(PDT) from unknown[192.168.20.160]; from=user@domian.com> > to= > >proto=SMTP helo=<1243876> > >Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: > message-id=<20060806204509.8E1D718548C@postmaster.domain.com> > >Aug 6 13:45:23 postmaster postfix/smtpd[31844]: disconnect from > unknown[192.168.xx.xxx] > >Aug 6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 > messages, 683 > >bytes > >Aug 6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: > Starting > >Aug 6 13:46:55 postmaster update.virus.scanners: Found clamav installed > >Aug 6 13:46:55 postmaster 
update.virus.scanners: Running autoupdate for > clamav > >Aug 6 13:46:56 postmaster update.virus.scanners: Found generic installed > >Aug 6 13:46:56 postmaster update.virus.scanners: Running autoupdate for > generic > > > > > >I think I have the relaying of domains set up correctly, but now i am not > sure. > > > >Maybe the problem is here "how to invoke the MTA"; > > > > > ># Set whether to use postfix, sendmail, exim or zmailer. > ># If you are using postfix, then see the "SpamAssassin User State Dir" > ># setting near the end of this file > >#MTA = sendmail > >MTA = postfix > > > ># Set how to invoke MTA when sending messages MailScanner has created > ># (e.g. to sender/recipient saying "found a virus in your message") > ># This can also be the filename of a ruleset. > >Sendmail = /usr/sbin/sendmail > > > ># Sendmail2 is provided for Exim users. > ># It is the command used to attempt delivery of outgoing cleaned/disinfected > ># messages. > ># This is not usually required for sendmail. > ># This can also be the filename of a ruleset. > >#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf > >#For sendmail users: Sendmail2 = /usr/sbin/sendmail > >#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf > >Sendmail2 = /usr/sbin/sendmail > > > > > >Many thanks in advance, > > > >~James > Hello, > > Also, after starting mailScanner from ../init.d and then checking the status > I get; > > postmaster:~ # /etc/init.d/MailScanner status > Checking for service MailScanner: postfix/postfix-script: fatal: usage: > postfix start (or stop, reload, abort, flush, check, set-permissions, > upgrade-configuration) > dead > What is happening? > > Thank you, > > James > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> ---------------------------------------------------------------- This message was sent with UNC-GA Webmail http://webmail.northcarolina.edu From Jan-Peter.Koopmann at seceidos.de Mon Aug 7 15:31:49 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Mon Aug 7 15:32:11 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: <200608071323.k77DNKOB010123@bkserver.blacknight.ie> Message-ID: On Monday, August 07, 2006 3:23 PM Edward Prendergast wrote: > I think Chris' original point is still valid. Using Outlooks own Junk-Mail folder/functionality --> No. > A number of our users > (primarily hosting customers have barely enough technical know-how to > operating e-mails. Setting up individual rules in their e-mail > client will likely prove beyond their grasp. Therefore some way of > automating the delivery of messages that are potentially spam but > only low-scoring to > the end-user's Spam mailbox would be a useful feature indeed. Thus the pointer to the plugin. From jchezny at northcarolina.edu Mon Aug 7 15:32:09 2006 From: jchezny at northcarolina.edu (jchezny@northcarolina.edu) Date: Mon Aug 7 15:32:15 2006 Subject: MailScanner & Postfix In-Reply-To: <25415518.1154898939886.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> References: <25415518.1154898939886.JavaMail.root@elwamui-norfolk.atl.sa.earthlink.net> Message-ID: <1154961129.44d74ee935632@webmail.northcarolina.edu> James, Have you set your alias in either /etc/aliases and run the *newaliases* command? jc > Hello, > > I am sooo close to getting this running, but somehow my test mail is not > getting through. On a Suse 9.3 server I have MailScanner, Spamassassin, > Postfix, & ClamAV set up to scan mail and then pass it on to an internal > Exchange server. I can see the test message going through the system in > /var/log/mail.info, but it never makes it to the Exchange server. 
> > > Aug 6 13:45:09 postmaster postfix/smtpd[31844]: connect from > unknown[192.168.xx.xxx] > Aug 6 13:45:09 postmaster postfix/smtpd[31844]: 8E1D718548C: > client=unknown[192.168.xx.xxx] > Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: hold: header > Received: > from 1243876 (unknown [192.168.20.160])??by postmaster.domain.com (Postfix) > with > SMTP id 8E1D718548C??for ; Sun, 6 Aug 2006 13:45:09 -0700 > (PDT) from unknown[192.168.20.160]; from=user@domian.com> > to= > proto=SMTP helo=<1243876> > Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: > message-id=<20060806204509.8E1D718548C@postmaster.domain.com> > Aug 6 13:45:23 postmaster postfix/smtpd[31844]: disconnect from > unknown[192.168.xx.xxx] > Aug 6 13:45:24 postmaster MailScanner[30318]: New Batch: Scanning 1 > messages, 683 > bytes > Aug 6 13:45:24 postmaster MailScanner[30318]: Virus and Content Scanning: > Starting > Aug 6 13:46:55 postmaster update.virus.scanners: Found clamav installed > Aug 6 13:46:55 postmaster update.virus.scanners: Running autoupdate for > clamav > Aug 6 13:46:56 postmaster update.virus.scanners: Found generic installed > Aug 6 13:46:56 postmaster update.virus.scanners: Running autoupdate for > generic > > > I think I have the relaying of domains set up correctly, but now i am not > sure. > > Maybe the problem is here "how to invoke the MTA"; > > > # Set whether to use postfix, sendmail, exim or zmailer. > # If you are using postfix, then see the "SpamAssassin User State Dir" > # setting near the end of this file > #MTA = sendmail > MTA = postfix > > # Set how to invoke MTA when sending messages MailScanner has created > # (e.g. to sender/recipient saying "found a virus in your message") > # This can also be the filename of a ruleset. > Sendmail = /usr/sbin/sendmail > > # Sendmail2 is provided for Exim users. > # It is the command used to attempt delivery of outgoing cleaned/disinfected > # messages. > # This is not usually required for sendmail. 
> # This can also be the filename of a ruleset. > #For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf > #For sendmail users: Sendmail2 = /usr/sbin/sendmail > #Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf > Sendmail2 = /usr/sbin/sendmail > > > Many thanks in advance, > > ~James > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ---------------------------------------------------------------- This message was sent with UNC-GA Webmail http://webmail.northcarolina.edu From Jan-Peter.Koopmann at seceidos.de Mon Aug 7 15:31:59 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Mon Aug 7 15:32:19 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36301B1F9@PAT.internal.robertwalters.com> Message-ID: On Monday, August 07, 2006 3:07 PM Andoni Auzmendi wrote: > MailShell plug-in looks interesting. Which version of Exchange are > running it on? 2003 SP1 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3104 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060807/1a4dfb96/smime.bin From JeremyBlonde at grant.k12.ca.us Mon Aug 7 15:49:51 2006 From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde) Date: Mon Aug 7 15:46:56 2006 Subject: MailScanner & Postfix Message-ID: James, I've got the same setup as you. Are you sure you have setup the Postfix "transport" file correctly? It should contain something like: Domain.com smtp:exchange.domain.com After creating that file you'd run "postmap transport" and "postfix reload". 
Thanks, Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of jchezny@northcarolina.edu Sent: Monday, August 07, 2006 7:32 AM To: MailScanner discussion Subject: Re: MailScanner & Postfix James, Have you set your alias in either /etc/aliases and run the *newaliases* command? jc > Hello, > > I am sooo close to getting this running, but somehow my test mail is > not getting through. On a Suse 9.3 server I have MailScanner, > Spamassassin, Postfix, & ClamAV set up to scan mail and then pass it > on to an internal Exchange server. I can see the test message going > through the system in /var/log/mail.info, but it never makes it to the Exchange server. > > > Aug 6 13:45:09 postmaster postfix/smtpd[31844]: connect from > unknown[192.168.xx.xxx] Aug 6 13:45:09 postmaster > postfix/smtpd[31844]: 8E1D718548C: > client=unknown[192.168.xx.xxx] > Aug 6 13:45:23 postmaster postfix/cleanup[31847]: 8E1D718548C: hold: > header > Received: > from 1243876 (unknown [192.168.20.160])??by postmaster.domain.com > (Postfix) with SMTP id 8E1D718548C??for ; Sun, 6 Aug > 2006 13:45:09 -0700 > (PDT) from unknown[192.168.20.160]; from=user@domian.com> > to= proto=SMTP helo=<1243876> Aug 6 13:45:23 > postmaster postfix/cleanup[31847]: 8E1D718548C: > message-id=<20060806204509.8E1D718548C@postmaster.domain.com> > Aug 6 13:45:23 postmaster postfix/smtpd[31844]: disconnect from > unknown[192.168.xx.xxx] Aug 6 13:45:24 postmaster MailScanner[30318]: > New Batch: Scanning 1 messages, 683 bytes Aug 6 13:45:24 postmaster > MailScanner[30318]: Virus and Content Scanning: > Starting > Aug 6 13:46:55 postmaster update.virus.scanners: Found clamav > installed Aug 6 13:46:55 postmaster update.virus.scanners: Running > autoupdate for clamav Aug 6 13:46:56 postmaster > update.virus.scanners: Found generic installed Aug 6 13:46:56 > 
postmaster update.virus.scanners: Running autoupdate for generic > > > I think I have the relaying of domains set up correctly, but now i am > not sure. > > Maybe the problem is here "how to invoke the MTA"; > > > # Set whether to use postfix, sendmail, exim or zmailer. > # If you are using postfix, then see the "SpamAssassin User State Dir" > # setting near the end of this file > #MTA = sendmail > MTA = postfix > > # Set how to invoke MTA when sending messages MailScanner has created > # (e.g. to sender/recipient saying "found a virus in your message") # > This can also be the filename of a ruleset. > Sendmail = /usr/sbin/sendmail > > # Sendmail2 is provided for Exim users. > # It is the command used to attempt delivery of outgoing > cleaned/disinfected # messages. > # This is not usually required for sendmail. > # This can also be the filename of a ruleset. > #For Exim users: Sendmail2 = /usr/sbin/exim -C > /etc/exim/exim_send.conf #For sendmail users: Sendmail2 = > /usr/sbin/sendmail > #Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf > Sendmail2 = /usr/sbin/sendmail > > > Many thanks in advance, > > ~James > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ---------------------------------------------------------------- This message was sent with UNC-GA Webmail http://webmail.northcarolina.edu -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 

From andoni.auzmendi at robertwalters.com Mon Aug 7 15:58:08 2006
From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi)
Date: Mon Aug 7 16:04:15 2006
Subject: Triggering Outlook's Junk E-mail filter
Message-ID: <5450254EC7E7B54193C8AEFD904AA36301B1FC@PAT.internal.robertwalters.com>

Thanks. Does anyone have experience on running Mailshell on Exchange 2000?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Koopmann, Jan-Peter
Sent: 07 August 2006 15:32
To: MailScanner discussion
Subject: RE: Triggering Outlook's Junk E-mail filter

On Monday, August 07, 2006 3:07 PM Andoni Auzmendi wrote:

> MailShell plug-in looks interesting. Which version of Exchange are you
> running it on?

2003 SP1

From gordon at itnt.co.za Mon Aug 7 16:41:12 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Mon Aug 7 16:41:42 2006
Subject: setup filetype and filename rules per domain
Message-ID: <068201c6ba37$eca93e80$0a02a8c0@Gordon>

Is there a way to setup filetype and filename rules per domain or user?

I have some client domains and users that want to accept .mp3 and .wav files and others that don't

Thanks
Gordon Colyn

From JeremyBlonde at grant.k12.ca.us Mon Aug 7 17:00:05 2006
From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde)
Date: Mon Aug 7 16:57:04 2006
Subject: setup filetype and filename rules per domain
Message-ID:

I've been having trouble stopping the attached message from getting thru mailscanner. I've got RBLs, Rulesdujour, and bayes (using MySQL). Bayes reports that there are 14,953 spam messages and 133,137 tokens in the database. To actually block the messages, I've had to add the URLs in the messages to MCP. I've been under the impression that bayes would be able to pick out the message details and score similar messages, but it seems they come across as new messages and their scores are 0. Perhaps, bayes is not working as well as it should be?

Can I get some information on how others have blocked those types of messages?

Jeremy Blonde
Instructional Technology - Server Support
Grant Joint Union School District

-------------- next part --------------
Hi, CdALIS from 3, 75 $ AMBdEN VdAGRA from 3, 35 $ VALdUM from 1, 25 $ http://www.filmogenka.com , , , , , even know the length of the day here. This watch, like the computer, is on ships time. Its been a good long time since they threw us out the gate. I squinted at the sky.
And I dont think that sun has

From steve.swaney at fsl.com Mon Aug 7 17:07:43 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Mon Aug 7 17:05:48 2006
Subject: setup filetype and filename rules per domain
In-Reply-To: <068201c6ba37$eca93e80$0a02a8c0@Gordon>
Message-ID: <18e201c6ba3b$9d70f3e0$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Gordon Colyn
> Sent: Monday, August 07, 2006 11:41 AM
> To: mailscanner@lists.mailscanner.info
> Subject: setup filetype and filename rules per domain
>
> Is there a way to setup filetype and filename rules
> per
> domain or user?
>
> I have some client domains and users that want to accept .mp3 and .wav
> files
> and others that don't
>
> Thanks
> Gordon Colyn

You need to create rule sets that use different filename/filetype configuration files for mail from different domains for attachment filename and filetype checking. If you have a Red Hat, CentOS or SuSE system, the following paths will be correct. They will vary on other systems but the same principles will work.

First create two files:

    /etc/MailScanner/filename.rules.xyz.conf
    /etc/MailScanner/filetype.rules.xyz.conf

Copy these existing files to create the new files:

    cp /etc/MailScanner/filename.rules.conf \
       /etc/MailScanner/filename.rules.xyz.conf

    cp /etc/MailScanner/filetype.rules.conf \
       /etc/MailScanner/filetype.rules.xyz.conf

Then edit both the new files to allow or deny the files for xyz.domain

Then create the file /etc/MailScanner/rules/filename.rules. The contents of this file should be:

    # Allow certain filenames from xyz.com
    From:     /\*@xyz\.com/  /etc/MailScanner/filename.rules.xyz.conf
    # Default entry
    FromOrTo: default        /etc/MailScanner/filename.rules.conf

Then create the file /etc/MailScanner/rules/filetype.rules.
The contents of this file should be:

    # Allow certain filetypes from xyz.com
    From:     /\*@xyz\.com/  /etc/MailScanner/filetype.rules.xyz.conf
    # Default entry
    FromOrTo: default        /etc/MailScanner/filetype.rules.conf

Then edit /etc/MailScanner.conf to call the new rulesets. Change the setting for Filename Rules to be:

    Filename Rules = %rules-dir%/filename.rules

And change the setting for Filetype Rules to be:

    Filetype Rules = %rules-dir%/filetype.rules

Then reload MailScanner.

I hope this helps,

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From steve.swaney at fsl.com Mon Aug 7 17:25:05 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Mon Aug 7 17:23:12 2006
Subject: setup filetype and filename rules per domain
In-Reply-To:
Message-ID: <190e01c6ba3e$0b0b0c90$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Jeremy Blonde
> Sent: Monday, August 07, 2006 12:00 PM
> To: MailScanner discussion
> Subject: RE: setup filetype and filename rules per domain
>
> I've been having trouble stopping the attached message from getting thru
> mailscanner. I've got RBLs, Rulesdujour, and bayes (using MySQL).
> Bayes reports that there are 14,953 spam messages and 133,137 tokens in
> the database. To actually block the messages, I've had to add the URLs
> in the messages to MCP. I've been under the impression that bayes would
> be able to pick out the message details and score similar messages, but
> it seems they come across as new messages and their scores are 0.
> Perhaps, bayes is not working as well as it should be?
>
> Can I get some information on how others have blocked those types of
> messages?
>
> Jeremy Blonde
> Instructional Technology - Server Support
> Grant Joint Union School District

We tagged your post to the list as spam :)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.3 INFO_TLD               URI: Contains an URL in the INFO top-level domain
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.3560]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 1.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: filmogenka.com]
 3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: filmogenka.com]

Just adding the message to the Bayes database is not enough. You need to use all the tools available:

    Razor
    DCC
    SpamAssassin plugins

There are also some nifty milters available if you use sendmail (or now the latest postfix :). We're blocking a ton of stuff with a free milter, milter-limit available at www.snertsoft.com.

Also please change the subject line when you reply to a list message and change the topic :)

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From root at doctor.nl2k.ab.ca Mon Aug 7 17:41:34 2006
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Mon Aug 7 17:42:17 2006
Subject: MailScanner 4.56.1-1 and Sys-Syslog
Message-ID: <20060807164134.GA14776@doctor.nl2k.ab.ca>

I wonder if I should test MailScanner 4.56.1-1 with the current sys-syslog 0.17. I THINK the author just pulled this module and went back to Sys-syslog 0.16.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
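
Added example, not part of any list message and not MailScanner's own code: Stephen Swaney's per-domain procedure above, staged in a scratch directory instead of /etc/MailScanner, followed by a lint that checks each ruleset has a default entry and that every target file exists and is of the matching kind (a filetype ruleset pointing at a filename rules file is an easy copy-and-paste slip). The function names, the scratch layout and the `*@xyz.com` sender pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: stage per-domain filename/filetype rulesets in a scratch
# directory (nothing under /etc is touched) and lint the result.
# Function names and the scratch layout are assumptions of this example.

# Create a scratch stand-in for /etc/MailScanner and print its path.
make_scratch() {
    ms_dir=$(mktemp -d)
    echo '# constructed stand-in for the stock filename rules' > "$ms_dir/filename.rules.conf"
    echo '# constructed stand-in for the stock filetype rules' > "$ms_dir/filetype.rules.conf"
    echo "$ms_dir"
}

# stage_per_domain_rules DIR TAG SENDER
# Copies each stock file to <kind>.rules.TAG.conf and writes rules/<kind>.rules,
# which selects the copy for SENDER and the stock file for everyone else.
stage_per_domain_rules() {
    st_dir=$1 st_tag=$2 st_sender=$3
    mkdir -p "$st_dir/rules"
    for st_kind in filename filetype; do
        cp "$st_dir/$st_kind.rules.conf" "$st_dir/$st_kind.rules.$st_tag.conf"
        {
            echo "# Per-domain $st_kind rules for $st_sender"
            echo "From:     $st_sender  $st_dir/$st_kind.rules.$st_tag.conf"
            echo "# Default entry"
            echo "FromOrTo: default  $st_dir/$st_kind.rules.conf"
        } > "$st_dir/rules/$st_kind.rules"
    done
}

# lint_ruleset KIND FILE   (KIND is "filename" or "filetype")
# Prints one line per problem; the return status is the number of problems.
lint_ruleset() {
    want=$1 ruleset=$2 problems=0 has_default=0
    while read -r direction pattern target rest; do
        # Skip blank lines and comments.
        case $direction in ''|'#'*) continue ;; esac
        if [ -z "$target" ]; then
            echo "$ruleset: malformed line: $direction $pattern"
            problems=$((problems + 1))
            continue
        fi
        if [ "$pattern" = default ]; then has_default=1; fi
        if [ ! -r "$target" ]; then
            echo "$ruleset: $target is missing or unreadable"
            problems=$((problems + 1))
        fi
        # Naming convention from the procedure: <kind>.rules[.<tag>].conf
        case ${target##*/} in
            "$want".rules.*) ;;
            *) echo "$ruleset: $target is not a $want rules file"
               problems=$((problems + 1)) ;;
        esac
    done < "$ruleset"
    if [ "$has_default" -eq 0 ]; then
        echo "$ruleset: no default entry"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo run on a scratch copy.
scratch=$(make_scratch)
stage_per_domain_rules "$scratch" xyz '*@xyz.com'
for k in filename filetype; do
    if lint_ruleset "$k" "$scratch/rules/$k.rules"; then echo "$k ruleset: ok"; fi
done
rm -rf "$scratch"
```

Once the lint is clean, the staged files can be copied into place and the "Filename Rules" and "Filetype Rules" settings pointed at them as described in the message above.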
From root at doctor.nl2k.ab.ca Mon Aug 7 17:43:08 2006 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Aug 7 17:44:08 2006 Subject: sa-learn universal setting and spam only digested mailboxes Message-ID: <20060807164308.GB14776@doctor.nl2k.ab.ca> I will ask this question here. I have a spam - only mailbx in the mbox format and I am trying to get sa-learn to read and integrate this systemwide. How do I do this? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From AHKAPLAN at PARTNERS.ORG Mon Aug 7 17:50:06 2006 From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.) Date: Mon Aug 7 17:50:13 2006 Subject: Particular User's E-Mail Getting Virus Notifications on almost all incoming e-mail Message-ID: <9C63A4713C4E3342B90428CE44806A730267983E@PHSXMB5.partners.org> Hi there - We have MailScanner 4.54 running with ClamAV 0.88.1 and SpamAssassin 3.03 on an HP-UX 10.20 trusted system. One of our users is getting Virus Detected - Denial of Service Attack error messages on nearly all his e-mails. These e-mails are those coming from without and within our company's network. This problem is not affecting any of our other users. I suspect that his mailbox is corrupt, but before I go down that route I wanted to know if there are any other possibilities. If his mailbox is bad, I will probably delete the existing box and restore and older one from tape archive. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060807/4798186b/attachment.html From mailscanner at ecs.soton.ac.uk Mon Aug 7 17:58:50 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 7 17:59:21 2006 Subject: setup filetype and filename rules per domain In-Reply-To: <18e201c6ba3b$9d70f3e0$287ba8c0@office.fsl> References: <18e201c6ba3b$9d70f3e0$287ba8c0@office.fsl> Message-ID: <44D7714A.8030800@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stephen Swaney wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Gordon Colyn >> Sent: Monday, August 07, 2006 11:41 AM >> To: mailscanner@lists.mailscanner.info >> Subject: setup filetype and filename rules per domain >> >> ITNT Banner CampaignIs there a way to setup filetype and filename rules >> per >> domain or user? >> >> I have some client domains and users that want to accept .mp3 and .wav >> files >> and others that don't >> >> Thanks >> Gordon Colyn In recent versions (version 4.49 and onwards) there are some new configuration settings, Allow Filenames Deny Filenames Allow Filetypes Deny Filetypes These are not as flexible as the filename.rules.conf and filetype.rules.conf files, but you may find them easier to use and good enough for your requirements. For an example, let's say that domain xyz.com wants to be able to email files called "*.mp3" and "*.wav". You would still need to do similar setups to stop the "filetype.rules.conf" file trapping movies in general. But let's keep it simple for this example. 1) We need to tell MailScanner to create a ruleset for "Allow Filenames" so we can vary the value of this setting depending on where the mail is going to. In MailScanner.conf, set Allow Filenames = %rules-dir%/allow.filenames.rules 2) Create the ruleset. This just needs to allow *.mp3 and *.wav for mail going to anyone@xyz.com. 
In /etc/MailScanner/rules/allow.filenames.rules, put
    To: xyz.com \.mov$ \.mp3$

Note that the text to the right of "xyz.com" is a space-separated list of regular expressions. You need to put the "\" before the "." as otherwise "." would just match any character, not just the actual "full stop" character. "$" matches the "end of line", ensuring that the ".mov" appears at the end of the filename.

3) Run the command "service MailScanner restart" to enable all of this.

That's it!

- ------------------------
Note for advanced users: The order of checking all of these settings is
    Allow Filenames
    Deny Filenames
    filename.rules.conf
The first rule that matches is the result used.
- ------------------------

> You need to create a rule set that uses different filename/filetype
> configuration files for mail from different domains for attachment filename
> and filetype checking. If you have a Red Hat, CentOS or SuSE system, the
> following paths will be correct. They will vary on other systems but the
> same principles will work.
>
> First create two files:
>
> /etc/MailScanner/filename.rules.xyz.conf
> /etc/MailScanner/filetype.rules.xyz.conf
>
> Copy these existing files to create the new files:
>
> cp /etc/MailScanner/filename.rules.conf \
> /etc/MailScanner/filename.rules.xyz.conf
>
> cp /etc/MailScanner/filetype.rules.conf \
> /etc/MailScanner/filetype.rules.xyz.conf
>
> Then edit both the new files to allow or deny the files for xyz.domain
>
> Then create the file /etc/MailScanner/rules/filename.rules. The contents of
> this file should be:
>
> # Allow certain filenames from xyz.com
> From: /\*@xyz\.com/ /etc/MailScanner/filename.rules.xyz.conf
> # Default entry
> FromOrTo: default /etc/MailScanner/filename.rules.conf
>
> Then create the file /etc/MailScanner/rules/filetype.rules.
The contents of
> this file should be:
>
> # Allow certain filetypes from xyz.com
> From: /\*@xyz\.com/ /etc/MailScanner/filetype.rules.xyz.conf
> # Default entry
> FromOrTo: default /etc/MailScanner/filetype.rules.conf
>
> Then edit /etc/MailScanner.conf to call the new rulesets. Change the setting
> for Filename Rules to be:
>
> Filename Rules = %rules-dir%/filename.rules
>
> And change the setting for Filetype Rules to be:
>
> Filetype Rules = %rules-dir%/filetype.rules
>
> Then reload MailScanner.
>
> I hope this helps,
>
> Steve
>
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney@fsl.com
> www.fsl.com
>

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE13FZEfZZRxQVtlQRAjI/AJ9QL/Glz1wAkjODkfnQ3DQoD/NY9QCfU6xt
SzbgyRdd3lhVIdpvR9r0d3g=
=lg1E
-----END PGP SIGNATURE-----

-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support.

From Kevin_Miller at ci.juneau.ak.us Mon Aug 7 18:13:05 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Mon Aug 7 18:13:09 2006
Subject: setup filetype and filename rules per domain
In-Reply-To: <44D7714A.8030800@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> In recent versions (version 4.49 and onwards) there are some new
> configuration settings,
> Allow Filenames
> Deny Filenames
> Allow Filetypes
> Deny Filetypes
> These are not as flexible as the filename.rules.conf and
> filetype.rules.conf files, but you may find them easier to use and
> good enough for your requirements.
> > For an example, let's say that domain xyz.com wants to be able to > email files called "*.mp3" and "*.wav". You would still need to do > similar setups to stop the "filetype.rules.conf" file trapping movies > in general. But let's keep it simple for this example. > > 1) We need to tell MailScanner to create a ruleset for "Allow > Filenames" so we can vary the value of this setting depending on > where the mail is going to. > In MailScanner.conf, set > Allow Filenames = %rules-dir%/allow.filenames.rules > > 2) Create the ruleset. This just needs to allow *.mp3 and *.wav for > mail going to anyone@xyz.com. > In /etc/MailScanner/rules/allow.filenames.rules, put > To: xyz.com \.mov$ \.mp3$ > > Note that the text to the right of "xyz.com" is a space-separated list > of regular expressions. You need to put the "\" before the "." as > otherwise "." would just match any character, not just the actual > "full stop" character. "$" matches the "end of line", ensuring that > the ".mov" appears at the end of the filename. Thanks for the quickie tutorial Julian. Just a simple sanity check: I presume that in allow.filenames.rules that we can use the From: or FromOrTo: nomenclature as well as the To: tag? Are tab seperators required between operators? TIA... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From dave.list at pixelhammer.com Mon Aug 7 18:25:22 2006 From: dave.list at pixelhammer.com (DAve) Date: Mon Aug 7 18:25:44 2006 Subject: ClamAV on FreeBSD - ports or Perl module? In-Reply-To: References: Message-ID: <44D77782.2010604@pixelhammer.com> Koopmann, Jan-Peter wrote: > On Thursday, August 03, 2006 9:29 AM Adri Koppes wrote: > >> I have been using p5-Mail-ClamAV 0.30 with the standard perl 5.8.6 on >> FreeBSD 5.4 without any problems for over 1 year now. > > Good to know! 
I will try to switch to Mail-ClamAV the next days (today just was not possible as was the new port). If that works out as well (which it will) I will remove the warning from p5-Mail-ClamAV. Thanks!

I am very interested in moving to clamavmodule at the moment as I need something to relieve the load on MailScanner boxes right now. My in queue is up over 600 at the moment as I have issues with URIDNSBL not completing lookups, so SA is very slow right now. (I've posted already on the SA list).

Once switching to clamavmodule will there be a tell tale log message to let me know it is working? I have a bit too much processing going on to be flipping MailScanner on and off at the moment to send Eicars.

Thanks,

DAve

-- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From mailscanner at ecs.soton.ac.uk Mon Aug 7 18:46:38 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 7 18:47:02 2006
Subject: MailScanner ANNOUNCE: Revision to 4.55
Message-ID: <44D77C7E.5010703@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The author of the Sys::Syslog perl module has withdrawn it due to problems including compatibility issues with some Linux distributions. The most obvious effect is that the "make test" step may hang part-way through the tests.

As a result, I have had no alternative other than to reluctantly publish a revision of the latest stable release of MailScanner.

If you had problems installing 4.55.9 (notably on some CentOS systems) then download and upgrade to 4.55.10.

Download as usual from www.mailscanner.info

Note that if you had no problems installing 4.55.9, there is no reason to upgrade to 4.55.10.

Sorry for this forced re-release.
- -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE13yFEfZZRxQVtlQRAp7BAKCAElkjZdYDjj1snNJ3gz5NPr90oACcD7UW 24ByWh9/vqg8VFwMXAWtnvg= =Ctux -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mailscanner at ecs.soton.ac.uk Mon Aug 7 18:54:43 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 7 18:54:58 2006 Subject: setup filetype and filename rules per domain In-Reply-To: References: Message-ID: <44D77E63.2090205@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Miller wrote: > Julian Field wrote: > >> In recent versions (version 4.49 and onwards) there are some new >> configuration settings, >> Allow Filenames >> Deny Filenames >> Allow Filetypes >> Deny Filetypes >> These are not as flexible as the filename.rules.conf and >> filetype.rules.conf files, but you may find them easier to use and >> good enough for your requirements. >> >> For an example, let's say that domain xyz.com wants to be able to >> email files called "*.mp3" and "*.wav". You would still need to do >> similar setups to stop the "filetype.rules.conf" file trapping movies >> in general. But let's keep it simple for this example. >> >> 1) We need to tell MailScanner to create a ruleset for "Allow >> Filenames" so we can vary the value of this setting depending on >> where the mail is going to. >> In MailScanner.conf, set >> Allow Filenames = %rules-dir%/allow.filenames.rules >> >> 2) Create the ruleset. 
This just needs to allow *.mp3 and *.wav for >> mail going to anyone@xyz.com. >> In /etc/MailScanner/rules/allow.filenames.rules, put >> To: xyz.com \.mov$ \.mp3$ >> >> Note that the text to the right of "xyz.com" is a space-separated list >> of regular expressions. You need to put the "\" before the "." as >> otherwise "." would just match any character, not just the actual >> "full stop" character. "$" matches the "end of line", ensuring that >> the ".mov" appears at the end of the filename. > > Thanks for the quickie tutorial Julian. Just a simple sanity check: I > presume that in allow.filenames.rules that we can use the From: or > FromOrTo: nomenclature as well as the To: tag? Yes. > > Are tab seperators required between operators? No. One of the main features that the filename.rules.conf file provides that is better than the method above, is that the matching regular expressions can include spaces, which the method above cannot. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE135pEfZZRxQVtlQRAvv4AJ9rr2DZLa6scIatzfHeIEVEhJtRlQCdHT3M SQiddMN+gfTozUTHKK4hF1o= =oziO -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From jflowers at ezo.net Mon Aug 7 19:26:30 2006 From: jflowers at ezo.net (Jim Flowers) Date: Mon Aug 7 19:26:44 2006 Subject: Bypass spam scan based on header Message-ID: <20060807174400.M14392@ezo.net> I pre-process email with another program before forwarding messages to MailScanner. 
This program adds a header on the fly when a message has been whitelisted. I want to configure MailScanner to bypass spam-scanning messages that contain this header to save the overhead. Virus-scanning is still required. Is there a way to do this other than using a Custom Function or by using a sendmail hack? If not, I'll probably hack the pre-processor to add/delete the whitelisted addresses into the MySQL database for SQLBlackWhiteList.pm to handle. But I thought: if anyone has already solved this problem, I should ask. Anyone? -- Jim Flowers -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ajos1 at onion.demon.co.uk Mon Aug 7 19:29:52 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Mon Aug 7 19:30:04 2006 Subject: gOCR SpamAssassin plugin Message-ID: - What a marvellous find... I am trying it now... Just one question... where would I stick in the plugin file? I am right in thinking it will be something like: /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin And not one of these: /usr/lib/MailScanner/CustomFunctions /usr/lib/MailScanner/plugins /etc/MailScanner/CustomFunctions /etc/MailScanner/plugins -----Original Message----- From: mailscanner@lists.mailscanner.info Subj: Re: gOCR SpamAssassin plugin Date: Mon, 07 Aug 2006 14:52:38 +0100 The one that Dallas posted on the SA users group seems to work well: http://www.rulesemporium.com/plugins.htm#imageinfo From ajos1 at onion.demon.co.uk Mon Aug 7 19:33:55 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Mon Aug 7 19:34:03 2006 Subject: gOCR SpamAssassin plugin Message-ID: - Interesting one here... I ALWAYS install the MailScanner from RPM... I notice that when searching for plugins... that I have two MailScanner systems... Did they switch over at some point? 
/usr/lib/perl5/site_perl has newer files than does /usr/lib/perl5/vendor_perl Just checking in case an error has slipped in over the last 12 months? [root@www perl5]# la /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin total 316 -r--r--r-- 1 root root 1676 Mar 10 19:29 Test.pm -r--r--r-- 1 root root 9565 Mar 10 19:29 Hashcash.pm -r--r--r-- 1 root root 5647 Mar 10 19:29 AutoLearnThreshold.pm -r--r--r-- 1 root root 4472 Mar 10 19:29 AccessDB.pm -r--r--r-- 1 root root 3811 Mar 10 19:29 WhiteListSubject.pm -r--r--r-- 1 root root 8352 Mar 10 19:29 SpamCop.pm -r--r--r-- 1 root root 6557 Mar 10 19:29 ReplaceTags.pm -r--r--r-- 1 root root 5510 Mar 10 19:29 MIMEHeader.pm -r--r--r-- 1 root root 7927 Mar 10 19:29 DomainKeys.pm -r--r--r-- 1 root root 4354 Mar 10 19:29 AntiVirus.pm -r--r--r-- 1 root root 23243 May 24 21:07 URIDNSBL.pm -r--r--r-- 1 root root 14189 May 24 21:07 SPF.pm -r--r--r-- 1 root root 2385 May 24 21:07 RelayCountry.pm -r--r--r-- 1 root root 13831 May 24 21:07 Razor2.pm -r--r--r-- 1 root root 14167 May 24 21:07 DKIM.pm -r--r--r-- 1 root root 13064 Jul 25 23:02 TextCat.pm -r--r--r-- 1 root root 10396 Jul 25 23:02 Pyzor.pm -r--r--r-- 1 root root 22445 Jul 25 23:02 DCC.pm -r--r--r-- 1 root root 14441 Jul 25 23:02 AWL.pm drwxr-xr-x 10 root root 4096 Jul 29 01:11 .. drwxr-xr-x 2 root root 4096 Jul 29 01:11 . 
[root@www perl5]# la /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin total 232 -r--r--r-- 1 root root 1676 Mar 10 19:29 Test.pm -r--r--r-- 1 root root 9565 Mar 10 19:29 Hashcash.pm -r--r--r-- 1 root root 5647 Mar 10 19:29 AutoLearnThreshold.pm -r--r--r-- 1 root root 4472 Mar 10 19:29 AccessDB.pm -r--r--r-- 1 root root 3811 Mar 10 19:29 WhiteListSubject.pm -r--r--r-- 1 root root 8352 Mar 10 19:29 SpamCop.pm -r--r--r-- 1 root root 6557 Mar 10 19:29 ReplaceTags.pm -r--r--r-- 1 root root 5510 Mar 10 19:29 MIMEHeader.pm -r--r--r-- 1 root root 7927 Mar 10 19:29 DomainKeys.pm -r--r--r-- 1 root root 4354 Mar 10 19:29 AntiVirus.pm -r--r--r-- 1 root root 23243 May 24 21:07 URIDNSBL.pm -r--r--r-- 1 root root 14189 May 24 21:07 SPF.pm -r--r--r-- 1 root root 2385 May 24 21:07 RelayCountry.pm -r--r--r-- 1 root root 13831 May 24 21:07 Razor2.pm -r--r--r-- 1 root root 14167 May 24 21:07 DKIM.pm From gordon at itnt.co.za Mon Aug 7 19:49:56 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Mon Aug 7 19:50:13 2006 Subject: setup filetype and filename rules per domain References: <18e201c6ba3b$9d70f3e0$287ba8c0@office.fsl> <44D7714A.8030800@ecs.soton.ac.uk> Message-ID: <004001c6ba52$46f761e0$0d02a8c0@Gordon> Thanks! ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Sent: Monday, August 07, 2006 6:58 PM Subject: Re: setup filetype and filename rules per domain -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stephen Swaney wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Gordon Colyn >> Sent: Monday, August 07, 2006 11:41 AM >> To: mailscanner@lists.mailscanner.info >> Subject: setup filetype and filename rules per domain >> >> ITNT Banner CampaignIs there a way to setup filetype and filename rules >> per >> domain or user? 
>> >> I have some client domains and users that want to accept .mp3 and .wav >> files >> and others that don't >> >> Thanks >> Gordon Colyn In recent versions (version 4.49 and onwards) there are some new configuration settings, Allow Filenames Deny Filenames Allow Filetypes Deny Filetypes These are not as flexible as the filename.rules.conf and filetype.rules.conf files, but you may find them easier to use and good enough for your requirements. For an example, let's say that domain xyz.com wants to be able to email files called "*.mp3" and "*.wav". You would still need to do similar setups to stop the "filetype.rules.conf" file trapping movies in general. But let's keep it simple for this example. 1) We need to tell MailScanner to create a ruleset for "Allow Filenames" so we can vary the value of this setting depending on where the mail is going to. In MailScanner.conf, set Allow Filenames = %rules-dir%/allow.filenames.rules 2) Create the ruleset. This just needs to allow *.mp3 and *.wav for mail going to anyone@xyz.com. In /etc/MailScanner/rules/allow.filenames.rules, put To: xyz.com \.mov$ \.mp3$ Note that the text to the right of "xyz.com" is a space-separated list of regular expressions. You need to put the "\" before the "." as otherwise "." would just match any character, not just the actual "full stop" character. "$" matches the "end of line", ensuring that the ".mov" appears at the end of the filename. 3) Run the command "service MailScanner restart" to enable all of this. That's it! - ------------------------ Note for advanced users: The order of checking all of these settings is Allow Filenames Deny Filenames filename.rules.conf The first rule that matches is the result used. - ------------------------ > You need to create a rule sets that uses different filename/filetype > configuration files for mail from different domains for attachment > filename > and filetype checking. 
If you have a Red Hat, CentOS or SuSE system, the
> following paths will be correct. They will vary on other systems but the
> same principles will work.
>
> First create two files:
>
> /etc/MailScanner/filename.rules.xyz.conf
> /etc/MailScanner/filetype.rules.xyz.conf
>
> Copy these existing files to create the new files:
>
> cp /etc/MailScanner/filename.rules.conf \
> /etc/MailScanner/filename.rules.xyz.conf
>
> cp /etc/MailScanner/filetype.rules.conf \
> /etc/MailScanner/filetype.rules.xyz.conf
>
> Then edit both the new files to allow or deny the files for xyz.domain
>
> Then create the file /etc/MailScanner/rules/filename.rules. The contents of
> this file should be:
>
> # Allow certain filenames from xyz.com
> From: /\*@xyz\.com/ /etc/MailScanner/filename.rules.xyz.conf
> # Default entry
> FromOrTo: default /etc/MailScanner/filename.rules.conf
>
> Then create the file /etc/MailScanner/rules/filetype.rules. The contents of
> this file should be:
>
> # Allow certain filetypes from xyz.com
> From: /\*@xyz\.com/ /etc/MailScanner/filetype.rules.xyz.conf
> # Default entry
> FromOrTo: default /etc/MailScanner/filetype.rules.conf
>
> Then edit /etc/MailScanner.conf to call the new rulesets. Change the setting
> for Filename Rules to be:
>
> Filename Rules = %rules-dir%/filename.rules
>
> And change the setting for Filetype Rules to be:
>
> Filetype Rules = %rules-dir%/filetype.rules
>
> Then reload MailScanner.
>
> I hope this helps,
>
> Steve
>
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney@fsl.com
> www.fsl.com
>

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Get your PCs and servers from Transtec.de, very well built and reliable!
-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE13FZEfZZRxQVtlQRAjI/AJ9QL/Glz1wAkjODkfnQ3DQoD/NY9QCfU6xt
SzbgyRdd3lhVIdpvR9r0d3g=
=lg1E
-----END PGP SIGNATURE-----

-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support.

-- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!

From bpumphrey at WoodMacLaw.com Mon Aug 7 20:03:32 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Mon Aug 7 20:03:35 2006
Subject: blocking out-of-office discussions
In-Reply-To:
Message-ID: <04D932B0071FE34FA63EBB1977B48D15017B4709@woodenex.woodmaclaw.local>

> On Friday, August 04, 2006 1:56 PM Jethro R Binks wrote:
>
> > Speaking perfectly frankly, that seems to be a common theme on this
> > list anyway.
> >
> > At least this discussion is mail-related and generically useful.
>
> That one gave me a good laugh. Thanks! :-)
> --

To me that makes this list stand out from the rest. MailScanner covers so many areas.

From bpumphrey at WoodMacLaw.com Mon Aug 7 20:07:12 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Mon Aug 7 20:07:16 2006
Subject: OT: Another Exchange 2003 and MailScanner question
In-Reply-To:
Message-ID: <04D932B0071FE34FA63EBB1977B48D15017B470F@woodenex.woodmaclaw.local>

Does anyone use the built in Exchange intelligent filters along with MailScanner? I currently do not and have debated back and forth over time whether it would be good to turn it on or not. Does anyone recommend one way or the other?
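For the "setup filetype and filename rules per domain" thread above, an added Python sketch (not MailScanner's code and not written by any poster) that models the quoted ruleset line "To: xyz.com \.mov$ \.mp3$" and the Allow Filenames, Deny Filenames, filename.rules.conf order, to show what each pattern admits when the "\" or the "$" is left out. The deny ruleset, the stand-in for filename.rules.conf, the domain matching and the probe filenames are constructed assumptions.

```python
import re

DIRECTIONS = ("To", "From", "FromOrTo")


def parse_ruleset(text):
    """Parse 'Direction: domain regex regex ...' lines into (direction, domain, [regex])."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Fields are whitespace-separated, which is why a pattern in this
        # kind of ruleset cannot itself contain a space.
        fields = line.split()
        direction = fields[0].rstrip(":")
        if direction not in DIRECTIONS or len(fields) < 3:
            raise ValueError("bad rule line: %r" % raw)
        rules.append((direction, fields[1].lower(),
                      [re.compile(p) for p in fields[2:]]))
    return rules


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def patterns_for(rules, sender, recipient):
    """Regex list of the first rule line that applies to this message (assumed first-match)."""
    for direction, domain, patterns in rules:
        to_hit = direction in ("To", "FromOrTo") and domain in ("default", _domain(recipient))
        from_hit = direction in ("From", "FromOrTo") and domain in ("default", _domain(sender))
        if to_hit or from_hit:
            return patterns
    return []


# Constructed stand-ins for the two later layers.
DENY_RULES = parse_ruleset(r"FromOrTo: default \.exe$ \.scr$")


def default_filename_rules(filename):
    """Stand-in for filename.rules.conf: deny media files, allow everything else."""
    return "deny" if re.search(r"\.(mp3|mov|wav)$", filename) else "allow"


def decide(filename, sender, recipient, allow_rules, deny_rules=DENY_RULES):
    """Order given in the thread: Allow Filenames, Deny Filenames, filename.rules.conf."""
    for pattern in patterns_for(allow_rules, sender, recipient):
        if pattern.search(filename):
            return ("allow", "Allow Filenames")
    for pattern in patterns_for(deny_rules, sender, recipient):
        if pattern.search(filename):
            return ("deny", "Deny Filenames")
    return (default_filename_rules(filename), "filename.rules.conf")


PAGE_RULE = r"To: xyz.com \.mov$ \.mp3$"   # the line from the thread
NO_ANCHOR = r"To: xyz.com \.mov \.mp3"     # "$" left out
NO_ESCAPE = r"To: xyz.com .mov$ .mp3$"     # "\" left out

PROBES = ["song.mp3", "clip.mov", "song.mp3.exe", "report_mp3"]  # constructed names


def audit(ruleset_text, sender="alice@sender.example", recipient="bob@xyz.com"):
    """Verdict and deciding layer for every probe filename under one allow ruleset."""
    rules = parse_ruleset(ruleset_text)
    return {name: decide(name, sender, recipient, rules) for name in PROBES}


if __name__ == "__main__":
    for label, text in (("as posted", PAGE_RULE), ("no $", NO_ANCHOR), ("no \\", NO_ESCAPE)):
        print(label)
        for name, (verdict, layer) in audit(text).items():
            print("  %-14s %-5s by %s" % (name, verdict, layer))
```

Because Allow Filenames is consulted first, an allow pattern without the "$" anchor lets "song.mp3.exe" through before the deny list is ever checked.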
From mailscanner at ecs.soton.ac.uk Mon Aug 7 20:12:15 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 7 20:12:57 2006 Subject: Bypass spam scan based on header In-Reply-To: <20060807174400.M14392@ezo.net> References: <20060807174400.M14392@ezo.net> Message-ID: <44D7908F.2040304@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A simple Custom Function would do it, but do be sure to remember that any header you can add can be easily added by the spammers as well! Don't trust _anything_ in the headers :-( Jim Flowers wrote: > I pre-process email with another program before forwarding messages to > MailScanner. This program adds a header on the fly when a message has been > whitelisted. > > I want to configure MailScanner to bypass spam-scanning messages that contain > this header to save the overhead. Virus-scanning is still required. Is there > a way to do this other than using a Custom Function or by using a sendmail hack? > > If not, I'll probably hack the pre-processor to add/delete the whitelisted > addresses into the MySQL database for SQLBlackWhiteList.pm to handle. > > But I thought: if anyone has already solved this problem, I should ask. > > Anyone? > > -- > Jim Flowers > > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE15CoEfZZRxQVtlQRAm/pAJ4/NzLcP51DmWW+8QBJnM0aLjcKCgCfSlkR OrqOjExwkkJNR34DGm6cp4w= =bV4T -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. 
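For the "Bypass spam scan based on header" exchange above, an added Python sketch (not MailScanner code, not a Custom Function, and not from either poster) of one way a pre-processor's whitelist header can be made checkable instead of trusted on sight: the pre-processor strips any inbound copy and writes a keyed MAC, and the downstream check only skips spam scanning when exactly one valid, fresh stamp is present. The header name, key, lifetime and sample message are constructed assumptions; virus scanning is untouched by this decision.

```python
import hashlib
import hmac
import time
from email import message_from_string

HEADER = "X-Prefilter-Whitelisted"   # hypothetical header name
KEY = b"constructed-demo-key"        # constructed; a secret shared by the two hosts
MAX_AGE = 300                        # seconds a stamp stays valid (assumption)

# Constructed sample message.
RAW = (
    "From: alice@sender.example\n"
    "To: bob@xyz.com\n"
    "Message-ID: <constructed-1@sender.example>\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def _mac(key, msg, sender, recipient, ts):
    # Bind the stamp to the envelope, the Message-ID and the time it was made,
    # so it cannot be lifted onto another message or reused later.
    material = "\n".join([sender.lower(), recipient.lower(),
                          msg.get("Message-ID", ""), str(ts)])
    return hmac.new(key, material.encode("utf-8"), hashlib.sha256).hexdigest()


def stamp(msg, sender, recipient, key=KEY, now=None):
    """Pre-processor side: remove every inbound copy, then add one signed header."""
    del msg[HEADER]                  # deletes all occurrences, no error if absent
    ts = int(time.time() if now is None else now)
    msg[HEADER] = "t=%d; mac=%s" % (ts, _mac(key, msg, sender, recipient, ts))
    return msg


def skip_spam_scan(msg, sender, recipient, key=KEY, now=None):
    """Downstream side: True only for exactly one well-formed, fresh, valid stamp."""
    values = msg.get_all(HEADER, [])
    if len(values) != 1:
        return False
    try:
        # strip() also tolerates a value that was folded onto two lines.
        fields = dict(part.strip().split("=", 1) for part in values[0].split(";"))
        ts = int(fields["t"])
        mac = fields["mac"]
    except (ValueError, KeyError):
        return False
    current = time.time() if now is None else now
    if not 0 <= current - ts <= MAX_AGE:
        return False
    expected = _mac(key, msg, sender, recipient, ts)
    return hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8"))


def demo(now=1154977935):            # constructed timestamp
    sender, rcpt = "alice@sender.example", "bob@xyz.com"
    results = {}
    # A message that arrives already carrying the header, as any sender could do.
    forged = message_from_string(HEADER + ": yes\n" + RAW)
    results["forged_plain"] = skip_spam_scan(forged, sender, rcpt, now=now)
    # The same message after the pre-processor has whitelisted and stamped it.
    stamped = stamp(message_from_string(HEADER + ": yes\n" + RAW), sender, rcpt, now=now)
    results["headers_after_stamp"] = len(stamped.get_all(HEADER))
    results["stamped"] = skip_spam_scan(stamped, sender, rcpt, now=now + 5)
    results["other_recipient"] = skip_spam_scan(stamped, sender, "carol@xyz.com", now=now + 5)
    results["stale"] = skip_spam_scan(stamped, sender, rcpt, now=now + MAX_AGE + 1)
    wrong = stamp(message_from_string(RAW), sender, rcpt, key=b"guessed-key", now=now)
    results["wrong_key"] = skip_spam_scan(wrong, sender, rcpt, now=now)
    stamped[HEADER] = "yes"          # a second copy makes the message ambiguous
    results["two_copies"] = skip_spam_scan(stamped, sender, rcpt, now=now + 5)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-20s %s" % (case, outcome))
```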
From JeremyBlonde at grant.k12.ca.us Mon Aug 7 20:18:23 2006
From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde)
Date: Mon Aug 7 20:17:29 2006
Subject: MailScanner ANNOUNCE: Revision to 4.55
Message-ID:

FYI

I'm running Gentoo Linux w/ Postfix and MailScanner 4.55.6.

I just tried installing version 4.55.10 (I've been running 4.55.6). After installing it via the install.sh script, postfix would generate the following error: "postfix: Process did not exit cleanly, returned 255 with signal 0". Postfix worked when it ran without MailScanner. I verified the permissions on the directories and everything looked good. I played with it a bit but couldn't get it to work. I then linked back to the old version and everything worked again.

P.S. Sorry about my previous post. I was interrupted and didn't realize I hadn't updated the subject.

Thanks,

Jeremy Blonde
Instructional Technology - Server Support
Grant Joint Union School District

-----Original Message-----
From: mailscanner-announce-bounces@lists.mailscanner.info [mailto:mailscanner-announce-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Monday, August 07, 2006 10:47 AM
To: MailScanner discussion; MailScanner announcements
Subject: MailScanner ANNOUNCE: Revision to 4.55

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The author of the Sys::Syslog perl module has withdrawn it due to problems including compatibility issues with some Linux distributions. The most obvious effect is that the "make test" step may hang part-way through the tests.

As a result, I have had no alternative other than to reluctantly publish a revision of the latest stable release of MailScanner.

If you had problems installing 4.55.9 (notably on some CentOS systems) then download and upgrade to 4.55.10.

Download as usual from www.mailscanner.info

Note that if you had no problems installing 4.55.9, there is no reason to upgrade to 4.55.10.

Sorry for this forced re-release.
- -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE13yFEfZZRxQVtlQRAp7BAKCAElkjZdYDjj1snNJ3gz5NPr90oACcD7UW 24ByWh9/vqg8VFwMXAWtnvg= =Ctux -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. -- MailScanner-announce mailing list mailscanner-announce@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner-announce Before posting, read the Wiki (http://wiki.mailscanner.info/). Support MailScanner development - buy the book off the website! From bbecken at aafp.org Mon Aug 7 20:17:40 2006 From: bbecken at aafp.org (Brad Beckenhauer) Date: Mon Aug 7 20:17:57 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: <44D77C7E.5010703@ecs.soton.ac.uk> References: <44D77C7E.5010703@ecs.soton.ac.uk> Message-ID: <44D74B7E.D87E.0068.3@aafp.org> Hi, Just for fun I upgraded from 4.55.9 to 4.55.10 on a Centos 4.3 box test box. I then ran MailScanner --lint and got the following. The configuration file /etc/MailScanner/MailScanner.conf is too new for this version of MailScanner. This is version 4.55.9 but the config file is for at least version 4.55.10 Easy fix is to modify the MailScanner.conf file and change the version to 4.55.9, but I thought you'd like to know. Thanks for MailScanner Julian. >>> mailscanner@ecs.soton.ac.uk 8/7/2006 12:46 PM >>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The author of the Sys::Syslog perl module has withdrawn it due to problems including compatibility issues with some Linux distributions. 
The most obvious effect is that the "make test" step may hang part-way through the tests. As a result, I have had no alternative other than to reluctantly publish a revision of the latest stable release of MailScanner. If you had problems installing 4.55.9 (notably on some CentOS systems) then download and upgrade to 4.55.10. Download as usual from www.mailscanner.info Note that if you had no problems installing 4.55.9, there is no reason to upgrade to 4.55.10. Sorry for this forced re-release. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE13yFEfZZRxQVtlQRAp7BAKCAElkjZdYDjj1snNJ3gz5NPr90oACcD7UW 24ByWh9/vqg8VFwMXAWtnvg= =Ctux -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mailscanner at ecs.soton.ac.uk Mon Aug 7 20:19:15 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 7 20:19:32 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: References: Message-ID: <44D79233.7050008@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ajos1@onion.demon.co.uk wrote: > - > > Interesting one here... I ALWAYS install the MailScanner from RPM... I notice that when searching for plugins... that I have two MailScanner systems... > > Did they switch over at some point? 
The main MailScanner RPM distribution does not include anything to do with SpamAssassin. However, I do distribute an easy-to-install ClamAV+SpamAssassin distribution as well, which I strongly encourage users to install, as it does most of the setup and configuration for them too. The correct version put in by my distribution should be in site_perl and not vendor_perl. Beware that you might have a spamassassin rpm installed as well, which you should ideally remove before installing my distribution. > > /usr/lib/perl5/site_perl has newer files than does /usr/lib/perl5/vendor_perl > > Just checking in case an error has slipped in over the last 12 months? > > [root@www perl5]# la /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin > total 316 > -r--r--r-- 1 root root 1676 Mar 10 19:29 Test.pm > -r--r--r-- 1 root root 9565 Mar 10 19:29 Hashcash.pm > -r--r--r-- 1 root root 5647 Mar 10 19:29 AutoLearnThreshold.pm > -r--r--r-- 1 root root 4472 Mar 10 19:29 AccessDB.pm > -r--r--r-- 1 root root 3811 Mar 10 19:29 WhiteListSubject.pm > -r--r--r-- 1 root root 8352 Mar 10 19:29 SpamCop.pm > -r--r--r-- 1 root root 6557 Mar 10 19:29 ReplaceTags.pm > -r--r--r-- 1 root root 5510 Mar 10 19:29 MIMEHeader.pm > -r--r--r-- 1 root root 7927 Mar 10 19:29 DomainKeys.pm > -r--r--r-- 1 root root 4354 Mar 10 19:29 AntiVirus.pm > -r--r--r-- 1 root root 23243 May 24 21:07 URIDNSBL.pm > -r--r--r-- 1 root root 14189 May 24 21:07 SPF.pm > -r--r--r-- 1 root root 2385 May 24 21:07 RelayCountry.pm > -r--r--r-- 1 root root 13831 May 24 21:07 Razor2.pm > -r--r--r-- 1 root root 14167 May 24 21:07 DKIM.pm > -r--r--r-- 1 root root 13064 Jul 25 23:02 TextCat.pm > -r--r--r-- 1 root root 10396 Jul 25 23:02 Pyzor.pm > -r--r--r-- 1 root root 22445 Jul 25 23:02 DCC.pm > -r--r--r-- 1 root root 14441 Jul 25 23:02 AWL.pm > drwxr-xr-x 10 root root 4096 Jul 29 01:11 .. > drwxr-xr-x 2 root root 4096 Jul 29 01:11 . 
>
> [root@www perl5]# la /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin
> total 232
> -r--r--r-- 1 root root 1676 Mar 10 19:29 Test.pm
> -r--r--r-- 1 root root 9565 Mar 10 19:29 Hashcash.pm
> -r--r--r-- 1 root root 5647 Mar 10 19:29 AutoLearnThreshold.pm
> -r--r--r-- 1 root root 4472 Mar 10 19:29 AccessDB.pm
> -r--r--r-- 1 root root 3811 Mar 10 19:29 WhiteListSubject.pm
> -r--r--r-- 1 root root 8352 Mar 10 19:29 SpamCop.pm
> -r--r--r-- 1 root root 6557 Mar 10 19:29 ReplaceTags.pm
> -r--r--r-- 1 root root 5510 Mar 10 19:29 MIMEHeader.pm
> -r--r--r-- 1 root root 7927 Mar 10 19:29 DomainKeys.pm
> -r--r--r-- 1 root root 4354 Mar 10 19:29 AntiVirus.pm
> -r--r--r-- 1 root root 23243 May 24 21:07 URIDNSBL.pm
> -r--r--r-- 1 root root 14189 May 24 21:07 SPF.pm
> -r--r--r-- 1 root root 2385 May 24 21:07 RelayCountry.pm
> -r--r--r-- 1 root root 13831 May 24 21:07 Razor2.pm
> -r--r--r-- 1 root root 14167 May 24 21:07 DKIM.pm

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE15I6EfZZRxQVtlQRAngdAKCqQktQqU8cq4IE2OD+WICOjGmzvQCfWL4y
a6qxMRuqr7ysF8l77c0+C6s=
=7QU2
-----END PGP SIGNATURE-----

From rob at dido.ca Mon Aug 7 20:21:52 2006
From: rob at dido.ca (Rob Morin)
Date: Mon Aug 7 20:21:59 2006
Subject: Remove these headers issue..
Message-ID: <44D792D0.4090705@dido.ca>

OK so I am experimenting as per my manager to have internal emails that go out through our MS, have some info removed... so I have done the following....

created a file named remove.headers.rules

added this line to MailScanner.conf

Remove These Headers = %rules-dir%/remove.headers.rules

This file contains the below...

FromOrTo: default X-Mozilla-Status: X-Mozilla-Status2: Received: User-Agent:

However the User agent still does not get removed??

The Received From gets removed, but not user agent

I have restarted MS after making the changes

Did I miss something?

Thanks...

--
Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

From root at doctor.nl2k.ab.ca Mon Aug 7 22:18:06 2006
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Mon Aug 7 22:18:17 2006
Subject: MailScanner ANNOUNCE: Revision to 4.55
In-Reply-To: <44D77C7E.5010703@ecs.soton.ac.uk>
References: <44D77C7E.5010703@ecs.soton.ac.uk>
Message-ID: <20060807211806.GB11620@doctor.nl2k.ab.ca>

On Mon, Aug 07, 2006 at 06:46:38PM +0100, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The author of the Sys::Syslog perl module has withdrawn it due to
> problems including compatibility issues with some Linux distributions.
> The most obvious effect is that the "make test" step may hang part-way
> through the tests.
>
> As a result, I have had no alternative other than to reluctantly publish
> a revision of the latest stable release of MailScanner.
>
> If you had problems installing 4.55.9 (notably on some CentOS systems)
> then download and upgrade to 4.55.10.
>
> Download as usual from www.mailscanner.info
>
> Note that if you had no problems installing 4.55.9, there is no reason
> to upgrade to 4.55.10.
>
> Sorry for this forced re-release.
>
> - --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@MailScanner.biz
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Get your PCs and servers from Transtec.de, very well built and reliable!
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP SDK 3.7.0
> Charset: ISO-8859-1
>
> wj8DBQFE13yFEfZZRxQVtlQRAp7BAKCAElkjZdYDjj1snNJ3gz5NPr90oACcD7UW
> 24ByWh9/vqg8VFwMXAWtnvg=
> =Ctux
> -----END PGP SIGNATURE-----
>

How will this affect MailScanner 4.56 ?

From ugob at camo-route.com Mon Aug 7 22:33:37 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Mon Aug 7 22:34:08 2006
Subject: SA-related: how to automate SA upgrades
Message-ID:

Hi,

I was wondering if anyone heard of a way to feed the SpamAssassin install with an e-mail address so that we don't get this prompt:

Building and Installing...
What email address or URL should be used in the suspected-spam report text for users who want more information on your filter installation?
(In particular, ISPs should change this to a local Postmaster contact)
default text: [the administrator of that system]

Regards,

Ugo

From rgills at intratechsystems.com Mon Aug 7 22:44:09 2006
From: rgills at intratechsystems.com (Rob Gills)
Date: Mon Aug 7 22:44:05 2006
Subject: install problem with 4.55.10
Message-ID:

Hello,

I have noticed one small install problem with MailScanner 4.55.10

I just joined the lists so if someone else already mentioned this, I apologize.

I have just done two clean installs today, not upgrades, both on Redhat. Each one gave me the following error:

MailScanner: The configuration file /etc/MailScanner/MailScanner.conf is too new for this version of MailScanner. This is version 4.55.9 but the config file is for at least version 4.55.10

I simply edited the version number to 4.55.9 in Mailscan.conf, as a workaround. Works fine.

Cheers,

From mike at vesol.com Mon Aug 7 22:54:13 2006
From: mike at vesol.com (Mike Kercher)
Date: Mon Aug 7 22:54:24 2006
Subject: SA-related: how to automate SA upgrades
In-Reply-To:
Message-ID:

The 'expect' command would probably come in handy here.

Mike

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Ugo Bellavance
> Sent: Monday, August 07, 2006 4:34 PM
> To: mailscanner@lists.mailscanner.info
> Subject: SA-related: how to automate SA upgrades
>
> Hi,
>
> I was wondering if anyone heard of a way to feed the
> SpamAssassin install with an e-mail address so that we don't
> get this prompt:
>
> Building and Installing...
> What email address or URL should be used in the
> suspected-spam report text for users who want more
> information on your filter installation?
> (In particular, ISPs should change this to a local Postmaster
> contact) default text: [the administrator of that system]
>
> Regards,
>
> Ugo
>

From brent.addis at pronet.co.nz Mon Aug 7 23:26:12 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Mon Aug 7 23:27:10 2006
Subject: missing queue files?
Message-ID: <44D7BE04.60606@pronet.co.nz>

Hi.

I have just migrated to a new machine (was exim 4.50, MailScanner-4.43.8) which has been humming along quite nicely for a long time.

I am now running exim 4.62 along with Mailscanner-4.55.9.

We are currently seeing occasional messages hitting mailscanner, being scanned, and only the Header file seemingly being inserted into the exim queue.

EG:

2006-08-08 10:08:45 1GADGn-0004tk-Kq Spool file 1GADGn-0004tk-Kq-D not found

envy:/var/log/exim4# ls -l /var/spool/exim4/input/
total 4
-rw------- 1 Debian-exim Debian-exim 1854 2006-08-08 10:08 1GADGn-0004tk-Kq-H

I had a similar problem when I upgraded to 4.50, however I didn't have much time to look into it, so downgraded back to the above.

Has anyone else seen a similar issue?

From alex at nkpanama.com Mon Aug 7 23:35:18 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Mon Aug 7 23:35:36 2006
Subject: SA-related: how to automate SA upgrades
In-Reply-To:
References:
Message-ID: <44D7C026.5080005@nkpanama.com>

IANAP, but could it be possibly done by doing:

echo "me@myself.com" | perl -MCPAN -e 'install Mail::SpamAssassin'

?

Ugo Bellavance wrote:
> Hi,
>
> I was wondering if anyone heard of a way to feed the SpamAssassin
> install with an e-mail address so that we don't get this prompt:
>
> Building and Installing...
> What email address or URL should be used in the suspected-spam report
> text for users who want more information on your filter installation?
> (In particular, ISPs should change this to a local Postmaster contact)
> default text: [the administrator of that system]
>
> Regards,
>
> Ugo
>

From alex at nkpanama.com Mon Aug 7 23:39:14 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Mon Aug 7 23:39:31 2006
Subject: SA-related: how to automate SA upgrades
In-Reply-To: <44D7C026.5080005@nkpanama.com>
References: <44D7C026.5080005@nkpanama.com>
Message-ID: <44D7C112.7010202@nkpanama.com>

Just tried it on a test machine and it worked.

Alex Neuman van der Hans wrote:
> IANAP, but could it be possibly done by doing:
>
> echo "me@myself.com" | perl -MCPAN -e 'install Mail::SpamAssassin'
>
> ?
>
> Ugo Bellavance wrote:
>> Hi,
>>
>> I was wondering if anyone heard of a way to feed the
>> SpamAssassin install with an e-mail address so that we don't get
>> this prompt:
>>
>> Building and Installing...
>> What email address or URL should be used in the suspected-spam report
>> text for users who want more information on your filter installation?
>> (In particular, ISPs should change this to a local Postmaster contact)
>> default text: [the administrator of that system]
>>
>> Regards,
>>
>> Ugo
>>
>

From brent.addis at pronet.co.nz Mon Aug 7 23:58:31 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Tue Aug 8 00:00:44 2006
Subject: missing queue files?
In-Reply-To: <44D7BE04.60606@pronet.co.nz>
References: <44D7BE04.60606@pronet.co.nz>
Message-ID: <44D7C597.5090201@pronet.co.nz>

Brent Addis wrote:
> Hi.
>
> I have just migrated to a new machine (was exim 4.50,
> MailScanner-4.43.8) which has been humming along quite nicely for a
> long time.
>
> I am now running exim 4.62 along with Mailscanner-4.55.9.
>
> We are currently seeing occasional messages hitting mailscanner, being
> scanned, and only the Header file seemingly being inserted into the
> exim queue.
>
> EG:
>
> 2006-08-08 10:08:45 1GADGn-0004tk-Kq Spool file 1GADGn-0004tk-Kq-D not
> found
>
> envy:/var/log/exim4# ls -l /var/spool/exim4/input/
> total 4
> -rw------- 1 Debian-exim Debian-exim 1854 2006-08-08 10:08
> 1GADGn-0004tk-Kq-H
>
>
> I had a similar problem when I upgraded to 4.50, however I didn't have
> much time to look into it, so downgraded back to the above.
>
> Has anyone else seen a similar issue?
>

Also:

Aug 8 10:08:41 envy MailScanner[15218]: Virus and Content Scanning: Starting
Aug 8 10:08:45 envy MailScanner[15218]: Uninfected: Delivered 1 messages
Aug 8 10:08:45 envy MailScanner[15218]: Logging message 1GADGn-0004tk-Kq to SQL
Aug 8 10:08:45 envy MailScanner[15220]: 1GADGn-0004tk-Kq: Logged to MailWatch SQL

envy:/var/log# /opt/MailScanner/bin/MailScanner -v
Running on
Linux envy 2.6.15 #1 SMP Thu Jan 12 01:25:25 NZDT 2006 i686 GNU/Linux
This is Perl version 5.008004 (5.8.4)

This is MailScanner version 4.55.9
Module versions are:
1.00 AnyDBM_File
1.16 Archive::Zip
1.02 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.72 File::Basename
2.07 File::Copy
2.01 FileHandle
1.06 File::Path
0.16 File::Temp
0.90 Filesys::Df
1.35 HTML::Entities
3.54 HTML::Parser
2.37 HTML::TokeParser
1.21 IO
1.10 IO::File
1.123 IO::Pipe
1.71 Mail::Header
3.05 MIME::Base64
5.420 MIME::Decoder
5.420 MIME::Decoder::UU
5.420 MIME::Head
5.420 MIME::Parser
3.03 MIME::QuotedPrint
5.420 MIME::Tools
0.10 Net::CIDR
1.08 POSIX
1.77 Socket
1.2 Sys::Hostname::Long
0.17 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime

Optional module versions are:
0.17 Convert::TNEF
1.808 DB_File
1.11 DBD::SQLite
1.50 DBI
1.06 Digest
1.01 Digest::HMAC
2.33 Digest::MD5
2.10 Digest::SHA1
0.44 Inline
missing Mail::ClamAV
3.001004 Mail::SpamAssassin
1.997 Mail::SPF::Query
0.15 Net::CIDR::Lite
1.24 Net::IP
0.48 Net::DNS
missing Net::LDAP
1.94 Parse::RecDescent
missing SAVI
2.40 Test::Harness
0.62 Test::Simple
1.95 Text::Balanced
1.35 URI

The issue seems to be very random, and I have as yet been unable to replicate myself

From jon.bates at summitmotors.com.au Tue Aug 8 00:25:41 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Tue Aug 8 00:25:56 2006
Subject: Blocking attachments - Stopping sneaky employees
In-Reply-To: <200608041107.k74B6h9V001647@bkserver.blacknight.ie>
Message-ID: <004401c6ba78$cce4daf0$5864a8c0@jonlaptop>

Ahh! I don't know how I missed this!?

Thank you very much to those that replied. It's working perfectly now.

Cheers
Jon

> Use the file command.
> do a search for #file in your MailScanner.conf

Jon Bates wrote:
>>
>> I've got all audio and video type files being quarantined on my
>> servers. Some users are now getting smart to the fact that they can
>> simply change the extension on the file to bypass this system.
>>
>> Is there some way to filter attachments based on the attachment mime
>> type or something? I've done a few hours searching and I haven't come
>> up with a suitable answer.
>>
>> Any guidance would be appreciated!
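
The idea behind the reply quoted above (decide on what an attachment contains, as the file command does, rather than on what it is called), as an added example that is not part of the original thread and is not MailScanner code. The signature table, the extension list and the names `sniff_media` and `check_attachment` are assumptions made for illustration, and the sample attachments are constructed.

```python
import os
from typing import NamedTuple, Optional

# Constructed signature table (offset, magic bytes, label). It covers a few
# common audio/video containers only; file(1) knows far more formats.
SIGNATURES = [
    (0, b"ID3", "MPEG audio (ID3 tag)"),
    (0, b"OggS", "Ogg container"),
    (0, b"\x1a\x45\xdf\xa3", "Matroska/WebM"),
    (0, b"\x00\x00\x01\xba", "MPEG program stream"),
    (0, b"\x30\x26\xb2\x75\x8e\x66\xcf\x11", "ASF (WMA/WMV)"),
    (4, b"ftyp", "ISO base media (MP4/MOV/M4A)"),
]
# RIFF files carry their real type in the form code at bytes 8..11.
RIFF_FORMS = {b"WAVE": "RIFF WAVE audio", b"AVI ": "RIFF AVI video"}

# Extensions under which media content would be expected (assumed list).
MEDIA_EXTENSIONS = {
    ".mp3", ".wav", ".avi", ".mpg", ".mpeg", ".mp4", ".mov", ".m4a",
    ".ogg", ".mkv", ".webm", ".wma", ".wmv", ".asf",
}


def _is_mp3_frame(data: bytes) -> bool:
    """True if data starts with a plausible MPEG Layer III frame header."""
    if len(data) < 3 or data[0] != 0xFF or (data[1] & 0xE0) != 0xE0:
        return False
    version = (data[1] >> 3) & 0x03      # 0b01 is reserved
    layer = (data[1] >> 1) & 0x03        # 0b01 means Layer III
    bitrate = data[2] >> 4               # 0b1111 is invalid
    sample_rate = (data[2] >> 2) & 0x03  # 0b11 is reserved
    # Requiring Layer III keeps a UTF-16 byte order mark (FF FE) from matching.
    return version != 1 and layer == 1 and bitrate != 0x0F and sample_rate != 3


def sniff_media(data: bytes) -> Optional[str]:
    """Return a label if the leading bytes look like audio/video, else None."""
    if data[:4] == b"RIFF" and data[8:12] in RIFF_FORMS:
        return RIFF_FORMS[data[8:12]]
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    if _is_mp3_frame(data):
        return "MPEG audio (MP3 frame)"
    return None


class Verdict(NamedTuple):
    action: str              # "allow" or "quarantine"
    detected: Optional[str]  # what the content looks like, if media
    disguised: bool          # media content under a non-media extension


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Quarantine media by content; flag it when the name hides the type."""
    detected = sniff_media(data)
    if detected is None:
        return Verdict("allow", None, False)
    ext = os.path.splitext(filename)[1].lower()
    return Verdict("quarantine", detected, ext not in MEDIA_EXTENSIONS)


if __name__ == "__main__":
    # Constructed sample attachments: only the leading bytes matter here.
    riff_avi = b"RIFF" + (2048).to_bytes(4, "little") + b"AVI LIST"
    samples = {
        "holiday.avi": riff_avi,
        "Q3-report.doc": riff_avi,                           # renamed video
        "notes.txt": b"\xff\xfb\x90\x00" + b"\x00" * 32,     # renamed MP3
        "memo.txt": b"\xff\xfeh\x00i\x00",                   # UTF-16 text
        "budget.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE document
    }
    for name, data in samples.items():
        print(f"{name:15} {check_attachment(name, data)}")
```

The `disguised` flag is the part worth logging: a media file under a document extension is the renaming behaviour described in the thread, while the same content under its real extension is ordinary policy enforcement.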

From ssilva at sgvwater.com Tue Aug 8 01:00:11 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Aug 8 01:00:38 2006
Subject: blocking out-of-office
In-Reply-To: <223f97700608050050w5460c22coa3c7111c95fb2494@mail.gmail.com>
References: <223f97700608030054g4692424ch3e0deeeacb043c7@mail.gmail.com> <223f97700608040055s7e14ce73l76c8b0e3005a4ce8@mail.gmail.com> <44D34F30.2070300@utwente.nl> <223f97700608040710q4a5fb074n2350081aee51f4a1@mail.gmail.com> <44D3615C.7010709@utwente.nl> <223f97700608040913g4c5a9ce0p60ab1545599bcfdd@mail.gmail.com> <223f97700608050050w5460c22coa3c7111c95fb2494@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 8/5/2006 12:50 AM:
> On 04/08/06, Scott Silva wrote:
>> Glenn Steen spake the following on 8/4/2006 9:13 AM:
> (snip)
>> > My Friday-afternoon-syndrome has moved on to Friday-evening-syndrome
>> > (into my first beer and fired up the grill), so I'd not trust myself
>> > further than that:-)
>> >
>> > Cheers
>> Tip one for us!!!
> My headache tells me that I tipped not only one, but several.... So...
> Feel duly saluted;-).
> Now where did I put that hangover rectification tool (HORT == aspirin;)...

HOTD = Hair of the dog! ;-)

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From steve.swaney at fsl.com Tue Aug 8 01:22:25 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Tue Aug 8 01:20:32 2006
Subject: FW: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
Message-ID: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl>

FYI.

-----Original Message-----
From: clamav-announce-bounces@lists.clamav.net [mailto:clamav-announce-bounces@lists.clamav.net] On Behalf Of Luca Gibelli
Sent: Monday, August 07, 2006 7:38 PM
To: ClamAV Announce
Cc: clamav-users@lists.clamav.net
Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz

Dear ClamAV users,

Apparently there is a problem on SourceForge which makes download of clamav-0.88.4.tar.gz impossible.

We temporarily made the source available from the following URLs:

http://mirror.clamav.net/clamav-0.88.4.tar.gz
http://mirror.clamav.net/clamav-0.88.4.tar.gz.sig

Please note that once SourceForge file release system works again, we'll remove the above files. Always refer to our website for the latest download links.

Regards,

--
Luca Gibelli (luca _at_ clamav.net) - ClamAV, a GPL anti-virus toolkit
[Tel] +44 2081239239 [Fax] +39 0187015046 [IM] nervous/jabber.linux.it
PGP key id 5EFC5582 @ key server || http://www.clamav.net/gpg/luca.gpg
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From chrisgreen at hotmail.com Tue Aug 8 03:34:00 2006
From: chrisgreen at hotmail.com (Chris Green)
Date: Tue Aug 8 03:34:12 2006
Subject: MailScanner & Postfi
In-Reply-To: <61518.194.70.180.170.1154955981.squirrel@webmail.r-bit.net>
Message-ID:

Drew Marshall wrote:
> > -D isn't a known option, for PF 2.1 at least, and would land you with
> > an error. So don't do that:-).
>
>I did wonder. I like to (try to) post accurate or true information but not
>being in front of a machine to break... ;-)
>

Thanks guys. You're right - I've just removed it and it works fine. I never did get an error either, so it looks like PF is very tolerant with novices. Maybe that's why I like it so much :-)

From chrisgreen at hotmail.com Tue Aug 8 05:41:30 2006
From: chrisgreen at hotmail.com (Chris Green)
Date: Tue Aug 8 05:41:38 2006
Subject: Triggering Outlook's Junk E-mail filter
In-Reply-To:
Message-ID:

Jan-Peter Koopmann wrote:
>
> > I think Chris' original point is still valid.
>
>Using Outlooks own Junk-Mail folder/functionality --> No.
>
> > A number of our users
> > (primarily hosting customers have barely enough technical know-how to
> > operating e-mails. Setting up individual rules in their e-mail
> > client will likely prove beyond their grasp. Therefore some way of
> > automating the delivery of messages that are potentially spam but
> > only low-scoring to
> > the end-user's Spam mailbox would be a useful feature indeed.
>
>Thus the pointer to the plugin.
>--

Jan-Peter, thanks for the plugin tip, that looks very useful.

The reasoning behind my request is that if an anti-spam mechanism already exists in a product then why not exploit it? I'm a consultant to many different companies and there is no single solution that I can apply everywhere, nor do I have absolute authority to implement change. Leaving default configuration in place and using MailScanner would work best, and zero training requirement. It's not ideal, but it's pretty close.

From MailScanner at ecs.soton.ac.uk Tue Aug 8 09:17:51 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 8 09:18:13 2006
Subject: MailScanner ANNOUNCE: Revision to 4.55
In-Reply-To: <20060807211806.GB11620@doctor.nl2k.ab.ca>
References: <44D77C7E.5010703@ecs.soton.ac.uk> <20060807211806.GB11620@doctor.nl2k.ab.ca>
Message-ID: <7C72650D-2E9E-4277-8A8C-DF584FC0D7FB@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 7 Aug 2006, at 22:18, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote:

> On Mon, Aug 07, 2006 at 06:46:38PM +0100, Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> The author of the Sys::Syslog perl module has withdrawn it due to
>> problems including compatibility issues with some Linux
>> distributions.
>> The most obvious effect is that the "make test" step may hang part-
>> way
>> through the tests.
>>
>> As a result, I have had no alternative other than to reluctantly
>> publish
>> a revision of the latest stable release of MailScanner.
>>
>> If you had problems installing 4.55.9 (notably on some CentOS
>> systems)
>> then download and upgrade to 4.55.10.
>>
>> Download as usual from www.mailscanner.info
>>
>> Note that if you had no problems installing 4.55.9, there is no
>> reason
>> to upgrade to 4.55.10.
>>
>> Sorry for this forced re-release.
>>
>> - --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration
>> help?
>> Contact me at Jules@MailScanner.biz
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> Get your PCs and servers from Transtec.de, very well built and
>> reliable!
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP SDK 3.7.0
>> Charset: ISO-8859-1
>>
>> wj8DBQFE13yFEfZZRxQVtlQRAp7BAKCAElkjZdYDjj1snNJ3gz5NPr90oACcD7UW
>> 24ByWh9/vqg8VFwMXAWtnvg=
>> =Ctux
>> -----END PGP SIGNATURE-----
>>
>
> How will this affect MailScanner 4.56 ?

It won't. 4.56 will continue to be developed as normal.

- --
Julian Field
MailScanner@ecs.soton.ac.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: US-ASCII

wj8DBQFE2EiwEfZZRxQVtlQRAuTgAKDQvATwLygNoKEDnABtXnMWTPgtWwCfRdN8
FLdmyD2C7RheAT8/RFvHY/M=
=KJd6
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Tue Aug 8 09:25:55 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 8 09:26:13 2006
Subject: install problem with 4.55.10
In-Reply-To:
References:
Message-ID: <9698ECB2-7977-42ED-8F4C-536F55543E85@ecs.soton.ac.uk>

Skipped content of type multipart/alternative

From brent.addis at pronet.co.nz Tue Aug 8 09:37:48 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Tue Aug 8 09:38:29 2006
Subject: missing queue files?
In-Reply-To: <44D7C597.5090201@pronet.co.nz>
References: <44D7BE04.60606@pronet.co.nz> <44D7C597.5090201@pronet.co.nz>
Message-ID: <44D84D5C.7040000@pronet.co.nz>

Seems to have been fixed by changing the lock type to posix from blank.

Shouldn't this be done automatically? By looking at the documentation on this setting, one would assume that by default it means "set automatically".

Thanks,

Brent Addis wrote:
> Brent Addis wrote:
>> Hi.
>>
>> I have just migrated to a new machine (was exim 4.50,
>> MailScanner-4.43.8) which has been humming along quite nicely for a
>> long time.
>>
>> I am now running exim 4.62 along with Mailscanner-4.55.9.
>>
>> We are currently seeing occasional messages hitting mailscanner,
>> being scanned, and only the Header file seemingly being inserted into
>> the exim queue.
>>
>> EG:
>>
>> 2006-08-08 10:08:45 1GADGn-0004tk-Kq Spool file 1GADGn-0004tk-Kq-D
>> not found
>>
>> envy:/var/log/exim4# ls -l /var/spool/exim4/input/
>> total 4
>> -rw------- 1 Debian-exim Debian-exim 1854 2006-08-08 10:08
>> 1GADGn-0004tk-Kq-H
>>
>>
>> I had a similar problem when I upgraded to 4.50, however I didn't
>> have much time to look into it, so downgraded back to the above.
>>
>> Has anyone else seen a similar issue?
>>
> Also:
>
> Aug 8 10:08:41 envy MailScanner[15218]: Virus and Content Scanning:
> Starting
> Aug 8 10:08:45 envy MailScanner[15218]: Uninfected: Delivered 1 messages
> Aug 8 10:08:45 envy MailScanner[15218]: Logging message
> 1GADGn-0004tk-Kq to SQL
> Aug 8 10:08:45 envy MailScanner[15220]: 1GADGn-0004tk-Kq: Logged to
> MailWatch SQL
>
> envy:/var/log# /opt/MailScanner/bin/MailScanner -v
> Running on
> Linux envy 2.6.15 #1 SMP Thu Jan 12 01:25:25 NZDT 2006 i686 GNU/Linux
> This is Perl version 5.008004 (5.8.4)
>
> This is MailScanner version 4.55.9
> Module versions are:
> 1.00 AnyDBM_File
> 1.16 Archive::Zip
> 1.02 Carp
> 1.119 Convert::BinHex
> 1.00 DirHandle
> 1.05 Fcntl
> 2.72 File::Basename
> 2.07 File::Copy
> 2.01 FileHandle
> 1.06 File::Path
> 0.16 File::Temp
> 0.90 Filesys::Df
> 1.35 HTML::Entities
> 3.54 HTML::Parser
> 2.37 HTML::TokeParser
> 1.21 IO
> 1.10 IO::File
> 1.123 IO::Pipe
> 1.71 Mail::Header
> 3.05 MIME::Base64
> 5.420 MIME::Decoder
> 5.420 MIME::Decoder::UU
> 5.420 MIME::Head
> 5.420 MIME::Parser
> 3.03 MIME::QuotedPrint
> 5.420 MIME::Tools
> 0.10 Net::CIDR
> 1.08 POSIX
> 1.77 Socket
> 1.2 Sys::Hostname::Long
> 0.17 Sys::Syslog
> 1.86 Time::HiRes
> 1.02 Time::localtime
>
> Optional module versions are:
> 0.17 Convert::TNEF
> 1.808 DB_File
> 1.11 DBD::SQLite
> 1.50 DBI
> 1.06 Digest
> 1.01 Digest::HMAC
> 2.33 Digest::MD5
> 2.10 Digest::SHA1
> 0.44 Inline
> missing Mail::ClamAV
> 3.001004 Mail::SpamAssassin
> 1.997 Mail::SPF::Query
> 0.15 Net::CIDR::Lite
> 1.24 Net::IP
> 0.48 Net::DNS
> missing Net::LDAP
> 1.94 Parse::RecDescent
> missing SAVI
> 2.40 Test::Harness
> 0.62 Test::Simple
> 1.95 Text::Balanced
> 1.35 URI
>
> The issue seems to be very random, and I have as yet been unable to
> replicate myself
>

From P.G.M.Peters at utwente.nl Tue Aug 8 09:49:26 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Tue Aug 8 09:49:31 2006
Subject: Triggering Outlook's Junk E-mail filter
In-Reply-To:
References:
Message-ID: <44D85016.4050303@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Koopmann, Jan-Peter wrote on 7-8-2006 14:45:
> On Saturday, August 05, 2006 5:03 PM Chris Green wrote:
>
>> I would expect that if they had gone in and changed this from the
>> default they were either a) advanced users with alternative
>> solutions; b) clever enough to realise it could result in more
>> spam; or c) previously employed by Sainsbury's as the trolley-boy
>> and found it a bit too mentally challenging.
>
> d) chose to rely on MailScanner/SpamAssassin and therefore turned the
> Outlook detection off which btw. is what we do at our customer sites
> using group policy. Therefore your setup is not going to work all
> that well.
>
> There are applications (event sinks) that are able to centrally move
> messages to folders based on header values. One is even free (search
> for Mailshell Exchange Plugin)

Exchange 2003 has a spam-filter built in. It moves messages it thinks are spam to the Junk folder. This is a site wide configuration. So at least some of the spam will not trigger OOO's.

- --
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE2FAWelLo80lrIdIRAlVwAKCZKf7zX5Mg0zOtC8qvO+x6MpL/KQCgnx3k
rpC5KHcJI6h4lqDXVoGZEzA=
=GC7c
-----END PGP SIGNATURE-----

From P.G.M.Peters at utwente.nl Tue Aug 8 09:52:02 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Tue Aug 8 09:52:11 2006
Subject: Envelope-To and Bcc... heading OT...
In-Reply-To: <120103F0F5EC264097BC0A06EC9D026A010C0514@pardessus.aoc-uk.com>
References: <120103F0F5EC264097BC0A06EC9D026A010C0514@pardessus.aoc-uk.com>
Message-ID: <44D850B2.2090405@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stef Morrell wrote on 7-8-2006 10:39:
> mdaemon isn't totally broken ;) at least it doesn't destroy headers like
> some *cough* exchange *cough* mailservers do.

If you mean remove completely when you say remove I can confirm. In the past when our students just used IMAP on a linux server I had them forward the message to me when they had questions regarding SA rules that tagged the message as spam. Exchange, when asked to forward the whole message as attachment, removes all X-MailScanner headers.

- --
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE2FCyelLo80lrIdIRApxyAJ4+zLlQ0LheHh1RLLKNAl9yGjGhFQCfTGPf
53n3PtT8/87+1d04tlFCPVc=
=QKaf
-----END PGP SIGNATURE-----

From P.G.M.Peters at utwente.nl Tue Aug 8 09:54:45 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Tue Aug 8 09:54:51 2006
Subject: OT: Another Exchange 2003 and MailScanner question
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D15017B470F@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D15017B470F@woodenex.woodmaclaw.local>
Message-ID: <44D85155.5020601@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Billy A. Pumphrey wrote on 7-8-2006 21:07:
> Does anyone use the built in Exchange intelligent filters along with
> MailScanner? I currently do not and have debated back and forth over
> time whether it would be good to turn it on or not. Does anyone
> recommend one way or the other?

Our Exchange administrators have turned it on.
I haven't found any message in the Junk folder yet. But then again I use Thunderbird to connect to the Exchange server. Perhaps this only works with Outlook.

- --
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE2FFVelLo80lrIdIRAvBpAKCVom84S5LRF4l3zMaIASXhRuG34gCfewEU
TL29fhJ6WyU+CazvTy19uyY=
=+OtI
-----END PGP SIGNATURE-----

From t.d.lee at durham.ac.uk Tue Aug 8 10:46:56 2006
From: t.d.lee at durham.ac.uk (David Lee)
Date: Tue Aug 8 10:48:56 2006
Subject: missing queue files?
In-Reply-To: <44D84D5C.7040000@pronet.co.nz>
References: <44D7BE04.60606@pronet.co.nz> <44D7C597.5090201@pronet.co.nz> <44D84D5C.7040000@pronet.co.nz>
Message-ID:

On Tue, 8 Aug 2006, Brent Addis wrote:

> Seems to have been fixed by changing the lock type to posix from blank.
>
> Shouldn't this be done automatically? By looking at the documentation on
> this setting, one would assume that by default it means "set automatically".

In early June we had some discussion about this (Subject "lock type"). Indeed the documentation and behaviour contradicted each other, and (despite the documentation) an explicit "posix" was, indeed, necessary.

Julian: Could you confirm, please, in what releases since then this mismatch has actually been rectified? (Getting the documentation and behaviour to match each other is the primary point; the actual behaviour is probably relatively secondary.)

Thanks.

--
: David Lee I.T. Service :
: Senior Systems Programmer Computer Centre :
: Durham University :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham DH1 3LE :
: Phone: +44 191 334 2752 U.K. :

From evanderleun at hal9000.nl Tue Aug 8 12:42:01 2006
From: evanderleun at hal9000.nl (Erik van der Leun)
Date: Tue Aug 8 12:42:16 2006
Subject: gOCR SpamAssassin plugin
In-Reply-To:
References:
Message-ID:

It works like a charm for me :)

On Mon, 7 Aug 2006, ajos1@onion.demon.co.uk wrote:

> -
>
> What a marvellous find... I am trying it now...
>
> Just one question... where would I stick in the plugin file?
>
> I am right in thinking it will be something like:
>
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin
> /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin
>
>
> And not one of these:
>
> /usr/lib/MailScanner/CustomFunctions
> /usr/lib/MailScanner/plugins
> /etc/MailScanner/CustomFunctions
> /etc/MailScanner/plugins
>
>
> -----Original Message-----
> From: mailscanner@lists.mailscanner.info
> Subj: Re: gOCR SpamAssassin plugin
> Date: Mon, 07 Aug 2006 14:52:38 +0100
>
> The one that Dallas posted on the SA users group seems to work well:
>
> http://www.rulesemporium.com/plugins.htm#imageinfo
>

From augustin.siaens at aquadev.org Tue Aug 8 13:59:21 2006
From: augustin.siaens at aquadev.org (Augustin Siaens)
Date: Tue Aug 8 13:59:24 2006
Subject: update problems
Message-ID: <44D88AA9.6010601@aquadev.org>

Hello,

just because I spent the whole morning fixing this, I thought that it may interest some users.

server: Fedora5
operation: update from 4.54.5-1 to 4.55.10-2
problem after upgrade. MailScanner won't work because of Spamassassin problem. Apparently something related to Syslog.

After 2 hours, it appeared that the Perl module Sys::Syslog had to be upgraded. I used CPAN and now no problem.

Too bad I lost the morning looking for the solution!
cheers -- Augustin Siaens AQUADEV Rue des Carmélites 151 Karmelietenstraat 1180 Bruxelles - Brussel Tel: +32 2 347 70 00 Fax: +32 2 347 00 36 -- This message has been checked by MailScanner for viruses and spam, and nothing suspicious was found. For all your IT requirements visit: http://www.transtec.co.uk From jgolden at ci.grand-rapids.mi.us Tue Aug 8 14:04:06 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Tue Aug 8 14:05:00 2006 Subject: Retreiving attachments In-Reply-To: <0b7d01c6b810$0cd549d0$287ba8c0@office.fsl> References: <0b7d01c6b810$0cd549d0$287ba8c0@office.fsl> Message-ID: <1155042246.4058.3.camel@doit-b8wsw21.grand-rapids.mi.us> Thanks for the answer. Sorry for the long delay in the thanks departments. One more question here, Can I put more than one rules file in the Mailscanner.conf. Currently I am pointing to a ruleset already. Currently mine looks like this Filename Rules = %etc-dir%/filename.rules.conf so would it look like this? Filename Rules = %rules-dir%/filename.rules %etc-dir%/filename.rules.conf Or would I need to combine the .rules file into the .conf file Thanks for the help. James On Fri, 2006-08-04 at 17:50 -0400, Stephen Swaney wrote: > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Golden, James > > Sent: Friday, August 04, 2006 5:10 PM > > To: MailScanner discussion > > Subject: Re: Retreiving attachments > > > > The attachments seem to be .doc or .xls or others and the client always > > seems to be Outlook. > > > > On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote: > > > > > > Hello, > > > > I've have been wasting my whole day trying to figure out how to do > > this. Can anyone could help besides telling me to install Mailwatch > > (because it's not an option right now). > > > > I have messages that are being snagged by MailScanner because the > > attachment is too large.
When I go to the directory the attachment is in > > binary in the message. > > > > I tried using a sendmail -t < message, but of course it gets snagged > > again by MS. Is there an option I'm missing to store the attachments > > separately from the message, is there a way to send this on without it > > being scanned? Is there a way to get the attachment out of the message? > > > > I need help soon as this is becoming a large issue today (about 6 > > end users) and my boss is hearing about it! > > > > Thanks, > > > > James > > You need to create a rule sets that exempt the localhost from attachment > filename and filetype checking. If you have a Red Hat, CentOS or SuSE > system, the following paths will be correct. They will vary on other systems > but the same principals will work. > > First create two files: > > /etc/MailScanner/filename.rules.allowall.conf > /etc/MailScanner/filetype.rules.allowall.conf > > The contents of each file will be identical: > > allow *. - - > > The spaces MUST be Tabs so the contents of both files is really: > > allow*.->Tab>- > > Then create the file /etc/MailScanner/rules/filename.rules. The contents of > this file should be: > > # Allow all filenames from localhost > From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf > # Default entry > FromOrTo: default /etc/MailScanner/filename.rules.conf > > Then create the file /etc/MailScanner/rules/filetype.rules. The contents of > this file should be: > > # Allow all filetypes from localhost > From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf > # Default entry > FromOrTo: default /etc/MailScanner/filetype.rules.conf > > Then edit /etc/MailScanner.conf to call the new rulesets. Change the setting > for Filename Rules to be: > > Filename Rules = %rules-dir%/filename.rules > > And change the setting for Filetype Rules to be: > > Filetype Rules = %rules-dir%/filetype.rules > > Then reload MailScanner. 
> > You should now be able to release the files using the `sendmail -t < > message` command without MailScanner re-quarantining the files. > > Have a nice weekend. > > Steve > Stephen Swaney > Fort Systems Ltd. > stephen.swaney@fsl.com > www.fsl.com > > From root at doctor.nl2k.ab.ca Tue Aug 8 14:32:19 2006 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Tue Aug 8 14:32:43 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: <7C72650D-2E9E-4277-8A8C-DF584FC0D7FB@ecs.soton.ac.uk> References: <44D77C7E.5010703@ecs.soton.ac.uk> <20060807211806.GB11620@doctor.nl2k.ab.ca> <7C72650D-2E9E-4277-8A8C-DF584FC0D7FB@ecs.soton.ac.uk> Message-ID: <20060808133219.GB17398@doctor.nl2k.ab.ca> On Tue, Aug 08, 2006 at 09:17:51AM +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > On 7 Aug 2006, at 22:18, Dave Shariff Yadallee - System Administrator > a.k.a. The Root of the Problem wrote: > > > On Mon, Aug 07, 2006 at 06:46:38PM +0100, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> The author of the Sys::Syslog perl module has withdrawn it due to > >> problems including compatibility issues with some Linux > >> distributions. > >> The most obvious effect is that the "make test" step may hang part- > >> way > >> through the tests. > >> > >> As a result, I have had no alternative other than to reluctantly > >> publish > >> a revision of the latest stable release of MailScanner. > >> > >> If you had problems installing 4.55.9 (notably on some CentOS > >> systems) > >> then download and upgrade to 4.55.10.
> >> > >> Download as usual from www.mailscanner.info > >> > >> Note that if you had no problems installing 4.55.9, there is no > >> reason > >> to upgrade to 4.55.10. > >> > >> Sorry for this forced re-release. > >> > >> - -- > >> Julian Field > >> www.MailScanner.info > >> Buy the MailScanner book at www.MailScanner.info/store > >> > >> MailScanner customisation, or any advanced system administration > >> help? > >> Contact me at Jules@MailScanner.biz > >> > >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >> Get your PCs and servers from Transtec.de, very well built and > >> reliable! > >> > >> -- > >> This message has been scanned for viruses and > >> dangerous content by MailScanner, and is > >> believed to be clean. > >> MailScanner thanks transtec Computers for their support. > >> > > > > How will this affect MailScanner 4.56 ? > > It won't. 4.56 will continue to be developed as normal. > > - -- > Julian Field > MailScanner@ecs.soton.ac.uk > I thought the Sys::Syslog references would have to be removed.
From rob at dido.ca Tue Aug 8 14:35:05 2006 From: rob at dido.ca (Rob Morin) Date: Tue Aug 8 14:35:09 2006 Subject: Retreiving attachments In-Reply-To: <1155042246.4058.3.camel@doit-b8wsw21.grand-rapids.mi.us> References: <0b7d01c6b810$0cd549d0$287ba8c0@office.fsl> <1155042246.4058.3.camel@doit-b8wsw21.grand-rapids.mi.us> Message-ID: <44D89309.5030308@dido.ca> On another note, has anyone come up with a way to retrieve quarantined attachments without the intervention of the sys admin? Meaning the end user can get them themselves? I thought i heard a while back of some app to do this? Have a good one! Rob Morin Dido InterNet Inc. Montreal, Canada Http://www.dido.ca 514-990-4444 Golden, James wrote: > Thanks for the answer. Sorry for the long delay in the thanks > departments. > > One more question here, > > Can I put more than one rules file in the Mailscanner.conf. Currently > I am pointing to a ruleset already. > > Currently mine looks like this > > Filename Rules = %etc-dir%/filename.rules.conf > > so would it look like this? > > Filename Rules = %rules-dir%/filename.rules %etc-dir%/filename.rules.conf > > Or would I need to combine the .rules file into the .conf file > > Thanks for the help.
> > James > > > > On Fri, 2006-08-04 at 17:50 -0400, Stephen Swaney wrote: >> > -----Original Message----- >> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> > bounces@lists.mailscanner.info ] On Behalf Of Golden, James >> > Sent: Friday, August 04, 2006 5:10 PM >> > To: MailScanner discussion >> > Subject: Re: Retreiving attachments >> > >> > The attachments seem to be .doc or .xls or others and the client always >> > seems to be Outlook. >> > >> > On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote: >> > >> > >> > Hello, >> > >> > I've have been wasting my whole day trying to figure out how to do >> > this. Can anyone could help besides telling me to install Mailwatch >> > (because it's not an option right now). >> > >> > I have messages that are being snagged by MailScanner because the >> > attachment is too large. When I go to the directory the attachment is in >> > binary in the message. >> > >> > I tried using a sendmail -t < message, but of course it gets snagged >> > again by MS. Is there an option I'm missing to store the attachments >> > separately from the message, is there a way to send this on without it >> > being scanned? Is there a way to get the attachment out of the message? >> > >> > I need help soon as this is becoming a large issue today (about 6 >> > end users) and my boss is hearing about it! >> > >> > Thanks, >> > >> > James >> >> You need to create a rule sets that exempt the localhost from attachment >> filename and filetype checking. If you have a Red Hat, CentOS or SuSE >> system, the following paths will be correct. They will vary on other systems >> but the same principals will work. >> >> First create two files: >> >> /etc/MailScanner/filename.rules.allowall.conf >> /etc/MailScanner/filetype.rules.allowall.conf >> >> The contents of each file will be identical: >> >> allow *. 
- - >> >> The spaces MUST be Tabs so the contents of both files is really: >> >> allow*.->Tab>- >> >> Then create the file /etc/MailScanner/rules/filename.rules. The contents of >> this file should be: >> >> # Allow all filenames from localhost >> From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf >> # Default entry >> FromOrTo: default /etc/MailScanner/filename.rules.conf >> >> Then create the file /etc/MailScanner/rules/filetype.rules. The contents of >> this file should be: >> >> # Allow all filetypes from localhost >> From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf >> # Default entry >> FromOrTo: default /etc/MailScanner/filetype.rules.conf >> >> Then edit /etc/MailScanner.conf to call the new rulesets. Change the setting >> for Filename Rules to be: >> >> Filename Rules = %rules-dir%/filename.rules >> >> And change the setting for Filetype Rules to be: >> >> Filetype Rules = %rules-dir%/filetype.rules >> >> Then reload MailScanner. >> >> You should now be able to release the files using the `sendmail -t < >> message` command without MailScanner re-quarantining the files. >> >> Have a nice weekend. >> >> Steve >> Stephen Swaney >> Fort Systems Ltd. >> stephen.swaney@fsl.com >> www.fsl.com >> >> >> From dnsadmin at 1bigthink.com Tue Aug 8 15:43:59 2006 From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com) Date: Tue Aug 8 15:44:13 2006 Subject: Tips on how to use ruleset for 'Spam Lists To Be Spam' Message-ID: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com> Hello All, T-Mobile's mailservers (tmodns.net) got black listed on numerous BLs. I have a handful of IMPORTANT mail users on my server sending mail with T-Mobile's servers right now. I have: Spam Lists To Be Spam = 3 in MailScanner.conf and T-Mobile's mail server makes four of my lists. They are good, long-used and trusted BLs. 
Spam List = SBL+XBL SPEWS ORDB-RBL spamcop.net spamhaus.org spamhaus-XBL SORBS-SPAM SORBS-ZOMBIE SORBS-HTTP DSBL SORBS-DNSBL SORBS-SMTP SORBS-WEB SORBS-BLOCK NJABL I don't want to open the rest of my users to the amount of spam these BLs help protect from. I would like these T-Mobile users to be able to send without getting tagged as spam, however. How can I set up a ruleset like this for individual users or individual domains? #Spam Lists To Be Spam = /etc/MailScanner/spam.lists.count Thanks, Glenn From steve.swaney at fsl.com Tue Aug 8 14:52:34 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Aug 8 15:50:49 2006 Subject: Retreiving attachments In-Reply-To: <44D89309.5030308@dido.ca> Message-ID: <008f01c6baf1$eb8b08c0$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Rob Morin > Sent: Tuesday, August 08, 2006 9:35 AM > To: MailScanner discussion > Subject: Re: Retreiving attachments > > On another note, has anyone come up with a way to retrieve quarantined > attachments without the intervention of the sys admin? Meaning the end > user can get them themselves? > > I thought i heard a while back of some app to do this? > > Have a good one! > > Rob Morin > Dido InterNet Inc. > Montreal, Canada > Http://www.dido.ca > 514-990-4444 > > > > Golden, James wrote: > > Thanks for the answer. Sorry for the long delay in the thanks > > departments. > > > > One more question here, > > > > Can I put more than one rules file in the Mailscanner.conf. Currently > > I am pointing to a ruleset already. > > > > Currently mine looks like this > > > > Filename Rules = %etc-dir%/filename.rules.conf > > > > so would it look like this? > > > > Filename Rules = %rules-dir%/filename.rules %etc- > dir%/filename.rules.conf > > > > Or would I need to combine the .rules file into the .conf file > > > > Thanks for the help.
> > > > James > > > > > > > > On Fri, 2006-08-04 at 17:50 -0400, Stephen Swaney wrote: > >> > -----Original Message----- > >> > From: mailscanner-bounces@lists.mailscanner.info bounces@lists.mailscanner.info> [mailto:mailscanner- > >> > bounces@lists.mailscanner.info > ] On Behalf Of Golden, James > >> > Sent: Friday, August 04, 2006 5:10 PM > >> > To: MailScanner discussion > >> > Subject: Re: Retreiving attachments > >> > > >> > The attachments seem to be .doc or .xls or others and the client > always > >> > seems to be Outlook. > >> > > >> > On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote: > >> > > >> > > >> > Hello, > >> > > >> > I've have been wasting my whole day trying to figure out how to do > >> > this. Can anyone could help besides telling me to install Mailwatch > >> > (because it's not an option right now). > >> > > >> > I have messages that are being snagged by MailScanner because the > >> > attachment is too large. When I go to the directory the attachment > is in > >> > binary in the message. > >> > > >> > I tried using a sendmail -t < message, but of course it gets snagged > >> > again by MS. Is there an option I'm missing to store the attachments > >> > separately from the message, is there a way to send this on without > it > >> > being scanned? Is there a way to get the attachment out of the > message? > >> > > >> > I need help soon as this is becoming a large issue today (about 6 > >> > end users) and my boss is hearing about it! > >> > > >> > Thanks, > >> > > >> > James > >> > >> You need to create a rule sets that exempt the localhost from > attachment > >> filename and filetype checking. If you have a Red Hat, CentOS or SuSE > >> system, the following paths will be correct. They will vary on other > systems > >> but the same principals will work. 
> >> > >> First create two files: > >> > >> /etc/MailScanner/filename.rules.allowall.conf > >> /etc/MailScanner/filetype.rules.allowall.conf > >> > >> The contents of each file will be identical: > >> > >> allow *. - - > >> > >> The spaces MUST be Tabs so the contents of both files is really: > >> > >> allow*.->Tab>- > >> > >> Then create the file /etc/MailScanner/rules/filename.rules. The > contents of > >> this file should be: > >> > >> # Allow all filenames from localhost > >> From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf > >> # Default entry > >> FromOrTo: default /etc/MailScanner/filename.rules.conf > >> > >> Then create the file /etc/MailScanner/rules/filetype.rules. The > contents of > >> this file should be: > >> > >> # Allow all filetypes from localhost > >> From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf > >> # Default entry > >> FromOrTo: default /etc/MailScanner/filetype.rules.conf > >> > >> Then edit /etc/MailScanner.conf to call the new rulesets. Change the > setting > >> for Filename Rules to be: > >> > >> Filename Rules = %rules-dir%/filename.rules > >> > >> And change the setting for Filetype Rules to be: > >> > >> Filetype Rules = %rules-dir%/filetype.rules > >> > >> Then reload MailScanner. > >> > >> You should now be able to release the files using the `sendmail -t < > >> message` command without MailScanner re-quarantining the files. > >> > >> Have a nice weekend. > >> > >> Steve > >> Stephen Swaney > >> Fort Systems Ltd. > >> stephen.swaney@fsl.com > >> www.fsl.com Open Source: MailWatch for MailScanner mailwatch.sourceforge.net Commercial (based on MailScanner and MailWatch) DefenderMX www.fsl.com Please contact me off list for more information about either. Thanks, Steve Stephen Swaney Fort Systems Ltd. 
stephen.swaney@fsl.com www.fsl.com From MailScanner at ecs.soton.ac.uk Tue Aug 8 16:20:29 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 8 16:20:52 2006 Subject: update problems In-Reply-To: <44D88AA9.6010601@aquadev.org> References: <44D88AA9.6010601@aquadev.org> Message-ID: <0D26DBD8-B5DF-4DFD-9606-C91F74604FEF@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This seems impossible to solve. I get complaints with Sys::Syslog-0.17 where it won't even install on some systems. Hangs during "make test". And Sys::Syslog-0.16 doesn't log at all on some systems. What am I supposed to do? :-( Version 0.17 without the "make test" might be the best thing. Answers soon would be helpful. On 8 Aug 2006, at 13:59, Augustin Siaens wrote: > Hello, > > just because I spent the whole morning fixing this, I thought that > It may interest some users. > > server: Fedora5 > operation: update from 4.54.5-1 to 4.55.10-2 > > problem after upgrade. MailScanner won't work because of > Spamassassin problem. Apparently something related to Syslog. After > 2 hours, it appeared that the Perl module Sys::Syslog had to be > upgraded. I used CPAN and now no problem. Too bad I lost the > morning looking for the solution! > > cheers > > -- > Augustin Siaens > AQUADEV > Rue des Carmélites 151 Karmelietenstraat > 1180 Bruxelles - Brussel > Tel: +32 2 347 70 00 > Fax: +32 2 347 00 36 > > > -- > This message has been checked by MailScanner > for viruses and spam, and nothing > suspicious was found. > For all your IT requirements visit: http://www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!
- -- Julian Field MailScanner@ecs.soton.ac.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mailscanner at ecs.soton.ac.uk Tue Aug 8 17:09:41 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 8 17:10:01 2006 Subject: Bug In-Reply-To: <20060808104059.M40451@yatta-it.com> References: <20060808104059.M40451@yatta-it.com> Message-ID: <90667BB9-E9B1-4EAE-B223-E05E2C2D3C8C@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Unfortunately 0.17 isn't great either. On some systems, it hangs during the "make test" stage of building and installing it. What I have done is produce a new 4.55.10-3 release of MailScanner that uses Sys-Syslog-0.17 but skips the "make test" so that it will always install successfully. I have never seen that version actually fail a test (other than the one that hangs) so it should all be okay. The code which is being tested by the test that hangs is never used in real life anyway. On 8 Aug 2006, at 11:43, Filippo Dini wrote: > Hi all. > > You have downgraded sys-syslog package (from 0.17 to 0.16) in your > MailScanner_4.55.10- > 2 but MailScanned don't log anything now. > > I have removed the sys-syslog 0.16 rpm and installed the 0.17 one > to get all works > again. > > I have fedora core 4 installed. > > Best wishes > > Phil > - -- Julian Field MailScanner@ecs.soton.ac.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support. From Jan-Peter.Koopmann at seceidos.de Tue Aug 8 18:05:15 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Tue Aug 8 18:05:35 2006 Subject: Triggering Outlook's Junk E-mail filter In-Reply-To: <44D85016.4050303@utwente.nl> Message-ID: On Tuesday, August 08, 2006 10:49 AM Peter Peters wrote: > Exchange 2003 has a spam-filter build in. It moves messages it thinks > is spam to the Junk folder. And how can you tune the rules? Or even take a look at it? Or train the spam filter (if there was such a training facility)? If you have to use it because MailScanner/SpamAssassin is not possible: Well it sure is better than nothing. I would advice against using both together though. Rather concentrate on getting one filter to do everything you want. Makes debugging a "bit" easier. > This is a site wide configuration. So at > least some of the spam will not trigger OOO's. I thought the original question was related to MailScanner and not how to find spam in Exchange? :-) Regards, JP From sandrews at andrewscompanies.com Tue Aug 8 18:09:09 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Aug 8 18:09:14 2006 Subject: Hylafax on a MailScanner pc Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> Does anyone have an opinion on installing hylafax on a lightly loaded mailscanner pc? Normally, I'd toss another machine in for such a different application, but this customer is experiencing server "sprawl". Any thoughts? Thanks, Steve From mikes at hartwellcorp.com Tue Aug 8 18:13:11 2006 From: mikes at hartwellcorp.com (Michael St.
Laurent) Date: Tue Aug 8 18:13:40 2006 Subject: Hylafax on a MailScanner pc Message-ID: <91A5926EFF44D3118B1200104B7276EB05570E50@hart-exchange.hartwellcorp.com> How busy do you expect the fax server to be? -- Michael St. Laurent Hartwell Corporation > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of sandrews@andrewscompanies.com > Sent: Tuesday, August 08, 2006 10:09 AM > To: mailscanner@lists.mailscanner.info > Subject: Hylafax on a MailScanner pc > > Does anyone have an opinion on installing hylafax on a lightly loaded > mailscanner pc? Normally, I'd toss another machine in for such a > different application, but this customer is experiencing server > "sprawl". > > Any thoughts? > > Thanks, > > Steve > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ka at pacific.net Tue Aug 8 18:22:09 2006 From: ka at pacific.net (Ken A) Date: Tue Aug 8 18:21:15 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> Message-ID: <44D8C841.3030308@pacific.net> sandrews@andrewscompanies.com wrote: > Does anyone have an opinion on installing hylafax on a lightly loaded > mailscanner pc? Normally, I'd toss another machine in for such a > different application, but this customer is experiencing server > "sprawl". > > Any thoughts? So, you want MailScanner to fax high scoring spam? :-) Hylafax is pretty stable stuff. There shouldn't be any problems as long as you set your iptables rules to protect Hylafax's ports from the Internet. Ken A. 
Pacific.Net > Thanks, > > Steve From sandrews at andrewscompanies.com Tue Aug 8 18:23:30 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Aug 8 18:23:33 2006 Subject: Hylafax on a MailScanner pc Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1AB2@winchester.andrewscompanies.com> Not seriously, but it's a small mortgage company so each fax could be 30+ pages. I'd expect 2 or 3 of those a day. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael St. Laurent Sent: Tuesday, August 08, 2006 1:13 PM To: 'MailScanner discussion' Subject: RE: Hylafax on a MailScanner pc How busy do you expect the fax server to be? -- Michael St. Laurent Hartwell Corporation > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > sandrews@andrewscompanies.com > Sent: Tuesday, August 08, 2006 10:09 AM > To: mailscanner@lists.mailscanner.info > Subject: Hylafax on a MailScanner pc > > Does anyone have an opinion on installing hylafax on a lightly loaded > mailscanner pc? Normally, I'd toss another machine in for such a > different application, but this customer is experiencing server > "sprawl". > > Any thoughts? > > Thanks, > > Steve > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
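Added example, not part of any list message and not MailScanner's own code: a Python lint for the localhost exemption described in the "Retreiving attachments" messages above. It checks that the allow-all file is reachable only through a "From:" rule on a loopback address, that a default rule remains, and that rule-file fields are tab-separated; the function names, the direction keyword set, the four-field layout and the constructed sample inputs are assumptions.

```python
"""Lint for a MailScanner ruleset that exempts localhost from filename checks."""
import ipaddress
import re

# Paths as given in the quoted instructions.
ALLOWALL = "/etc/MailScanner/filename.rules.allowall.conf"

# Ruleset contents as quoted in the thread.
PAGE_RULESET = """\
# Allow all filenames from localhost
From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf
# Default entry
FromOrTo: default /etc/MailScanner/filename.rules.conf
"""

# Assumed set of direction keywords a ruleset line may start with.
DIRECTIONS = {"from:", "to:", "fromorto:", "fromandto:"}


def parse_ruleset(text):
    """Return (direction, pattern, value) tuples for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0].lower() not in DIRECTIONS:
            raise ValueError(f"unparseable rule: {raw!r}")
        rules.append((parts[0].lower(), parts[1], parts[2].strip()))
    return rules


def is_loopback(pattern):
    """True only if the pattern is an address or network inside loopback space."""
    try:
        return ipaddress.ip_network(pattern, strict=False).is_loopback
    except ValueError:
        # Wildcards, domains, prefixes such as "192.168." are not loopback.
        return False


def lint_ruleset(text, allowall=ALLOWALL):
    """Report rules that widen the allow-all exemption beyond localhost."""
    findings = []
    rules = parse_ruleset(text)
    if not any(pattern.lower() == "default" for _, pattern, _ in rules):
        findings.append("no 'default' rule: other mail has no explicit rules file")
    for direction, pattern, value in rules:
        if value != allowall:
            continue
        if pattern.lower() == "default":
            findings.append("default rule points at the allow-all file")
            continue
        if not is_loopback(pattern):
            findings.append(f"{pattern} skips filename checks but is not loopback")
        if direction != "from:":
            findings.append(f"{pattern}: exemption should match the sender only")
    return findings


def lint_rules_file(text):
    """Check that every rule line has four fields separated by tabs."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = re.split(r"\t+", raw.strip())
        if len(fields) != 4:
            findings.append(
                f"line {lineno}: {len(fields)} tab-separated field(s), expected 4"
            )
        elif not fields[0].lower().startswith(("allow", "deny")):
            findings.append(f"line {lineno}: unknown action {fields[0]!r}")
    return findings


if __name__ == "__main__":
    print(lint_ruleset(PAGE_RULESET))
    # Constructed sample: spaces where the tabs should be.
    print(lint_rules_file("allow .* - -\n"))
```

Run it against the files in /etc/MailScanner/rules/ after every change; an exemption that matches anything other than the local host lets relayed mail skip the filename checks as well.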
From lshaw at emitinc.com Tue Aug 8 18:24:09 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Tue Aug 8 18:24:22 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: <91A5926EFF44D3118B1200104B7276EB05570E50@hart-exchange.hartwellcorp.com> References: <91A5926EFF44D3118B1200104B7276EB05570E50@hart-exchange.hartwellcorp.com> Message-ID: On Tue, 8 Aug 2006, Michael St. Laurent wrote: > How busy do you expect the fax server to be? Unless you have dozens of modems, it's not like the load is going to be extremely significant. The load will be limited by the very slow bandwidth of the modem that faxes come in (and go out) over. I forget whether faxes can go faster than 14.4 kb/s, but even if they could go the full theoretical 56 kb/s that a phone line can (under limited conditions) provide, that's still not a lot of bandwidth. The only performance issue I can think of is that the load from running MailScanner could slow down the fax software on the host to the point where it isn't ready to send or receive and can't keep up with the modem. Then you could end up having a longer phone call to deliver or receive a given message, or you could even get timeouts, I suppose. But on a modern machine that isn't running low on memory, I doubt this will even be a serious problem. So, I think the only question would be more of one of how easy it is to manage with two unrelated services on the same machine. - Logan From sandrews at andrewscompanies.com Tue Aug 8 18:24:35 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Aug 8 18:24:38 2006 Subject: Hylafax on a MailScanner pc Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1AB3@winchester.andrewscompanies.com> We don't allow the mailscanner, let alone the hylafax to touch the internet by itself. System only has port 25 forwarded to it.
-----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A Sent: Tuesday, August 08, 2006 1:22 PM To: MailScanner discussion Subject: Re: Hylafax on a MailScanner pc sandrews@andrewscompanies.com wrote: > Does anyone have an opinion on installing hylafax on a lightly loaded > mailscanner pc? Normally, I'd toss another machine in for such a > different application, but this customer is experiencing server > "sprawl". > > Any thoughts? So, you want MailScanner to fax high scoring spam? :-) Hylafax is pretty stable stuff. There shouldn't be any problems as long as you set your iptables rules to protect Hylafax's ports from the Internet. Ken A. Pacific.Net > Thanks, > > Steve -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mike at vesol.com Tue Aug 8 18:29:43 2006 From: mike at vesol.com (Mike Kercher) Date: Tue Aug 8 18:29:53 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: <1964AAFBC212F742958F9275BF63DBB03B1AB2@winchester.andrewscompanies.com> Message-ID: I usually install an HP Digital Sender at mortgage companies. Mike > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of sandrews@andrewscompanies.com > Sent: Tuesday, August 08, 2006 12:24 PM > To: mailscanner@lists.mailscanner.info > Subject: RE: Hylafax on a MailScanner pc > > Not seriously, but it's a small mortgage company so each fax could be > 30+ pages. I'd expect 2 or 3 of those a day. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Michael St. 
Laurent > Sent: Tuesday, August 08, 2006 1:13 PM > To: 'MailScanner discussion' > Subject: RE: Hylafax on a MailScanner pc > > How busy do you expect the fax server to be? > > -- > Michael St. Laurent > Hartwell Corporation > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > > sandrews@andrewscompanies.com > > Sent: Tuesday, August 08, 2006 10:09 AM > > To: mailscanner@lists.mailscanner.info > > Subject: Hylafax on a MailScanner pc > > > > Does anyone have an opinion on installing hylafax on a > lightly loaded > > mailscanner pc? Normally, I'd toss another machine in for such a > > different application, but this customer is experiencing server > > "sprawl". > > > > Any thoughts? > > > > Thanks, > > > > Steve > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From Jamesp at MusicReports.com Tue Aug 8 18:32:59 2006 From: Jamesp at MusicReports.com (James D. 
Parra) Date: Tue Aug 8 18:33:04 2006 Subject: quarantine password-protected files Message-ID: <531F1E080638384C9623B00D71AA546D09F1F8@exchange.musicreports.com> Hello, I want to quarantine password-protected file attachments, actually, any file attachments that MailScanner determines as suspicious. After looking through mailscanner.conf I found; # Reports and Responses # --------------------- # # Do you want to store copies of the infected attachments and messages? # This can also be the filename of a ruleset. Quarantine Infections = yes However, an attachment was deleted and not stored in /var/spool/MailScanner/quaratine/, according the text message; This is a message from MailScanner E-Mail Virus Protection Service ---------------------------------------------------------------------- The original e-mail message contained potentially dangerous content, which has been removed for your safety. The content is dangerous as it is often used to spread viruses or to gain personal or confidential information from you, such as passwords or credit card numbers. Due to limitations placed on us by the Regulation of Investigatory Powers Act 2000, we were unable to keep a copy of the original attachment. The content filters found this: MailScanner: Message contained password-protected archive ~~~ Where in the conf can I fix this? Thank you in advance, James From sandrews at andrewscompanies.com Tue Aug 8 19:16:50 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Aug 8 19:16:53 2006 Subject: Hylafax on a MailScanner pc Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1AB9@winchester.andrewscompanies.com> Yeah, they've got one of those...BUT, it doesn't like it when you mix 8.5x11 and 8.5x14 inbound faxes. 
-----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: Tuesday, August 08, 2006 1:30 PM To: MailScanner discussion Subject: RE: Hylafax on a MailScanner pc I usually install an HP Digital Sender at mortgage companies. Mike > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > sandrews@andrewscompanies.com > Sent: Tuesday, August 08, 2006 12:24 PM > To: mailscanner@lists.mailscanner.info > Subject: RE: Hylafax on a MailScanner pc > > Not seriously, but it's a small mortgage company so each fax could be > 30+ pages. I'd expect 2 or 3 of those a day. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Michael St. Laurent > Sent: Tuesday, August 08, 2006 1:13 PM > To: 'MailScanner discussion' > Subject: RE: Hylafax on a MailScanner pc > > How busy do you expect the fax server to be? > > -- > Michael St. Laurent > Hartwell Corporation > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > > sandrews@andrewscompanies.com > > Sent: Tuesday, August 08, 2006 10:09 AM > > To: mailscanner@lists.mailscanner.info > > Subject: Hylafax on a MailScanner pc > > > > Does anyone have an opinion on installing hylafax on a > lightly loaded > > mailscanner pc? Normally, I'd toss another machine in for such a > > different application, but this customer is experiencing server > > "sprawl". > > > > Any thoughts? 
> > > > Thanks, > > > > Steve > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From alex at nkpanama.com Tue Aug 8 19:33:48 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Aug 8 19:34:02 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: <44D8C841.3030308@pacific.net> References: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> <44D8C841.3030308@pacific.net> Message-ID: <44D8D90C.3050709@nkpanama.com> Ken A wrote: > > So, you want MailScanner to fax high scoring spam? :-) > Hylafax is pretty stable stuff. There shouldn't be any problems as > long as you set your iptables rules to protect Hylafax's ports from > the Internet. I have several hylafax+mailscanner setups. As long as you set up your rulesets correctly so you don't flag faxes as spam (they're usually a single image + a few lines of text), you should be OK. As to the hylafax ports being accessible, I go with Mr. Miyagi in Karate Kid II: "Remember, best block, no be there." 
- I usually only open the ports on localhost and on internal nets. From roman at rotmax.com Tue Aug 8 23:05:01 2006 From: roman at rotmax.com (Roman) Date: Tue Aug 8 22:04:51 2006 Subject: sendmail/MS multiple outbound queues ? Message-ID: <03e201c6bb36$b9e182f0$0500000a@blessin> Hi, I am trying to set up MailScanner to work with multiple sendmail queues (low/high volume) with a similar setup: FEATURE(`queuegroup')dnl QUEUE_GROUP(`slowmail', `Path=/var/spool/mqueue/slqueue, I=10m, J=100, N=10, R=2, F=f' )dnl but when I am starting Mailscanner it fails to start with the message: NOQUEUE: SYSERR(root): QueuePath /var/spool/mqueue.in/slqueue not a subpath of QueueDirectory /var/spool/mqueue/: Mailscanner starts a queuing queue in /var/spool/mqueue.in and an outgoing queue in /var/spool/mqueue, and of course the slowmail queue is not a subpath of one of those. I wanted to know how you set up your mailscanner and sendmail to work with multiple queues. Thank you in advance, Roman From glauciusjunior at gmail.com Tue Aug 8 22:11:44 2006 From: glauciusjunior at gmail.com (glaucius junior) Date: Tue Aug 8 22:11:49 2006 Subject: mailscanner + mailwatch + postfix 2.3.2 Message-ID: <2360d6370608081411t3be99ffbva0150980ef5093d8@mail.gmail.com> Hi guys does anyone use postfix 2.3.2 and mailwatch ?? because, after upgrade my postfix from 2.2.8 to 2.3.2 my mailwatch stops to give me this information Today's Totals Processed: 0 b Clean: 0 % Viruses: 0 % Top Virus: None Blocked files: 0 % Others: 0 % Spam: 0 % High Scoring Spam: 0 % MCP: 0 % High Scoring MCP: 0 % can anyone help me ? best regards !! From brose at med.wayne.edu Wed Aug 9 00:18:16 2006 From: brose at med.wayne.edu (Rose, Bobby) Date: Wed Aug 9 00:18:23 2006 Subject: MailScanner Revision to 4.55 and tnef bug?
In-Reply-To: <44D77C7E.5010703@ecs.soton.ac.uk> Message-ID: <8F2A53954C22554EB75D9643FCCE0C6B01BEA86B@MED-CORE03-MS1.med.wayne.edu> Has anyone else had problems with particular messages that seem to get processed over and over by Mailscanner? I noticed some oddities in my stats and found the process loops in the logs. I switched to debug and when it hits one of the message it quits with the error read-open /var/spool/MailScanner/incoming/11016/k77EH304024456/ATT00004: No such file or directory at /usr/lib/perl5/site_perl/5.8.5/MIME/Body.pm line 435. I thought it might be a tnef issue since the messages I was seeing had winmail.dats. I switched from the tnef command to internal and MailScanner processed the messages without a problem. I've been using the tnef command for years without a problem. I updated from 4.54 last week. -=Bobby From jaearick at colby.edu Wed Aug 9 02:35:58 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Aug 9 02:42:13 2006 Subject: MailScanner Revision to 4.55 and tnef bug? In-Reply-To: <8F2A53954C22554EB75D9643FCCE0C6B01BEA86B@MED-CORE03-MS1.med.wayne.edu> References: <8F2A53954C22554EB75D9643FCCE0C6B01BEA86B@MED-CORE03-MS1.med.wayne.edu> Message-ID: Bobby, If you have the complete qf/df files for the offending message and can supply them to Julian, that might help him experiment/solve this. FWIW, I gave up on the external tnef a few months ago when 1.4 came out; it would not compile under Solaris 9/10. Checking Sourceforge however, I see that tnef-1.4.2 is available and claims to have fixed my compile problem. Maybe install tnef-1.4.2 and see if your problem messages still causes MailScanner to loop up??? Jeff Earickson Colby College On Tue, 8 Aug 2006, Rose, Bobby wrote: > Date: Tue, 8 Aug 2006 19:18:16 -0400 > From: "Rose, Bobby" > Reply-To: MailScanner discussion > To: mailscanner@lists.mailscanner.info > Subject: MailScanner Revision to 4.55 and tnef bug? 
> > > Has anyone else had problems with particular messages that seem to get > processed over and over by Mailscanner? I noticed some oddities in my > stats and found the process loops in the logs. I switched to debug and > when it hits one of the message it quits with the error read-open > /var/spool/MailScanner/incoming/11016/k77EH304024456/ATT00004: No such > file or directory at /usr/lib/perl5/site_perl/5.8.5/MIME/Body.pm line > 435. > > I thought it might be a tnef issue since the messages I was seeing had > winmail.dats. I switched from the tnef command to internal and > MailScanner processed the messages without a problem. I've been using > the tnef command for years without a problem. I updated from 4.54 last > week. > > -=Bobby > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ajos1 at onion.demon.co.uk Wed Aug 9 03:16:59 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Wed Aug 9 03:17:20 2006 Subject: gOCR SpamAssassin plugin Message-ID: - >> >>Beware that you might have a spamassassin rpm installed as well >> Now that sounds very likely... I will have a check into it... Thanks a-lot-o. -----Original Message----- From: MailScanner discussion mailscanner@lists.mailscanner.info Subj: Re: gOCR SpamAssassin plugin Date: Mon, 07 Aug 2006 20:19:15 +0100 == ===================================================================== = = When Ms Jowell, whose department is responsible for sport, was = asked who she thought was going to win the cup, she gleefully = pointed towards her ministerial vehicle, which is now bedecked in = flags, to declare: "There's only one England." = = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL... = Call... 
+44 8457 90 90 90 http://www.samaritans.org/ = ===================================================================== From jgolden at ci.grand-rapids.mi.us Wed Aug 9 03:56:55 2006 From: jgolden at ci.grand-rapids.mi.us (Golden, James) Date: Wed Aug 9 03:58:21 2006 Subject: [SOLVED] Retreiving attachments In-Reply-To: <008f01c6baf1$eb8b08c0$287ba8c0@office.fsl> Message-ID: <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us> Sorry for being so stupid. After looking through it again, I see what you were doing. 4 hours sleep a night catches up with you after awhile. Thanks for all the help. We will be implementing the Barracuda's appliances here in the next 5 weeks or so, that is why I am trying to "skate" by with this setup for now. I figure what I am learning here will still help out when we move to those appliances. Although I have to say with the exception of the file attachment thing, since I upgraded and setup everything correctly (I think) everyone has been noticing the difference here! In fact the guy who handles the antivirus wasn't too happy with me, because now more viruses are being caught as spam first. Our virus numbers in email went from 200 - 300 a day to 1 - 10! Thanks all (Julian?!) for this fantastic software combination!. It ROCKS! Thanks all who have helped with replies (especially Stephen), and have put up with me! James Golden ----- Original Message ----- From: mailscanner-bounces@lists.mailscanner.info on behalf of Stephen Swaney Sent: Tue, 8/8/2006 10:55am To: 'MailScanner discussion' Subject: RE: Retreiving attachments > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Rob Morin > Sent: Tuesday, August 08, 2006 9:35 AM > To: MailScanner discussion > Subject: Re: Retreiving attachments > > On another note, has anyone come up with a way to retrieve quarantined > attachments without the intervention of the sys admin?
Meaning the end > user can get them themselves? > > I thought i heard a while back of some app to do this? > > Have a good one! > > Rob Morin > Dido InterNet Inc. > Montreal, Canada > Http://www.dido.ca > 514-990-4444 > > > > Golden, James wrote: > > Thanks for the answer. Sorry for the long delay in the thanks > > departments. > > > > One more question here, > > > > Can I put more than one rules file in the Mailscanner.conf. Currently > > I am pointing to a ruleset already. > > > > Currently mine looks like this > > > > Filename Rules = %etc-dir%/filename.rules.conf > > > > so would it look like this? > > > > Filename Rules = %rules-dir%/filename.rules %etc- > dir%/filename.rules.conf > > > > Or would I need to combine the .rules file into the .conf file > > > > Thanks for the help. > > > > James > > > > > > > > On Fri, 2006-08-04 at 17:50 -0400, Stephen Swaney wrote: > >> > -----Original Message----- > >> > From: mailscanner-bounces@lists.mailscanner.info bounces@lists.mailscanner.info> [mailto:mailscanner- > >> > bounces@lists.mailscanner.info > ] On Behalf Of Golden, James > >> > Sent: Friday, August 04, 2006 5:10 PM > >> > To: MailScanner discussion > >> > Subject: Re: Retreiving attachments > >> > > >> > The attachments seem to be .doc or .xls or others and the client > always > >> > seems to be Outlook. > >> > > >> > On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote: > >> > > >> > > >> > Hello, > >> > > >> > I've have been wasting my whole day trying to figure out how to do > >> > this. Can anyone could help besides telling me to install Mailwatch > >> > (because it's not an option right now). > >> > > >> > I have messages that are being snagged by MailScanner because the > >> > attachment is too large. When I go to the directory the attachment > is in > >> > binary in the message.
> >> > > >> > I tried using a sendmail -t < message, but of course it gets snagged > >> > again by MS. Is there an option I'm missing to store the attachments > >> > separately from the message, is there a way to send this on without > it > >> > being scanned? Is there a way to get the attachment out of the > message? > >> > > >> > I need help soon as this is becoming a large issue today (about 6 > >> > end users) and my boss is hearing about it! > >> > > >> > Thanks, > >> > > >> > James > >> > >> You need to create a rule sets that exempt the localhost from > attachment > >> filename and filetype checking. If you have a Red Hat, CentOS or SuSE > >> system, the following paths will be correct. They will vary on other > systems > >> but the same principles will work. > >> > >> First create two files: > >> > >> /etc/MailScanner/filename.rules.allowall.conf > >> /etc/MailScanner/filetype.rules.allowall.conf > >> > >> The contents of each file will be identical: > >> > >> allow *. - - > >> > >> The spaces MUST be Tabs so the contents of both files is really: > >> > >> allow<Tab>*.<Tab>-<Tab>- > >> > >> Then create the file /etc/MailScanner/rules/filename.rules. The > contents of > >> this file should be: > >> > >> # Allow all filenames from localhost > >> From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf > >> # Default entry > >> FromOrTo: default /etc/MailScanner/filename.rules.conf > >> > >> Then create the file /etc/MailScanner/rules/filetype.rules. The > contents of > >> this file should be: > >> > >> # Allow all filetypes from localhost > >> From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf > >> # Default entry > >> FromOrTo: default /etc/MailScanner/filetype.rules.conf > >> > >> Then edit /etc/MailScanner.conf to call the new rulesets.
Change the > setting > >> for Filename Rules to be: > >> > >> Filename Rules = %rules-dir%/filename.rules > >> > >> And change the setting for Filetype Rules to be: > >> > >> Filetype Rules = %rules-dir%/filetype.rules > >> > >> Then reload MailScanner. > >> > >> You should now be able to release the files using the `sendmail -t < > >> message` command without MailScanner re-quarantining the files. > >> > >> Have a nice weekend. > >> > >> Steve > >> Stephen Swaney > >> Fort Systems Ltd. > >> stephen.swaney@fsl.com > >> www.fsl.com Open Source: MailWatch for MailScanner mailwatch.sourceforge.net Commercial (based on MailScanner and MailWatch) DefenderMX www.fsl.com Please contact me off list for more information about either. Thanks, Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From brent.addis at pronet.co.nz Wed Aug 9 04:51:49 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Wed Aug 9 04:52:36 2006 Subject: missing queue files? In-Reply-To: References: <44D7BE04.60606@pronet.co.nz> <44D7C597.5090201@pronet.co.nz> <44D84D5C.7040000@pronet.co.nz> Message-ID: <44D95BD5.3050405@pronet.co.nz> Hi, setting to posix doesn't actually seem to have fixed it :/ Have just come in and noticed about fifteen "Spool file 1GAaoQ-0007I8-UG-D not found" obviously with different filenames. David Lee wrote: > On Tue, 8 Aug 2006, Brent Addis wrote: > > >> Seems to have been fixed by changing the lock type to posix from blank. >> >> Shouldn't this be done automatically? By looking at the documentation on >> this setting, one would assume that by default it means "set automatically". >> > > In early June we had some discussion about this (Subject "lock type"). 
> > Indeed the documentation and behaviour contradicted each other, and > (despite the documentation) an explicit "posix" was, indeed, necessary. > > Julian: Could you confirm, please, in what releases since then this > mismatch has actually been rectified? (Getting the documentation and > behaviour to match each other is the primary point; the actual behaviour > is probably relatively secondary.) Thanks. > > > From augustin.siaens at aquadev.org Wed Aug 9 08:36:10 2006 From: augustin.siaens at aquadev.org (Augustin Siaens) Date: Wed Aug 9 08:36:17 2006 Subject: Bug In-Reply-To: <90667BB9-E9B1-4EAE-B223-E05E2C2D3C8C@ecs.soton.ac.uk> References: <20060808104059.M40451@yatta-it.com> <90667BB9-E9B1-4EAE-B223-E05E2C2D3C8C@ecs.soton.ac.uk> Message-ID: <44D9906A.8080702@aquadev.org> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Unfortunately 0.17 isn't great either. On some systems, it hangs > during the "make test" stage of building and installing it. > > What I have done is produce a new 4.55.10-3 release of MailScanner > that uses Sys-Syslog-0.17 but skips the "make test" so that it will > always install successfully. I have never seen that version actually > fail a test (other than the one that hangs) so it should all be okay. > > The code which is being tested by the test that hangs is never used > in real life anyway. > > On 8 Aug 2006, at 11:43, Filippo Dini wrote: > > >> Hi all. >> >> You have downgraded sys-syslog package (from 0.17 to 0.16) in your >> MailScanner_4.55.10- >> 2 but MailScanner don't log anything now. >> >> I have removed the sys-syslog 0.16 rpm and installed the 0.17 one >> to get all works >> again. >> >> I have fedora core 4 installed.
>> >> Best wishes >> >> Phil >> >> > > - -- > Julian Field > MailScanner@ecs.soton.ac.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: US-ASCII > > wj8DBQFE2LdGEfZZRxQVtlQRAhF+AKCsjARfjCenIfJcmdlxgI7T4AzPxQCgzQIW > B01xScMUtZ4e9xt5AWqXvec= > =axFx > -----END PGP SIGNATURE----- > > What is strange, is that when I was testing MailScanner, it said that there was a problem with Spamassassin so I turned the Spamassassin option and the Spam filtering option off in MailScanner.conf but the problem persisted. Was Sys::Syslog affecting SA or MailScanner or both? -- This message has been checked by MailScanner for viruses and spam, and nothing suspicious was found. From glenn.steen at gmail.com Wed Aug 9 08:45:37 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 9 08:45:41 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: References: <91A5926EFF44D3118B1200104B7276EB05570E50@hart-exchange.hartwellcorp.com> Message-ID: <223f97700608090045q69a43ea0x796ad5351ac59356@mail.gmail.com> On 08/08/06, Logan Shaw wrote: (snip) > I forget whether faxes can go faster than 14.4 kb/s, but (snip) 14.4 it is. Even if it could go faster, in theory, I don't think either the ITU standards, nor the existing machines/modems allow more. Talk about dead technology still twitching along:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Wed Aug 9 09:11:43 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 9 09:12:06 2006 Subject: [SOLVED] Retreiving attachments In-Reply-To: <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us> References: <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us> Message-ID: <96B97733-3A62-4EA1-B891-89CC62240015@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If you like MailScanner that much, why are you going to deploy those Barracudas?
A commercial setup of MailScanner (such as DefenderMX from www.fsl.com) will outperform Barracudas and is considerably cheaper. There is a detailed feature and price comparison on www.fsl.com. On 9 Aug 2006, at 03:56, Golden, James wrote: > Sorry for being so stupid. After looking through it again, I see > what you were doing. 4 hours sleep a night catches up with you > after awhile. > > Thanks for all the help. > > We will be implementing the Barracuda's appliances here in the next > 5 weeks or so, that is why I am trying to "skate" by with this > setup for now. I figure what I am learning here will still help > out when we move to those appliances. > > Although I have to say with the exception of the file attachment > thing, since I upgraded and setup everything correctly (I think) > everyone has been noticing the difference here! In fact the guy > who handles the antivirus wasn't too happy with me, because now > more viruses are being caught as spam first. Our virus numbers in > email went from 200 - 300 a day to 1 - 10! > > Thanks all (Julian?!) for this fantastic software combination!. It > ROCKS! > > Thanks all who have helped with replies (especially Stephen), and > have put up with me! > > James Golden > > > > ----- Original Message ----- > From: mailscanner-bounces@lists.mailscanner.info on behalf of > Stephen Swaney > Sent: Tue, 8/8/2006 10:55am > To: 'MailScanner discussion' > Subject: RE: Retreiving attachments > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Rob Morin >> Sent: Tuesday, August 08, 2006 9:35 AM >> To: MailScanner discussion >> Subject: Re: Retreiving attachments >> >> On another note, has anyone come up with a way to retrieve >> quarantined >> attachments without the intervention of the sys admin? Meaning the >> end >> user can get them themselves? >> >> I thought i heard a while back of some app to do this? >> >> Have a good one! 
>> >> Rob Morin >> Dido InterNet Inc. >> Montreal, Canada >> Http://www.dido.ca >> 514-990-4444 >> >> >> >> Golden, James wrote: >>> Thanks for the answer. Sorry for the long delay in the thanks >>> departments. >>> >>> One more question here, >>> >>> Can I put more than one rules file in the Mailscanner.conf. >>> Currently >>> I am pointing to a ruleset already. >>> >>> Currently mine looks like this >>> >>> Filename Rules = %etc-dir%/filename.rules.conf >>> >>> so would it look like this? >>> >>> Filename Rules = %rules-dir%/filename.rules %etc- >> dir%/filename.rules.conf >>> >>> Or would I need to combine the .rules file into the .conf file >>> >>> Thanks for the help. >>> >>> James >>> >>> >>> >>> On Fri, 2006-08-04 at 17:50 -0400, Stephen Swaney wrote: >>>>> -----Original Message----- >>>>> From: mailscanner-bounces@lists.mailscanner.info >>>>> > bounces@lists.mailscanner.info> [mailto:mailscanner- >>>>> bounces@lists.mailscanner.info >> ] On Behalf Of Golden, James >>>>> Sent: Friday, August 04, 2006 5:10 PM >>>>> To: MailScanner discussion >>>>> Subject: Re: Retreiving attachments >>>>> >>>>> The attachments seem to be .doc or .xls or others and the client >> always >>>>> seems to be Outlook. >>>>> >>>>> On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote: >>>>> >>>>> >>>>> Hello, >>>>> >>>>> I've have been wasting my whole day trying to figure out >>>>> how to do >>>>> this. Can anyone could help besides telling me to install >>>>> Mailwatch >>>>> (because it's not an option right now). >>>>> >>>>> I have messages that are being snagged by MailScanner >>>>> because the >>>>> attachment is too large. When I go to the directory the >>>>> attachment >> is in >>>>> binary in the message. >>>>> >>>>> I tried using a sendmail -t < message, but of course it >>>>> gets snagged >>>>> again by MS. Is there an option I'm missing to store the >>>>> attachments >>>>> separately from the message, is there a way to send this on >>>>> without >> it >>>>> being scanned? 
Is there a way to get the attachment out of the >> message? >>>>> >>>>> I need help soon as this is becoming a large issue today >>>>> (about 6 >>>>> end users) and my boss is hearing about it! >>>>> >>>>> Thanks, >>>>> >>>>> James >>>> >>>> You need to create a rule sets that exempt the localhost from >> attachment >>>> filename and filetype checking. If you have a Red Hat, CentOS or >>>> SuSE >>>> system, the following paths will be correct. They will vary on >>>> other >> systems >>>> but the same principles will work. >>>> >>>> First create two files: >>>> >>>> /etc/MailScanner/filename.rules.allowall.conf >>>> /etc/MailScanner/filetype.rules.allowall.conf >>>> >>>> The contents of each file will be identical: >>>> >>>> allow *. - - >>>> >>>> The spaces MUST be Tabs so the contents of both files is really: >>>> >>>> allow<Tab>*.<Tab>-<Tab>- >>>> >>>> Then create the file /etc/MailScanner/rules/filename.rules. The >> contents of >>>> this file should be: >>>> >>>> # Allow all filenames from localhost >>>> From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf >>>> # Default entry >>>> FromOrTo: default /etc/MailScanner/ >>>> filename.rules.conf >>>> >>>> Then create the file /etc/MailScanner/rules/filetype.rules. The >> contents of >>>> this file should be: >>>> >>>> # Allow all filetypes from localhost >>>> From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf >>>> # Default entry >>>> FromOrTo: default /etc/MailScanner/ >>>> filetype.rules.conf >>>> >>>> Then edit /etc/MailScanner.conf to call the new rulesets. Change >>>> the >> setting >>>> for Filename Rules to be: >>>> >>>> Filename Rules = %rules-dir%/filename.rules >>>> >>>> And change the setting for Filetype Rules to be: >>>> >>>> Filetype Rules = %rules-dir%/filetype.rules >>>> >>>> Then reload MailScanner. >>>> >>>> You should now be able to release the files using the `sendmail - >>>> t < >>>> message` command without MailScanner re-quarantining the files. >>>> >>>> Have a nice weekend.
>>>> >>>> Steve >>>> Stephen Swaney >>>> Fort Systems Ltd. >>>> stephen.swaney@fsl.com >>>> www.fsl.com > > Open Source: MailWatch for MailScanner mailwatch.sourceforge.net > Commercial (based on MailScanner and MailWatch) DefenderMX www.fsl.com > > Please contact me off list for more information about either. > > Thanks, > > Steve > > Stephen Swaney > Fort Systems Ltd. > stephen.swaney@fsl.com > www.fsl.com > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! - -- Julian Field MailScanner@ecs.soton.ac.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: US-ASCII wj8DBQFE2ZjAEfZZRxQVtlQRAtbQAKDSbEKggJwSMy75sFjxi8pPr2PYGgCaA0pu A+YoIVWhhVgszzkXQPHrq+A= =7c6C -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From glenn.steen at gmail.com Wed Aug 9 09:25:38 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 9 09:25:41 2006 Subject: mailscanner + mailwatch + postfix 2.3.2 In-Reply-To: <2360d6370608081411t3be99ffbva0150980ef5093d8@mail.gmail.com> References: <2360d6370608081411t3be99ffbva0150980ef5093d8@mail.gmail.com> Message-ID: <223f97700608090125q7ee49c65y3d8afb9f96920ab7@mail.gmail.com> On 08/08/06, glaucius junior wrote: > Hi guys > > does anyone use postfix 2.3.2 and mailwatch ?? 
> > > because, after upgrade my postfix from 2.2.8 to 2.3.2 my mailwatch > stops to give me this information > > Today's Totals Processed: 0 b > Clean: 0 % > Viruses: 0 % > Top Virus: None > Blocked files: 0 % > Others: 0 % > Spam: 0 % > High Scoring Spam: 0 % > MCP: 0 % > High Scoring MCP: 0 % > > > can anyone help me ? > That just shows some totals as found in the database. Seems like you've got something up with the logging... Or perhaps with mail delivery... Is mail flowing through? Anything getting logged to the db (send something through and look at the recent messages page)? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From doron at crc.co.za Wed Aug 9 09:48:53 2006 From: doron at crc.co.za (Doron Shmaryahu) Date: Wed Aug 9 09:49:18 2006 Subject: Max message size Message-ID: <736056B20C569640AD384C4242646F22147F65@CTDC01.crc.localnet> Hi, I am using the max message size for individual users and it works great. I just want to know how I sort of whitelist all local users sending mail to each other from being limited. This is the sort of config I am looking for: user@localdomain to user2@localdomain no message size limit Then apply all the other limits ie external mail limited to 500k. Thanks in advance Doron From prandal at herefordshire.gov.uk Wed Aug 9 09:49:59 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Aug 9 09:56:25 2006 Subject: ClamAV 0.88.4 Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580E923713@isabella.herefordshire.gov.uk> Nudges Jules... Any schedule for an updated install-Clam-SA.tar.gz?

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From MailScanner at ecs.soton.ac.uk Wed Aug 9 10:48:45 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 9 10:49:09 2006
Subject: ClamAV 0.88.4
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580E923713@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580E923713@isabella.herefordshire.gov.uk>
Message-ID: <44D9AF7D.20307@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What's out of date in it?

Randal, Phil wrote:
> Nudges Jules...
>
> Any schedule for an updated install-Clam-SA.tar.gz?
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE2a99EfZZRxQVtlQRAvZFAKDyQSB0cCeH2FkUmNqrKUdeWGyW8gCfYHrf
MLid8ASNZTzJPBDXyr18F/4=
=WM2e
-----END PGP SIGNATURE-----

From steve.freegard at fsl.com Wed Aug 9 11:19:37 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Aug 9 11:19:46 2006
Subject: Max message size
In-Reply-To: <736056B20C569640AD384C4242646F22147F65@CTDC01.crc.localnet>
References: <736056B20C569640AD384C4242646F22147F65@CTDC01.crc.localnet>
Message-ID: <44D9B6B9.3040600@fsl.com>

Doron Shmaryahu wrote:
> Hi,
>
>
> I am using the max message size for individual users and it works great.
> I just want to know how I sort of whitelist all local users sending mail
> to each other from being limited. This is the sort of config I am looking
> for:
>
> user@localdomain to user2@localdomain no message size limit
>
> Then apply all the other limits ie external mail limited to 500k.
>
>

How about:

FromAndTo: *@localdomain.com 0

Cheers,
Steve.

From prandal at herefordshire.gov.uk Wed Aug 9 11:26:37 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Aug 9 11:29:28 2006
Subject: ClamAV 0.88.4
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580E923781@isabella.herefordshire.gov.uk>

http://www.clamav.net/security/0.88.4.html

* CVE: CVE-2006-4018
* Status: Critical
* Vulnerable: ClamAV 0.81 - 0.88.3

A heap overflow vulnerability was discovered in libclamav which could
cause a denial of service or allow the execution of arbitrary code.

The problem is specifically located in the PE file rebuild function used
by the UPX unpacker.

Relevant code from libclamav/upx.c:

    memcpy(dst, newbuf, foffset);
    *dsize = foffset;
    free(newbuf);

    cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n");
    return 1;

Due to improper validation it is possible to overflow the above memcpy()
beyond the allocated memory block.

The problem has been fixed in 0.88.4.

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Julian Field
> Sent: 09 August 2006 10:49
> To: MailScanner discussion
> Subject: Re: ClamAV 0.88.4
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What's out of date in it?
>
> Randal, Phil wrote:
> > Nudges Jules...
> >
> > Any schedule for an updated install-Clam-SA.tar.gz?
> >
> > Cheers,
> >
> > Phil
> >
> > --
> > Phil Randal
> > Network Engineer
> > Herefordshire Council
> > Hereford, UK
> >
>
> - --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

From maillists at conactive.com Wed Aug 9 11:31:18 2006
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Aug 9 11:31:35 2006
Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
In-Reply-To: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl>
References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl>
Message-ID:

Stephen Swaney wrote on Mon, 7 Aug 2006 20:22:25 -0400:

> We temporarily made the source available from the following URLs:
>
> http://mirror.clamav.net/clamav-0.88.4.tar.gz

Same problems downloading from there. Had anyone success?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From jaearick at colby.edu Wed Aug 9 11:52:19 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Wed Aug 9 11:56:42 2006
Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
In-Reply-To:
References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl>
Message-ID:

Yes, I got it from Sourceforge yesterday and installed it.

Jeff Earickson
Colby College

On Wed, 9 Aug 2006, Kai Schaetzl wrote:

> Date: Wed, 09 Aug 2006 12:31:18 +0200
> From: Kai Schaetzl
> Reply-To: MailScanner discussion
> To: mailscanner@lists.mailscanner.info
> Subject: Re: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
>
> Stephen Swaney wrote on Mon, 7 Aug 2006 20:22:25 -0400:
>
>> We temporarily made the source available from the following URLs:
>>
>> http://mirror.clamav.net/clamav-0.88.4.tar.gz
>
> Same problems downloading from there. Had anyone success?
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>

From support-lists at petdoctors.co.uk Wed Aug 9 12:18:03 2006
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Aug 9 12:16:36 2006
Subject: Weird 'spam'
Message-ID: <013901c6bba5$7c90a510$1465a8c0@support01>

We get about 10 of these a day with random names, subjects (like:
airport-hotel-shannon, lead-movie-take) etc. sent via an enquiry form on our
Web site. They are not particularly troublesome but as they don't advertise
anything I am wondering what the agenda is - anyone?

++++

This is an enquiry e-mail via [web site] from:
Svetlana

Thanks so very much for taking your time to create this very useful and
informative site. I have learned a lot from your site. Thanks!!

++++

This is an enquiry e-mail via [web site] from:
Meteor

Nice site its very interesting site! your site is fantastic.

++++

This is an enquiry e-mail via [web site] from:
Bill

Looking for information and found it at this great site...
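
Added example, not part of any message in this archive and not libclamav's code: the upx.c snippet quoted in the ClamAV 0.88.4 advisory (CVE-2006-4018) earlier in this digest copies foffset bytes into dst with nothing tying foffset to the size of dst. The C below shows the validation that kind of copy needs before memcpy() runs; rebuild_checked, rebuilt_length, struct section and dst_cap are hypothetical names, and all sizes are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a size field read from the scanned file. */
struct section { uint32_t raw_size; };

/* Add header length and section sizes; refuse 32-bit wraparound. */
static int rebuilt_length(uint32_t hdr_len, const struct section *sec,
                          size_t nsec, uint32_t *out)
{
    uint32_t total = hdr_len;
    for (size_t i = 0; i < nsec; i++) {
        if (sec[i].raw_size > UINT32_MAX - total)
            return 0;
        total += sec[i].raw_size;
    }
    *out = total;
    return 1;
}

/*
 * Rebuild into dst. dst_cap is the number of bytes allocated for dst
 * (hypothetical parameter); *dsize receives the rebuilt length.
 * Returns 1 on success, 0 when the file-derived length cannot be trusted.
 */
int rebuild_checked(uint8_t *dst, uint32_t dst_cap, uint32_t *dsize,
                    uint32_t hdr_len, const struct section *sec, size_t nsec)
{
    uint32_t foffset;
    uint8_t *newbuf;

    if (!dst || !dsize || (!sec && nsec))
        return 0;
    if (!rebuilt_length(hdr_len, sec, nsec, &foffset))
        return 0;                     /* sizes wrapped around */
    if (foffset == 0 || foffset > dst_cap)
        return 0;                     /* copy would run past the end of dst */

    newbuf = calloc(1, foffset);
    if (!newbuf)
        return 0;
    memset(newbuf, 0x4d, hdr_len);    /* placeholder for the rebuilt data */

    memcpy(dst, newbuf, foffset);     /* foffset <= dst_cap, == size of newbuf */
    *dsize = foffset;
    free(newbuf);
    return 1;
}

/* Constructed cases. demo_fits returns the rebuilt size, or 0 on rejection. */
uint32_t demo_fits(void)
{
    uint8_t dst[64];
    uint32_t dsize = 0;
    struct section s[2] = { {16}, {24} };
    return rebuild_checked(dst, sizeof dst, &dsize, 8, s, 2) ? dsize : 0;
}

/* Declared sizes exceed the 64-byte destination: must be rejected. */
int demo_too_big(void)
{
    uint8_t dst[64];
    uint32_t dsize = 0;
    struct section s[2] = { {16}, {4096} };
    return rebuild_checked(dst, sizeof dst, &dsize, 8, s, 2);
}

/* Sizes whose sum wraps to a small value: must be rejected, not copied. */
int demo_wraps(void)
{
    uint8_t dst[64];
    uint32_t dsize = 0;
    struct section s[2] = { {0xFFFFFFF0u}, {0x20u} };
    return rebuild_checked(dst, sizeof dst, &dsize, 8, s, 2);
}

int main(void)
{
    printf("fits: %u bytes\n", (unsigned)demo_fits());
    printf("too big accepted: %d\n", demo_too_big());
    printf("wraparound accepted: %d\n", demo_wraps());
    return 0;
}
```
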

From michele at blacknight.ie Wed Aug 9 12:32:58 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight Solutions)
Date: Wed Aug 9 12:33:00 2006
Subject: Weird 'spam'
In-Reply-To: <013901c6bba5$7c90a510$1465a8c0@support01>
Message-ID: <011b01c6bba7$90e4bcc0$88c5c657@arthur>

Nigel Kendrick wrote:
> We get about 10 of these a day with random names, subjects (like:
> airport-hotel-shannon, lead-movie-take) etc. sent via an enquiry form
> on our Web site. They are not particularly troublesome but as they
> don't advertise anything I am wondering what the agenda is - anyone?
>
>
> ++++
>
> This is an enquiry e-mail via [web site] from:
> Svetlana
>
> Thanks so very much for taking your time to create this very useful
> and informative site. I have learned a lot from your site. Thanks!!
>
> ++++
>
> This is an enquiry e-mail via [web site] from:
> Meteor
>
> Nice site its very interesting site! your site is fantastic.
>
> ++++
>
> This is an enquiry e-mail via [web site] from:
> Bill
>
> Looking for information and found it at this great site...

It depends on your webform.
The ones we get include a link to a splog

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239

From root at doctor.nl2k.ab.ca Wed Aug 9 12:42:17 2006
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a.
 The Root of the Problem)
Date: Wed Aug 9 12:42:53 2006
Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
In-Reply-To:
References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl>
Message-ID: <20060809114217.GQ19584@doctor.nl2k.ab.ca>

On Wed, Aug 09, 2006 at 12:31:18PM +0200, Kai Schaetzl wrote:
> Stephen Swaney wrote on Mon, 7 Aug 2006 20:22:25 -0400:
>
> > We temporarily made the source available from the following URLs:
> >
> > http://mirror.clamav.net/clamav-0.88.4.tar.gz
>
> Same problems downloading from there. Had anyone success?
>
> Kai
>

I have it no problems. I could make it available via ftp://ftp.nk.ca/

> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>

From maillists at conactive.com Wed Aug 9 13:31:18 2006
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Aug 9 13:31:36 2006
Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
In-Reply-To:
References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl>
Message-ID:

Jeff A. Earickson wrote on Wed, 9 Aug 2006 06:52:19 -0400 (EDT):

> Yes, I got it from Sourceforge yesterday and installed it.

Do you remember the mirror?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Aug 9 13:31:18 2006
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Aug 9 13:31:37 2006
Subject: Weird 'spam'
In-Reply-To: <013901c6bba5$7c90a510$1465a8c0@support01>
References: <013901c6bba5$7c90a510$1465a8c0@support01>
Message-ID:

Nigel Kendrick wrote on Wed, 9 Aug 2006 12:18:03 +0100:

> We get about 10 of these a day with random names, subjects (like:
> airport-hotel-shannon, lead-movie-take) etc. sent via an enquiry form on our
> Web site. They are not particularly troublesome but as they don't advertise
> anything I am wondering what the agenda is - anyone?

This is probably only the tip of the iceberg. That is what *you* get. They are
trying to check out if your script can be abused. And since you are getting
these so regularly it's possible that the trying phase is already over ...
Check your outgoing mail queue.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From campbell at cnpapers.com Wed Aug 9 13:31:42 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Wed Aug 9 13:32:41 2006
Subject: [SOLVED] Retreiving attachments
References: <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us>
Message-ID: <004a01c6bbaf$c540ff80$0705000a@DDF5DW71>

----- Original Message -----
From: "Golden, James"
To: "MailScanner discussion"
Sent: Tuesday, August 08, 2006 10:56 PM
Subject: RE: [SOLVED] Retreiving attachments

> Although I have to say with the exception of the file attachment thing,
> since I upgraded and setup everything correctly (I think) everyone has
> been noticing the difference here! In fact the guy who handles the
> antivirus wasn't too happy with me, because now more viruses are being
> caught as spam first. Our virus numbers in email went from 200 - 300 a day
> to 1 - 10!
>
>
> James Golden
>
>
>

James,

We used to run Symantec AntiVirus on two gateways in front of our mail
servers. I put MS/SA on the mail servers, and the result was so impressive,
that our company finally gave up on Symantec. It was never very
configuration-friendly as far as individual preferences, and because it was a
Windows application ....well, you can figure out the rest.

Good luck with your project

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From jaearick at colby.edu Wed Aug 9 13:36:00 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Wed Aug 9 13:36:27 2006
Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
In-Reply-To:
References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl>
Message-ID:

In my case, probably Minnesota, since I'm in the US.

On Wed, 9 Aug 2006, Kai Schaetzl wrote:

> Date: Wed, 09 Aug 2006 14:31:18 +0200
> From: Kai Schaetzl
> Reply-To: MailScanner discussion
> To: mailscanner@lists.mailscanner.info
> Subject: Re: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
>
> Jeff A. Earickson wrote on Wed, 9 Aug 2006 06:52:19 -0400 (EDT):
>
>> Yes, I got it from Sourceforge yesterday and installed it.
>
> Do you remember the mirror?
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>

From Jan-Peter.Koopmann at seceidos.de Wed Aug 9 14:20:31 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Wed Aug 9 14:20:48 2006
Subject: Huge Dcc logdir
Message-ID:

Hi,

I just hunted down some wasted disk space and discovered huge amounts of
msg-* files in /usr/local/dcc/log which is DCCs logdir. Somehow dcc decided
to log every message. How can I turn this off?
I am using dccifd with SpamAssassin.

I know this is a bit OT. I am in a hurry, know that a lot of dcc and
SpamAssassin people hang around here so please excuse this. :-)

Kind regards,
JP

From shuttlebox at gmail.com Wed Aug 9 14:29:53 2006
From: shuttlebox at gmail.com (shuttlebox)
Date: Wed Aug 9 14:29:57 2006
Subject: Huge Dcc logdir
In-Reply-To:
References:
Message-ID: <625385e30608090629ge1eb2a1u6c2af519c1e0fa67@mail.gmail.com>

On 8/9/06, Koopmann, Jan-Peter wrote:
> Hi,
>
> I just hunted down some wasted disk space and discovered huge amounts of msg-* files in /usr/local/dcc/log which is DCCs logdir. Somehow dcc decided to log every message. How can I turn this off? I am using dccifd with SpamAssassin.
>
> I know this is a bit OT. I am in a hurry, know that a lot of dcc and SpamAssassin people hang around here so please excuse this. :-)

This is one of the reasons I stopped using dccifd, I didn't find an
option to turn this off and had to use a simple cron entry to purge
the log directory.

It's probably something simple you and I have overlooked and someone
will surely inform us of a solution.

--
/peter

From adrik at salesmanager.nl Wed Aug 9 14:33:49 2006
From: adrik at salesmanager.nl (Adri Koppes)
Date: Wed Aug 9 14:33:52 2006
Subject: Huge Dcc logdir
Message-ID:

> Hi,
>
> I just hunted down some wasted disk space and discovered huge
> amounts of msg-* files in /usr/local/dcc/log which is DCCs
> logdir. Somehow dcc decided to log every message. How can I
> turn this off? I am using dccifd with SpamAssassin.
>
> I know this is a bit OT. I am in a hurry, know that a lot of
> dcc and SpamAssassin people hang around here so please excuse
> this. :-)
>

Jan Peter,

Have a look in /usr/local/dcc/dcc_conf at the DCCM_LOG_AT and
DCCIFD_LOG_AT parameters.
These control the 'bulkiness' after which messages get logged.
You can also use the -t option of dccifd.

Regards,

Adri

From dhawal at netmagicsolutions.com Wed Aug 9 14:33:54 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Wed Aug 9 14:34:16 2006
Subject: Huge Dcc logdir
In-Reply-To:
References:
Message-ID: <44D9E442.9090603@netmagicsolutions.com>

Koopmann, Jan-Peter wrote:
> Hi,
>
> I just hunted down some wasted disk space and discovered huge amounts of msg-* files in /usr/local/dcc/log which is DCCs logdir. Somehow dcc decided to log every message. How can I turn this off? I am using dccifd with SpamAssassin.
>
> I know this is a bit OT. I am in a hurry, know that a lot of dcc and SpamAssassin people hang around here so please excuse this. :-)

See /var/dcc/libexec/cron-dccd

- dhawal

From dhawal at netmagicsolutions.com Wed Aug 9 14:38:01 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Wed Aug 9 14:38:06 2006
Subject: Huge Dcc logdir
In-Reply-To: <44D9E442.9090603@netmagicsolutions.com>
References: <44D9E442.9090603@netmagicsolutions.com>
Message-ID: <44D9E539.7000004@netmagicsolutions.com>

Dhawal Doshy wrote:
> Koopmann, Jan-Peter wrote:
>> Hi,
>>
>> I just hunted down some wasted disk space and discovered huge amounts
>> of msg-* files in /usr/local/dcc/log which is DCCs logdir. Somehow dcc
>> decided to log every message. How can I turn this off? I am using
>> dccifd with SpamAssassin.
>>
>> I know this is a bit OT. I am in a hurry, know that a lot of dcc and
>> SpamAssassin people hang around here so please excuse this. :-)
>
> See /var/dcc/libexec/cron-dccd

OR 'man 8 dbclean'

> - dhawal
>

From bbecken at aafp.org Wed Aug 9 14:45:26 2006
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Wed Aug 9 14:45:44 2006
Subject: Huge Dcc logdir
In-Reply-To:
References:
Message-ID: <44D9A0A5.D87E.0068.3@aafp.org>

Look at dcc_conf

# days to keep files in DCC log directories
DBCLEAN_LOGDAYS=14    <--- I think this is the default.

The cron-dccd and cron-dcc jobs do the cleanup process.

>>> adrik@salesmanager.nl 8/9/2006 8:33 AM >>>
> Hi,
>
> I just hunted down some wasted disk space and discovered huge
> amounts of msg-* files in /usr/local/dcc/log which is DCCs
> logdir. Somehow dcc decided to log every message. How can I
> turn this off? I am using dccifd with SpamAssassin.
>
> I know this is a bit OT. I am in a hurry, know that a lot of
> dcc and SpamAssassin people hang around here so please excuse
> this. :-)
>
Jan Peter,

Have a look in /usr/local/dcc/dcc_conf at the DCCM_LOG_AT and
DCCIFD_LOG_AT parameters.
These control the 'bulkiness' after which messages get logged.
You can also use the -t option of dccifd.

Regards,

Adri

From alex at nkpanama.com Wed Aug 9 14:47:03 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Aug 9 14:47:21 2006
Subject: Weird 'spam'
In-Reply-To:
References: <013901c6bba5$7c90a510$1465a8c0@support01>
Message-ID: <44D9E757.6030706@nkpanama.com>

Kai Schaetzl wrote:
> Nigel Kendrick wrote on Wed, 9 Aug 2006 12:18:03 +0100:
> This is probably only the tip of the iceberg. That is what *you* get. They are
> trying to check out if your script can be abused. And since you are getting
> these so regularly it's possible that the trying phase is already over ...
> Check your outgoing mail queue.

... and fix your form/server/whatever before you get blacklisted! :-)

From prandal at herefordshire.gov.uk Wed Aug 9 14:50:15 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Aug 9 14:58:31 2006
Subject: Huge Dcc logdir
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B580E923860@isabella.herefordshire.gov.uk>

check out /var/dcc/libexec/cron-dccd

ln -s it into /etc/cron.daily and it should clean your dcc logs for you.

Seems to work here.

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Koopmann, Jan-Peter
> Sent: 09 August 2006 14:21
> To: MailScanner discussion
> Subject: Huge Dcc logdir
>
> Hi,
>
> I just hunted down some wasted disk space and discovered huge
> amounts of msg-* files in /usr/local/dcc/log which is DCCs
> logdir. Somehow dcc decided to log every message. How can I
> turn this off? I am using dccifd with SpamAssassin.
>
> I know this is a bit OT. I am in a hurry, know that a lot of
> dcc and SpamAssassin people hang around here so please excuse
> this. :-)
>
>
> Kind regards,
> JP
>

From jaearick at colby.edu Wed Aug 9 14:50:58 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Wed Aug 9 15:00:28 2006
Subject: Huge Dcc logdir
In-Reply-To:
References:
Message-ID:

I raised this issue a while back on the dcc mailing list (check the
archives). If you don't want dcc logging, your choices are:

1) Remove the log directory, and then live with the stat() complaints
   from dccifd at start time in the syslog directory.

2) Use the settings for the "-t" option. See the manpage:

   http://www.rhyolite.com/anti-spam/dcc/dccm.html#OPTION-t

The way to implement the "NEVER" feature for -t is to set:

DCCM_LOG_AT=NEVER

in your dcc_conf file, and then leave the log subdirectory alone.
You will find occasional crud in the log directory, but nothing
major will stack up.

Jeff Earickson
Colby College

On Wed, 9 Aug 2006, Koopmann, Jan-Peter wrote:

> Date: Wed, 9 Aug 2006 15:20:31 +0200
> From: "Koopmann, Jan-Peter"
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Huge Dcc logdir
>
> Hi,
>
> I just hunted down some wasted disk space and discovered huge amounts of msg-* files in /usr/local/dcc/log which is DCCs logdir. Somehow dcc decided to log every message. How can I turn this off? I am using dccifd with SpamAssassin.
>
> I know this is a bit OT. I am in a hurry, know that a lot of dcc and SpamAssassin people hang around here so please excuse this. :-)
>
>
> Kind regards,
> JP
>

From Jan-Peter.Koopmann at seceidos.de Wed Aug 9 15:01:35 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Wed Aug 9 15:02:05 2006
Subject: Huge Dcc logdir
In-Reply-To: <44D9E442.9090603@netmagicsolutions.com>
Message-ID:

Thanks guys. I knew I could count on you. :-)

> See /var/dcc/libexec/cron-dccd

/usr/local/dcc/libexec/cron-dccd on FreeBSD.

So setting

DCCM_LOG_AT=50
DBCLEAN_LOGDAYS=1

and running cron-dccd daily should get rid of this? Does LOG_AT=50 and only
one logday in some way influence the day to day operation or spam detection?
I would not think so but you never know... :-)

From dhawal at netmagicsolutions.com Wed Aug 9 15:12:36 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Wed Aug 9 15:12:54 2006
Subject: Huge Dcc logdir
In-Reply-To:
References:
Message-ID: <44D9ED54.6010707@netmagicsolutions.com>

Jeff A. Earickson wrote:
> I raised this issue a while back on the dcc mailing list (check the
> archives).
> If you don't want dcc logging, your choices are:
>
> 1) Remove the log directory, and then live with the stat() complaints
> from dccifd at start time in the syslog directory.
>
> 2) Use the settings for the "-t" option. See the manpage:
>
> http://www.rhyolite.com/anti-spam/dcc/dccm.html#OPTION-t
>
> The way to implement the "NEVER" feature for -t is to set:
>
> DCCM_LOG_AT=NEVER

Err.. isn't dccm the milter interface? and ideally should affect the
daemon (dccd)..

- dhawal

From adrik at salesmanager.nl Wed Aug 9 15:13:48 2006
From: adrik at salesmanager.nl (Adri Koppes)
Date: Wed Aug 9 15:13:52 2006
Subject: Huge Dcc logdir
Message-ID:

> Thanks guys. I knew I could count on you. :-)
>
> > See /var/dcc/libexec/cron-dccd
>
>
> /usr/local/dcc/libexec/cron-dccd on FreeBSD.
>
>
> So setting
>
> DCCM_LOG_AT=50
> DBCLEAN_LOGDAYS=1
>
> and running cron-dccd daily should get rid of this? Does
> LOG_AT=50 and only one logday in some way influence the day
> to day operation or spam detection? I would not think so but
> you never know... :-)

Jan Peter,

If you set DCCM_LOG_AT=50, then it will log messages with more than 50
hits in the log directory.
DBCLEAN_LOGDAYS=1 will clean any logs older than 1 day.
This should not affect the day to day operation or spam detection of
dcc.

Adri.

From jaearick at colby.edu Wed Aug 9 15:27:05 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Wed Aug 9 15:32:17 2006
Subject: Huge Dcc logdir
In-Reply-To: <44D9ED54.6010707@netmagicsolutions.com>
References: <44D9ED54.6010707@netmagicsolutions.com>
Message-ID:

Well, it seems to affect how dccifd gets launched too. If I do:

% ps -ef | grep dcc
dcc 755 1 0 Aug 04 ? 0:00 /opt/dcc-1.3.40/libexec/dccifd -tCMN,NEVER, -Linfo,mail.notice -Lerror,mail.not
dcc 756 755 0 Aug 04 ? 8:09 /opt/dcc-1.3.40/libexec/dccifd -tCMN,NEVER, -Linfo,mail.notice -Lerror,mail.not

Note the "-t". I don't specify the -t args anyplace explicitly.
It matches the manpage info I referred to.
Vernon Schryver referred to the DCCM_LOG_AT setting of NEVER as a
"primordial feature". Back when DCC first crawled out of the swamp. :)

Jeff Earickson
Colby College

On Wed, 9 Aug 2006, Dhawal Doshy wrote:

> Date: Wed, 09 Aug 2006 19:42:36 +0530
> From: Dhawal Doshy
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: Huge Dcc logdir
>
> Jeff A. Earickson wrote:
>> I raised this issue a while back on the dcc mailing list (check the
>> archives). If you don't want dcc logging, your choices are:
>>
>> 1) Remove the log directory, and then live with the stat() complaints
>> from dccifd at start time in the syslog directory.
>>
>> 2) Use the settings for the "-t" option. See the manpage:
>>
>> http://www.rhyolite.com/anti-spam/dcc/dccm.html#OPTION-t
>>
>> The way to implement the "NEVER" feature for -t is to set:
>>
>> DCCM_LOG_AT=NEVER
>
> Err.. isn't dccm the milter interface? and ideally should affect the daemon
> (dccd)..
>
> - dhawal
>

From dave.list at pixelhammer.com Wed Aug 9 15:36:30 2006
From: dave.list at pixelhammer.com (DAve)
Date: Wed Aug 9 15:36:58 2006
Subject: Wiki Submission
Message-ID: <44D9F2EE.1010809@pixelhammer.com>

All,

I would like feedback on posting the following to the MailScanner Wiki.
While this is not considered a bug by the SpamAssassin team, I do feel
it is a bit of a tripping hazard for users. I'd like to include the
information for future reference.

-------------------------------------------------------------
sa-update usage

Note that sa-update has a configuration option to install updates in a
directory of the administrator's choosing.
See http://spamassassin.apache.org/full/3.1.x/dist/doc/sa-update.html

"--updatedir
    By default, sa-update will use the system-wide rules update directory:

        /home/jm/perl584/var/spamassassin/3.001005

    If the updates should be stored in another location, specify it here."

Note that simply using the --updatedir option is not enough without
additional steps to ensure SpamAssassin is aware that rules need to be
loaded from the specified location. This can cause a situation where
updates are downloaded and never read by SpamAssassin. In fact
installing the updates anywhere on your system other than the default
location will have no effect, SpamAssassin will never read them. Using
the --updatedir option will require the creation of a *cf file to tell
SpamAssassin where to find the updated files.

Unless, if the administrator installs updates to the site config dir (in
my case /usr/local/etc/mail/spamassassin) the updates will be read, but
the updates.spamassassin.org.cf will be read last, causing any changes
made to the local.cf to be overridden.

See http://spamassassin.apache.org/full/3.1.x/dist/doc/spamassassin.html
----------------------------------------------------------

This one caught me by surprise.

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

From mailscanner at yeticomputers.com Wed Aug 9 16:23:11 2006
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Wed Aug 9 16:23:21 2006
Subject: Max message size
In-Reply-To: <736056B20C569640AD384C4242646F22147F65@CTDC01.crc.localnet>
References: <736056B20C569640AD384C4242646F22147F65@CTDC01.crc.localnet>
Message-ID: <44D9FDDF.1090500@yeticomputers.com>

Doron Shmaryahu wrote:
> Hi,
>
>
> I am using the max message size for individual users and it works great.
> I just want to know how I sort of whitelist all local users sending mail
> to each other from being limited. This is the sort of config I am looking
> for:
>
> user@localdomain to user2@localdomain no message size limit
>
> Then apply all the other limits ie external mail limited to 500k.
>
>
> Thanks in advance
>
> Doron
>

If you're using Postfix, you'll also need to set a higher limit in your
main.cf. Keep in mind that "unlimited" (or very high) message size can
cause a lot of problems if you have users with no common sense or users
who don't have at least a basic understanding of how email works. If
you have a large number of users, you will have at least a few of each
type. I made such an allowance once for one of my domains. Issues that
showed up on the first day:

1. Local users sending *huge* attachments to each other - on the order
of several hundred megabytes.

2. Users sending very large attachments to people on the same domain
who checked their email from home or elsewhere. The receiving user
would invariably think their email client had hung, close it and try
again. This would cause a number of problems, depending on what the
client was.

3. Users sending mail from home or elsewhere to other users on the same
domain. This was worse than the above, because the upstream bandwidth
for even most broadband users is very low. It doesn't take a very large
file for someone with, say, 256Kb of upstream bandwidth to make their
mail client appear to have hung while sending. I had one user with
about fifteen connections to the mail server waiting to time out because
he'd kept killing and restarting his mail client.

I ended up dropping the limit back down and setting up a personalized
web repository for users who want to exchange large files. Email is
not, and never has been, the way to transfer large files.

Rick

From jgolden at ci.grand-rapids.mi.us Wed Aug 9 04:15:20 2006
From: jgolden at ci.grand-rapids.mi.us (Golden, James)
Date: Wed Aug 9 16:24:04 2006
Subject: File Attachment size setting questions
Message-ID: <19135140.1155093320010.JavaMail.root@dash.grand-rapids.mi.us>

I am trying to accomplish 2 things. In upgrading our MTA's (MailScanner,
SA, ClamAV), I thought it would be best to block large attachment files
here instead of on the mail server (conserve internal bandwidth). In
doing so there are 2 settings I can't figure out via my research.

1. How can I NOT send the recipient the message at all? I just want a
message going to the sender.

2. How do I not store that message locally. Currently we store the mail
(temporarily).

Thanks,

James Golden

From steve.swaney at fsl.com Wed Aug 9 16:50:04 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Wed Aug 9 16:48:11 2006
Subject: File Attachment size setting questions
In-Reply-To: <19135140.1155093320010.JavaMail.root@dash.grand-rapids.mi.us>
Message-ID: <092a01c6bbcb$7b615790$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Golden, James
> Sent: Tuesday, August 08, 2006 11:15 PM
> To: MailScanner discussion
> Subject: File Attachment size setting questions
>
> I am trying to accomplish 2 things. In upgrading our MTA's (MailScanner,
> SA, ClamAV), I thought it would be best to block large attachment files
> here instead of on the mail server (conserve internal bandwidth). In
> doing so there are 2 settings I can't figure out via my research.
>
> 1. How can I NOT send the recipient the message at all? I just want a
> message going to the sender.
>
> 2. How do I not store that message locally.
> Currently we store the mail
> (temporarily).
>
> Thanks,
>
> James Golden

If you're using sendmail or the latest Postfix that can use milters, look at:

http://www.snertsoft.com/sendmail/milter-length/

Milter-length is a free milter from Anthony Howe. It is a Sendmail utility milter that imposes message size limits by IP address, domain name, or sender address on a message body length, excluding the message headers. Sendmail's MaxMessageSize option only allows for a single global server wide message size limit, which is insufficient for some sites that would prefer finer granularity in the application of message size limits. This is particularly useful for mail hosts that manage several domains and/or a large number of users, such as an ISP.

The MTA is the right place to block oversize messages, before accepting them and then running them through MailScanner.

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From ugob at camo-route.com Wed Aug 9 17:25:52 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Wed Aug 9 17:26:12 2006
Subject: Huge Dcc logdir
In-Reply-To: <44D9A0A5.D87E.0068.3@aafp.org>
References: <44D9A0A5.D87E.0068.3@aafp.org>
Message-ID:

Brad Beckenhauer wrote:
> Look at dcc_conf
>
> # days to keep files in DCC log directories
> DBCLEAN_LOGDAYS=14 <--- I think this is the default.

And make sure you run the DCC cronjob.

>
> The cron-dccd and cron-dcc jobs do the cleanup process.
>
>>>> adrik@salesmanager.nl 8/9/2006 8:33 AM >>>
>> Hi,
>>
>> I just hunted down some wasted disk space and discovered huge
>> amounts of msg-* files in /usr/local/dcc/log which is DCCs
>> logdir. Somehow dcc decided to log every message. How can I
>> turn this off? I am using dccifd with SpamAssassin.
>>
>> I know this is a bit OT. I am in a hurry, know that a lot of
>> dcc and SpamAssassin people hang around here so please excuse
>> this.
>> :-)
>>
> Jan Peter,
>
> Have a look in /usr/local/dcc/dcc_conf at the DCCM_LOG_AT and
> DCCIFD_LOG_AT parameters.
> These control the 'bulkiness' after which messages get logged.
> You can also use the -t option of dccifd.
>
> Regards,
>
> Adri
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From mailscanner at ecs.soton.ac.uk Wed Aug 9 17:46:26 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 9 17:46:44 2006
Subject: ClamAV 0.88.4
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580E923781@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580E923781@isabella.herefordshire.gov.uk>
Message-ID: <44DA1162.3070209@ecs.soton.ac.uk>

Done. I should have read the Subject: line :-)

Randal, Phil wrote:
> http://www.clamav.net/security/0.88.4.html
>
> * CVE: CVE-2006-4018
> * Status: Critical
> * Vulnerable: ClamAV 0.81 - 0.88.3
>
> A heap overflow vulnerability was discovered in libclamav which could
> cause a denial of service or allow the execution of arbitrary code.
>
> The problem is specifically located in the PE file rebuild function used
> by the UPX unpacker.
>
> Relevant code from libclamav/upx.c:
>
>     memcpy(dst, newbuf, foffset);
>     *dsize = foffset;
>     free(newbuf);
>
>     cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n");
>     return 1;
>
> Due to improper validation it is possible to overflow the above memcpy()
> beyond the allocated memory block.
>
> The problem has been fixed in 0.88.4.
>
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Julian Field
>> Sent: 09 August 2006 10:49
>> To: MailScanner discussion
>> Subject: Re: ClamAV 0.88.4
>>
>> What's out of date in it?
>>
>> Randal, Phil wrote:
>>> Nudges Jules...
>>>
>>> Any schedule for an updated install-Clam-SA.tar.gz?
>>>
>>> Cheers,
>>>
>>> Phil
>>>
>>> --
>>> Phil Randal
>>> Network Engineer
>>> Herefordshire Council
>>> Hereford, UK
>>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>> MailScanner thanks transtec Computers for their support.
>>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Get your PCs and servers from Transtec.de, very well built and reliable!

From mailscanner at ecs.soton.ac.uk Wed Aug 9 17:47:28 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 9 17:48:24 2006
Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
In-Reply-To:
References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl>
Message-ID: <44DA11A0.4050600@ecs.soton.ac.uk>

I have now upgraded my easy-to-install Clam+SA package.

Jeff A. Earickson wrote:
> Yes, I got it from Sourceforge yesterday and installed it.
>
> Jeff Earickson
> Colby College
>
> On Wed, 9 Aug 2006, Kai Schaetzl wrote:
>
>> Date: Wed, 09 Aug 2006 12:31:18 +0200
>> From: Kai Schaetzl
>> Reply-To: MailScanner discussion
>> To: mailscanner@lists.mailscanner.info
>> Subject: Re: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
>>
>> Stephen Swaney wrote on Mon, 7 Aug 2006 20:22:25 -0400:
>>
>>> We temporarily made the source available from the following URLs:
>>>
>>> http://mirror.clamav.net/clamav-0.88.4.tar.gz
>>
>> Same problems downloading from there. Had anyone success?
>>
>> Kai
>>
>> --
>> Kai Schätzl, Berlin, Germany
>> Get your web at Conactive Internet Services: http://www.conactive.com
>>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Get your PCs and servers from Transtec.de, very well built and reliable!

From mailscanner at ecs.soton.ac.uk Wed Aug 9 18:16:30 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Aug 9 18:16:44 2006
Subject: File Attachment size setting questions
In-Reply-To: <092a01c6bbcb$7b615790$287ba8c0@office.fsl>
References: <092a01c6bbcb$7b615790$287ba8c0@office.fsl>
Message-ID: <44DA186E.8040603@ecs.soton.ac.uk>

Stephen Swaney wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Golden, James
>> Sent: Tuesday, August 08, 2006 11:15 PM
>> To: MailScanner discussion
>> Subject: File Attachment size setting questions
>>
>> I am trying to accomplish 2 things. In upgrading our MTA's (MailScanner,
>> SA, ClamAV), I thought it would be best to block large attachment files
>> here instead of on the mail server (conserve internal bandwidth). In
>> doing so there are 2 settings I can't figure out via my research.
>>
>> 1. How can I NOT send the recipient the message at all? I just want a
>> message going to the sender.
>>
>> 2. How do I not store that message locally. Currently we store the mail
>> (temporarily).
>>
>> Thanks,
>>
>> James Golden
>
> If you're using sendmail or the latest Postfix that can use milters, look at:
> http://www.snertsoft.com/sendmail/milter-length/
>
> Milter-length is a free milter from Anthony Howe.
> It is a Sendmail utility
> milter that imposes message size limits by IP address, domain name, or
> sender address on a message body length, excluding the message headers.
> Sendmail's MaxMessageSize option only allows for a single global server wide
> message size limit, which is insufficient for some sites that would prefer
> finer granularity in the application of message size limits. This is
> particularly useful for mail hosts that manage several domains and/or a
> large number of users, such as an ISP.
>
> The MTA is the right place to block oversize messages, before accepting them
> and then running them through MailScanner.

What error message does the Milter produce?

One advantage in rejecting the message in MailScanner is that a full report message is sent explaining the problem, including a message to both the sender and recipient telling them what happened and why their mail was rejected.

I have expanded this functionality in the latest release. It used to treat the message as if it was infected, the only clue being in the "report line" in the middle. It now sends a completely different message in response to size problems with messages and attachments.

This can also result in the oversized attachment being stored in the quarantine, giving the recipient an alternative, more efficient way of retrieving the attachment, provided you have some sort of web-based quarantine management and retrieval system in place, such as the excellent MailWatch or DefenderMX packages.

Rejecting at the MTA is more efficient, but it doesn't have a chance to explain the reason in language that users might understand. And it doesn't notify the recipient at all, so they just see the message as having either never been sent, or just "lost en route", which is less than helpful. This behaviour will damage your business reputation with your customers as they will just see it lose messages for no apparent reason, making them conclude that you run an unreliable mail service.
And then they tell all their friends that your service doesn't work. Not good for business.

The max message size check is done early on in the processing of a message.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Get your PCs and servers from Transtec.de, very well built and reliable!

From Jamesp at MusicReports.com Wed Aug 9 18:21:28 2006
From: Jamesp at MusicReports.com (James D. Parra)
Date: Wed Aug 9 18:21:32 2006
Subject: quarantine password-protected files
Message-ID: <531F1E080638384C9623B00D71AA546D09F211@exchange.musicreports.com>

Hello,

I want to quarantine password-protected file attachments, actually, any file attachments that MailScanner determines as suspicious. After looking through mailscanner.conf I found;

# Reports and Responses
# ---------------------
#

# Do you want to store copies of the infected attachments and messages?
# This can also be the filename of a ruleset.
Quarantine Infections = yes

However, an attachment was deleted and not stored in /var/spool/MailScanner/quarantine/, according to the text message;

This is a message from MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail message contained potentially dangerous content, which has been removed for your safety.
The content is dangerous as it is often used to spread viruses or to gain personal or confidential information from you, such as passwords or credit card numbers.

Due to limitations placed on us by the Regulation of Investigatory Powers Act 2000, we were unable to keep a copy of the original attachment.

The content filters found this:
MailScanner: Message contained password-protected archive
~~~

Where in the conf can I fix this?

Hello,

Still poking around in the MailScanner.conf and I can't find where to fix this. Can someone point me to a direct link in the wiki or in the documentation.

Thank you in advance,

~James

From Kevin_Miller at ci.juneau.ak.us Wed Aug 9 18:52:30 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Aug 9 18:52:37 2006
Subject: ALLOW FILETYPES in MailScanner.conf
Message-ID:

I updated my MS to take advantage of the new Allow Filenames & Allow Filetypes functions and notice that the comments documenting filetypes seem to be a copy and paste of Allow Filenames with minor editing.

I'm a bit confused by one thing; in the example it shows this for filetypes:
# Allow Filetypes = \.txt$ \.pdf$
# Deny Filetypes = \.com$ \.exe$ \.cpl$ \.pif$

Shouldn't that rather be:
# Allow Filetypes = text postscript
and the like? Looking in the filetype.rules.conf I don't see any extensions - just things like text, postscript, MPEG, etc.

Am I out to lunch?

What I'm doing is setting up a particular user to be able to send my users .mp3 files, so I have the following files set up:

%etc-dir%/allow.filenames.rules
From: joe.blow@somedomain.com \.mp3$

%etc-dir%/allow.filetypes.rules
From: joe.blow@somedomain.com MPEG

Is that correct, or do I really need \.mp3$ in both the filename and filetype rule files?

S'later...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From ssilva at sgvwater.com Wed Aug 9 18:58:24 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 9 18:58:47 2006
Subject: [SOLVED] Retreiving attachments
In-Reply-To: <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us>
References: <008f01c6baf1$eb8b08c0$287ba8c0@office.fsl> <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us>
Message-ID:

Golden, James spake the following on 8/8/2006 7:56 PM:
> Sorry for being so stupid. After looking through it again, I see what you were doing. 4 hours sleep a night catches up with you after awhile.
>
> Thanks for all the help.
>
> We will be implementing the Barracuda's appliances here in the next 5 weeks or so, that is why I am trying to "skate" by with this setup for now. I figure what I am learning here will still help out when we move to those appliances.
>
> Although I have to say with the exception of the file attachment thing, since I upgraded and setup everything correctly (I think) everyone has been noticing the difference here! In fact the guy who handles the antivirus wasn't too happy with me, because now more viruses are being caught as spam first. Our virus numbers in email went from 200 - 300 a day to 1 - 10!
>
> Thanks all (Julian?!) for this fantastic software combination!. It ROCKS!
>
> Thanks all who have helped with replies (especially Stephen), and have put up with me!
>
> James Golden

Fortress's appliance will run circles around the barracuda's, and you could probably get 2 DefenderMX's for the cost of one Barracuda!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Aug 9 19:01:52 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 9 19:05:14 2006
Subject: MailScanner ANNOUNCE: Revision to 4.55
In-Reply-To: <44D77C7E.5010703@ecs.soton.ac.uk>
References: <44D77C7E.5010703@ecs.soton.ac.uk>
Message-ID:

Julian Field spake the following on 8/7/2006 10:46 AM:
> The author of the Sys::Syslog perl module has withdrawn it due to
> problems including compatibility issues with some Linux distributions.
> The most obvious effect is that the "make test" step may hang part-way
> through the tests.
>
> As a result, I have had no alternative other than to reluctantly publish
> a revision of the latest stable release of MailScanner.
>
> If you had problems installing 4.55.9 (notably on some CentOS systems)
> then download and upgrade to 4.55.10.
>
> Download as usual from www.mailscanner.info
>
> Note that if you had no problems installing 4.55.9, there is no reason
> to upgrade to 4.55.10.
>
> Sorry for this forced re-release.
>

Does anything change in MailScanner, or is it just the rollback of the Sys::Syslog module?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Aug 9 19:17:32 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 9 19:17:43 2006
Subject: Hylafax on a MailScanner pc
In-Reply-To: <44D8C841.3030308@pacific.net>
References: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> <44D8C841.3030308@pacific.net>
Message-ID:

Ken A spake the following on 8/8/2006 10:22 AM:
>
>
> sandrews@andrewscompanies.com wrote:
>> Does anyone have an opinion on installing hylafax on a lightly loaded
>> mailscanner pc? Normally, I'd toss another machine in for such a
>> different application, but this customer is experiencing server
>> "sprawl".
>>
>> Any thoughts?
>
> So, you want MailScanner to fax high scoring spam? :-)
> Hylafax is pretty stable stuff.
> There shouldn't be any problems as long
> as you set your iptables rules to protect Hylafax's ports from the
> Internet.

Sounds like a new application ... FaxScanner .. Stops your junk faxes cold!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Aug 9 19:22:59 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 9 19:23:28 2006
Subject: quarantine password-protected files
In-Reply-To: <531F1E080638384C9623B00D71AA546D09F211@exchange.musicreports.com>
References: <531F1E080638384C9623B00D71AA546D09F211@exchange.musicreports.com>
Message-ID:

James D. Parra spake the following on 8/9/2006 10:21 AM:
> Hello,
>
> I want to quarantine password-protected file attachments, actually, any file
> attachments that MailScanner determines as suspicious. After looking through
> mailscanner.conf I found;
>
>
> # Reports and Responses
> # ---------------------
> #
>
> # Do you want to store copies of the infected attachments and messages?
> # This can also be the filename of a ruleset.
> Quarantine Infections = yes
>
>
> However, an attachment was deleted and not stored in
> /var/spool/MailScanner/quarantine/, according to the text message;
>
> This is a message from MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail message contained potentially dangerous content,
> which has been removed for your safety.
>
> The content is dangerous as it is often used to spread viruses or to gain
> personal or confidential information from you, such as passwords or credit
> card numbers.
>
> Due to limitations placed on us by the Regulation of Investigatory Powers
> Act 2000, we were unable to keep a copy of the original attachment.
>
> The content filters found this:
> MailScanner: Message contained password-protected archive
> ~~~
>
> Where in the conf can I fix this?
I have been just storing all messages for a short period of time. Then you can release anything you need to, and you can set up the system to kill after a set number of days. Mailwatch makes this even easier.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From maillists at conactive.com Wed Aug 9 19:31:19 2006
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Aug 9 19:31:23 2006
Subject: Tips on how to use ruleset for 'Spam Lists To Be Spam'
In-Reply-To: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com>
References: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com>
Message-ID:

Dnsadmin 1bigthink.com wrote on Tue, 08 Aug 2006 10:43:59 -0400:

> They are good, long-used and trusted BLs.
>
> Spam List = SBL+XBL SPEWS ORDB-RBL spamcop.net spamhaus.org spamhaus-XBL SORBS-SPAM SORBS-ZOMBIE SORBS-HTTP DSBL SORBS-DNSBL SORBS-SMTP SORBS-WEB SORBS-BLOCK NJABL

long-trusted, reliable? And you use Spews? That's a contradiction. Also, it seems to me that you are duplicating RBLs. Inform yourself what these lists actually contain. You'll see that some of them are already part of others you use. Also, honestly, using umpteen lists doesn't give you any advantage over a few *really* carefully chosen ones. They are just duplicating their results. You gain something like 1% more accuracy with 5fold more resource usage.

> How can I set up a ruleset like this for individual users or
> individual domains?
> #Spam Lists To Be Spam = /etc/MailScanner/spam.lists.count

I don't see how this would help you much. Why don't you whitelist those users? You apparently know them, so ... Or just whitelist those servers, I'm not aware that they are a source for much spam, they don't appear in my logs.
Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Aug 9 19:31:19 2006
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Aug 9 19:31:25 2006
Subject: [Clamav-announce] problem downloading clamav-0.88.4.tar.gz
In-Reply-To: <20060809114217.GQ19584@doctor.nl2k.ab.ca>
References: <1b5101c6ba80$ba1a3de0$287ba8c0@office.fsl> <20060809114217.GQ19584@doctor.nl2k.ab.ca>
Message-ID:

wrote on Wed, 9 Aug 2006 05:42:17 -0600:

> I could make it available via ftp://ftp.nk.ca/

Thanks for the offer. It seems it is working now for me as well. I assume they pulled the alternative download once sf.net started working again, but it hadn't spread to my mirror yet. So I couldn't get it from both sites for a while.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From Jamesp at MusicReports.com Wed Aug 9 19:38:50 2006
From: Jamesp at MusicReports.com (James D. Parra)
Date: Wed Aug 9 19:38:53 2006
Subject: quarantine password-protected files
Message-ID: <531F1E080638384C9623B00D71AA546D09F215@exchange.musicreports.com>

James D. Parra spake the following on 8/9/2006 10:21 AM:
> Hello,
>
> I want to quarantine password-protected file attachments, actually, any file
> attachments that MailScanner determines as suspicious. After looking through
> mailscanner.conf I found;
>
>
> # Reports and Responses
> # ---------------------
> #
>
> # Do you want to store copies of the infected attachments and messages?
> # This can also be the filename of a ruleset.
> Quarantine Infections = yes
>
>
> However, an attachment was deleted and not stored in
> /var/spool/MailScanner/quarantine/, according to the text message;
>
> This is a message from MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail message contained potentially dangerous content,
> which has been removed for your safety.
>
> The content is dangerous as it is often used to spread viruses or to gain
> personal or confidential information from you, such as passwords or credit
> card numbers.
>
> Due to limitations placed on us by the Regulation of Investigatory Powers
> Act 2000, we were unable to keep a copy of the original attachment.
>
> The content filters found this:
> MailScanner: Message contained password-protected archive
> ~~~
>
> Where in the conf can I fix this?

>I have been just storing all messages for a short period of time. Then you can
>release anything you need to, and you can set up the system to kill after a
>set number of days. Mailwatch makes this even easier.

I don't mind just storing/quarantine the attachments for retrieval later. Right now it is deleting the attachments and I don't want that. Where in the MailScanner.conf can I fix this?

Many thanks,

James

From steve.swaney at fsl.com Wed Aug 9 20:05:58 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Wed Aug 9 20:04:04 2006
Subject: [SOLVED] Retreiving attachments
In-Reply-To:
Message-ID: <0a3e01c6bbe6$d97f2b20$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Scott Silva
> Sent: Wednesday, August 09, 2006 1:58 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: [SOLVED] Retreiving attachments
>
> Golden, James spake the following on 8/8/2006 7:56 PM:
> > Sorry for being so stupid. After looking through it again, I see what
> you were doing.
> 4 hours sleep a night catches up with you after awhile.
> >
> > Thanks for all the help.
> >
> > We will be implementing the Barracuda's appliances here in the next 5
> weeks or so, that is why I am trying to "skate" by with this setup for
> now. I figure what I am learning here will still help out when we move to
> those appliances.
> >
> > Although I have to say with the exception of the file attachment thing,
> since I upgraded and setup everything correctly (I think) everyone has
> been noticing the difference here! In fact the guy who handles the
> antivirus wasn't too happy with me, because now more viruses are being
> caught as spam first. Our virus numbers in email went from 200 - 300 a
> day to 1 - 10!
> >
> > Thanks all (Julian?!) for this fantastic software combination!. It
> ROCKS!
> >
> > Thanks all who have helped with replies (especially Stephen), and have
> put up with me!
> >
> > James Golden
> Fortress's appliance will run circles around the barracuda's, and you
> could
> probably get 2 DefenderMX's for the cost of one Barracuda!
>

{Start Commercial}

And you don't need a separate appliance for incoming and outgoing e-mail. That halves the cost again :) We now support DefenderMX Dual-core x86-64 architectures so a fairly inexpensive system will process a HEAP of email.

We have beaten barracuda and the rest of the competition at some sites that have run fairly sophisticated comparisons before buying DefenderMX. More information and references are available. Please email me off-list.

{End Commercial}

Thanks for your patience on off topic material,

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From ssilva at sgvwater.com Wed Aug 9 20:34:20 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 9 20:34:49 2006
Subject: [SOLVED] Retreiving attachments
In-Reply-To: <0a3e01c6bbe6$d97f2b20$287ba8c0@office.fsl>
References: <0a3e01c6bbe6$d97f2b20$287ba8c0@office.fsl>
Message-ID:

Stephen Swaney spake the following on 8/9/2006 12:05 PM:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Scott Silva
>> Sent: Wednesday, August 09, 2006 1:58 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: Re: [SOLVED] Retreiving attachments
>>
>> Golden, James spake the following on 8/8/2006 7:56 PM:
>>> Sorry for being so stupid. After looking through it again, I see what
>> you were doing. 4 hours sleep a night catches up with you after awhile.
>>> Thanks for all the help.
>>>
>>> We will be implementing the Barracuda's appliances here in the next 5
>> weeks or so, that is why I am trying to "skate" by with this setup for
>> now. I figure what I am learning here will still help out when we move to
>> those appliances.
>>> Although I have to say with the exception of the file attachment thing,
>> since I upgraded and setup everything correctly (I think) everyone has
>> been noticing the difference here! In fact the guy who handles the
>> antivirus wasn't too happy with me, because now more viruses are being
>> caught as spam first. Our virus numbers in email went from 200 - 300 a
>> day to 1 - 10!
>>> Thanks all (Julian?!) for this fantastic software combination!. It
>> ROCKS!
>>> Thanks all who have helped with replies (especially Stephen), and have
>> put up with me!
>>> James Golden
>> Fortress's appliance will run circles around the barracuda's, and you
>> could
>> probably get 2 DefenderMX's for the cost of one Barracuda!
>>
>
> {Start Commercial}
>
> And you don't need a separate appliance for incoming and outgoing e-mail.
> That halves the cost again :) We now support DefenderMX Dual-core x86-64
> architectures so a fairly inexpensive system will process a HEAP of email.
>
> We have beaten barracuda and the rest of the competition at some sites that
> have run fairly sophisticated comparisons before buying DefenderMX. More
> information and references are available. Please email me
> off-list.
>
> {End Commercial}
>
> Thanks for your patience on off topic material,
>
> Steve
>
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney@fsl.com
> www.fsl.com
>

Hey Steve, Everybody has to eat!
And your package is perfect for someone who needs a packaged solution. Many new admins (or at least new to Linux) are being asked to get something non-windows into production. Your package is great for that. I might even push it to my PHB's in a year or so.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From jrudd at ucsc.edu Wed Aug 9 20:48:12 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Wed Aug 9 20:48:48 2006
Subject: ClamAV 0.88.4
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B580E923713@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B580E923713@isabella.herefordshire.gov.uk>
Message-ID: <52b3a0c5fff8a2c340b4038135aedb5d@ucsc.edu>

On Aug 9, 2006, at 1:49 AM, Randal, Phil wrote:

> Nudges Jules...
>
> Any schedule for an updated install-Clam-SA.tar.gz?
>

I was actually thinking, earlier today, about how hard/easy it would be to write something like the "MajorSophos" script, only for ClamAV (let's call it MajorClamav). That way it could probe the clamav servers 1/mo to look for an updated engine and see if it needs to install it (and then re-install the ClamAV perl module from CPAN, since the last time I did an engine update I needed to re-install the perl module to get it to recognize it).

And, if a security announcement goes out, it'd just be a matter of re-running "MajorClamav" or something.
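
The ClamAV advisory quoted earlier in this thread (CVE-2006-4018) says the memcpy(dst, newbuf, foffset) at the end of the UPX PE rebuild can run past the allocated block because foffset is not validated. The following is an added illustration, not part of any post in this archive and not ClamAV's code or its 0.88.4 patch; the struct, the function names and the sample section tables are assumptions, and it shows the kind of validation such a copy depends on.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified section record. Both fields are read from the
 * file being unpacked, so both are attacker-controlled. */
struct section {
    uint32_t raw_offset; /* where the section starts in the rebuilt image */
    uint32_t raw_size;   /* how many bytes it occupies there */
};

enum { REBUILD_OK = 0, REBUILD_TOO_BIG = -1, REBUILD_MALFORMED = -2,
       REBUILD_NOMEM = -3 };

/* End of the rebuilt image (the advisory's "foffset"), derived from the
 * untrusted headers. Fails on an empty table or if offset + size wraps. */
static int rebuilt_length(const struct section *s, size_t n, uint32_t *foffset)
{
    uint32_t end = 0;

    if (n == 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (s[i].raw_size > UINT32_MAX - s[i].raw_offset)
            return -1; /* sum would wrap around 32 bits */
        uint32_t e = s[i].raw_offset + s[i].raw_size;
        if (e > end)
            end = e;
    }
    *foffset = end;
    return 0;
}

/* Rebuild into dst, which has room for *dsize bytes. On success *dsize
 * becomes the rebuilt length; on failure dst and *dsize are left untouched. */
static int rebuild_checked(char *dst, uint32_t *dsize,
                           const struct section *s, size_t n)
{
    uint32_t foffset;
    char *newbuf;

    if (rebuilt_length(s, n, &foffset) != 0)
        return REBUILD_MALFORMED;
    if (foffset > *dsize) /* validate before allocating or copying */
        return REBUILD_TOO_BIG;

    newbuf = calloc(1, foffset ? foffset : 1);
    if (newbuf == NULL)
        return REBUILD_NOMEM;
    /* Stand-in for writing section data: each write stays inside newbuf
     * because offset + size <= foffset was established above. */
    for (size_t i = 0; i < n; i++)
        memset(newbuf + s[i].raw_offset, 'A' + (int)i, s[i].raw_size);

    memcpy(dst, newbuf, foffset); /* bounded by the capacity check */
    *dsize = foffset;
    free(newbuf);
    return REBUILD_OK;
}

/* Constructed sample section tables (not taken from any real file). */
static const struct section SAMPLE_FITS[]    = { {0x200, 0x400}, {0x600, 0x200} };
static const struct section SAMPLE_TOO_BIG[] = { {0x200, 0x400}, {0x600, 0x2000} };
/* 0xFFFFFF00 + 0x200 wraps to 0x100, which a naive "sum <= capacity"
 * comparison would accept. */
static const struct section SAMPLE_WRAPS[]   = { {0xFFFFFF00u, 0x200} };

/* Run one table against a fresh dst of cap bytes. Returns the rebuilt
 * length on success, or the negative REBUILD_* status on failure. */
static long long run_case(uint32_t cap, const struct section *s, size_t n)
{
    uint32_t dsize = cap;
    char *dst = malloc(cap ? cap : 1);
    int rc;

    if (dst == NULL)
        return REBUILD_NOMEM;
    rc = rebuild_checked(dst, &dsize, s, n);
    free(dst);
    return rc == REBUILD_OK ? (long long)dsize : rc;
}

int main(void)
{
    printf("fits:    %lld\n", run_case(4096, SAMPLE_FITS, 2));
    printf("too big: %lld\n", run_case(4096, SAMPLE_TOO_BIG, 2));
    printf("wraps:   %lld\n", run_case(4096, SAMPLE_WRAPS, 1));
    return 0;
}
```

The wrap-around table is the case a plain length comparison misses, which is why the overflow test on offset + size comes before the capacity test.
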

From wintermutecx at gmail.com Wed Aug 9 22:19:22 2006
From: wintermutecx at gmail.com (Dave)
Date: Wed Aug 9 22:19:25 2006
Subject: Duplicate messages/Unlinking failed
In-Reply-To: <4443BEF2.8090509@avalonpub.com>
References: <4443BEF2.8090509@avalonpub.com>
Message-ID:

I noticed these messages today after I upgraded to the latest Mailscanner. I went to the logs on my other server that I updated 2 days ago and they started occurring then as well.

Both servers run CentOS3.

From Jamesp at MusicReports.com Wed Aug 9 22:19:21 2006
From: Jamesp at MusicReports.com (James D. Parra)
Date: Wed Aug 9 22:19:28 2006
Subject: quarantine password-protected files
Message-ID: <531F1E080638384C9623B00D71AA546D09F21D@exchange.musicreports.com>

> I want to quarantine password-protected file attachments, actually, any file
> attachments that MailScanner determines as suspicious. After looking through
> mailscanner.conf I found;
>
>
> # Reports and Responses
> # ---------------------
> #
>
> # Do you want to store copies of the infected attachments and messages?
> # This can also be the filename of a ruleset.
> Quarantine Infections = yes
>
>
> However, an attachment was deleted and not stored in
> /var/spool/MailScanner/quarantine/, according to the text message;
>
> This is a message from MailScanner E-Mail Virus Protection Service
> ----------------------------------------------------------------------
> The original e-mail message contained potentially dangerous content,
> which has been removed for your safety.
>
> The content is dangerous as it is often used to spread viruses or to gain
> personal or confidential information from you, such as passwords or credit
> card numbers.
>
> Due to limitations placed on us by the Regulation of Investigatory Powers
> Act 2000, we were unable to keep a copy of the original attachment.
>
> The content filters found this:
> MailScanner: Message contained password-protected archive
> ~~~
>
> Where in the conf can I fix this?
>I have been just storing all messages for a short period of time. Then you can >release anything you need to, and you can set up the system to kill after a >set number of days. Mailwatch makes this even easier. I don't mind just storing/quarantining the attachments for retrieval later. Right now it is deleting the attachments and I don't want that. Where in the MailScanner.conf can I fix this? ~~~ I found this on the web (it's from an older mailscanner.conf file) attempting to figure out how to stop mail scanner from deleting attachments; # Set what to do with infected attachments or messages. # keep ==> Store under the "Quarantine Dir" # delete ==> Just delete them #Action = delete Action = keep I don't see such an option in the mailscanner.conf I have. If I were to insert this into the conf, would it work? Many thanks in advance, ~James From steve.swaney at fsl.com Wed Aug 9 22:32:49 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Wed Aug 9 22:32:52 2006 Subject: Duplicate messages/Unlinking failed In-Reply-To: Message-ID: <000001c6bbfb$5d381620$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Dave > Sent: Wednesday, August 09, 2006 5:19 PM > To: MailScanner discussion > Subject: Re: Duplicate messages/Unlinking failed > > I noticed these messages today after I upgraded to the latest > Mailscanner. I went to the logs on my other server that I updated 2 > days ago and they started occurring then as well. > > Both servers run CentOS3. > -- Check your Lock Type = For sendmail 8.12 or earlier it should be set to flock. For sendmail 8.13 it should be set to posix. Steve Stephen Swaney Fort Systems Ltd. 
stephen.swaney@fsl.com www.fsl.com From ajos1 at onion.demon.co.uk Wed Aug 9 22:43:51 2006 From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Wed Aug 9 22:44:02 2006 Subject: gOCR SpamAssassin plugin Message-ID: - Removing could be interesting... [root@www ~/servers]# !rp rpm -e spamassassin-3.1.3-1.fc5 error: Failed dependencies: spamassassin is needed by (installed) evolution-2.6.2-1.fc5.5.i386 I will most probably just leave it... as the Perl Inc path suggests that it will use site_perl first before vendor_perl ... -----Original Message----- From: MailScanner discussion mailscanner@lists.mailscanner.info Subj: Re: gOCR SpamAssassin plugin Date: Mon, 07 Aug 2006 20:19:15 +0100 Beware that you might have a spamassassin rpm installed as well, which you should ideally remove before installing my distribution. == ===================================================================== = = When Ms Jowell, whose department is responsible for sport, was = asked who she thought was going to win the cup, she gleefully = pointed towards her ministerial vehicle, which is now bedecked in = flags, to declare: "There's only one England." = = Need help dealing with Parking Tickets, Bailiffs, Capita or NTL... = Call... 
+44 8457 90 90 90 http://www.samaritans.org/ = ===================================================================== From wintermutecx at gmail.com Wed Aug 9 22:55:47 2006 From: wintermutecx at gmail.com (Dave) Date: Wed Aug 9 22:55:55 2006 Subject: Duplicate messages/Unlinking failed In-Reply-To: <000001c6bbfb$5d381620$287ba8c0@office.fsl> References: <000001c6bbfb$5d381620$287ba8c0@office.fsl> Message-ID: On 8/9/06, Stephen Swaney wrote: > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Dave > > Sent: Wednesday, August 09, 2006 5:19 PM > > To: MailScanner discussion > > Subject: Re: Duplicate messages/Unlinking failed > > > > I noticed these messages today after I upgraded to the latest > > Mailscanner. I went to the logs on my other server that I updated 2 > > days ago and they started occurring then as well. > > > > Both servers run CentOS3. > > -- > > Check your > > Lock Type = > > For sendmail 8.12 or earlier it should be set to flock. For sendmail 8.13 it > should be set to posix. > Looks like the default is set to posix if left blank after looking in the logs. I set it to flock instead of blank. Thanks :). From steve.swaney at fsl.com Wed Aug 9 23:01:26 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Wed Aug 9 23:01:29 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: Message-ID: <003c01c6bbff$5c8013f0$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of ajos1@onion.demon.co.uk > Sent: Wednesday, August 09, 2006 10:44 PM > To: mailscanner@lists.mailscanner.info > Subject: Re: gOCR SpamAssassin plugin > > - > > Removing could be interesting... 
> > [root@www ~/servers]# !rp > rpm -e spamassassin-3.1.3-1.fc5 > error: Failed dependencies: > spamassassin is needed by (installed) evolution-2.6.2-1.fc5.5.i386 > > > I will most probably just leave it... as the Perl Inc path suggests that > it will use site_perl first before vendor_perl ... > > rpm --nodeps spamassassin Is probably a better idea :) Also I find thunderbird more to my liking :) Hope this helps Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From robert.isaac at volvoclub.org.uk Wed Aug 9 23:11:46 2006 From: robert.isaac at volvoclub.org.uk (Robert Isaac) Date: Wed Aug 9 23:11:50 2006 Subject: Installation issue Message-ID: <000101c6bc00$ce3a0a90$0300a8c0@250N> During installation of MailScanner 4.55 on my ProLiant DL360 G3 with RHESL-4, Sendmail 8.13.1, Perl 5.8.5 I got this: *** You are using a perl configured with threading enabled. *** You should be aware that using multiple threads is *** not recommended for production environments. What does this mean please, is there a problem? Bob ___________________________________________________ Robert Isaac Director/Web Admin www.volvoclub.org.uk Please include all previous text with reply All messages are scanned with an antivirus scanner. From sandrews at andrewscompanies.com Wed Aug 9 23:33:40 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Wed Aug 9 23:33:43 2006 Subject: Hylafax on a MailScanner pc Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1AEC@winchester.andrewscompanies.com> Ahem...all faxes are junk faxes. It's the 21st century for christ's sake. 
-----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: Wednesday, August 09, 2006 2:18 PM To: mailscanner@lists.mailscanner.info Subject: Re: Hylafax on a MailScanner pc Ken A spake the following on 8/8/2006 10:22 AM: > > > sandrews@andrewscompanies.com wrote: >> Does anyone have an opinion on installing hylafax on a lightly loaded >> mailscanner pc? Normally, I'd toss another machine in for such a >> different application, but this customer is experiencing server >> "sprawl". >> >> Any thoughts? > > So, you want MailScanner to fax high scoring spam? :-) Hylafax is > pretty stable stuff. There shouldn't be any problems as long as you > set your iptables rules to protect Hylafax's ports from the Internet. Sounds like a new application ... FaxScanner .. Stops your junk faxes cold! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From roman at rotmax.com Thu Aug 10 00:46:17 2006 From: roman at rotmax.com (Roman) Date: Wed Aug 9 23:46:11 2006 Subject: Multiple mqueue.in directories with priority Message-ID: <05b001c6bc0e$0b785f80$0500000a@blessin> I am trying to figure out how can I set up MailScanner & sendmail this way that I'll be able to have 2 separated mqueue.in directories. I have one email account through which I send news letters (20-40k emails) and other emails that I use for regular emails. The problem is when the newsletter being send out it fills mqueue.in and mail can not be delivered before MailScanner scans all 20-40k emails. 
I saw posts here that people were able to configure different outgoing queues (fast, slow), but I think that the bottleneck is SPAM and Virus scanning in Mailscanner. So I want to separate queues before it gets to MailScanner processing. What I would like to achieve is to have a mqueue.in.normal and mqueue.in.slow so that regular mail goes to mqueue.in.normal and newsletter mail will go to mqueue.in.slow and have some mechanism to move messages from mqueue.in.normal and mqueue.in.slow to MailScanner mqueue.in for processing and delivery, or have MailScanner process both directories with some priority. This way regular mail won't stack in mqueue.in waiting to be delivered only after all newsletters have been delivered. Has anyone been able to achieve something similar to what I am trying to achieve? Am I missing something? Any ideas? Roman From lshaw at emitinc.com Thu Aug 10 00:17:46 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Thu Aug 10 00:18:00 2006 Subject: Multiple mqueue.in directories with priority In-Reply-To: <05b001c6bc0e$0b785f80$0500000a@blessin> References: <05b001c6bc0e$0b785f80$0500000a@blessin> Message-ID: On Thu, 10 Aug 2006, Roman wrote: > The problem is when the newsletter being send out it fills mqueue.in > and mail can not be delivered before MailScanner scans all 20-40k emails. > Any ideas ? Can you somehow whitelist the newsletter? It sounds like it's being sent from your site out to the rest of the world, so you should be able to trust that it isn't spam, at least. It wouldn't achieve the aim of truly making it lower priority, but it should pass through MailScanner quite quickly if it's whitelisted so that it doesn't have to be scanned at all. Just an idea, though. 
It might or might not be appropriate depending on whether you want or need to scan the outgoing newsletter for viruses. (It might be one of those things where the chances of the newsletter containing a virus might be low, but the impact if it does have one is very high in terms of embarrassment, so maybe you do want to scan it...) Otherwise, if you really want lower priorities for the newsletter, the most obvious thing is to choose an additional port for incoming SMTP and have the newsletter sent to that port. Then you can have basically these four queue dirs with a corresponding instance of sendmail for each: /var/spool/mqueue.in /var/spool/mqueue /var/spool/mqueue.in.low-priority /var/spool/mqueue.low-priority And you'd have two instances of MailScanner, one moving messages from /var/spool/mqueue.in to /var/spool/mqueue and the other moving messages from /var/spool/mqueue.in.low-priority to /var/spool/mqueue.low-priority. You can, obviously, set the MailScanner that runs for the low-priority queue to have fewer children, which will in a sense reduce its priority. But if the objective is just to have regular mail still responsive and operational while the newsletter is delivered, putting them in separate queues should be enough, even if equal resources are devoted to both queues. - Logan From Jamesp at MusicReports.com Thu Aug 10 00:56:59 2006 From: Jamesp at MusicReports.com (James D. Parra) Date: Thu Aug 10 00:57:04 2006 Subject: quarantine attachments & Dangerous content Message-ID: <531F1E080638384C9623B00D71AA546D09F228@exchange.musicreports.com> Hello, In my past installs of mailscanner, attachments considered 'suspect' for any various reason were put into quarantine for later retrieval. In the most recent install I made, these items are instead being deleted from the e-mail message with a note in the e-mail stating that attachment was removed. 
For example; The content filters found this: MailScanner: Message contained password-protected archive Where in the MailScanner.conf can I specify to have suspect attachments stored or quarantined and *not* deleted. If it is not in the mailscanner.conf file is the setting in another config file? Many thanks, James From Jamesp at MusicReports.com Thu Aug 10 01:24:27 2006 From: Jamesp at MusicReports.com (James D. Parra) Date: Thu Aug 10 01:24:31 2006 Subject: quarantine password-protected files Message-ID: <531F1E080638384C9623B00D71AA546D09F229@exchange.musicreports.com> >I have been just storing all messages for a short period of time. Then you can >release anything you need to, and you can set up the system to kill after a >set number of days. Mailwatch makes this even easier. Hello Scott, How do you set this up if you're not using mailwatch? Thank you, ~James From brent.addis at pronet.co.nz Thu Aug 10 01:55:46 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Thu Aug 10 01:56:33 2006 Subject: missing queue files? In-Reply-To: <44D7C597.5090201@pronet.co.nz> References: <44D7BE04.60606@pronet.co.nz> <44D7C597.5090201@pronet.co.nz> Message-ID: <44DA8412.7070001@pronet.co.nz> Has anyone seen this before, at all? I'm still seeing missing spool files, exim is set to use posix. Thanks! Brent Addis wrote: > Brent Addis wrote: >> Hi. >> >> I have just migrated to a new machine (was exim 4.50, >> MailScanner-4.43.8) which has been humming along quite nicely for a >> long time. >> >> I am now running exim 4.62 along with Mailscanner-4.55.9. >> >> We are currently seeing occasional messages hitting mailscanner, >> being scanned, and only the Header file seemingly being inserted into >> the exim queue. 
>> >> EG: >> >> 2006-08-08 10:08:45 1GADGn-0004tk-Kq Spool file 1GADGn-0004tk-Kq-D >> not found >> >> envy:/var/log/exim4# ls -l /var/spool/exim4/input/ >> total 4 >> -rw------- 1 Debian-exim Debian-exim 1854 2006-08-08 10:08 >> 1GADGn-0004tk-Kq-H >> >> >> I had a similar problem when I upgraded to 4.50, however I didn't >> have much time to look into it, so downgraded back to the above. >> >> Has anyone else seen a similar issue? >> >> >> >> >> >> > Also: > > Aug 8 10:08:41 envy MailScanner[15218]: Virus and Content Scanning: > Starting > Aug 8 10:08:45 envy MailScanner[15218]: Uninfected: Delivered 1 messages > Aug 8 10:08:45 envy MailScanner[15218]: Logging message > 1GADGn-0004tk-Kq to SQL > Aug 8 10:08:45 envy MailScanner[15220]: 1GADGn-0004tk-Kq: Logged to > MailWatch SQL > > envy:/var/log# /opt/MailScanner/bin/MailScanner -v > Running on > Linux envy 2.6.15 #1 SMP Thu Jan 12 01:25:25 NZDT 2006 i686 GNU/Linux > This is Perl version 5.008004 (5.8.4) > > This is MailScanner version 4.55.9 > Module versions are: > 1.00 AnyDBM_File > 1.16 Archive::Zip > 1.02 Carp > 1.119 Convert::BinHex > 1.00 DirHandle > 1.05 Fcntl > 2.72 File::Basename > 2.07 File::Copy > 2.01 FileHandle > 1.06 File::Path > 0.16 File::Temp > 0.90 Filesys::Df > 1.35 HTML::Entities > 3.54 HTML::Parser > 2.37 HTML::TokeParser > 1.21 IO > 1.10 IO::File > 1.123 IO::Pipe > 1.71 Mail::Header > 3.05 MIME::Base64 > 5.420 MIME::Decoder > 5.420 MIME::Decoder::UU > 5.420 MIME::Head > 5.420 MIME::Parser > 3.03 MIME::QuotedPrint > 5.420 MIME::Tools > 0.10 Net::CIDR > 1.08 POSIX > 1.77 Socket > 1.2 Sys::Hostname::Long > 0.17 Sys::Syslog > 1.86 Time::HiRes > 1.02 Time::localtime > > Optional module versions are: > 0.17 Convert::TNEF > 1.808 DB_File > 1.11 DBD::SQLite > 1.50 DBI > 1.06 Digest > 1.01 Digest::HMAC > 2.33 Digest::MD5 > 2.10 Digest::SHA1 > 0.44 Inline > missing Mail::ClamAV > 3.001004 Mail::SpamAssassin > 1.997 Mail::SPF::Query > 0.15 Net::CIDR::Lite > 1.24 Net::IP > 0.48 Net::DNS > missing 
Net::LDAP > 1.94 Parse::RecDescent > missing SAVI > 2.40 Test::Harness > 0.62 Test::Simple > 1.95 Text::Balanced > 1.35 URI > > The issue seems to be very random, and I have as yet been unable to > replicate myself > > > > > > > > > > > From ugob at camo-route.com Thu Aug 10 02:11:26 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 10 02:11:43 2006 Subject: [solution] Re: won't write sendmail.in.pid In-Reply-To: References: <44C7DB0F.4070301@marcsnet.com> <44C8C8B8.2010504@marcsnet.com> <44C8E946.1070703@pacific.net> <44C93C9B.4060205@pacific.net> <1154041678.44c9474e6a31f@perdition.cnpapers.net> Message-ID: Ugo Bellavance wrote: > Steve Campbell wrote: >> Quoting Ken A : >> > >> Before you revert back to 8.13.6, try the RPMs at >> >> http://www.city-fan.org/ftp/contrib/mail/ >> >> They have worked for me and fixed a recent problem with the pid file, although, >> I'm not sure it's the same. He has FC5 RPMs for 8.13.7-4. They are pretty close >> to RH configurations (so far, I haven't had to change anything after upgrading >> from RH (Tao & CentOS) rpms). >> >> > > I used to use them myself, but the 8.13.7-4 doesn't contain the patch for > the pid file problem... At my request, Paul from city-fan.org built 8.13.7-5, including the 2 patches suggested on sendmail's web site. I'm testing it right now on some of my servers. Thanks Paul! Ugo From chrisgreen at hotmail.com Thu Aug 10 04:32:03 2006 From: chrisgreen at hotmail.com (Chris Green) Date: Thu Aug 10 04:32:09 2006 Subject: Installation issue In-Reply-To: <000101c6bc00$ce3a0a90$0300a8c0@250N> Message-ID: Robert Isaac wrote: >During installation of MailScanner 4.55 on my ProLiant DL360 G3 with >RHESL-4, Sendmail 8.13.1, Perl 5.8.5 I got this: > >*** You are using a perl configured with threading enabled. >*** You should be aware that using multiple threads is >*** not recommended for production environments. > >What does this mean please, is there a problem? 
> There is an in-depth article explaining threading here: http://www.xav.com/perl/lib/Pod/perlthrtut.html Essentially, threading is an experimental option that is switched on at compile-time. This means that if you are using an RPM distribution or equivalent you will not have the opportunity to choose whether to have threading enabled or not, the package author will have made that decision for you. Is there a problem? So far for me, No, but I'm sure someone else on this list might be able to enlighten us. My guess is that problems associated with threading are mainly due to logic errors in programs that use the threading feature, causing deadlocks and the like. Emphasis on the word 'guess' there.... Chris From ugob at camo-route.com Thu Aug 10 04:48:14 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 10 04:48:22 2006 Subject: Multiple mqueue.in directories with priority In-Reply-To: References: <05b001c6bc0e$0b785f80$0500000a@blessin> Message-ID: Logan Shaw wrote: > On Thu, 10 Aug 2006, Roman wrote: >> The problem is when the newsletter being send out it fills mqueue.in >> and mail can not be delivered before MailScanner scans all 20-40k emails. > >> Any ideas ? > > Can you somehow whitelist the newsletter? It sounds like > it's being sent from your site out to the rest of the world, > so you should be able to trust that it isn't spam, at least. Better than that, bypass spam scanning, using Spam Checks = or bypass all scanning altogether for the newsletter. From Jan-Peter.Koopmann at seceidos.de Thu Aug 10 08:12:30 2006 From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter) Date: Thu Aug 10 08:12:49 2006 Subject: SORBS found by MTA but not by SA? Message-ID: Hi, this morning I received a mail from 217.72.192.242 which is listed in SORBS. My MTA did detect this (on dnsbl.sorbs.net) but SA did not. No timeouts in maillog. Any ideas? 
Kind regards, JP From augustin.siaens at aquadev.org Thu Aug 10 09:27:13 2006 From: augustin.siaens at aquadev.org (Augustin Siaens) Date: Thu Aug 10 09:27:27 2006 Subject: log SpamAssassin Message-ID: <44DAEDE1.10102@aquadev.org> quick question, I often see this sentence in the logs "Aug 10 10:22:42 server1 MailScanner[24621]: Expired 4 records from the SpamAssassin cache" what does it mean exactly? thanks for the info -- Augustin Siaens AQUADEV Rue des Carmélites 151 Karmelietenstraat 1180 Bruxelles - Brussel Tel: +32 2 347 70 00 Fax: +32 2 347 00 36 -- This message has been checked by MailScanner for viruses and spam, and nothing suspicious was found. From support-lists at petdoctors.co.uk Thu Aug 10 09:36:59 2006 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Thu Aug 10 09:35:18 2006 Subject: Weird 'spam' In-Reply-To: <44D9E757.6030706@nkpanama.com> Message-ID: <011d01c6bc58$256381a0$1465a8c0@support01> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans Sent: Wednesday, August 09, 2006 2:47 PM To: MailScanner discussion Subject: Re: Weird 'spam' Kai Schaetzl wrote: > Nigel Kendrick wrote on Wed, 9 Aug 2006 12:18:03 +0100: > This is probably only the tip of the iceberg. That is what *you* get. > They are trying to check out if your script can be abused. And since > you are getting these so regularly it's possible that the trying phase is already over ... > Check your outgoing mail queue. ... and fix your form/server/whatever before you get blacklisted! :-) Thanks to everyone for all the feedback. 
The contact form is from Joomla and the destination address is fixed and obscured from the sender so I am confident that mail cannot be sent anywhere else other than the address listed for the contact. Nigel From maillists at conactive.com Thu Aug 10 11:31:18 2006 From: maillists at conactive.com (Kai Schaetzl) Date: Thu Aug 10 11:31:24 2006 Subject: log SpamAssassin In-Reply-To: <44DAEDE1.10102@aquadev.org> References: <44DAEDE1.10102@aquadev.org> Message-ID: Augustin Siaens wrote on Thu, 10 Aug 2006 10:27:13 +0200: > what does it mean exactly? MS stores SA check results in a cache so results can be reused in case the same message drops in again. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From dhawal at netmagicsolutions.com Thu Aug 10 11:34:01 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Aug 10 11:34:16 2006 Subject: SORBS found by MTA but not by SA? In-Reply-To: References: Message-ID: <44DB0B99.10204@netmagicsolutions.com> Koopmann, Jan-Peter wrote: > Hi, > > this morning I received a mail from 217.72.192.242 which is listed in SORBS. My MTA did detect this (on dnsbl.sorbs.net) but SA did not. No timeouts in maillog. Any ideas? > > Kind regards, > JP Broken trusted_networks? Can you post some more details on your trusted networks setting? - dhawal From dhawal at netmagicsolutions.com Thu Aug 10 11:37:40 2006 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Aug 10 11:37:45 2006 Subject: Installation issue In-Reply-To: References: Message-ID: <44DB0C74.2060004@netmagicsolutions.com> Chris Green wrote: > Robert Isaac wrote: >> During installation of MailScanner 4.55 on my ProLiant DL360 G3 with >> RHESL-4, Sendmail 8.13.1, Perl 5.8.5 I got this: >> >> *** You are using a perl configured with threading enabled. >> *** You should be aware that using multiple threads is >> *** not recommended for production environments. 
>> >> What does this mean please, is there a problem? If you notice closely.. this error occurs specifically while building the DBI rpm.. How it affects your setup / performance can be read on the below URL (as posted by Chris). - dhawal > There is an in-depth article explaining threading here: > > http://www.xav.com/perl/lib/Pod/perlthrtut.html > > Essentially, threading is an experimental option that is switched on at > compile-time. This means that if you are using an RPM distribution or > equivalent you will not have the opportunity to choose whether to have > threading enabled or not, the package author will have made that > decision for you. > > Is there a problem? So far for me, No, but I'm sure someone else on this > list might be able to enlighten us. My guess is that problems associated > with threading are mainly due to logic errors in programs that use the > threading feature, causing deadlocks and the like. Emphasis on the word > 'guess' there.... > > Chris From alex at nkpanama.com Thu Aug 10 14:51:54 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Aug 10 14:52:15 2006 Subject: Weird 'spam' In-Reply-To: <011d01c6bc58$256381a0$1465a8c0@support01> References: <011d01c6bc58$256381a0$1465a8c0@support01> Message-ID: <44DB39FA.6040004@nkpanama.com> Nigel Kendrick wrote: > Thanks to everyone for all the feedback. The contact form is from Joomla and > the destination address is fixed and obscured from the sender so I am > confident that mail cannot be sent anywhere else other than the address > listed for the contact. > > Nigel > That isn't necessarily so. 
http://www.securephpwiki.com/index.php/Email_Injection From alex at nkpanama.com Thu Aug 10 14:56:16 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Aug 10 14:56:37 2006 Subject: Tips on how to use ruleset for 'Spam Lists To Be Spam' In-Reply-To: References: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com> Message-ID: <44DB3B00.90204@nkpanama.com> Kai Schaetzl wrote: >> #Spam Lists To Be Spam = /etc/MailScanner/spam.lists.count And, to my knowledge, rulesets should end with ".rules", right? From mailscanner at yeticomputers.com Thu Aug 10 15:40:43 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Aug 10 15:40:56 2006 Subject: quarantine attachments & Dangerous content In-Reply-To: <531F1E080638384C9623B00D71AA546D09F228@exchange.musicreports.com> References: <531F1E080638384C9623B00D71AA546D09F228@exchange.musicreports.com> Message-ID: <44DB456B.5060002@yeticomputers.com> Perhaps password-protected zip files are identified as silent viruses? The settings to look at are: # Do you want to store copies of the infected attachments and messages? # This can also be the filename of a ruleset. Quarantine Infections = yes # There is no point quarantining most viruses these days as the infected # messages contain no useful content, so if you set this to "no" then no # infections listed in your "Silent Viruses" setting will be quarantined, # even if you have chosen to quarantine infections in general. This is # currently set to "yes" so the behaviour is the same as it was in # previous versions. # This can also be the filename of a ruleset. Quarantine Silent Viruses = no With these settings, if password-protected files are recognized as silent viruses they will not be stored. This section handles what is treated as a silent virus: # Strings listed here will be searched for in the output of the virus scanners. # It is used to list which viruses should be handled differently from other # viruses. 
If a virus name is given here, then # 1) The sender will not be warned that he sent it # 2) No attempt at true disinfection will take place # (but it will still be "cleaned" by removing the nasty attachments # from the message) # 3) The recipient will not receive the message, # unless the "Still Deliver Silent Viruses" option is set # Other words that can be put in this list are the 5 special keywords # HTML-IFrame : inserting this will stop senders being warned about # HTML Iframe tags, when they are not allowed. # HTML-Codebase : inserting this will stop senders being warned about # HTML Object Codebase/Data tags, when they are not allowed. # HTML-Script : inserting this will stop senders being warned about # HTML Script tags, when they are not allowed. # HTML-Form : inserting this will stop senders being warned about # HTML Form tags, when they are not allowed. # Zip-Password : inserting this will stop senders being warned about # password-protected zip files, when they are not allowed. # This keyword is not needed if you include All-Viruses. # All-Viruses : inserting this will stop senders being warned about # any virus, while still allowing you to warn senders # about HTML-based attacks. This includes Zip-Password # so you don't need to include both. # # The default of "All-Viruses" means that no senders of viruses will be # notified (as the sender address is always forged these days anyway), # but anyone who sends a message that is blocked for other reasons will # still be notified. # # This can also be the filename of a ruleset. Silent Viruses = HTML-IFrame All-Viruses Hope this helps. Rick James D. Parra wrote: > Hello, > > In my past installs of mailscanner, attachments considered 'suspect' for any > various reason were put into quarantine for later retrieval. In the most > recent install I made, these items are instead being deleted from the e-mail > message with a note in the e-mail stating that attachment was removed. 
For > example; > > The content filters found this: > MailScanner: Message contained password-protected archive > > Where in the MailScanner.conf can I specify to have suspect attachments > stored or quarantined and *not* deleted. If it is not in the > mailscanner.conf file is the setting in another config file? > > Many thanks, > > James > From HancockS at morganco.com Thu Aug 10 15:43:49 2006 From: HancockS at morganco.com (Hancock, Scott) Date: Thu Aug 10 15:44:29 2006 Subject: SA timeout help. Message-ID: <7A6F9F7356141C42987075747C5B87D30310BA0D@wmail.int.morganco.com> I've been looking for a SA timeout issue for several days. Is the numbering supposed to start at 0 and not 1? From the mail log Aug 10 10:39:38 pebbles MailScanner[31668]: SpamAssassin timed out and was killed, failure 0 of 20 Aug 10 10:39:39 pebbles MailScanner[31668]: Message 1GBBdG-0002OT-Sq from 209.200.5.12 (3-5968161-morganco.com?narainv@intqw.turnedtheold22.com) to morganco.com is not spam, SpamAssassin (timed out) I did find several problems but now when I run check_mailscanner and scan the output, I notice only two issues. The first is check_mailscanner can take over a minute to get past the line [24665] dbg: bayes: expiry max exponent: 9 in the following. [24665] dbg: bayes: expiry starting [24665] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock [24665] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock [24665] dbg: bayes: DB expiry: tokens in DB: 16432117, Expiry max size: 150000, Oldest atime: 1116109310, Newest atime: 1155039924, Last expire: 1116253906, Current time: 1155044021 [24665] dbg: bayes: expiry check keep size, 0.75 * max: 112500 [24665] dbg: bayes: token count: 16432117, final goal reduction size: 16319617 [24665] dbg: bayes: first pass? 
current: 1155044021, Last: 1116253906, atime: 144604, count: 36214, newdelta: 320, ratio: 450.643867012757, period: 43200 [24665] dbg: bayes: can't use estimation method for expiry, unexpected result, calculating optimal atime delta (first pass) [24665] dbg: bayes: expiry max exponent: 9 [25485] dbg: message: ---- MIME PARSER START ---- [25485] dbg: message: main message type: multipart/mixed [25485] dbg: message: parsing multipart, got boundary: ----=_NextPart_001_0000_01C6BAFD.3D6884F0 [25485] dbg: message: found part of type text/plain, boundary: ----=_NextPart_001_0000_01C6BAFD.3D6884F0 [25485] dbg: message: parsing normal part [25485] dbg: message: added part, type: text/plain [25485] dbg: message: ---- MIME PARSER END ---- The second problem is a permissions problem in the Bayes folder. The journal file is owned by root and the rest of the files are owned by mail. The mail process does not run as root. At other points in the check_mailscanner output, Bayes entries are entered successfully. check_mailscanner output does not pause at all when the permissions error appears. 
See line [29627] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock bayes: bad permissions on journal, can't read: /var/lib/MailScanner/bayes_journal below [29627] dbg: bayes: opportunistic call found expiry due [29627] dbg: bayes: bayes journal sync starting [29627] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock [29627] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock bayes: bad permissions on journal, can't read: /var/lib/MailScanner/bayes_journal [29627] dbg: bayes: bayes journal sync completed [29627] dbg: bayes: expiry starting [29627] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock [29627] dbg: locker: refresh_lock: refresh /var/lib/MailScanner/bayes.lock [29627] dbg: bayes: DB expiry: tokens in DB: 16432241, Expiry max size: 150000, Oldest atime: 1116109310, Newest atime: 1155211501, Last expire: 1116253906, Current time: 1155218450 [29627] dbg: bayes: expiry check keep size, 0.75 * max: 112500 [29627] dbg: bayes: token count: 16432241, final goal reduction size: 16319741 [29627] dbg: bayes: first pass? current: 1155218450, Last: 1116253906, atime: 144604, count: 36214, newdelta: 320, ratio: 450.647291102888, period: 43200 [29627] dbg: bayes: can't use estimation method for expiry, unexpected result, calculating optimal atime delta (first pass) [29627] dbg: bayes: expiry max exponent: 9 Could either of these issues result in SA timeouts? Any fix suggestions? Should this post be on the SA list? I have the same problem on two mailscanners. One is running the latest MS version from the tar package in /opt. The other is running the latest Debian package. FWIW, I made an honest attempt at understanding the Debian packaging system to make my own Debian package. Running from /opt was much more simple. Thanks for any help or pointers. 
Scott From mailscanner at yeticomputers.com Thu Aug 10 15:58:33 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Aug 10 15:58:44 2006 Subject: quarantine attachments & Dangerous content In-Reply-To: <531F1E080638384C9623B00D71AA546D09F228@exchange.musicreports.com> References: <531F1E080638384C9623B00D71AA546D09F228@exchange.musicreports.com> Message-ID: <44DB4999.90303@yeticomputers.com> James D. Parra wrote: > Hello, > > In my past installs of mailscanner, attachments considered 'suspect' for any > various reason were put into quarantine for later retrieval. In the most > recent install I made, these items are instead being deleted from the e-mail > message with a note in the e-mail stating that attachment was removed. For > example; > > The content filters found this: > MailScanner: Message contained password-protected archive > > Where in the MailScanner.conf can I specify to have suspect attachments > stored or quarantined and *not* deleted. If it is not in the > mailscanner.conf file is the setting in another config file? > > Many thanks, > > James > Also: # Strings listed here will be searched for in the output of the virus scanners. # It works to achieve the opposite effect of the "Silent Viruses" listed above. # If a string here is found in the output of the virus scanners, then the # message will be treated as if it were not infected with a "Silent Virus". # If a message is detected as both a silent virus and a non-forging virus, # then the ___non-forging status will override the silent status.___ # In simple terms, you should list virus names (or parts of them) that you # know do *not* forge the From address. # A good example of this is a document macro virus or a Joke program. # Another word that can be put in this list is the special keyword # Zip-Password : inserting this will cause senders to be warned about # password-protected zip files, when they are not allowed. 
# This will over-ride the All-Viruses setting in the list # of "Silent Viruses" above. # Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar

From ugob at camo-route.com Thu Aug 10 15:58:36 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 10 15:59:36 2006 Subject: Sendmail 8.13.8 is out Message-ID:
http://www.sendmail.org/releases/8.13.8.html

From mkettler at evi-inc.com Thu Aug 10 16:44:43 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Aug 10 16:44:57 2006 Subject: SORBS found by MTA but not by SA? In-Reply-To: References: Message-ID: <44DB546B.90603@evi-inc.com>
Koopmann, Jan-Peter wrote: > Hi, > > this morning I received a mail from 217.72.192.242 which is listed in SORBS. My MTA did detect this (on dnsbl.sorbs.net) but SA did not. No timeouts in maillog. Any ideas?
What's your trusted_networks set to? If you don't have one, my guess is that SA is mis-judging where your network boundaries are. This is VERY common, particularly if your mailserver is behind a static-NAT or otherwise has a reserved IP address. By default, SA will guess at trusted_networks, and copy that to internal_networks. Any host in internal_networks is immune to RBL checks. See http://wiki.apache.org/spamassassin/TrustPath

From Kevin_Miller at ci.juneau.ak.us Thu Aug 10 19:32:00 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Aug 10 19:32:05 2006 Subject: URIBL_BLACK/GREY lists Message-ID:
Just updated a slightly older version of MS and noticed in spam.assassin.prefs.conf that Julian added a bunch of URIBL_BLACK/GREY lists but they're all commented out. Any reason not to use them? Is there any further stuff that needs to happen to use them? I.e., URIBL plugins in SA or the like? If so, are they installed with the SA/Clam package? Thanks... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Jamesp at MusicReports.com Thu Aug 10 19:48:04 2006 From: Jamesp at MusicReports.com (James D. Parra) Date: Thu Aug 10 19:48:09 2006 Subject: quarantine attachments & Dangerous content Message-ID: <531F1E080638384C9623B00D71AA546D09F232@exchange.musicreports.com> > In my past installs of mailscanner, attachments considered 'suspect' for any > various reason were put into quarantine for later retrieval. In the most > recent install I made, these items are instead being deleted from the e-mail > message with a note in the e-mail stating that attachment was removed. For > example; > > The content filters found this: > MailScanner: Message contained password-protected archive > > Where in the MailScanner.conf can I specify to have suspect attachments > stored or quarantined and *not* deleted. If it is not in the > mailscanner.conf file is the setting in another config file? Hello Rick, Thank you for your response. I made the following changes. I'll post the results when the suspect mail is resent. >Quarantine Infections = yes Already set. >Quarantine Silent Viruses = no Also preset. >Silent Viruses = HTML-IFrame All-Viruses Changed this by removing All-Viruses & Zip-Password, but left all the HTML info. Thank you, ~James From mailscanner at yeticomputers.com Thu Aug 10 20:13:54 2006 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Aug 10 20:14:08 2006 Subject: quarantine attachments & Dangerous content In-Reply-To: <531F1E080638384C9623B00D71AA546D09F232@exchange.musicreports.com> References: <531F1E080638384C9623B00D71AA546D09F232@exchange.musicreports.com> Message-ID: <44DB8572.8030300@yeticomputers.com> James D. Parra wrote: >> In my past installs of mailscanner, attachments considered 'suspect' for >> > any > >> various reason were put into quarantine for later retrieval. 
In the most >> recent install I made, these items are instead being deleted from the >> > e-mail > >> message with a note in the e-mail stating that attachment was removed. For >> example; >> >> The content filters found this: >> MailScanner: Message contained password-protected archive >> >> Where in the MailScanner.conf can I specify to have suspect attachments >> stored or quarantined and *not* deleted. If it is not in the >> mailscanner.conf file is the setting in another config file? >> > > Hello Rick, > > Thank you for your response. I made the following changes. I'll post the > results when the suspect mail is resent. > > >> Quarantine Infections = yes >> > > Already set. > > >> Quarantine Silent Viruses = no >> > > Also preset. > > >> Silent Viruses = HTML-IFrame All-Viruses >> > > Changed this by removing All-Viruses & Zip-Password, but left all the HTML > info. > > Thank you, > > ~James

If I understand what you're trying to do, a better combination would be:

Quarantine Infections = yes
Quarantine Silent Viruses = yes
Silent Viruses = HTML-IFrame All-Viruses

My first post was just a cut/paste out of my own MailScanner.conf. I don't want password-protected zips quarantined. If you do, the above should do it for you. The changes you made will cause MailScanner to generate a lot of bogus virus warnings, and that's not something you want to do. At least it's not something I want you to do - not while following my advice. :)

Don't forget that you can also use "Allow Password-Protected Archives = yes" if you just want to pass the things through. That has its own set of risks, though. Read through the comments for these options in the MailScanner.conf file - they're quite good, I think.
Rick From mailscanner at ecs.soton.ac.uk Thu Aug 10 20:55:46 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 20:55:55 2006 Subject: ALLOW FILETYPES in MailScanner.conf In-Reply-To: References: Message-ID: <44DB8F42.5090003@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Miller wrote: > I updated my MS to take advantage of the new Allow Filenames & Allow > Filetypes functions and notice that the comments documenting filetypes > seems to be a copy and paste of Allow Filenames with minor editing. I'm > a bit confused by one thing; in the example it shows this for filetypes: > > # Allow Filetypes = \.txt$ \.pdf$ > # Deny Filetypes = \.com$ \.exe$ \.cpl$ \.pif$ > > Shouldn't that rather be: > > # Allow Filetypes = text postscript > > and the like? Yes it should. Well spotted. > > Looking in the filetype.rules.conf I don't see any extensions - just > things like text, postscript, MPEG, etc. > > Am I out to lunch? Not at all. For a beer, maybe, for not to lunch. > > What I'm doing is setting up a particular user to be able to send my > users .mp3 files, so I have the following files set up: > > %etc-dir%/allow.filenames.rules > From: joe.blow@somedomain.com \.mp3$ > > %etc-dir%/allow.filetypes.rules > From: joe.blow@somedomain.com MPEG > > Is that correct, or do I really need \.mp3$ in both the filename and > filetype rule files? No, you've got it absolutely correct. > > S'later... > > ...Kevin - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! 
-----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE249FEfZZRxQVtlQRAkbxAKCrag3nx9PE6Pbn+TKPOEkAq7Ci4QCeJr28 /TSkTFF3kmV5JJSHJHEFEfA= =6cWp -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mailscanner at ecs.soton.ac.uk Thu Aug 10 20:57:56 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 20:58:05 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: References: <44D77C7E.5010703@ecs.soton.ac.uk> Message-ID: <44DB8FC4.8080302@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote: > Julian Field spake the following on 8/7/2006 10:46 AM: >> The author of the Sys::Syslog perl module has withdrawn it due to >> problems including compatibility issues with some Linux distributions. >> The most obvious effect is that the "make test" step may hang part-way >> through the tests. >> >> As a result, I have had no alternative other than to reluctantly publish >> a revision of the latest stable release of MailScanner. >> >> If you had problems installing 4.55.9 (notably on some CentOS systems) >> then download and upgrade to 4.55.10. >> >> Download as usual from www.mailscanner.info >> >> Note that if you had no problems installing 4.55.9, there is no reason >> to upgrade to 4.55.10. >> >> Sorry for this forced re-release. >> > Does anything change in MailScanner, or is it just the rollback of the > Sys::Syslog module? What I ended up doing in the end was shipping a version of Sys-Syslog 0.17 that skips the "make test" stage, which can lock-up. 0.16 doesn't work at all on some systems, and 0.17 "make test" locks up on other systems. 
I wish the author of this could get his act together and produce some code which worked, it would make my life a whole lot easier :-( - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE24/GEfZZRxQVtlQRAo+xAJ9NFFUjvAuEbAibLopFJX3/uINKpACdEXpP ziRDRg3IIA2qm93Lk5H8HSg= =2+/Z -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mailscanner at ecs.soton.ac.uk Thu Aug 10 20:59:22 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 20:59:30 2006 Subject: Tips on how to use ruleset for 'Spam Lists To Be Spam' In-Reply-To: References: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com> Message-ID: <44DB901A.5050301@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Don't use more than 2 or maybe 3 lists in the "Spam List" setting, it will grind your system to a crawl with serial DNS lookups. Kai Schaetzl wrote: > Dnsadmin 1bigthink.com wrote on Tue, 08 Aug 2006 10:43:59 -0400: > >> They are good, long-used and trusted BLs. >> >> Spam List = SBL+XBL SPEWS ORDB-RBL spamcop.net spamhaus.org >> spamhaus-XBL SORBS-S >> PAM SORBS-ZOMBIE SORBS-HTTP DSBL SORBS-DNSBL SORBS-SMTP SORBS-WEB >> SORBS-BLOCK NJ >> ABL > > long-trusted, reliable? And you use Spews? That's a contradiction. Also, > it seems to me that you are duplicating RBLs. Inform yourself what these > lists actually contain. You'll see that some of them are already part of > others you use. 
Also, honestly, using umpteen lists doesn't give you any > advantage over a few *really* carefully chosen ones. They are just > duplicating their results. You gain something like 1% more accuracy with > 5fold more ressource usage. > >> How can I set up a ruleset like this for individual users or >> individual domains? >> #Spam Lists To Be Spam = /etc/MailScanner/spam.lists.count > > I don't see how this would help you much. Why don't you whitelist those > users? You apparently know them, so ... Or just whitelist those servers, > I'm not aware that they are a source for much spam, they don't appear in > my logs. > > > Kai > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE25AcEfZZRxQVtlQRAhAHAJ0UfM/xTUPZ3igUCv3XhZv3XmvpQACfQJb3 K3t3PT5xrW3FWFFcFUJy5XA= =xT+t -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mailscanner at ecs.soton.ac.uk Thu Aug 10 21:02:33 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 21:02:42 2006 Subject: quarantine password-protected files In-Reply-To: <531F1E080638384C9623B00D71AA546D09F21D@exchange.musicreports.com> References: <531F1E080638384C9623B00D71AA546D09F21D@exchange.musicreports.com> Message-ID: <44DB90D9.6040804@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 James D. Parra wrote: >> I want to quarantine password-protected file attachments, actually, any > file >> attachments that MailScanner determines as suspicious. 
After looking > through >> mailscanner.conf I found; >> >> >> # Reports and Responses >> # --------------------- >> # >> >> # Do you want to store copies of the infected attachments and messages? >> # This can also be the filename of a ruleset. >> Quarantine Infections = yes >> >> >> However, an attachment was deleted and not stored in >> /var/spool/MailScanner/quaratine/, according the text message; >> >> This is a message from MailScanner E-Mail Virus Protection Service >> ---------------------------------------------------------------------- >> The original e-mail message contained potentially dangerous content, >> which has been removed for your safety. >> >> The content is dangerous as it is often used to spread viruses or to gain >> personal or confidential information from you, such as passwords or credit >> card numbers. >> >> Due to limitations placed on us by the Regulation of Investigatory Powers >> Act 2000, we were unable to keep a copy of the original attachment. >> >> The content filters found this: >> MailScanner: Message contained password-protected archive >> ~~~ >> >> Where in the conf can I fix this? > >> I have been just storing all messages for a short period of time. Then you > can >> release anything you need to, and you can set up the system to kill after a >> set number of days. Mailwatch makes this even easier. > > I don't mind just storing/quarantine the attachments for retrieval later. > Right now it is deleting the attachments and I don't want that. Where in the > MailScanner.conf can I fix this? > ~~~ > > I found this on the web (its from an older mailscanner.conf file) attempting > to figure out how to stop mail scanner from deleting attachments; Not from one that ever worked. > > # Set what to do with infected attachments or messages. > # keep ==> Store under the "Quarantine Dir" > # delete ==> Just delete them > #Action = delete > Action = keep The configuration setting "Action" does not and has never existed. 
Furthermore a "Spam Actions" keyword "keep" does not and has never existed. Try Spam Actions = store > > I don't see such an option in the mailscanner.conf I have. If I were to > insert this in to the conf, would it work? > > Many thanks in advance, > > ~James - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE25DbEfZZRxQVtlQRAqx3AJ9dFV0YCnDXlBGV/1Des27WINbcAACgyQZW Jpi/Bbne7GNVDcKos/r7Ttc= =UJWt -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From Kevin_Miller at ci.juneau.ak.us Thu Aug 10 21:04:09 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Aug 10 21:04:13 2006 Subject: ALLOW FILETYPES in MailScanner.conf In-Reply-To: <44DB8F42.5090003@ecs.soton.ac.uk> Message-ID: Julian Field wrote: >> What I'm doing is setting up a particular user to be able to send my >> users .mp3 files, so I have the following files set up: >> >> %etc-dir%/allow.filenames.rules >> From: joe.blow@somedomain.com \.mp3$ >> >> %etc-dir%/allow.filetypes.rules >> From: joe.blow@somedomain.com MPEG >> >> Is that correct, or do I really need \.mp3$ in both the filename and >> filetype rule files? > > No, you've got it absolutely correct. Almost absolutely correct. Instead of %etc-dir% I meant to say %etc-dir%/rules/ but even better is %rules-dir%. Seems to be working a treat - nice feature Julian... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From daniel.maher at ubisoft.com Thu Aug 10 21:42:24 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Aug 10 21:42:28 2006 Subject: gOCR SpamAssassin plugin Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> I've noticed that a lot of the image spam uses bitmap (.bmp) images. Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well? -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: > Blacknight.ie > Sent: August 7, 2006 9:53 AM > To: MailScanner discussion > Subject: Re: gOCR SpamAssassin plugin > > The one that Dallas posted on the SA users group seems to work well: > > http://www.rulesemporium.com/plugins.htm#imageinfo > > -- > Mr Michele Neylon > Blacknight Solutions > Quality Business Hosting & Colocation > http://www.blacknight.ie/ > Tel. 1850 927 280 > Intl. +353 (0) 59 9183072 > Direct Dial: +353 (0)59 9183090 > Fax. +353 (0) 59 9164239 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From jrudd at ucsc.edu Thu Aug 10 21:47:54 2006 From: jrudd at ucsc.edu (John Rudd) Date: Thu Aug 10 21:48:27 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> Message-ID: <326f147caa00180007a54679f18bed44@ucsc.edu> The who is developing it is still taking feature suggestions and bug reports over on the SA users list. You could always request it over there. On Aug 10, 2006, at 1:42 PM, Daniel Maher wrote: > I've noticed that a lot of the image spam uses bitmap (.bmp) images. > Unfortunately, that SARE plugin appears to handle gif, png, and jpg > images only. Does anybody know of a plugin that will recognise bmp's > as well? > > -- > _ > ?v? Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > Sentio aliquos togatos contra me conspirare. >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: >> Blacknight.ie >> Sent: August 7, 2006 9:53 AM >> To: MailScanner discussion >> Subject: Re: gOCR SpamAssassin plugin >> >> The one that Dallas posted on the SA users group seems to work well: >> >> http://www.rulesemporium.com/plugins.htm#imageinfo >> >> -- >> Mr Michele Neylon >> Blacknight Solutions >> Quality Business Hosting & Colocation >> http://www.blacknight.ie/ >> Tel. 1850 927 280 >> Intl. +353 (0) 59 9183072 >> Direct Dial: +353 (0)59 9183090 >> Fax. +353 (0) 59 9164239 >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
> -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From alex at nkpanama.com Thu Aug 10 21:48:25 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Aug 10 21:48:53 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> Message-ID: <44DB9B99.8080606@nkpanama.com> If you absolutely *MUST* allow BMP's, I can't help you. Otherwise you *could* set up a filetype rule to disallow BMP's. Daniel Maher wrote: > I've noticed that a lot of the image spam uses bitmap (.bmp) images. Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well? > > -- > _ > ?v? Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > Sentio aliquos togatos contra me conspirare. >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: >> Blacknight.ie >> Sent: August 7, 2006 9:53 AM >> To: MailScanner discussion >> Subject: Re: gOCR SpamAssassin plugin >> >> The one that Dallas posted on the SA users group seems to work well: >> >> http://www.rulesemporium.com/plugins.htm#imageinfo >> >> -- >> Mr Michele Neylon >> Blacknight Solutions >> Quality Business Hosting & Colocation >> http://www.blacknight.ie/ >> Tel. 1850 927 280 >> Intl. +353 (0) 59 9183072 >> Direct Dial: +353 (0)59 9183090 >> Fax. 
+353 (0) 59 9164239 >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! From daniel.maher at ubisoft.com Thu Aug 10 21:50:40 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Aug 10 21:50:44 2006 Subject: gOCR SpamAssassin plugin Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D0B6@UBIMAIL1.ubisoft.org> Woops - as it turns out, the image spam doesn't use bitmaps. That's just what Outlook wants to save them as if you right-click. That's the last time I trust user input before verifying it myself! ;) -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Daniel Maher > Sent: August 10, 2006 4:42 PM > To: MailScanner discussion > Subject: RE: gOCR SpamAssassin plugin > > I've noticed that a lot of the image spam uses bitmap (.bmp) images. > Unfortunately, that SARE plugin appears to handle gif, png, and jpg images > only. Does anybody know of a plugin that will recognise bmp's as well? > > -- > _ > ?v? Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > Sentio aliquos togatos contra me conspirare. 
> > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: > > Blacknight.ie > > Sent: August 7, 2006 9:53 AM > > To: MailScanner discussion > > Subject: Re: gOCR SpamAssassin plugin > > > > The one that Dallas posted on the SA users group seems to work well: > > > > http://www.rulesemporium.com/plugins.htm#imageinfo > > > > -- > > Mr Michele Neylon > > Blacknight Solutions > > Quality Business Hosting & Colocation > > http://www.blacknight.ie/ > > Tel. 1850 927 280 > > Intl. +353 (0) 59 9183072 > > Direct Dial: +353 (0)59 9183090 > > Fax. +353 (0) 59 9164239 > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From rcooper at dwford.com Thu Aug 10 21:53:50 2006 From: rcooper at dwford.com (Rick Cooper) Date: Thu Aug 10 21:53:59 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: <44DB8FC4.8080302@ecs.soton.ac.uk> Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Julian > Field > Sent: Thursday, August 10, 2006 3:58 PM > To: MailScanner discussion > Subject: Re: MailScanner ANNOUNCE: Revision to 4.55 > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Scott Silva wrote: > > Julian Field spake the following on 8/7/2006 10:46 AM: > >> The author of the Sys::Syslog perl module has withdrawn it due to > >> problems including compatibility issues with some Linux distributions. > >> The most obvious effect is that the "make test" step may hang part-way > >> through the tests. > >> > >> As a result, I have had no alternative other than to > reluctantly publish > >> a revision of the latest stable release of MailScanner. > >> > >> If you had problems installing 4.55.9 (notably on some CentOS systems) > >> then download and upgrade to 4.55.10. > >> > >> Download as usual from www.mailscanner.info > >> > >> Note that if you had no problems installing 4.55.9, there is no reason > >> to upgrade to 4.55.10. > >> > >> Sorry for this forced re-release. > >> > > Does anything change in MailScanner, or is it just the rollback of the > > Sys::Syslog module? > > What I ended up doing in the end was shipping a version of Sys-Syslog > 0.17 that skips the "make test" stage, which can lock-up. > 0.16 doesn't work at all on some systems, and 0.17 "make test" locks up > on other systems. > > I wish the author of this could get his act together and produce some > code which worked, it would make my life a whole lot easier :-( > > Is there a reason you need Sys::Syslog as opposed to Unix::Syslog? 
The biggest differences between them seem to be the fact that Unix::Syslog doesn't open a network connection to syslogd (which may well cause some of the problems on some linux systems), and Unix::Syslog uses numeric constants (parameters) in places that Sys::Syslog uses strings. Converting to Unix::Syslog might be a better long term answer. Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at ecs.soton.ac.uk Thu Aug 10 22:28:44 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 22:28:56 2006 Subject: ALLOW FILETYPES in MailScanner.conf In-Reply-To: References: Message-ID: <44DBA50C.7010906@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Miller wrote: > Julian Field wrote: >>> What I'm doing is setting up a particular user to be able to send my >>> users .mp3 files, so I have the following files set up: >>> >>> %etc-dir%/allow.filenames.rules >>> From: joe.blow@somedomain.com \.mp3$ >>> >>> %etc-dir%/allow.filetypes.rules >>> From: joe.blow@somedomain.com MPEG >>> >>> Is that correct, or do I really need \.mp3$ in both the filename and >>> filetype rule files? >> No, you've got it absolutely correct. > > Almost absolutely correct. Instead of %etc-dir% I meant to say > %etc-dir%/rules/ but even better is %rules-dir%. > > Seems to be working a treat - nice feature Julian... Thanks. I originally wrote it for automatic configuration generation systems, as it's simpler to control as it's just another ruleset. Tinkering with filename/filetype.rules.conf is a whole new chunk of code. But the advantage is you can put whitespace in the pattern-matches in filename/type.rules.conf. And you can intermingle allow and deny rules. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE26UPEfZZRxQVtlQRAiQ3AJ4v+knH8VZid77zJQwuThB5iEf6qQCfctji 9WcYU7XwnKYkyrCjj9Skaak= =mdOc -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. From mailscanner at ecs.soton.ac.uk Thu Aug 10 22:33:10 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 22:33:21 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> Message-ID: <44DBA616.6000003@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The solution to this that I have just deployed here is "greylisting". I have set the delay time to 10 minutes, and the whitelist-remember time to 32 days. No-one notices the 10 minutes delay on the first email in a conversation, and 32 days means that the monthly email reminder messages from mailing lists are whitelisted. My users are *really* fussy, and I ran a trial of greylisting for a week with a few selected users who opted in to the trial. I purposely didn't tell them what I was changing so I could run a proper blind test. Not one of them noticed the 10 minute delay time. So I have just deployed it out to all 2000 users I have, and there have been no complaints at all. It has got rid of the single-image stock adverts completely. :-) Daniel Maher wrote: > I've noticed that a lot of the image spam uses bitmap (.bmp) images. Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well? > > -- > _ > ?v? 
Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > Sentio aliquos togatos contra me conspirare. >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: >> Blacknight.ie >> Sent: August 7, 2006 9:53 AM >> To: MailScanner discussion >> Subject: Re: gOCR SpamAssassin plugin >> >> The one that Dallas posted on the SA users group seems to work well: >> >> http://www.rulesemporium.com/plugins.htm#imageinfo >> >> -- >> Mr Michele Neylon >> Blacknight Solutions >> Quality Business Hosting & Colocation >> http://www.blacknight.ie/ >> Tel. 1850 927 280 >> Intl. +353 (0) 59 9183072 >> Direct Dial: +353 (0)59 9183090 >> Fax. +353 (0) 59 9164239 >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE26YZEfZZRxQVtlQRAiItAJ9VIh871XcWBmt+vKCW2iNWNJq7rgCg/jO7 XD/0cflE3euPCUqXSdxU6CI= =vULH -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. MailScanner thanks transtec Computers for their support. 
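The greylisting policy described in the message above (10-minute delay, 32-day whitelist memory), as an added sketch that is not part of the original post and is not milter-greylist's own code. It assumes the usual (client IP, envelope sender, envelope recipient) triplet as the key. The names Greylist and observed_delay, the 5-day pending lifetime, and the sample retry schedules are hypothetical. It also shows that the delay a sender actually sees is set by its own retry schedule, not only by the 10-minute window.

```python
"""Triplet greylisting with a 10-minute delay and a 32-day whitelist memory.

Added illustration only. The triplet key, the renew-on-use behaviour and the
pending-entry lifetime are assumptions, not taken from milter-greylist.
"""
from dataclasses import dataclass, field

MINUTE = 60
HOUR = 60 * MINUTE
DAY = 24 * HOUR

ACCEPT = "250 accept"
TEMPFAIL = "451 try again later"


@dataclass
class Greylist:
    delay: int = 10 * MINUTE      # from the post: minimum wait before a retry is accepted
    remember: int = 32 * DAY      # from the post: how long an accepted triplet stays whitelisted
    pending_ttl: int = 5 * DAY    # assumption: forget triplets that never came back
    pending: dict = field(default_factory=dict)    # triplet -> time first seen
    whitelist: dict = field(default_factory=dict)  # triplet -> expiry time

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Decide what to answer at RCPT time for one delivery attempt."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())

        expiry = self.whitelist.get(key)
        if expiry is not None:
            if now <= expiry:
                # Known correspondent: accept and renew the memory (assumption).
                self.whitelist[key] = now + self.remember
                return ACCEPT
            del self.whitelist[key]

        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.pending_ttl:
            # First contact, or a stale entry: start the clock and defer.
            self.pending[key] = now
            return TEMPFAIL
        if now - first_seen < self.delay:
            # Retried too early. The clock is not restarted.
            return TEMPFAIL

        # A genuine retry after the delay: accept and remember the triplet.
        del self.pending[key]
        self.whitelist[key] = now + self.remember
        return ACCEPT


def observed_delay(greylist, triplet, attempt_offsets, start=0):
    """Seconds until acceptance for a sender that attempts delivery at the
    given offsets from `start`, or None if every attempt was deferred."""
    for offset in attempt_offsets:
        if greylist.check(*triplet, now=start + offset) == ACCEPT:
            return offset
    return None


def simulate():
    """Run constructed sender profiles through one greylist instance."""
    gl = Greylist()
    rcpt = "user@example.net"
    profiles = {  # constructed retry schedules, offsets in seconds
        "retries every 30 min": ("192.0.2.1", [0, 30 * MINUTE, 60 * MINUTE]),
        "retries after 4 hours": ("192.0.2.2", [0, 4 * HOUR]),
        "retries at 2, 5, 12 min": ("192.0.2.3", [0, 2 * MINUTE, 5 * MINUTE, 12 * MINUTE]),
        "never retries": ("192.0.2.4", [0]),
    }
    return {
        name: observed_delay(gl, (ip, "sender@example.org", rcpt), offsets)
        for name, (ip, offsets) in profiles.items()
    }


if __name__ == "__main__":
    for name, delay in simulate().items():
        shown = "never delivered" if delay is None else f"{delay // MINUTE} min"
        print(f"{name:26s} -> {shown}")
```

A sender that never retries is the case greylisting is meant to catch, but a legitimate MTA that treats the 451 as final would fall into the same bucket.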
From rpoe at plattesheriff.org Thu Aug 10 22:45:08 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Thu Aug 10 22:45:31 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> Message-ID: <44DB6297.65ED.00A2.0@plattesheriff.org> One of my clients has that .. works just dandy.. >>> 8/8/2006 12:09 PM >>> Does anyone have an opinion on installing hylafax on a lightly loaded mailscanner pc? Normally, I'd toss another machine in for such a different application, but this customer is experiencing server "sprawl". Any thoughts? Thanks, Steve -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ugob at camo-route.com Thu Aug 10 22:45:23 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Aug 10 22:45:35 2006 Subject: weird spam, included in a word document Message-ID: Hi, I just received one funny spam. The subject is : "Bill Summary - Invoice #26820". The body is "Invoice Code Change to Invoice Identifier" And there is a word document attached. I scanned it with bitdefender, symantec, clamav, norman and AVG before opening it and it is... spam (software sellers). Anyone getting these? Ugo From rpoe at plattesheriff.org Thu Aug 10 22:47:38 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Thu Aug 10 22:47:59 2006 Subject: Hylafax on a MailScanner pc In-Reply-To: References: <1964AAFBC212F742958F9275BF63DBB03B1AB0@winchester.andrewscompanies.com> <44D8C841.3030308@pacific.net> Message-ID: <44DB632C.65ED.00A2.0@plattesheriff.org> >>> Does anyone have an opinion on installing hylafax on a lightly loaded >>> mailscanner pc? 
Normally, I'd toss another machine in for such a >>> different application, but this customer is experiencing server >>> "sprawl". >>>Any thoughts? >>So, you want MailScanner to fax high scoring spam? :-) >>Hylafax is pretty stable stuff. There shouldn't be any problems as long >>as you set your iptables rules to protect Hylafax's ports from the >> Internet. >Sounds like a new application ... >FaxScanner .. Stops your junk faxes cold! With SA's image OCR module .. could probably be done! From mailscanner at ecs.soton.ac.uk Thu Aug 10 22:50:54 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 22:51:08 2006 Subject: quarantine password-protected files In-Reply-To: <531F1E080638384C9623B00D71AA546D09F229@exchange.musicreports.com> References: <531F1E080638384C9623B00D71AA546D09F229@exchange.musicreports.com> Message-ID: <44DBAA3E.6070907@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 James D. Parra wrote: >> I have been just storing all messages for a short period of time. Then you > can >> release anything you need to, and you can set up the system to kill after a >> set number of days. Mailwatch makes this even easier. > > Hello Scott, > > How do you set this up if you're not using mailwatch? To clean out your quarantine regularly, with a variable limit on how long you keep files, take a look in /etc/cron.daily/clean.quarantine. There are a couple of settings at the top that you might want to change. 1) $disabled = 1; Set this to 0 if you want to enable this process at all. 2) $days_to_keep = 30; This is, as it says, the number of days you want to keep in the quarantine. Just change those 2 numbers and save the file. It will enable itself, you don't need to type anything to make it go. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE26pCEfZZRxQVtlQRAnCjAKCwWMVoA01oOE3loL0KGJ+sthlf5gCfSyB9 S5uqDdDdUTIhOGWXxmzaHZo= =7ga2 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From alex at nkpanama.com Thu Aug 10 22:54:36 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Aug 10 22:54:53 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: <44DBA616.6000003@ecs.soton.ac.uk> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> <44DBA616.6000003@ecs.soton.ac.uk> Message-ID: <44DBAB1C.1070009@nkpanama.com> I've set it to as little as 30 seconds with success. People notice it even less. May we inquire which of the many greylisting methods you used? Julian Field wrote: > The solution to this that I have just deployed here is "greylisting". I > have set the delay time to 10 minutes, and the whitelist-remember time > to 32 days. No-one notices the 10 minutes delay on the first email in a > conversation, and 32 days means that the monthly email reminder messages > from mailing lists are whitelisted. > > My users are *really* fussy, and I ran a trial of greylisting for a week > with a few selected users who opted in to the trial. I purposely didn't > tell them what I was changing so I could run a proper blind test. Not > one of them noticed the 10 minute delay time. So I have just deployed it > out to all 2000 users I have, and there have been no complaints at all. > > It has got rid of the single-image stock adverts completely. > :-) > > > Daniel Maher wrote: >> I've noticed that a lot of the image spam uses bitmap (.bmp) images. 
Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well? > >> -- >> _ >> ?v? Daniel Maher >> /(_)\ Administrateur Syst?me Unix >> ^ ^ Unix System Administrator > >> Sentio aliquos togatos contra me conspirare. >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: >>> Blacknight.ie >>> Sent: August 7, 2006 9:53 AM >>> To: MailScanner discussion >>> Subject: Re: gOCR SpamAssassin plugin >>> >>> The one that Dallas posted on the SA users group seems to work well: >>> >>> http://www.rulesemporium.com/plugins.htm#imageinfo >>> >>> -- >>> Mr Michele Neylon >>> Blacknight Solutions >>> Quality Business Hosting & Colocation >>> http://www.blacknight.ie/ >>> Tel. 1850 927 280 >>> Intl. +353 (0) 59 9183072 >>> Direct Dial: +353 (0)59 9183090 >>> Fax. +353 (0) 59 9164239 >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! > From mailscanner at ecs.soton.ac.uk Thu Aug 10 22:55:46 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 10 22:55:54 2006 Subject: Multiple mqueue.in directories with priority In-Reply-To: <05b001c6bc0e$0b785f80$0500000a@blessin> References: <05b001c6bc0e$0b785f80$0500000a@blessin> Message-ID: <44DBAB62.9090308@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Roman wrote: > I am trying to figure out how can I set up MailScanner & sendmail this way > that I'll be able to have 2 separated mqueue.in directories. > > I have one email account through which I send news letters (20-40k emails) > and other emails that I use for regular emails. 
> > The problem is when the newsletter being send out it fills mqueue.in > and mail can not be delivered before MailScanner scans all 20-40k emails. > > I saw posts here that people were able to configure different outgoing > queues (fast, slow) > But I think that the bottleneck is SPAM and Virus scanning in > Mailscanner. So I want to separate > queues before it gets to MailScanner processing > . > What I would like to achieve is have a mqueue.in.normal and mqueue.in.slow > so that regular mail goes to mqueue.in.normal and newsletter mail will > go to mqueue.in.slow > and have some mechanism to move messages from mqueue.in.normal and > mqueue.in.slow to MailScanner mqueue.in for processing and delivery, or > have MailScanner process both directories with some priority. > This way regular mail won't stack in mqueue.in waiting to be delivered > only after all newsletters have been delivered. > > Have anyone was able to achieve something similar to what I am trying to > achieve. > Am I missing something ? > Any ideas ? You can tell MailScanner to use multiple incoming mqueue.in queues, that's easy, read the docs in MailScanner.conf where you set the mqueue.in directory location. However, that won't provide you with any priority over the 2 queues. To do that you will need some script that puts things from the low priority queue into MailScanner only when there is virtually nothing in the high priority queue. I could write this for you, but I would have to charge you for doing it, as I have to pay the bills just like anyone else. You guys get MailScanner for free, but you don't get the rest of my time for free, sorry. But it's not a very big job, so won't cost you a fortune. Let me know off-list if you are interested. - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Get your PCs and servers from Transtec.de, very well built and reliable! -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE26tkEfZZRxQVtlQRAttpAKDDvB/5iQl83kiI3f267AZCLlYRzwCbBe1S dxdysjTFbQA88hZuTGFYVkc= =G3S2 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From Kevin_Miller at ci.juneau.ak.us Thu Aug 10 22:55:58 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Aug 10 22:56:02 2006 Subject: weird spam, included in a word document In-Reply-To: Message-ID: Ugo Bellavance wrote: > Hi, > > I just received one funny spam. The subject is : "Bill Summary - > Invoice #26820". > > The body is "Invoice Code Change to Invoice Identifier" > > And there is a word document attached. I scanned it with bitdefender, > symantec, clamav, norman and AVG before opening it and it is... spam > (software sellers). > > Anyone getting these? > > Ugo I got one. Thought it was mildly more novel than most spam but didn't give it any thought after that... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Jamesp at MusicReports.com Thu Aug 10 23:12:31 2006 From: Jamesp at MusicReports.com (James D. Parra) Date: Thu Aug 10 23:12:38 2006 Subject: releasing mail from quarantine -- postfix Message-ID: <531F1E080638384C9623B00D71AA546D09F236@exchange.musicreports.com> Hello, Followed the instructions from the link , but the message is a 'human-readable' file and not a 'raw mail queue file'. Can it still be sent to the user? There are embedded e-mails within it. 
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:pos tfix:how_to:release_quarantined_mail Here is the dir' the file is stored in; master:/var/spool/MailScanner/quarantine/20060810 # ls -lR 9D213185489.BA6DD/ 9D213185489.BA6DD/: total 892 drwx------ 2 postfix postfix 4096 Aug 10 06:28 . drwx------ 5 postfix postfix 4096 Aug 10 11:51 .. -rwx------ 1 postfix postfix 897418 Aug 10 06:28 message Postcat can view the file named 'message'. I ran 'chmod 700 message', then ran 'cp -p message /var/spool/postfic/incoming/9' which just sat there. After wards, I ran 'cp -p message /var/spool/postfic/incoming/9D213185489', which appeared to have went, but never made it to the user. What can I do to get this message to the user? Thank you, James From dave.list at pixelhammer.com Thu Aug 10 23:17:02 2006 From: dave.list at pixelhammer.com (DAve) Date: Thu Aug 10 23:17:38 2006 Subject: weird spam, included in a word document In-Reply-To: References: Message-ID: <44DBB05E.1040204@pixelhammer.com> Ugo Bellavance wrote: > Hi, > > I just received one funny spam. The subject is : "Bill Summary - > Invoice #26820". > > The body is "Invoice Code Change to Invoice Identifier" > > And there is a word document attached. I scanned it with bitdefender, > symantec, clamav, norman and AVG before opening it and it is... spam > (software sellers). > > Anyone getting these? > > Ugo > I got a few for training, most went through with too low a score. The invoice number changes. Need some? I can spare a few hundred ;^) DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. 
From ka at pacific.net Thu Aug 10 23:28:43 2006 From: ka at pacific.net (Ken A) Date: Thu Aug 10 23:27:47 2006 Subject: weird spam, included in a word document In-Reply-To: References: Message-ID: <44DBB31B.1070601@pacific.net> Just got subject: "August Payment Summary, Invoice #14677" Body was "ou MUST show the UCAR Invoice Number" back-to-school software sale spam in word doc... Ken A. Pacific.Net Ugo Bellavance wrote: > Hi, > > I just received one funny spam. The subject is : "Bill Summary - > Invoice #26820". > > The body is "Invoice Code Change to Invoice Identifier" > > And there is a word document attached. I scanned it with bitdefender, > symantec, clamav, norman and AVG before opening it and it is... spam > (software sellers). > > Anyone getting these? > > Ugo > From glenn.steen at gmail.com Fri Aug 11 00:14:14 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Aug 11 00:14:19 2006 Subject: releasing mail from quarantine -- postfix In-Reply-To: <531F1E080638384C9623B00D71AA546D09F236@exchange.musicreports.com> References: <531F1E080638384C9623B00D71AA546D09F236@exchange.musicreports.com> Message-ID: <223f97700608101614s1c675203vbc9942f921ff261e@mail.gmail.com> On 11/08/06, James D. Parra wrote: > Hello, > > Followed the instructions from the link , but the message is a > 'human-readable' file and not a 'raw mail queue file'. Can it still be sent > to the user? There are embedded e-mails within it. No, you didn't follow it... not the right part at least... A bit further down there are perfectly good instructions for your case... (I know, since I wrote them:-). 
Here's a link (mind the wrapping) ---- http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:release_quarantined_mail#releasing_mail_from_the_quarantine_-_message_files ---- > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:pos > tfix:how_to:release_quarantined_mail > > Here is the dir' the file is stored in; > > master:/var/spool/MailScanner/quarantine/20060810 # ls -lR > 9D213185489.BA6DD/ > 9D213185489.BA6DD/: > total 892 > drwx------ 2 postfix postfix 4096 Aug 10 06:28 . > drwx------ 5 postfix postfix 4096 Aug 10 11:51 .. > -rwx------ 1 postfix postfix 897418 Aug 10 06:28 message > > Postcat can view the file named 'message'. I ran 'chmod 700 message', then > ran 'cp -p message /var/spool/postfic/incoming/9' which just sat there. > After wards, I ran 'cp -p message /var/spool/postfic/incoming/9D213185489', > which appeared to have went, but never made it to the user. What can I do > to get this message to the user? Postcat just *looks* like it doing its job, but it really isn't... Postfix as such isn't fooled though, and has probably put that message file into its corrupted folder (correctly so, one might add:). Use the sendmail (convenience command) method as outlined in the wiki, and you'll be fine. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Jamesp at MusicReports.com Fri Aug 11 00:44:05 2006 From: Jamesp at MusicReports.com (James D. Parra) Date: Fri Aug 11 00:44:17 2006 Subject: releasing mail from quarantine -- postfix Message-ID: <531F1E080638384C9623B00D71AA546D09F237@exchange.musicreports.com> >Postcat just *looks* like it doing its job, but it really isn't... >Postfix as such isn't fooled though, and has probably put that message >file into its corrupted folder (correctly so, one might add:). >Use the sendmail (convenience command) method as outlined in the wiki, >and you'll be fine. Hello Glen, Thanks for info. 
I didn't install sendmail on this server so I didn't think the 'sendmail' command would work. Although, it did work, but with one oddity; the message went through Mailscanner as was quarantined again! Oh boy. How can I get the message through to postfix without it getting quarantined again? Error; {Dangerous Content} MailScanner: Too many attachments in message Many thanks, ~James From ugob at camo-route.com Fri Aug 11 01:40:20 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Aug 11 01:40:30 2006 Subject: releasing mail from quarantine -- postfix In-Reply-To: <531F1E080638384C9623B00D71AA546D09F237@exchange.musicreports.com> References: <531F1E080638384C9623B00D71AA546D09F237@exchange.musicreports.com> Message-ID: James D. Parra wrote: >> Postcat just *looks* like it doing its job, but it really isn't... >> Postfix as such isn't fooled though, and has probably put that message >> file into its corrupted folder (correctly so, one might add:). >> Use the sendmail (convenience command) method as outlined in the wiki, >> and you'll be fine. > > Hello Glen, > > Thanks for info. I didn't install sendmail on this server so I didn't think > the 'sendmail' command would work. Although, it did work, but with one > oddity; the message went through Mailscanner as was quarantined again! Oh > boy. > > How can I get the message through to postfix without it getting quarantined > again? > > Error; {Dangerous Content} > MailScanner: Too many attachments in message Create a ruleset so that messages from the apache user (apache on redhat servers, nobody if compiled from source. Or you can use 127.0.0.1 but that is riskier. 
> > Many thanks, > > ~James > From andoni.auzmendi at robertwalters.com Fri Aug 11 08:37:34 2006 From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi) Date: Fri Aug 11 08:37:59 2006 Subject: weird spam, included in a word document Message-ID: <5450254EC7E7B54193C8AEFD904AA36301B219@PAT.internal.robertwalters.com> My users only reported one of those yesterday but it may well be a new spamming trend. Andoni -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A Sent: 10 August 2006 23:29 To: MailScanner discussion Subject: Re: weird spam, included in a word document Just got subject: "August Payment Summary, Invoice #14677" Body was "ou MUST show the UCAR Invoice Number" back-to-school software sale spam in word doc... Ken A. Pacific.Net Ugo Bellavance wrote: > Hi, > > I just received one funny spam. The subject is : "Bill Summary - > Invoice #26820". > > The body is "Invoice Code Change to Invoice Identifier" > > And there is a word document attached. I scanned it with bitdefender, > symantec, clamav, norman and AVG before opening it and it is... spam > (software sellers). > > Anyone getting these? > > Ugo > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. 
www.mimesweeper.com ********************************************************************** From a.peacock at chime.ucl.ac.uk Fri Aug 11 08:41:37 2006 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Fri Aug 11 08:42:01 2006 Subject: weird spam, included in a word document In-Reply-To: References: Message-ID: <44DC34B1.2000507@chime.ucl.ac.uk> Hi, Ugo Bellavance wrote: > Hi, > > I just received one funny spam. The subject is : "Bill Summary - > Invoice #26820". > > The body is "Invoice Code Change to Invoice Identifier" > > And there is a word document attached. I scanned it with bitdefender, > symantec, clamav, norman and AVG before opening it and it is... spam > (software sellers). > > Anyone getting these? > > Ugo > Getting loads, but they are all getting caught scoring about 10 SA points. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From MailScanner at ecs.soton.ac.uk Fri Aug 11 08:46:00 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 11 08:46:25 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: <44DBAB1C.1070009@nkpanama.com> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> <44DBA616.6000003@ecs.soton.ac.uk> <44DBAB1C.1070009@nkpanama.com> Message-ID: <44DC35B8.5080809@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 milter-greylist on sendmail. I didn't realise there were different methods to use. Alex Neuman van der Hans wrote: > I've set it to as little as 30 seconds with success. People notice it > even less. > > May we inquire which of the many greylisting methods you used? > > Julian Field wrote: > >> The solution to this that I have just deployed here is "greylisting". 
I >> have set the delay time to 10 minutes, and the whitelist-remember time >> to 32 days. No-one notices the 10 minutes delay on the first email in a >> conversation, and 32 days means that the monthly email reminder messages >> from mailing lists are whitelisted. >> >> My users are *really* fussy, and I ran a trial of greylisting for a week >> with a few selected users who opted in to the trial. I purposely didn't >> tell them what I was changing so I could run a proper blind test. Not >> one of them noticed the 10 minute delay time. So I have just deployed it >> out to all 2000 users I have, and there have been no complaints at all. >> >> It has got rid of the single-image stock adverts completely. >> :-) >> >> >> Daniel Maher wrote: >> >>> I've noticed that a lot of the image spam uses bitmap (.bmp) images. Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well? >>> >>> -- >>> _ >>> ?v? Daniel Maher >>> /(_)\ Administrateur Syst?me Unix >>> ^ ^ Unix System Administrator >>> >>> Sentio aliquos togatos contra me conspirare. >>> >>>> -----Original Message----- >>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>>> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: >>>> Blacknight.ie >>>> Sent: August 7, 2006 9:53 AM >>>> To: MailScanner discussion >>>> Subject: Re: gOCR SpamAssassin plugin >>>> >>>> The one that Dallas posted on the SA users group seems to work well: >>>> >>>> http://www.rulesemporium.com/plugins.htm#imageinfo >>>> >>>> -- >>>> Mr Michele Neylon >>>> Blacknight Solutions >>>> Quality Business Hosting & Colocation >>>> http://www.blacknight.ie/ >>>> Tel. 1850 927 280 >>>> Intl. +353 (0) 59 9183072 >>>> Direct Dial: +353 (0)59 9183090 >>>> Fax. 
+353 (0) 59 9164239 >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3DW4EfZZRxQVtlQRAqpKAJ9N3IldUhrW8OzuYOUqf2sGaPAkDQCeLqsP D35wAkQEkChtpHFGUFGQZP4= =Pa10 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From t.d.lee at durham.ac.uk Fri Aug 11 10:06:14 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Fri Aug 11 10:06:42 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: <44DB8FC4.8080302@ecs.soton.ac.uk> References: <44D77C7E.5010703@ecs.soton.ac.uk> <44DB8FC4.8080302@ecs.soton.ac.uk> Message-ID: On Thu, 10 Aug 2006, Julian Field wrote: > What I ended up doing in the end was shipping a version of Sys-Syslog > 0.17 that skips the "make test" stage, which can lock-up. > 0.16 doesn't work at all on some systems, and 0.17 "make test" locks up > on other systems. > > I wish the author of this could get his act together and produce some > code which worked, it would make my life a whole lot easier :-( Julian: Presumably you have informed the author, to alert him/her of the problems we have encountered? They might not be aware of any problems... If you have informed then, and if your request has fallen into a black hole, then perhaps someone here on the MailScanner list (especially, perhaps, if they are already a CPAN maintainer) might be persuaded (encouraged, cajoled, etc.) to adopt ownership of the module. -- : David Lee I.T. 
Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From mailscanner at mango.zw Fri Aug 11 10:31:07 2006 From: mailscanner at mango.zw (Jim Holland) Date: Fri Aug 11 10:38:18 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: <44DBA616.6000003@ecs.soton.ac.uk> Message-ID: On Thu, 10 Aug 2006, Julian Field wrote: > The solution to this that I have just deployed here is "greylisting". I > have set the delay time to 10 minutes, and the whitelist-remember time > to 32 days. No-one notices the 10 minutes delay on the first email in a > conversation, and 32 days means that the monthly email reminder messages > from mailing lists are whitelisted. > > My users are *really* fussy, and I ran a trial of greylisting for a week > with a few selected users who opted in to the trial. I purposely didn't > tell them what I was changing so I could run a proper blind test. Not > one of them noticed the 10 minute delay time. So I have just deployed it > out to all 2000 users I have, and there have been no complaints at all. I am puzzled to hear this, because the 10 minute delay time is set on your side - ie the delay time between connection attempts before your server will accept the connection. However it doesn't take into consideration the problem of the delay that will occur on the sending side between delivery attempts. Many systems will retry delivery only after a fairly long interval. The default for sendmail is 30 minutes, but some busy systems will have a default of as long as 4 hours. This means that in practice I would expect the real delay to be far longer than 10 minutes for many messages. Worse still, there are some systems that will treat a 451 error as a fatal error, and will not retry the mail. I have found this with Yahoo and Gmail, for example. 
(I was trying to force them to deliver to our secondary MX that has more bandwidth than we do because of their very annoying failure to implement the ESTMP "size" extension - meaning that we sometimes have to accept say 10 MB of traffic before we can then tell them that the message is too large.) Another concern is the impact that greylisting would have on the Internet if its adoption became widespread - it would mean that all mail servers would have to work twice as hard to deliver mail. I do find the delivery delays rather annoying as a sender of mail - seeing mail stuck in the mail queue waiting for some possibly unknown period of time before it gets accepted. That said, I am sure that greylisting does make a big impact on spam for those that implement it. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service > It has got rid of the single-image stock adverts completely. :-) > Daniel Maher wrote: > > I've noticed that a lot of the image spam uses bitmap (.bmp) images. Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well? > > > > -- > > _ > > ?v? Daniel Maher > > /(_)\ Administrateur Syst?me Unix > > ^ ^ Unix System Administrator > > > > Sentio aliquos togatos contra me conspirare. > >> -----Original Message----- > >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > >> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: > >> Blacknight.ie > >> Sent: August 7, 2006 9:53 AM > >> To: MailScanner discussion > >> Subject: Re: gOCR SpamAssassin plugin > >> > >> The one that Dallas posted on the SA users group seems to work well: > >> > >> http://www.rulesemporium.com/plugins.htm#imageinfo > >> > >> -- > >> Mr Michele Neylon > >> Blacknight Solutions > >> Quality Business Hosting & Colocation > >> http://www.blacknight.ie/ > >> Tel. 1850 927 280 > >> Intl. 
+353 (0) 59 9183072 > >> Direct Dial: +353 (0)59 9183090 > >> Fax. +353 (0) 59 9164239 > >> -- > >> MailScanner mailing list > >> mailscanner@lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > > - -- > Julian Field > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@MailScanner.biz > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Get your PCs and servers from Transtec.de, very well built and reliable! > > > -----BEGIN PGP SIGNATURE----- > Version: PGP SDK 3.7.0 > Charset: ISO-8859-1 > > wj8DBQFE26YZEfZZRxQVtlQRAiItAJ9VIh871XcWBmt+vKCW2iNWNJq7rgCg/jO7 > XD/0cflE3euPCUqXSdxU6CI= > =vULH > -----END PGP SIGNATURE----- > > From support-lists at petdoctors.co.uk Fri Aug 11 11:17:46 2006 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Fri Aug 11 11:16:03 2006 Subject: Searching and recovering mails from /var/spool/mailScanner/archive Message-ID: <00c701c6bd2f$63f3ea40$1465a8c0@support01> Hi Folks, No doubt this has been asked before but I'm not having much luck searching for ideas so... I have to search and recover some emails from the MailScanner archive folders - are there any nice tools to do this before I start to do some scripting? 
Thanks Nigel Kendrick From MailScanner at ecs.soton.ac.uk Fri Aug 11 11:37:05 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 11 11:37:36 2006 Subject: MailScanner ANNOUNCE: Revision to 4.55 In-Reply-To: References: <44D77C7E.5010703@ecs.soton.ac.uk> <44DB8FC4.8080302@ecs.soton.ac.uk> Message-ID: <44DC5DD1.5040004@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Lee wrote: > On Thu, 10 Aug 2006, Julian Field wrote: > > >> What I ended up doing in the end was shipping a version of Sys-Syslog >> 0.17 that skips the "make test" stage, which can lock-up. >> 0.16 doesn't work at all on some systems, and 0.17 "make test" locks up >> on other systems. >> >> I wish the author of this could get his act together and produce some >> code which worked, it would make my life a whole lot easier :-( >> > > Julian: Presumably you have informed the author, to alert him/her of the > problems we have encountered? They might not be aware of any problems... > I've got a To Do list as long as your arm at the moment. Is there any chance someone else could do this for me please? The make test was locking up on some CentOS systems. Steve Swaney knows more details, he is the person who informed me in the first place. > If you have informed then, and if your request has fallen into a black > hole, then perhaps someone here on the MailScanner list (especially, > perhaps, if they are already a CPAN maintainer) might be persuaded > (encouraged, cajoled, etc.) to adopt ownership of the module. 
> > > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3F3SEfZZRxQVtlQRAsVjAJ0dOo8VtV87bkPM/p5kKLVTQNX2kgCcCGvs ecaAgvoVXLfSJn9qVePbU/s= =4Wbh -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From pascal.maes at elec.ucl.ac.be Fri Aug 11 12:18:18 2006 From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Fri Aug 11 12:18:27 2006 Subject: Problems on Solaris x86 Message-ID: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> Hello, I'm installing MailScanner 4.55.10 into a zone on a Solaris 10 x86 system. The MTA is postfix and MailScanner is running as the postfix User. I have the following problems : - there are no logging - when I run MailScanner in debug mode, it works : # ../bin/MailScanner In Debugging mode, not forking... Ignore errors about failing to find EOCD signature Stopping now as you are debugging me. and the mails which are in the queue are sent. - when I start MailScanner not in debug mode, it forks (until the limit), but nothing happens It's the same if I launch MailScanner in foreground : # ../bin/MailScanner MailScanner 4.55.10 starting in foreground mode - pid is [4162] About to fork child #1 of 10... Forked OK - new child is [4163] About to fork child #2 of 10... Forked OK - new child is [4164] ... About to fork child #10 of 10... Forked OK - new child is [4172] but nothing else. Of course, without any logging, it's not easy to find the problem Same problem with MailScanner 4.54-6 Any idea ? 
-- Pascal From MailScanner at ecs.soton.ac.uk Fri Aug 11 12:20:37 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 11 12:21:06 2006 Subject: OT - Greylisting In-Reply-To: References: Message-ID: <44DC6805.9040708@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jim Holland wrote: > On Thu, 10 Aug 2006, Julian Field wrote: > > >> The solution to this that I have just deployed here is "greylisting". I >> have set the delay time to 10 minutes, and the whitelist-remember time >> to 32 days. No-one notices the 10 minutes delay on the first email in a >> conversation, and 32 days means that the monthly email reminder messages >> from mailing lists are whitelisted. >> >> My users are *really* fussy, and I ran a trial of greylisting for a week >> with a few selected users who opted in to the trial. I purposely didn't >> tell them what I was changing so I could run a proper blind test. Not >> one of them noticed the 10 minute delay time. So I have just deployed it >> out to all 2000 users I have, and there have been no complaints at all. >> > > I am puzzled to hear this, because the 10 minute delay time is set on your > side - ie the delay time between connection attempts before your server > will accept the connection. However it doesn't take into consideration > the problem of the delay that will occur on the sending side between > delivery attempts. Many systems will retry delivery only after a fairly > long interval. The default for sendmail is 30 minutes, but some busy > systems will have a default of as long as 4 hours. This means that in > practice I would expect the real delay to be far longer than 10 minutes > for many messages. > > Worse still, there are some systems that will treat a 451 error as a fatal > error, and will not retry the mail. I have found this with Yahoo and > Gmail, for example. 
(I was trying to force them to deliver to our > secondary MX that has more bandwidth than we do because of their very > annoying failure to implement the ESTMP "size" extension - meaning that we > sometimes have to accept say 10 MB of traffic before we can then tell them > that the message is too large.) > There is a list of the known large sites that suffer this problem, you just put it in your greylist.conf file. The milter-greylist package comes with it already inserted for you. http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?rev=1.12 > Another concern is the impact that greylisting would have on the Internet > if its adoption became widespread - it would mean that all mail servers > would have to work twice as hard to deliver mail. I do find the delivery > delays rather annoying as a sender of mail - seeing mail stuck in the mail > queue waiting for some possibly unknown period of time before it gets > accepted. > I agree with you. But in practice no-one appears to notice. After all, how many people sit there tail-ing their outgoing mail logs? > That said, I am sure that greylisting does make a big impact on spam for > those that implement it. > It certainly does. I quite agree that there are various aspects of greylisting with which I am not entirely happy, but the advantages for my users outweigh them substantially. My management, who are not PHB's at all, agree with me. I am in the lucky position of having bosses who I respect :-) >> It has got rid of the single-image stock adverts completely. :-) >> > > >> Daniel Maher wrote: >> >>> I've noticed that a lot of the image spam uses bitmap (.bmp) images. Unfortunately, that SARE plugin appears to handle gif, png, and jpg images only. Does anybody know of a plugin that will recognise bmp's as well? >>> >>> -- >>> _ >>> ?v? Daniel Maher >>> /(_)\ Administrateur Syst?me Unix >>> ^ ^ Unix System Administrator >>> >>> Sentio aliquos togatos contra me conspirare. 
>>> >>>> -----Original Message----- >>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>>> bounces@lists.mailscanner.info] On Behalf Of Michele Neylon:: >>>> Blacknight.ie >>>> Sent: August 7, 2006 9:53 AM >>>> To: MailScanner discussion >>>> Subject: Re: gOCR SpamAssassin plugin >>>> >>>> The one that Dallas posted on the SA users group seems to work well: >>>> >>>> http://www.rulesemporium.com/plugins.htm#imageinfo >>>> >>>> -- >>>> Mr Michele Neylon >>>> Blacknight Solutions >>>> Quality Business Hosting & Colocation >>>> http://www.blacknight.ie/ >>>> Tel. 1850 927 280 >>>> Intl. +353 (0) 59 9183072 >>>> Direct Dial: +353 (0)59 9183090 >>>> Fax. +353 (0) 59 9164239 >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >> - -- >> Julian Field >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@MailScanner.biz >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> Get your PCs and servers from Transtec.de, very well built and reliable! 
>> >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP SDK 3.7.0 >> Charset: ISO-8859-1 >> >> wj8DBQFE26YZEfZZRxQVtlQRAiItAJ9VIh871XcWBmt+vKCW2iNWNJq7rgCg/jO7 >> XD/0cflE3euPCUqXSdxU6CI= >> =vULH >> -----END PGP SIGNATURE----- >> >> >> > > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3GgGEfZZRxQVtlQRAr9mAKCBl9c9OVzvCerwHzbgVoyWHQ1e2QCgsDLK BvSzpboCTRXZFWQZZokaIpw= =//bR -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From dave.list at pixelhammer.com Fri Aug 11 13:30:14 2006 From: dave.list at pixelhammer.com (DAve) Date: Fri Aug 11 13:30:26 2006 Subject: weird spam, included in a word document In-Reply-To: <44DC34B1.2000507@chime.ucl.ac.uk> References: <44DC34B1.2000507@chime.ucl.ac.uk> Message-ID: <44DC7856.9090504@pixelhammer.com> Anthony Peacock wrote: > Hi, > > Ugo Bellavance wrote: >> Hi, >> >> I just received one funny spam. The subject is : "Bill Summary - >> Invoice #26820". >> >> The body is "Invoice Code Change to Invoice Identifier" >> >> And there is a word document attached. I scanned it with bitdefender, >> symantec, clamav, norman and AVG before opening it and it is... spam >> (software sellers). >> >> Anyone getting these? >> >> Ugo >> > > Getting loads, but they are all getting caught scoring about 10 SA points. > Can you post your test results? Our SA is missing them completely. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. 
From jayesha_shinde at yahoo.com Fri Aug 11 13:34:04 2006 From: jayesha_shinde at yahoo.com (jay shi) Date: Fri Aug 11 13:34:07 2006 Subject: Rul set for Spam Subject Text ??? Message-ID: <20060811123404.94338.qmail@web54407.mail.yahoo.com> Hi , I am using MailScanner 4.48.4 with multidomain sendmail. For low Score SPAM i am using this Spam Subject Text = {possible spam} as a tag One of my domain ask me, he dont't want this tag , but other domains are demanding this feature. i want to write rule set for above condition,i made the required rulset but it is not working.Is any one knows how to write this rule set ? Thanks & Regards Jayesh __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From alex at nkpanama.com Fri Aug 11 13:35:19 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Fri Aug 11 13:35:34 2006 Subject: gOCR SpamAssassin plugin In-Reply-To: <44DC35B8.5080809@ecs.soton.ac.uk> References: <1E293D3FF63A3740B10AD5AAD88535D20226D0B5@UBIMAIL1.ubisoft.org> <44DBA616.6000003@ecs.soton.ac.uk> <44DBAB1C.1070009@nkpanama.com> <44DC35B8.5080809@ecs.soton.ac.uk> Message-ID: <44DC7987.3000605@nkpanama.com> Julian Field wrote: > milter-greylist on sendmail. I didn't realise there were different > methods to use. For one of the lists, you can see: http://projects.puremagic.com/greylisting/links.html From a.peacock at chime.ucl.ac.uk Fri Aug 11 13:39:28 2006 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Fri Aug 11 13:40:03 2006 Subject: weird spam, included in a word document In-Reply-To: <44DC7856.9090504@pixelhammer.com> References: <44DC34B1.2000507@chime.ucl.ac.uk> <44DC7856.9090504@pixelhammer.com> Message-ID: <44DC7A80.8090104@chime.ucl.ac.uk> Hi, DAve wrote: > Anthony Peacock wrote: >> Hi, >> >> Ugo Bellavance wrote: >>> Hi, >>> >>> I just received one funny spam. The subject is : "Bill Summary - >>> Invoice #26820". 
>>>
>>> The body is "Invoice Code Change to Invoice Identifier"
>>>
>>> And there is a word document attached.  I scanned it with
>>> bitdefender, symantec, clamav, norman and AVG before opening it and
>>> it is... spam (software sellers).
>>>
>>> Anyone getting these?
>>>
>>> Ugo
>>>
>>
>> Getting loads, but they are all getting caught scoring about 10 SA
>> points.
>>
>
> Can you post your test results? Our SA is missing them completely.

One recent one:

3.50  BAYES_99                Bayesian spam probability is 99 to 100%
2.17  DCC_CHECK               Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
1.00  RCVD_IN_JANET_DUL       Relay in JANET MAPS RBL+ DUL
1.46  RCVD_IN_SORBS_WEB       SORBS: sender is a abuseable web server
3.90  RCVD_IN_XBL             Received via a relay in Spamhaus XBL

Another one:

3.50  BAYES_99                Bayesian spam probability is 99 to 100%
2.17  DCC_CHECK               Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
1.56  RCVD_IN_BL_SPAMCOP_NET  Received via a relay in bl.spamcop.net
1.00  RCVD_IN_JANET_DUL       Relay in JANET MAPS RBL+ DUL
1.95  RCVD_IN_NJABL_DUL       NJABL: dialup sender did non-local SMTP
2.05  RCVD_IN_SORBS_DUL       SORBS: sent directly from dynamic IP address
1.46  RCVD_IN_SORBS_WEB       SORBS: sender is a abuseable web server
3.90  RCVD_IN_XBL             Received via a relay in Spamhaus XBL

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw

From shuttlebox at gmail.com Fri Aug 11 13:48:43 2006
From: shuttlebox at gmail.com (shuttlebox)
Date: Fri Aug 11 13:48:45 2006
Subject: Rul set for Spam Subject Text ???
In-Reply-To: <20060811123404.94338.qmail@web54407.mail.yahoo.com> References: <20060811123404.94338.qmail@web54407.mail.yahoo.com> Message-ID: <625385e30608110548h3d5390i7ec88e7b5a29db10@mail.gmail.com> On 8/11/06, jay shi wrote: > Hi , > I am using MailScanner 4.48.4 with multidomain > sendmail. For low Score SPAM i am using this > Spam Subject Text = {possible spam} as a tag > One of my domain ask me, he dont't want this tag > , but other domains are demanding this feature. > i want to write rule set for above condition,i > made > the required rulset but it is not working.Is any one > knows how to write this rule set ? Use a ruleset with yes/no on this option: Spam Modify Subject = yes If it doesn't work, post your ruleset to help us help you. -- /peter From dave.list at pixelhammer.com Fri Aug 11 14:02:12 2006 From: dave.list at pixelhammer.com (DAve) Date: Fri Aug 11 14:02:19 2006 Subject: weird spam, included in a word document In-Reply-To: <44DC7A80.8090104@chime.ucl.ac.uk> References: <44DC34B1.2000507@chime.ucl.ac.uk> <44DC7856.9090504@pixelhammer.com> <44DC7A80.8090104@chime.ucl.ac.uk> Message-ID: <44DC7FD4.4020203@pixelhammer.com> Anthony Peacock wrote: > Hi, > > DAve wrote: >> Anthony Peacock wrote: >>> Hi, >>> >>> Ugo Bellavance wrote: >>>> Hi, >>>> >>>> I just received one funny spam. The subject is : "Bill Summary >>>> - Invoice #26820". >>>> >>>> The body is "Invoice Code Change to Invoice Identifier" >>>> >>>> And there is a word document attached. I scanned it with >>>> bitdefender, symantec, clamav, norman and AVG before opening it and >>>> it is... spam (software sellers). >>>> >>>> Anyone getting these? >>>> >>>> Ugo >>>> >>> >>> Getting loads, but they are all getting caught scoring about 10 SA >>> points. >>> >> >> Can you post your test results? Our SA is missing them completely. 
>
> One recent one:
>
> 3.50  BAYES_99                Bayesian spam probability is 99 to 100%
> 2.17  DCC_CHECK               Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 1.00  RCVD_IN_JANET_DUL       Relay in JANET MAPS RBL+ DUL
> 1.46  RCVD_IN_SORBS_WEB       SORBS: sender is a abuseable web server
> 3.90  RCVD_IN_XBL             Received via a relay in Spamhaus XBL
>
> Another one:
>
> 3.50  BAYES_99                Bayesian spam probability is 99 to 100%
> 2.17  DCC_CHECK               Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 1.56  RCVD_IN_BL_SPAMCOP_NET  Received via a relay in bl.spamcop.net
> 1.00  RCVD_IN_JANET_DUL       Relay in JANET MAPS RBL+ DUL
> 1.95  RCVD_IN_NJABL_DUL       NJABL: dialup sender did non-local SMTP
> 2.05  RCVD_IN_SORBS_DUL       SORBS: sent directly from dynamic IP address
> 1.46  RCVD_IN_SORBS_WEB       SORBS: sender is a abuseable web server
> 3.90  RCVD_IN_XBL             Received via a relay in Spamhaus XBL
>

Feeding Bayes this morning, can't use NJABL as we are an ISP, no SpamCop thanks, no DCC, XBL? well mine are certainly coming from different IP's than yours.

Thanks,

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From pascal.maes at elec.ucl.ac.be Fri Aug 11 15:38:47 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Aug 11 15:39:00 2006
Subject: Fwd: Problems on Solaris x86
References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be>
Message-ID: <0E611EF3-805C-4950-A45E-0BF390F1F2C6@elec.ucl.ac.be>

Begin forwarded message:

>
> Hello,
>
>
> I'm installing MailScanner 4.55.10 into a zone on a Solaris 10 x86
> system.
> The MTA is postfix and MailScanner is running as the postfix User.
>
> I have the following problems :
>
> - there are no logging

In Log.pm we have :

  eval {
    if ($^O !~ /solaris|sunos|irix/i) {
      Sys::Syslog::setlogsock('unix');
    }
    # else {
    #   Sys::Syslog::setlogsock('stream');
    # }

It seems that for solaris, it should be 'inet' instead of 'unix'

> - when I run MailScanner in debug mode, it works :
>
> # ../bin/MailScanner
> In Debugging mode, not forking...
> Ignore errors about failing to find EOCD signature
> Stopping now as you are debugging me.
>
> and the mails which are in the queue are sent.
>
> - when I start MailScanner not in debug mode, it forks (until
> the limit), but nothing happens
> It's the same if I launch MailScanner in foreground :
>
> # ../bin/MailScanner
> MailScanner 4.55.10 starting in foreground mode - pid is [4162]
> About to fork child #1 of 10...
> Forked OK - new child is [4163]
> About to fork child #2 of 10...
> Forked OK - new child is [4164]
> ...
> About to fork child #10 of 10...
> Forked OK - new child is [4172]
>
> but nothing else.
>
> Of course, without any logging, it's not easy to find the problem
>
> Same problem with MailScanner 4.54-6
>
> Any idea ?

Now, when I start MailScanner I have the following lines in the logfile :

Aug 11 16:26:38 localhost MailScanner[6498]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 11 16:26:38 localhost MailScanner[6498]: Using SpamAssassin results cache
Aug 11 16:26:38 localhost MailScanner[6498]: Connected to SpamAssassin cache database
Aug 11 16:26:38 localhost MailScanner[6498]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 11 16:26:38 localhost MailScanner[6498]: Using SpamAssassin results cache
Aug 11 16:26:38 localhost MailScanner[6498]: Connected to SpamAssassin cache database

but each mail remains in /var/spool/postfix/hold/

In debugging mode, I get :

# /opt/MailScanner/bin/check_mailscanner
Starting MailScanner...
In Debugging mode, not forking...
Aug 11 16:34:40 localhost MailScanner[6532]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 11 16:34:41 localhost MailScanner[6532]: Using SpamAssassin results cache
Aug 11 16:34:41 localhost MailScanner[6532]: Connected to SpamAssassin cache database
Aug 11 16:34:40 localhost MailScanner[6532]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 11 16:34:41 localhost MailScanner[6532]: Using SpamAssassin results cache
Aug 11 16:34:41 localhost MailScanner[6532]: Connected to SpamAssassin cache database
Aug 11 16:34:43 localhost MailScanner[6532]: Using locktype = flock
Aug 11 16:34:43 localhost MailScanner[6532]: New Batch: Scanning 1 messages, 1232 bytes
Aug 11 16:34:43 localhost MailScanner[6532]: Spam Checks: Starting

--
Pascal

From t.d.lee at durham.ac.uk Fri Aug 11 15:39:08 2006
From: t.d.lee at durham.ac.uk (David Lee)
Date: Fri Aug 11 15:39:40 2006
Subject: MailScanner ANNOUNCE: Revision to 4.55
In-Reply-To: <44DC5DD1.5040004@ecs.soton.ac.uk>
References: <44D77C7E.5010703@ecs.soton.ac.uk> <44DB8FC4.8080302@ecs.soton.ac.uk> <44DC5DD1.5040004@ecs.soton.ac.uk>
Message-ID:

On Fri, 11 Aug 2006, Julian Field wrote:

> [...]
> I've got a To Do list as long as your arm at the moment. Is there any
> chance someone else could do this for me please?
>
> The make test was locking up on some CentOS systems. Steve Swaney knows
> more details, he is the person who informed me in the first place.
> [...]

OK. Although I'm piggy-in-the-middle, unaffected by this problem, I'm attempting to get it raised with the Sys::Syslog folk.

Steve Swaney (or someone else): Could you provide me with a concise description of the problem (and relevant OS environments) about this Sys::Syslog 0.17 problem, please? Thanks.

(Am I correct in understanding that this problem was new at 0.17?)

--

:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:  Durham University                                              :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:  Durham DH1 3LE                                                 :
:  Phone: +44 191 334 2752                  U.K.                  :

From jflowers at ezo.net Fri Aug 11 16:36:06 2006
From: jflowers at ezo.net (Jim Flowers)
Date: Fri Aug 11 16:36:20 2006
Subject: Bypass spam scan based on header
Message-ID: <20060811153613.M23587@ezo.net>

My solution was to add a small hack to the CreateList subroutine (line 112) in SQLBlackWhiteList.pm to add a list of names to the whitelist hash just before it returns. As written, these email addresses are whitelisted globally (for all users) in MailScanner. The same technique could be used for a per-domain or per-user basis with a bit more code.

-----------------------------------------------------------------------------
if ($type eq 'whitelist') {
  my $fh = new FileHandle;
  my $filename = "/usr/local/share/assp/whitelist";
  $fh->open("< $filename") or die "Cannot open config file $filename, $!";
  while(<$fh>) {
    chomp;
    s/^#.*$//;
    s/^\s*//g;
    s/\s*$//g;
    next if /^$/;
    if(/^([^@]+@[^@]+\.[A-Za-z]{2,4}).*$/) { # validate and strip off trailing digits
      $BlackWhite->{'default'}{$1} = 1;
    }
  }
  close $fh;
}
----------------------------------------------------------------------------

In this case the names in /usr/local/share/assp/whitelist are of the form username@domain.tld and also have a trailing ^B[0-9]* that is removed by the regexp. This expression may have to be modified to suit the file format.

This subroutine is run on startup and at least every 15 minutes.

--
Jim Flowers

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From lshaw at emitinc.com Fri Aug 11 16:52:07 2006 From: lshaw at emitinc.com (Logan Shaw) Date: Fri Aug 11 16:52:17 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: References: Message-ID: On Fri, 11 Aug 2006, Jim Holland wrote: > Another concern is the impact that greylisting would have on the Internet > if its adoption became widespread - it would mean that all mail servers > would have to work twice as hard to deliver mail. Actually, it's only some mail servers. Greylisting lets known senders through without a delay. Mail servers that are mostly sending messages to recipients who recognize them would not see delays. Mail servers that are mostly sending messages to those who don't recognize them would see the delays. So, it makes mail servers up to twice as hard. Also, while I agree that it would increase the load, in general I think decreasing spam is worth some increased load. Sure, it's a slippery slope (one could imagine things getting so bloated that it takes 5 minutes of CPU time to deliver one message, if we keep on adding limitless spam-fighting strategy), but on the other hand, 10 seconds of CPU time spent catching spam automatically is cheaper than 10 seconds of a human's time deleting it manually. - Logan From mikej at rogers.com Fri Aug 11 17:01:30 2006 From: mikej at rogers.com (Mike Jakubik) Date: Fri Aug 11 17:01:13 2006 Subject: MS unable to detect From address from DSN and failure notice emails Message-ID: <44DCA9DA.8030403@rogers.com> The other day i noticed that Always looked up last and the mailwatch logging script is not logging the From address on any DSN or failure type emails sent by the mailer-daemon@ or postmaster@. The problem is bigger than just logging itself, as this influences the scoring with the rule NO_REAL_NAME, so a lot of them get marked as spam. 
Here are two example headers:

Received: from mail.kanapure.net (unknown [61.211.239.203])
    by mx1.fkpeterson.com (Postfix) with SMTP id D6E41172D1
    for ; Thu, 27 Jul 2006 21:58:03 -0400 (EDT)
Received: (qmail 19303 invoked for bounce); 28 Jul 2006 02:04:22 -0000
Date: 28 Jul 2006 02:04:22 -0000
From: MAILER-DAEMON@mail.kanapure.net
To: yingrown8@fkpeterson.com
Subject: failure notice
Message-Id: <20060728015803.D6E41172D1@mx1.fkpeterson.com>

Received: from mail.fkpeterson.com (unknown [192.168.0.1])
    by mx1.fkpeterson.com (Postfix) with ESMTP id 6F85A17306
    for ; Thu, 27 Jul 2006 21:44:37 -0400 (EDT)
From: postmaster@fkpeterson.com
To: anisimi@citizensbankia.com
Date: Thu, 27 Jul 2006 21:46:16 -0400
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="9B095B5ADSN=_01C6AF6C96E49C7200000282mail.fkpeterson."
X-DSNContext: 7ce717b1 - 1158 - 00000002 - 00000000
Message-ID:
Subject: Delivery Status Notification (Failure)

This got marked as spam, and the From field is never logged. Any ideas?

postfix-2.2.11
p5-Mail-SpamAssassin-3.1.3
MailScanner-4.54.6

From mkettler at evi-inc.com Fri Aug 11 17:10:33 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Aug 11 17:10:48 2006
Subject: MS unable to detect From address from DSN and failure notice emails
In-Reply-To: <44DCA9DA.8030403@rogers.com>
References: <44DCA9DA.8030403@rogers.com>
Message-ID: <44DCABF9.6060903@evi-inc.com>

Mike Jakubik wrote:
> The other day i noticed that Always looked up last and the mailwatch
> logging script is not logging the From address on any DSN or failure
> type emails sent by the mailer-daemon@ or postmaster@. The problem is
> bigger than just logging itself, as this influences the scoring with the
> rule NO_REAL_NAME, so a lot of them get marked as spam. Here are two
> example headers:

Most DSN's are sent with a From: HEADER that contains mailer-daemon, or postmaster. However by RFC requirements the ENVELOPE From is <> (empty or null address).
This much should explain the logging, as MailScanner is logging the envelope from, not the content of the body-text From: header. Sendmail MTA's copy the envelope from to the "Return-Path" header upon delivery. I'm not sure what postfix does, but you might want to check it. To see what your MTA is using, this message should have an envelope from of "mailscanner-bounces@lists.mailscanner.info", not mkettler@evi-inc.com. The NO_REAL_NAME bit does influence the score, but that alone shouldn't be causing these to be tagged as spam.. What other SA rules are firing off here? From matt at coders.co.uk Fri Aug 11 17:17:22 2006 From: matt at coders.co.uk (Matt Hampton) Date: Fri Aug 11 17:17:08 2006 Subject: MS unable to detect From address from DSN and failure notice emails In-Reply-To: <44DCA9DA.8030403@rogers.com> References: <44DCA9DA.8030403@rogers.com> Message-ID: <44DCAD92.3070105@coders.co.uk> > > This got marked as spam, and the From field is never logged. Any ideas? > > postfix-2.2.11 > p5-Mail-SpamAssassin-3.1.3 > MailScanner-4.54.6 > The From field that gets as far as MailWatch is from the Envelope and not from the message headers. The envelope will be from "<>" (the Null sender) and therefore there is nothing for MW to log. matt From drew at themarshalls.co.uk Fri Aug 11 17:21:46 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Fri Aug 11 17:22:00 2006 Subject: Fwd: Problems on Solaris x86 In-Reply-To: <0E611EF3-805C-4950-A45E-0BF390F1F2C6@elec.ucl.ac.be> References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> <0E611EF3-805C-4950-A45E-0BF390F1F2C6@elec.ucl.ac.be> Message-ID: <42275.194.70.180.170.1155313306.squirrel@webmail.r-bit.net> On Fri, August 11, 2006 15:38, Pascal Maes wrote: > Now, when I start MailScanner I have the following lines in the > logfile : > > Aug 11 16:26:38 localhost MailScanner[6498]: MailScanner E-Mail Virus > Scanner version 4.55.10 starting... 
> Aug 11 16:26:38 localhost MailScanner[6498]: Using SpamAssassin > results cache > Aug 11 16:26:38 localhost MailScanner[6498]: Connected to > SpamAssassin cache database > Aug 11 16:26:38 localhost MailScanner[6498]: MailScanner E-Mail Virus > Scanner version 4.55.10 starting... > Aug 11 16:26:38 localhost MailScanner[6498]: Using SpamAssassin > results cache > Aug 11 16:26:38 localhost MailScanner[6498]: Connected to > SpamAssassin cache database > > but each mail remains in /var/spool/postfix/hold/ > > In debugging mode, I get : > > # /opt/MailScanner/bin/check_mailscanner > Starting MailScanner... > In Debugging mode, not forking... > Aug 11 16:34:40 localhost MailScanner[6532]: MailScanner E-Mail Virus > Scanner version 4.55.10 starting... > Aug 11 16:34:41 localhost MailScanner[6532]: Using SpamAssassin > results cache > Aug 11 16:34:41 localhost MailScanner[6532]: Connected to > SpamAssassin cache database > Aug 11 16:34:40 localhost MailScanner[6532]: MailScanner E-Mail Virus > Scanner version 4.55.10 starting... > Aug 11 16:34:41 localhost MailScanner[6532]: Using SpamAssassin > results cache > Aug 11 16:34:41 localhost MailScanner[6532]: Connected to > SpamAssassin cache database > Aug 11 16:34:43 localhost MailScanner[6532]: Using locktype = flock > Aug 11 16:34:43 localhost MailScanner[6532]: New Batch: Scanning 1 > messages, 1232 bytes > Aug 11 16:34:43 localhost MailScanner[6532]: Spam Checks: Starting And no mention of delivery (Or completion of scanning)? At this log point the batch is only being scanned for spam and not viruses. Can you turn on SpamAssassin debugging in MailScanner.conf and re-run the debug, it may yield something such as a permissions error in one of the SA processes. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
www.themarshalls.co.uk/policy From mikej at rogers.com Fri Aug 11 17:25:48 2006 From: mikej at rogers.com (Mike Jakubik) Date: Fri Aug 11 17:25:32 2006 Subject: MS unable to detect From address from DSN and failure notice emails In-Reply-To: <44DCABF9.6060903@evi-inc.com> References: <44DCA9DA.8030403@rogers.com> <44DCABF9.6060903@evi-inc.com> Message-ID: <44DCAF8C.2030102@rogers.com> Matt Kettler wrote: > Mike Jakubik wrote: > >> The other day i noticed that Always looked up last and the mailwatch >> logging script is not logging the From address on any DSN or failure >> type emails sent by the mailer-daemon@ or postmaster@. The problem is >> bigger than just logging itself, as this influences the scoring with the >> rule NO_REAL_NAME, so a lot of them get marked as spam. Here are two >> example headers: >> > > Most DSN's are sent with a From: HEADER that contains mailer-daemon, or > postmaster. However by RFC requirements the ENVELOPE From is <> (empty or null > address). > > This much should explain the logging, as MailScanner is logging the envelope > from, not the content of the body-text From: header. Sendmail MTA's copy the > envelope from to the "Return-Path" header upon delivery. I'm not sure what > postfix does, but you might want to check it. To see what your MTA is using, > this message should have an envelope from of > "mailscanner-bounces@lists.mailscanner.info", not mkettler@evi-inc.com. > > Thanks for the info, here is what i saw in the headers: Return-Path: X-MailScanner-From: mailscanner-bounces@lists.mailscanner.info Perhaps i should take this issue up on the postfix lists? But im sure as soon as i mention MailScanner, i wont get much help :P > The NO_REAL_NAME bit does influence the score, but that alone shouldn't be > causing these to be tagged as spam.. What other SA rules are firing off here? > > The server actually had a SPF problem caused by a firewall, so every email was failing. 
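
The envelope-sender versus From: header distinction described in the messages above, as an added example (not code from MailScanner, MailWatch or any poster). It reads the Return-Path header that the MTA writes at delivery and compares it with the From: header. The function names and the three sample messages are constructed for illustration, modelled on the headers quoted in this thread.

```python
"""Compare what an envelope-keyed log sees with what the From: header says."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: qmail-style bounce, null envelope sender.
QMAIL_BOUNCE = (
    "Return-Path: <>\n"
    "From: MAILER-DAEMON@mail.example.net\n"
    "To: user@example.com\n"
    "Subject: failure notice\n"
    "\n"
    "Hi. This is the mail delivery program.\n"
)

# Constructed sample: DSN report stored without a Return-Path header.
DSN_REPORT = (
    "From: postmaster@example.com\n"
    "To: user@example.org\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/report; report-type=delivery-status;\n"
    " boundary=\"b1\"\n"
    "Subject: Delivery Status Notification (Failure)\n"
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Delivery failed.\n"
    "--b1--\n"
)

# Constructed sample: a list post, where envelope and header senders differ.
LIST_POST = (
    "Return-Path: <mailscanner-bounces@lists.mailscanner.info>\n"
    "From: Matt Kettler <mkettler@evi-inc.com>\n"
    "To: mailscanner@lists.mailscanner.info\n"
    "Subject: Re: DSN question\n"
    "\n"
    "body\n"
)


def sender_view(raw):
    """Return the envelope sender, header sender and bounce status of a message."""
    msg = message_from_string(raw)

    # parseaddr() returns ('', '') both for "<>" and for garbage, so the null
    # sender has to be recognised explicitly before parsing.
    return_path = msg.get("Return-Path")
    if return_path is None:
        envelope = None                  # MTA did not record the envelope sender
    elif return_path.strip() == "<>":
        envelope = ""                    # null sender, as used for bounces
    else:
        envelope = parseaddr(return_path)[1] or None

    real_name, header_from = parseaddr(msg.get("From", ""))

    is_dsn_report = (
        msg.get_content_type() == "multipart/report"
        and msg.get_param("report-type") == "delivery-status"
    )
    return {
        "envelope_from": envelope,
        "header_from": header_from,
        "real_name": real_name,          # empty for a bare address such as MAILER-DAEMON@host
        "is_dsn_report": is_dsn_report,
        "is_bounce": envelope == "" or is_dsn_report,
    }


def log_key(view):
    """What a log keyed on the envelope sender has available to record."""
    if view["envelope_from"] is None:
        return "(no Return-Path)"
    return view["envelope_from"] or "<>"


if __name__ == "__main__":
    for name, raw in [("qmail bounce", QMAIL_BOUNCE),
                      ("DSN report", DSN_REPORT),
                      ("list post", LIST_POST)]:
        view = sender_view(raw)
        print(f"{name:13} logged={log_key(view):45} From:={view['header_from']}")
```

A bounce therefore shows up with "<>" as its logged sender while still carrying a From: header; a report that wants the header address has to read the message headers rather than the envelope.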
From drew at themarshalls.co.uk Fri Aug 11 17:45:29 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Fri Aug 11 17:45:50 2006
Subject: MS unable to detect From address from DSN and failure notice emails
In-Reply-To: <44DCAF8C.2030102@rogers.com>
References: <44DCA9DA.8030403@rogers.com> <44DCABF9.6060903@evi-inc.com> <44DCAF8C.2030102@rogers.com>
Message-ID: <42310.194.70.180.170.1155314729.squirrel@webmail.r-bit.net>

On Fri, August 11, 2006 17:25, Mike Jakubik wrote:
> Matt Kettler wrote:
>> Most DSNs are sent with a From: HEADER that contains mailer-daemon, or
>> postmaster. However by RFC requirements the ENVELOPE From is <> (empty
>> or null address).
>>
>> This much should explain the logging, as MailScanner is logging the
>> envelope from, not the content of the body-text From: header. Sendmail
>> MTAs copy the envelope from to the "Return-Path" header upon delivery.
>> I'm not sure what postfix does, but you might want to check it. To see
>> what your MTA is using, this message should have an envelope from of
>> "mailscanner-bounces@lists.mailscanner.info", not mkettler@evi-inc.com.

Postfix does exactly the same. The Null sender is usually just shown as Return-Path: <> in the headers, which would explain the MW logging.

Sadly I agree about the postfix list, mention MailScanner and you tend to be on a loser :-( Having said that Wietse is usually pretty good about following RFCs so I am confident that Postfix will be properly behaved with DSNs.

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From mike at tc3net.com Fri Aug 11 18:05:18 2006
From: mike at tc3net.com (Michael Baird)
Date: Fri Aug 11 17:59:02 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To:
References:
Message-ID: <1155315918.31265.3.camel@mike-new2.tc3net.com>

On Fri, 2006-08-11 at 10:52 -0500, Logan Shaw wrote:
> On Fri, 11 Aug 2006, Jim Holland wrote:
> > Another concern is the impact that greylisting would have on the Internet
> > if its adoption became widespread - it would mean that all mail servers
> > would have to work twice as hard to deliver mail.
>
> Actually, it's only some mail servers. Greylisting lets known
> senders through without a delay. Mail servers that are mostly
> sending messages to recipients who recognize them would not
> see delays. Mail servers that are mostly sending messages
> to those who don't recognize them would see the delays. So,
> it makes mail servers up to twice as hard.
>
> Also, while I agree that it would increase the load, in
> general I think decreasing spam is worth some increased load.
> Sure, it's a slippery slope (one could imagine things getting
> so bloated that it takes 5 minutes of CPU time to deliver one
> message, if we keep on adding limitless spam-fighting strategy),
> but on the other hand, 10 seconds of CPU time spent catching
> spam automatically is cheaper than 10 seconds of a human's
> time deleting it manually.

Greylisting decreases load immeasurably on a mailscanner system, the cost of greylisting is much less than allowing the message to go through the mailscanner system. I deployed it several months ago, it really is a good tool, and I've had very few complaints (10000 users).
Regards
Michael Baird

From Kevin_Miller at ci.juneau.ak.us Fri Aug 11 18:09:58 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Aug 11 18:10:03 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <1155315918.31265.3.camel@mike-new2.tc3net.com>
Message-ID:

Michael Baird wrote:
> Greylisting decreases load immeasurably on a mailscanner system, the
> cost of greylisting is much less than allowing the message to go
> through the mailscanner system. I deployed it several months ago, it
> really is a good tool, and I've had very few complaints (10000 users).

I just use Sendmail's greet pause which is 10 seconds to set up and works a treat - does greylisting add significant control or improvement over that? Anybody using them in tandem or is one or the other to be preferred?

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From mikea at mikea.ath.cx Fri Aug 11 18:10:30 2006
From: mikea at mikea.ath.cx (mikea)
Date: Fri Aug 11 18:10:35 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <1155315918.31265.3.camel@mike-new2.tc3net.com>; from mike@tc3net.com on Fri, Aug 11, 2006 at 01:05:18PM -0400
References: <1155315918.31265.3.camel@mike-new2.tc3net.com>
Message-ID: <20060811121030.A64675@mikea.ath.cx>

On Fri, Aug 11, 2006 at 01:05:18PM -0400, Michael Baird wrote:
> On Fri, 2006-08-11 at 10:52 -0500, Logan Shaw wrote:
> > On Fri, 11 Aug 2006, Jim Holland wrote:
> > > Another concern is the impact that greylisting would have on the Internet
> > > if its adoption became widespread - it would mean that all mail servers
> > > would have to work twice as hard to deliver mail.
> >
> > Actually, it's only some mail servers. Greylisting lets known
> > senders through without a delay.
Mail servers that are mostly
> > sending messages to recipients who recognize them would not
> > see delays. Mail servers that are mostly sending messages
> > to those who don't recognize them would see the delays. So,
> > it makes mail servers up to twice as hard.
> >
> > Also, while I agree that it would increase the load, in
> > general I think decreasing spam is worth some increased load.
> > Sure, it's a slippery slope (one could imagine things getting
> > so bloated that it takes 5 minutes of CPU time to deliver one
> > message, if we keep on adding limitless spam-fighting strategy),
> > but on the other hand, 10 seconds of CPU time spent catching
> > spam automatically is cheaper than 10 seconds of a human's
> > time deleting it manually.
> Greylisting decreases load immeasurably on a mailscanner system, the
> cost of greylisting is much less than allowing the message to go through
> the mailscanner system. I deployed it several months ago, it really is a
> good tool, and I've had very few complaints (10000 users).

My complaints have, almost without exception, come from users who think that E-mail should show up in their inboxes Right DamnIt _NOW_. There have been a few cases in which the sender's system has mishandled the retry or totally failed to retry; I've whitelisted some of those, and the rest were non-work-related and so could go hang[1].

[1] It's a corporate mailsystem, not an ISP, and the policy is that employees get to use it for personal purposes, but if their personal mail gets blocked as a result of our filters, that's just too bad.
--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From davidn at keymarkinc.com Fri Aug 11 18:16:37 2006
From: davidn at keymarkinc.com (David Nalley)
Date: Fri Aug 11 18:16:33 2006
Subject: Searching and recovering mails from /var/spool/mailScanner/archive
Message-ID: <81214BB68B68BF4586FE1D82E7B3C472C0BE92@kmex01.keymark.dom>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, if you have MailWatch for MailScanner installed you can do quite a bit of searching based on just about anything other than the body of the email. Otherwise I think it's probably a job for grep and the like.

Hope it hel

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Nigel Kendrick
> Sent: Friday, August 11, 2006 6:18 AM
> To: 'MailScanner discussion'
> Subject: Searching and recovering mails from
> /var/spool/mailScanner/archive
>
> Hi Folks,
>
> No doubt this has been asked before but I'm not having much
> luck searching for ideas so...
>
> I have to search and recover some emails from the MailScanner
> archive folders - are there any nice tools to do this before
> I start to do some scripting?
>
> Thanks
>
> Nigel Kendrick
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)

iD8DBQFE3LtsU7rV35qFz0QRAmL2AJ9hwNmyPvqLDVlUSwmY8Q6XcVbYrwCcDPKq
LtOrvfUqXJNrGMZY/GyU4fw=
=bc4Y
-----END PGP SIGNATURE-----

From mikea at mikea.ath.cx Fri Aug 11 18:38:43 2006
From: mikea at mikea.ath.cx (mikea)
Date: Fri Aug 11 18:38:47 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: ; from Kevin_Miller@ci.juneau.ak.us on Fri, Aug 11, 2006 at 09:09:58AM -0800
References: <1155315918.31265.3.camel@mike-new2.tc3net.com>
Message-ID: <20060811123843.B64675@mikea.ath.cx>

On Fri, Aug 11, 2006 at 09:09:58AM -0800, Kevin Miller wrote:
> Michael Baird wrote:
>
> > Greylisting decreases load immeasurably on a mailscanner system, the
> > cost of greylisting is much less than allowing the message to go
> > through the mailscanner system. I deployed it several months ago, it
> > really is a good tool, and I've had very few complaints (10000 users).
>
> I just use Sendmail's greet pause which is 10 seconds to set up and works
> a treat - does greylisting add significant control or improvement over
> that? Anybody using them in tandem or is one or the other to be
> preferred?

I use both.

Greet-pause is set to 15 seconds, and catches an _awful_ lot of them:

Date    Count of greet-pause violations
710     133315
711     101527
712     88888
713     75372
714     59143
715     51436
716     46033
717     62931
718     76228
719     75158
720     63901
721     58222
722     47463
723     32425
724     52248
725     51581
726     55579
727     52790
728     48447
729     33630
730     31434
731     50976
801     61121
802     53625
803     120052
804     44719
805     34369
806     40633
807     55260
808     43413
809     44840
810     47917

Many of these are same-IP woodpeckers. I'll look at a way to display the actual number of unique IP addresses that violated greet-pause per day.

Greylisting catches a lot more: the count of mails that actually got to MailScanner went down big-time when I turned greylisting on.
--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From Kevin_Miller at ci.juneau.ak.us Fri Aug 11 18:46:03 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Aug 11 18:46:06 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <20060811123843.B64675@mikea.ath.cx>
Message-ID:

mikea wrote:
> I use both.
>
> Greet-pause is set to 15 seconds, and catches an _awful_ lot of them:
> Date Count of greet-pause violations
> 710 133315
...
> 810 47917
>
> Many of these are same-IP woodpeckers. I'll look at a way to display
> the actual number of unique IP addresses that violated greet-pause per
> day.
>
> Greylisting catches a lot more: the count of mails that actually got
> to MailScanner went down big-time when I turned greylisting on.

Cool. How'd you generate the counts?

Real Soon Now I'm going to implement milter-ahead (sleazy Exchange server on the back end, sigh) so maybe I'll get milter-gris at the same time. Killing spam is *so* much fun...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From gmane at tippingmar.com Fri Aug 11 19:57:28 2006
From: gmane at tippingmar.com (Mark Nienberg)
Date: Fri Aug 11 19:57:47 2006
Subject: 70_sare_stocks.cf
In-Reply-To: <44D18987.4070400@maddoc.net>
References: <44D18987.4070400@maddoc.net>
Message-ID:

Doc Schneider wrote:
> I added a "tweak" to the rule set that should catch more of these dang
> image spams.
>
> For those of you running "SARE_STOCK" please let me know if these are
> now being caught.

After about a week of running the new rule set I realized that in addition to catching more of those dang image spams, I was also getting a lot of false positives. We receive a lot of messages from persons who write in html and attach a small gif image in their signature (usually a company logo).
In fact, lots of my users do the same in their signatures (don't get me started). Consequently, I have had to disable the gif rules in the rule set.

Mark

From alex at nkpanama.com Fri Aug 11 20:07:52 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Fri Aug 11 20:08:04 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To:
References:
Message-ID: <44DCD588.1050602@nkpanama.com>

Kevin Miller wrote:
> Michael Baird wrote:
>
>> Greylisting decreases load immeasurably on a mailscanner system, the
>> cost of greylisting is much less than allowing the message to go
>> through the mailscanner system. I deployed it several months ago, it
>> really is a good tool, and I've had very few complaints (10000 users).
>
> I just use Sendmail's greet pause which is 10 seconds to set up and works
> a treat - does greylisting add significant control or improvement over
> that? Anybody using them in tandem or is one or the other to be
> preferred?
>
>
> ...Kevin

I use both *everywhere*. Now if I could have greet_pause auto-whitelist after a certain threshold... :-)

From mikea at mikea.ath.cx Fri Aug 11 20:17:32 2006
From: mikea at mikea.ath.cx (mikea)
Date: Fri Aug 11 20:17:36 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <44DCD588.1050602@nkpanama.com>; from alex@nkpanama.com on Fri, Aug 11, 2006 at 02:07:52PM -0500
References: <44DCD588.1050602@nkpanama.com>
Message-ID: <20060811141732.A65410@mikea.ath.cx>

On Fri, Aug 11, 2006 at 02:07:52PM -0500, Alex Neuman van der Hans wrote:
> Kevin Miller wrote:
> > Michael Baird wrote:
> >
> >> Greylisting decreases load immeasurably on a mailscanner system, the
> >> cost of greylisting is much less than allowing the message to go
> >> through the mailscanner system. I deployed it several months ago, it
> >> really is a good tool, and I've had very few complaints (10000 users).
> >
> > I just use Sendmail's greet pause which is 10 seconds to set up and works
> > a treat - does greylisting add significant control or improvement over
> > that? Anybody using them in tandem or is one or the other to be
> > preferred?
> >
> >
> > ...Kevin
> I use both *everywhere*. Now if I could have greet_pause auto-whitelist
> after a certain threshold... :-)

You could, if you were willing to dynamically edit your access file and then do a makemap hash. It probably could be rigged so that it wasn't terribly dangerous. One way might be to batch the updates, and run them every hour or so, saving the data to files with timestamp data as part of the name. Hmmmmmm ... .

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From alex at nkpanama.com Fri Aug 11 20:23:48 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Fri Aug 11 20:24:11 2006
Subject: OT - Greylisting
In-Reply-To: <20060811141732.A65410@mikea.ath.cx>
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx>
Message-ID: <44DCD944.7050003@nkpanama.com>

mikea wrote:
>
> You could, if you were willing to dynamically edit your access file
> and then do a makemap hash. It probably could be rigged so that it
> wasn't terribly dangerous. One way might be to batch the updates, and
> run them every hour or so, saving the data to files with timestamp
> data as part of the name. Hmmmmmm ... .
>

Hmmm indeed... Sounds like a nice weekend project... but, alas, IANAP... :-(

From jaearick at colby.edu Fri Aug 11 21:00:53 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Fri Aug 11 21:06:30 2006
Subject: nasty bug in SA.pm (I think)
Message-ID:

Julian,

I've been intermittently chasing this bug for several releases now, and I think that I may have it cornered. The problem: if I start MS with my /etc/init.d script, MS just loops and does nothing. If I start it via /opt/MailScanner/bin/check_mailscanner from cron, MailScanner works.
The syslog output for a loop up looks like:

MailScanner[25980]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
MailScanner[25980]: Read 748 hostnames from the phishing whitelist
MailScanner[25980]: Config: calling custom init function IPBlock
MailScanner[25980]: Initialising IP blocking
MailScanner[25980]: Read 128 IP blocking entries from /etc/MailScanner/IPBlock.conf
MailScanner[25980]: Using SpamAssassin results cache
MailScanner[25980]: Connected to SpamAssassin cache database
(repeat ad nauseam)

So I started putting in info syslog messages into lib/MailScanner/SA.pm after the "cache database" message to trace what happened. Attached is my modified version of SA.pm. I never get anything after the info msg "got to here3".

So I stared at SA.pm. You commented out line 287:

#if (MailScanner::Config::Value('compilespamassassinonce')) {

at some point, which commented out half of a curly-bracket block. I can't find where the right curly-bracket for this line is, and I think something is mis-aligned here. Using the power feature of vi whereby you put the cursor over a bracket, paren, etc and then hit "%", I don't find the closing curly bracket for line 72 ("sub initialise {"). This routine seems mangled and I think this is the root cause of the loop-up bug. But I can't figure out where the closing bracket for line 287 might be.

Have I found this loopup bug in the mangled bracketing of initialise???

Jeff Earickson
Colby College

-------------- next part --------------
#
# MailScanner - SMTP E-Mail Virus Scanner
# Copyright (C) 2002 Julian Field
#
# $Id: SA.pm 3553 2006-05-09 19:51:10Z sysjkf $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # The author, Julian Field, can be contacted by email at # Jules@JulianField.net # or by paper mail at # Julian Field # Dept of Electronics & Computer Science # University of Southampton # Southampton # SO17 1BJ # United Kingdom # package MailScanner::SA; use strict 'vars'; use strict 'refs'; no strict 'subs'; # Allow bare words for parameter %'s #use English; # Needed for $PERL_VERSION to work in all versions of Perl use IO; use POSIX qw(:signal_h); # For Solaris 9 SIG bug workaround use DBI; use Compress::Zlib; use vars qw($VERSION); ### The package version, both in 1.23 style *and* usable by MakeMaker: $VERSION = substr q$Revision: 3553 $, 10; # Attributes are # # my($LOCK_SH) = 1; my($LOCK_EX) = 2; my($LOCK_NB) = 4; my($LOCK_UN) = 8; my $SAversion; # SpamAssassin version number my @SAsuccessqueue; # queue of failure history my $SAsuccessqsum; # current sum of history queue my($SAspamtest, $SABayesLock, $SABayesRebuildLock, $SpamAssassinInstalled); my($SQLiteInstalled, $cachedbh, $cachefilename, $NextCacheExpire); my $HamCacheLife = 30*60; # Lifetime of non-spam from first seen my $SpamCacheLife = 5*60; # Lifetime of low-scoring spam from first seen my $HighSpamCacheLife = 3*60*60; # Lifetime of high spam from last seen my $VirusesCacheLife = 48*60*60; # Lifetime of viruses from last seen my $ExpireFrequency = 10*60; # How often to run the expiry of the cache sub initialise { my($RebuildBayes, $WantLintOnly) = @_; # Start by rebuilding the Bayes database? 
my(%settings, $val, $val2, $prefs); # Initialise the class variables @SAsuccessqueue = (); $SAsuccessqsum = 0; # Can't just do this when sendmail.pl loads, as we are still running as # root then & spamassassin will get confused when we are later running # as something else. # Only do this if we want to use SpamAssassin and therefore have it installed. # Justin Mason advises only creating 1 Mail::SpamAssassin object, so I do it # here while we are starting up. # N.B. SpamAssassin will use home dir defined in ENV{HOME} # 'if $ENV{HOME} =~ /\//' # So, set ENV{HOME} to desired directory, or undef it to force it to get home # using getpwnam of $> (EUID) unless (MailScanner::Config::IsSimpleValue('usespamassassin') && !MailScanner::Config::Value('usespamassassin')) { $settings{dont_copy_prefs} = 1; # Removes need for home directory # This file is now read directly by SpamAssassin's normal startup code. #$prefs = MailScanner::Config::Value('spamassassinprefsfile'); #$settings{userprefs_filename} = $prefs if defined $prefs; $val = $MailScanner::SA::Debug; $settings{debug} = $val; # for unusual bayes and auto whitelist database locations $val = MailScanner::Config::Value('spamassassinuserstatedir'); $settings{userstate_dir} = $val if $val ne ""; $val = MailScanner::Config::Value('spamassassinlocalrulesdir'); $settings{LOCAL_RULES_DIR} = $val if $val ne ""; $val = MailScanner::Config::Value('spamassassinlocalstatedir'); $settings{LOCAL_STATE_DIR} = $val if $val ne ""; $val = MailScanner::Config::Value('spamassassindefaultrulesdir'); $settings{DEF_RULES_DIR} = $val if $val ne ""; $val = MailScanner::Config::Value('spamassassininstallprefix'); # For version 3 onwards, shouldn't cause problems with earlier code $val2 = MailScanner::Config::Value('spamassassinautowhitelist'); $settings{use_auto_whitelist} = $val2?1:0; $settings{save_pattern_hits} = 1; if ($val ne "") { # ie. 
if SAinstallprefix is set # for finding rules in the absence of the above settings $settings{PREFIX} = $val; # for finding the SpamAssassin libraries # Use unshift rather than push so that their given location is # always searched *first* and not last in the include path. #my $perl_vers = $PERL_VERSION < 5.006 ? $PERL_VERSION # : sprintf("%vd",$PERL_VERSION); my $perl_vers = $] < 5.006 ? $] : sprintf("%vd",$^V); unshift @INC, "$val/lib/perl5/site_perl/$perl_vers"; } # Now we have the path built, try to find the SpamAssassin modules unless (eval "require Mail::SpamAssassin") { MailScanner::Log::WarnLog("You want to use SpamAssassin but have not installed it."); MailScanner::Log::WarnLog("Please download http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/install-Clam-SA.tar.gz and unpack it and run ./install.sh to install it, then restart MailScanner."); MailScanner::Log::WarnLog("I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin."); $SpamAssassinInstalled = 0; return; } # SpamAssassin "require"d okay. $SpamAssassinInstalled = 1; # Find the version number $SAversion = $Mail::SpamAssassin::VERSION + 0.0; # # Load the SQLite support for the SA data cache # $SQLiteInstalled = 0; unless (MailScanner::Config::IsSimpleValue('usesacache') && !MailScanner::Config::Value('usesacache')) { unless (eval "require DBD::SQLite") { MailScanner::Log::WarnLog("WARNING: You are trying to use the SpamAssassin cache but your DBI and/or DBD::SQLite Perl modules are not properly installed!"); $SQLiteInstalled = 0; } else { $SQLiteInstalled = 1; unless (eval "require Digest::MD5") { MailScanner::Log::WarnLog("WARNING: You are trying to use the SpamAssassin cache but your Digest::MD5 Perl module is not properly installed!"); $SQLiteInstalled = 0; } else { MailScanner::Log::InfoLog("Using SpamAssassin results cache"); $SQLiteInstalled = 1; # # # Put the SA cache database initialisation code here! 
# # $MailScanner::SA::cachefilename = MailScanner::Config::Value("sacache"); $MailScanner::SA::cachedbh = DBI->connect( "dbi:SQLite:$MailScanner::SA::cachefilename", "","",{PrintError=>0,InactiveDestroy=>1}); $NextCacheExpire = $ExpireFrequency+time; if ($MailScanner::SA::cachedbh) { MailScanner::Log::InfoLog("Connected to SpamAssassin cache database"); # Rebuild all the tables and indexes. The PrintError=>0 will make it # fail quietly if they already exist. $MailScanner::SA::cachedbh->do("CREATE TABLE cache (md5 TEXT, count INTEGER, last TIMESTAMP, first TIMESTAMP, sasaysspam INT, sahighscoring INT, sascore FLOAT, saheader BLOB, salongreport BLOB, virusinfected INT)"); $MailScanner::SA::cachedbh->do("CREATE UNIQUE INDEX md5_uniq ON cache(md5)"); $MailScanner::SA::cachedbh->do("CREATE INDEX last_seen_idx ON cache(last)"); $MailScanner::SA::cachedbh->do("CREATE INDEX first_seen_idx ON cache(first)"); $SQLiteInstalled = 1; SetCacheTimes(); # Now expire all the old tokens CacheExpire() unless $WantLintOnly; } else { MailScanner::Log::WarnLog("Could not create SpamAssassin cache database %s", $MailScanner::SA::cachefilename); $SQLiteInstalled = 0; print STDERR "Could not create SpamAssassin cache database $MailScanner::SA::cachefilename\n" if $WantLintOnly; } } } } MailScanner::Log::InfoLog("got to here"); $MailScanner::SA::SAspamtest = new Mail::SpamAssassin(\%settings); if ($WantLintOnly) { my $errors = $MailScanner::SA::SAspamtest->lint_rules(); if ($errors) { print STDERR "SpamAssassin reported an error.\n"; $MailScanner::SA::SAspamtest->debug_diagnostics(); } else { print STDERR "SpamAssassin reported no errors.\n"; } return; } MailScanner::Log::InfoLog("got to here2"); # Rebuild the Bayes database if it is due $MailScanner::SA::BayesRebuildLock = MailScanner::Config::Value( 'lockfiledir') . '/MS.bayes.rebuild.lock'; $MailScanner::SA::BayesRebuildStartLock = MailScanner::Config::Value('lockfiledir') . 
'/MS.bayes.starting.lock'; $MailScanner::SA::WaitForRebuild = MailScanner::Config::Value('bayeswait'); $MailScanner::SA::DoingBayesRebuilds = MailScanner::Config::Value('bayesrebuild'); if ($RebuildBayes) { #MailScanner::Log::InfoLog('SpamAssassin Bayes database rebuild preparing'); # Tell the other children that we are trying to start a rebuild my $RebuildStartH = new FileHandle; unless ($RebuildStartH->open("+>$MailScanner::SA::BayesRebuildStartLock")) { MailScanner::Log::WarnLog("Bayes rebuild process could not write to " . "%s to signal starting", $MailScanner::SA::BayesRebuildStartLock); } # Get an exclusive lock on the bayes rebuild lock file my $RebuildLockH = new FileHandle; if ($RebuildLockH->open("+>$MailScanner::SA::BayesRebuildLock")) { flock($RebuildLockH, $LOCK_EX) or MailScanner::Log::WarnLog("Failed to get exclusive lock on %s, %s", $MailScanner::SA::BayesRebuildLock, $!); # Do the actual expiry run $0 = 'MailScanner: rebuilding Bayes database'; MailScanner::Log::InfoLog('SpamAssassin Bayes database rebuild starting'); eval { $MailScanner::SA::SAspamtest->init(1) if $SAversion<3; $MailScanner::SA::SAspamtest->init_learner({ force_expire => 1, learn_to_journal => 0, wait_for_lock => 1, caller_will_untie => 1}); $MailScanner::SA::SAspamtest->rebuild_learner_caches({ verbose => 0, showdots => 0}); $MailScanner::SA::SAspamtest->finish_learner(); }; MailScanner::Log::WarnLog("SpamAssassin Bayes database rebuild " . 
"failed with error: %s", $@) if $@; # Unlock the bayes rebuild lock file unlink($MailScanner::SA::BayesRebuildLock); flock($RebuildLockH, $LOCK_UN); $RebuildLockH->close(); MailScanner::Log::InfoLog('SpamAssassin Bayes database rebuild completed'); } # Now the rebuild has properly finished, we let the other children back unlink $MailScanner::SA::BayesRebuildStartLock; $RebuildStartH->close(); } if (MailScanner::Config::Value('spamassassinautowhitelist')) { # JKF 14/6/2002 Enable the auto-whitelisting functionality MailScanner::Log::InfoLog("Enabling SpamAssassin auto-whitelist functionality..."); if ($SAversion<3) { require Mail::SpamAssassin::DBBasedAddrList; # create a factory for the persistent address list my $addrlistfactory = Mail::SpamAssassin::DBBasedAddrList->new(); $MailScanner::SA::SAspamtest->set_persistent_address_list_factory ($addrlistfactory); } } # If the Bayes database lock file is still present due to the process # being killed, we must delete it. The difficult bit is finding it. # Wrap this in an eval for those using old versions of SA which don't # have the Bayes engine at all. eval { my $t = $MailScanner::SA::SAspamtest; $MailScanner::SA::SABayesLock = $t->sed_path($t->{conf}->{bayes_path}) . '.lock'; #print STDERR "SA bayes lock is $MailScanner::SA::SABayesLock\n"; }; MailScanner::Log::InfoLog("got to here3"); #print STDERR "Bayes lock is at $MailScanner::SA::SABayesLock\n"; # JKF 7/1/2002 Commented out due to it causing false positives # JKF 7/6/2002 Now has a config switch # JKF 12/6/2002 Remember to read the prefs file #if (MailScanner::Config::Value('compilespamassassinonce')) { # Saves me recompiling all the modules every time # Need to delete lock file now or compile_now may never return unlink $MailScanner::SA::SABayesLock; # If they are using MCP at all, then we need to compile SA differently # here due to object clashes within SA. 
if (MailScanner::Config::IsSimpleValue('mcpchecks') && !MailScanner::Config::Value('mcpchecks')) { # They are definitely not using MCP $MailScanner::SA::SAspamtest->compile_now(); } else { # They are possibly using MCP somewhere # Next line should have a 0 parameter in it #$MailScanner::SA::SAspamtest->compile_now(0); $MailScanner::SA::SAspamtest->read_scoreonly_config($prefs); } #print STDERR "In initialise, spam report is \"" . # $MailScanner::SA::SAspamtest->{conf}->{report_template} . "\"\n"; #JKF$MailScanner::SA::SAspamtest->compile_now(); # Apparently this doesn't do anything after compile_now() #$MailScanner::SA::SAspamtest->read_scoreonly_config($prefs); } MailScanner::Log::InfoLog("got to here4"); # Turn off warnings again, as SpamAssassin switches them on $^W = 0; MailScanner::Log::InfoLog("got to here5"); } # Set all the cache expiry timings from the cachetiming conf option sub SetCacheTimes { my $line = MailScanner::Config::Value('cachetiming'); $line =~ s/^\D+//; return unless $line; my @numbers = split /\D+/, $line; return unless @numbers; $HamCacheLife = $numbers[0] if $numbers[0]; $SpamCacheLife = $numbers[1] if $numbers[1]; $HighSpamCacheLife = $numbers[2] if $numbers[2]; $VirusesCacheLife = $numbers[3] if $numbers[3]; $ExpireFrequency = $numbers[4] if $numbers[4]; #print STDERR "Timings are \"" . join(' ',@numbers) . "\"\n"; } # Constructor. sub new { my $type = shift; my $this = {}; bless $this, $type; return $this; } # Do the SpamAssassin checks on the passed in message sub Checks { my $message = shift; # If they never actually installed SpamAssassin, then just bail out quietly. return (0,0,"",0,"") unless $SpamAssassinInstalled; my($dfhandle); my($dfilename, $dfile, @WholeMessage, $SAResult, $SAHitList); my($HighScoring, $SAScore, $maxsize, $SAReport, $GSHits); my $GotFromCache = undef; # Did the result come from the cache? 
$GSHits = $message->{gshits} || 0.0; # Bail out and fake a miss if too many consecutive SA checks failed my $maxfailures = MailScanner::Config::Value('maxspamassassintimeouts'); # If we get maxfailures consecutive timeouts, then disable the # SpamAssassin RBL checks in an attempt to get it working again. # If it continues to time out for another maxfailures consecutive # attempts, then disable it completely. if ($maxfailures>0) { if ($SAsuccessqsum>=2*$maxfailures) { return (0,0, sprintf(MailScanner::Config::LanguageValue($message,'sadisabled'), 2*$maxfailures), 0); } elsif ($SAsuccessqsum>$maxfailures) { $MailScanner::SA::SAspamtest->{conf}->{local_tests_only} = 1; } elsif ($SAsuccessqsum==$maxfailures) { $MailScanner::SA::SAspamtest->{conf}->{local_tests_only} = 1; MailScanner::Log::WarnLog("Disabling SpamAssassin network checks"); } } # If the Bayes rebuild is in progress, then either wait for it to # complete, or just bail out as we are busy. # Get a shared lock on the bayes rebuild lock file. # If we don't want to wait for it, then do a non-blocking call and # just return if it couldn't be locked. my $BayesIsLocked = 0; my($RebuildLockH, $Lockopen); if ($MailScanner::SA::DoingBayesRebuilds) { # If the lock file exists at all, do not try to get a lock on it. # Shared locks are handed out even when someone else is trying to # get an exclusive lock, so long as at least 1 other shared lock # already exists. if (-e $MailScanner::SA::BayesRebuildStartLock) { # Do we wait for Bayes rebuild to occur? if ($MailScanner::SA::WaitForRebuild) { $0 = 'MailScanner: waiting for Bayes rebuild'; # Wait quietly for the file to disappear # This must not take more than 1 hour or we are in trouble! 
        #MailScanner::Log::WarnLog("Waiting for rebuild start request to disappear");
        my $waiter = 0;
        for ($waiter = 0;
             $waiter<3600 && -e $MailScanner::SA::BayesRebuildStartLock;
             $waiter+=10) {
          sleep 10;
          #MailScanner::Log::WarnLog("Waiting for start request to disappear");
        }
        # Did it take too long?
        unlink $MailScanner::SA::BayesRebuildStartLock if $waiter>=3590;
        #MailScanner::Log::WarnLog("Start request has disappeared");
        $0 = 'MailScanner: checking with SpamAssassin';
      } else {
        # Return saying we are skipping SpamAssassin this time
        return (0,0, 'SpamAssassin rebuilding', 0);
      }
    }

    $Lockopen = 0;
    $RebuildLockH = new FileHandle;

    if (open($RebuildLockH, "+>" . $MailScanner::SA::BayesRebuildLock)) {
      print $RebuildLockH "SpamAssassin Bayes database locked for use by " .
        "MailScanner $$\n";
      #MailScanner::Log::InfoLog("Bayes lock is $RebuildLockH");
      #MailScanner::Log::InfoLog("Bayes lock is read-write");
      $Lockopen = 1;
      #The lock file already exists, so just open for reading
    } elsif (open($RebuildLockH, $MailScanner::SA::BayesRebuildLock)) {
      #MailScanner::Log::InfoLog("Bayes lock is $RebuildLockH");
      #MailScanner::Log::InfoLog("Bayes lock is read-only");
      $Lockopen = 1;
    } else {
      # Could not open the file at all
      $Lockopen = 0;
      MailScanner::Log::WarnLog("Could not open Bayes rebuild lock file %s, %s",
        $MailScanner::SA::BayesRebuildLock, $!);
    }

    if ($Lockopen) {
      #MailScanner::Log::InfoLog("Bayes lock is open");
      if ($MailScanner::SA::WaitForRebuild) {
        # Do a normal lock and wait for it
        flock($RebuildLockH, $LOCK_SH) or
          MailScanner::Log::WarnLog("At start of SA checks could not get " .
            "shared lock on %s, %s", $MailScanner::SA::BayesRebuildLock, $!);
        $BayesIsLocked = 1;
      } else {
        #MailScanner::Log::InfoLog("Bayes lock2 is %s", $RebuildLockH);
        if (flock($RebuildLockH, ($LOCK_SH | $LOCK_NB))) {
          #MailScanner::Log::InfoLog("Got non-blocking shared lock on Bayes lock");
          $BayesIsLocked = 1;
        } else {
          #MailScanner::Log::InfoLog("Skipping Bayes due to %s", $!);
          $RebuildLockH->close();
          #MailScanner::Log::InfoLog("Skipping SpamAssassin while waiting for Bayes database to rebuild");
          return (0,0, 'SpamAssassin rebuilding', 0);
        }
      }
    } else {
      MailScanner::Log::WarnLog("At start of SA checks could not open %s, %s",
        $MailScanner::SA::BayesRebuildLock, $!);
    }
  }

  $maxsize = MailScanner::Config::Value('maxspamassassinsize');

  # Construct the array of lines of the header and body of the message
  # JKF 30/1/2002 Don't chop off the line endings. Thanks to Andreas Piper
  # for this.
  # For SpamAssassin 3 we add the "EnvelopeFrom" header to make SPF work
  my $fromheader = MailScanner::Config::Value('envfromheader', $message);
  $fromheader =~ s/:$//;

  # Build a list of all the headers, so we can remove any $fromheader that
  # is already in there.
  my @SAheaders = $global::MS->{mta}->OriginalMsgHeaders($message, "\n");
  @SAheaders = grep !/^$fromheader\:/i, @SAheaders;
  @SAheaders = grep !/^\s*$/, @SAheaders; # ditch blank lines

  push(@WholeMessage, $fromheader . ': ' . $message->{from} . "\n")
    if $fromheader;

  #push(@WholeMessage, $global::MS->{mta}->OriginalMsgHeaders($message, "\n"));
  push(@WholeMessage, @SAheaders);
  #print STDERR "Headers are : " . join(', ', @WholeMessage) . "\n";

  unless (@WholeMessage) {
    flock($RebuildLockH, $LOCK_UN) if $BayesIsLocked;
    $RebuildLockH->close() if $MailScanner::SA::DoingBayesRebuilds;
    return (0,0, MailScanner::Config::LanguageValue($message, 'sanoheaders'), 0);
  }

  push(@WholeMessage, "\n");

  my(@WholeBody);
  $message->{store}->ReadBody(\@WholeBody, $maxsize);
  push(@WholeMessage, @WholeBody);

  # Work out the MD5 sum of the body
  my($testcache,$md5,$md5digest);
  if ($SQLiteInstalled) {
    $testcache = MailScanner::Config::Value("usesacache",$message);
    $testcache = ($testcache =~ /1/)?1:0;
    $md5 = Digest::MD5->new;
    eval { $md5->add(@WholeBody) };
    if ($@ ne "" || @WholeBody<=1) {
      # The eval failed
      $md5digest = "unknown";
      $testcache = 0;
    } else {
      # The md5->add worked okay, so use the results
      # Get the MD5 digest of the message body
      $md5digest = $md5->hexdigest;
    }
    # Store it for later
    $message->{md5} = $md5digest;
    #print STDERR "MD5 digest is $md5digest\n";
  } else {
    $testcache = 0;
    #print STDERR "Not going to use cache\n";
  }

  # Now construct the SpamAssassin object for version < 3
  my $spammail;
  $spammail = Mail::SpamAssassin::NoMailAudit->new('data'=>\@WholeMessage)
    if $SAversion<3;

  if ($testcache) {
    if (my $cachehash = CheckCache($md5digest)) {
      #print STDERR "Cache hit for " . $message->{id} . "\n";
      MailScanner::Log::InfoLog("SpamAssassin cache hit for message %s", $message->{id});
      # Read the cache result and update the timestamp *****
      ($SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport)
        = ($cachehash->{sasaysspam},
           $cachehash->{sahighscoring},
           uncompress($cachehash->{saheader}),
           $cachehash->{sascore},
           uncompress($cachehash->{salongreport}));
      # Log the fact we got it from the cache. Must not add the "cached"
      # word on the front here or it will be put into the cache itself!
      $GotFromCache = 1;
      #print STDERR "Cache results are $SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport\n";
      # Unlock and close the lockfile
      flock($RebuildLockH, $LOCK_UN) if $MailScanner::SA::DoingBayesRebuilds; # $BayesIsLocked;
      $RebuildLockH->close() if $MailScanner::SA::DoingBayesRebuilds;
    } else {
      # Do the actual SpamAssassin call
      #print STDERR "Cache miss for " . $message->{id} . "\n";

      # Test it for spam-ness
      if ($SAversion<3) {
        ($SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport)
          = SAForkAndTest($GSHits, $MailScanner::SA::SAspamtest,
                          $spammail, $message);
      } else {
        #print STDERR "Check 1, report template = \"" .
        # $MailScanner::SA::SAspamtest->{conf}->{report_template} . "\"\n";
        ($SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport)
          = SAForkAndTest($GSHits, $MailScanner::SA::SAspamtest,
                          \@WholeMessage, $message);
      }
      # Log the fact we didn't get it from the cache. Must not add the
      # "not cached" word on the front here or it will be put into the
      # cache itself!
      $GotFromCache = 0;
      #MailScanner::Log::WarnLog("Done SAForkAndTest");
      #print STDERR "SAResult = $SAResult\nHighScoring = $HighScoring\n" .
      # "SAHitList = $SAHitList\n";
      # Write the record to the cache *****
      CacheResult($md5digest, $SAResult, $HighScoring, compress($SAHitList), $SAScore, compress($SAReport));
      # Unlock and close the lockfile
      flock($RebuildLockH, $LOCK_UN) if $MailScanner::SA::DoingBayesRebuilds; # $BayesIsLocked;
      $RebuildLockH->close() if $MailScanner::SA::DoingBayesRebuilds;
    }
    # Add the cached / not cached tag to $SAHitList if appropriate
    if (defined($GotFromCache)) {
      if ($GotFromCache) {
        $SAHitList = MailScanner::Config::LanguageValue($message, 'cached')
                     . ', ' . $SAHitList;
      } else {
        $SAHitList = MailScanner::Config::LanguageValue($message, 'notcached')
                     . ', ' . $SAHitList;
      }
    }
  } else {
    # No cache here

    # Test it for spam-ness
    if ($SAversion<3) {
      ($SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport)
        = SAForkAndTest($GSHits, $MailScanner::SA::SAspamtest,
                        $spammail, $message);
    } else {
      #print STDERR "Check 1, report template = \"" .
      # $MailScanner::SA::SAspamtest->{conf}->{report_template} . "\"\n";
      ($SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport)
        = SAForkAndTest($GSHits, $MailScanner::SA::SAspamtest,
                        \@WholeMessage, $message);
    }
    #MailScanner::Log::WarnLog("Done SAForkAndTest");
    #print STDERR "SAResult = $SAResult\nHighScoring = $HighScoring\n" .
    # "SAHitList = $SAHitList\n";
    # Unlock and close the lockfile
    flock($RebuildLockH, $LOCK_UN) if $MailScanner::SA::DoingBayesRebuilds; # $BayesIsLocked;
    $RebuildLockH->close() if $MailScanner::SA::DoingBayesRebuilds;
  }

  return ($SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport);
}

# Look up the passed MD5 in the cache database and return true/false
sub CheckCache {
  my $md5 = shift;

  my($sql, $sth);

  $sql = "SELECT md5, count, last, first, sasaysspam, sahighscoring, sascore, saheader, salongreport FROM cache WHERE md5=?";
  my $hash = $MailScanner::SA::cachedbh->selectrow_hashref($sql,undef,$md5);

  if (defined($hash)) {
    # Cache hit!
    #print STDERR "Cache hit $hash!\n";
    # Update the counter and timestamp
    $sql = "UPDATE cache SET count=count+1, last=strftime('%s','now') WHERE md5=?";
    $sth = $MailScanner::SA::cachedbh->prepare($sql);
    $sth->execute($md5);
    return $hash;
  } else {
    # Cache miss... we'll create the cache record after SpamAssassin has run.
    #print STDERR "Cache miss!\n";
    return undef;
  }
}

# Check to see if the cache should have an expiry run done, do it if so.
sub CheckForCacheExpire {
  # Check to see if a cache expiry run is needed
  CacheExpire() if $NextCacheExpire<=time;
  # NextCacheExpire is updated by CacheExpire() so not needed here.
}

sub CacheResult {
  my ($md5, $SAResult, $HighScoring, $SAHitList, $SAScore, $SAReport) = @_;

  my $dbh = $MailScanner::SA::cachedbh;

  #print STDERR "dbh is $dbh and cachedbh is $MailScanner::SA::cachedbh\n";

  my $sql = "INSERT INTO cache (md5, count, last, first, sasaysspam, sahighscoring, sascore, saheader, salongreport) VALUES (?,?,?,?,?,?,?,?,?)";
  my $sth = $dbh->prepare($sql);
  #print STDERR "$sth, $@\n";
  my $now = time;
  $sth->execute($md5,1,$now,$now,
                $SAResult, $HighScoring, $SAScore, $SAHitList, $SAReport);
}

# Expire records from the cache database
sub CacheExpire {
  my $expire1 = shift || $HamCacheLife; # non-spam
  my $expire2 = shift || $SpamCacheLife; # low-scoring spam
  my $expire3 = shift || $HighSpamCacheLife; # everything else except viruses
  my $expire4 = shift || $VirusesCacheLife; # viruses

  return unless $SQLiteInstalled;

  my $sth = $MailScanner::SA::cachedbh->prepare("
    DELETE FROM cache WHERE (
    (sasaysspam=0 AND virusinfected<1 AND first<=(strftime('%s','now')-?)) OR
    (sasaysspam>0 AND sahighscoring=0 AND virusinfected<1 AND first<=(strftime('%s','now')-?)) OR
    (sasaysspam>0 AND sahighscoring>0 AND virusinfected<1 AND last<=(strftime('%s','now')-?)) OR
    (virusinfected>=1 AND last<=(strftime('%s','now')-?))
    )");
  MailScanner::Log::DieLog("Database complained about this: %s. I suggest you delete your %s file and let me re-create it for you", $DBI::errstr, MailScanner::Config::Value("sacache")) unless $sth;
  my $rows = $sth->execute($expire1, $expire2, $expire3, $expire4);
  $sth->finish;

  MailScanner::Log::InfoLog("Expired %s records from the SpamAssassin cache", $rows) if $rows>0;

  # This is when we should do our next cache expiry (20 minutes from now)
  $NextCacheExpire = time + $ExpireFrequency;
}

# Add the virus information to the cache entry so we can keep infected
# attachment details a lot longer than normal spam.
sub AddVirusStats {
  my($message) = @_;
  #my $virus;
  return unless $message;

  return unless $SQLiteInstalled &&
                MailScanner::Config::Value("usesacache",$message) =~ /1/;

  my $sth = $MailScanner::SA::cachedbh->prepare('UPDATE cache SET virusinfected=? WHERE md5=?');
  ## Also print 1 line for each report about this message. These lines
  ## contain all the info above, + the attachment filename and text of
  ## each report.
  #my($file, $text, @report_array);
  #while(($file, $text) = each %{$message->{allreports}}) {
  # $file = "the entire message" if $file eq "";
  # # Use the sanitised filename to avoid problems caused by people forcing
  # # logging of attachment filenames which contain nasty SQL instructions.
  # $file = $message->{file2safefile}{$file} or $file;
  # $text =~ s/\n/ /; # Make sure text report only contains 1 line
  # $text =~ s/\t/ /; # and no tab characters
  # push (@report_array, $text);
  #}
  #
  #my $reports = join(",",@report_array);
  ## This regexp only works for clamav
  #if ($reports =~ /(.+) contains (\S+)/) { $virus = $2; }
  $sth->execute($message->{virusinfected},
                $message->{md5}) or MailScanner::Log::WarnLog($DBI::errstr);
}

# Fork and test with SpamAssassin. This implements a timeout on the execution
# of the SpamAssassin checks, which occasionally take a *very* long time to
# terminate due to regular expression backtracking and other nasties.
sub SAForkAndTest {
  my($GSHits, $Test, $Mail, $Message) = @_;

  my($pipe);
  my($SAHitList, $SAHits, $SAReqHits, $IsItSpam, $IsItHighScore, $AutoLearn);
  my($HighScoreVal, $pid2delete, $IncludeScores, $SAReport, $queuelength);
  my $PipeReturn = 0;

  #print STDERR "Check 2, is \"" . $Test->{conf}->{report_template} . "\"\n";

  $IncludeScores = MailScanner::Config::Value('listsascores', $Message);
  $queuelength = MailScanner::Config::Value('satimeoutlen', $Message);

  $pipe = new IO::Pipe
    or MailScanner::Log::DieLog('Failed to create pipe, %s, try reducing ' .
      'the maximum number of unscanned messages per batch', $!);
  #$readerfh = new FileHandle;
  #$writerfh = new FileHandle;
  #($readerfh, $writerfh) = FileHandle::pipe;

  my $pid = fork();
  die "Can't fork: $!" unless defined($pid);

  if ($pid == 0) {
    # In the child
    my($spamness, $SAResult, $HitList, @HitNames, $Hit);
    $pipe->writer();
    #close($readerfh);
    #POSIX::setsid();
    #select($writerfh);
    #$| = 1; # Line buffering, not block buffering
    $pipe->autoflush();
    # Do the actual tests and work out the integer result
    if ($SAversion<3) {
      $spamness = $Test->check($Mail);
    } else {
      my $mail = $Test->parse($Mail, 1);
      $spamness = $Test->check($mail);
    }
    print $pipe ($SAversion<3?$spamness->get_hits():$spamness->get_score()) . "\n";
    $HitList = $spamness->get_names_of_tests_hit();
    if ($IncludeScores) {
      @HitNames = split(/\s*,\s*/, $HitList);
      $HitList = "";
      foreach $Hit (@HitNames) {
        $HitList .= ($HitList?', ':'') . $Hit . ' ' .
                    sprintf("%1.2f", $spamness->{conf}->{scores}->{$Hit});
      }
    }
    # Get the autolearn status
    if ($SAversion<3) {
      # Old code
      if (!defined $spamness->{auto_learn_status}) {
        $AutoLearn = "no";
      } elsif ($spamness->{auto_learn_status}) {
        $AutoLearn = "spam";
      } else {
        $AutoLearn = "not spam";
      }
    } else {
      # New code
      $spamness->learn();
      $AutoLearn = $spamness->{auto_learn_status};
      $AutoLearn = 'no' if $AutoLearn eq 'failed' || $AutoLearn eq "";
      $AutoLearn = 'not spam' if $AutoLearn eq 'ham';
    }
    #if (!defined $spamness->{auto_learn_status} || $spamness->{auto_learn_status} eq 'no') {
    # $AutoLearn = "no";
    #} elsif ($spamness->{auto_learn_status}) {
    # $AutoLearn = "spam";
    #} else {
    # $AutoLearn = "not spam";
    #}
    #sleep 30 if rand(3)>=2.0;
    print $pipe $AutoLearn . "\n";
    print $pipe $HitList . "\n";
    # JKF New code here to print out the full spam report
    $HitList = $spamness->get_report();
    $HitList =~ tr/\n/\0/;
    print $pipe $HitList . "\n";
    $spamness->finish();
    $pipe->close();
    $pipe = undef;
    exit 0; # $SAResult;
  }

  eval {
    $pipe->reader();
    local $SIG{ALRM} = sub { die "Command Timed Out" };
    alarm MailScanner::Config::Value('spamassassintimeout');
    $SAHits = <$pipe>;
    #print STDERR "Read SAHits = $SAHits " . scalar(localtime) . "\n";
    $AutoLearn = <$pipe>;
    $SAHitList = <$pipe>;
    $SAReport = <$pipe>;
    #print STDERR "Read SAHitList = $SAHitList " . scalar(localtime) . "\n";
    # Not sure if next 2 lines should be this way round...
    waitpid $pid, 0;
    $pipe->close();
    $PipeReturn = $?;
    alarm 0;
    $pid = 0;
    chomp $SAHits;
    chomp $AutoLearn;
    chomp $SAHitList;
    $SAHits = $SAHits + 0.0;
    #$safailures = 0; # This was successful so zero counter
    # We got a result so store a success
    push @SAsuccessqueue, 0;
    # Roll the queue along one
    $SAsuccessqsum += (shift @SAsuccessqueue)?1:-1
      if @SAsuccessqueue>$queuelength;
    #print STDERR "Success: sum = $SAsuccessqsum\n";
    $SAsuccessqsum = 0 if $SAsuccessqsum<0;
  };
  alarm 0;
  # Workaround for bug in perl shipped with Solaris 9,
  # it doesn't unblock the SIGALRM after handling it.
  eval {
    my $unblockset = POSIX::SigSet->new(SIGALRM);
    sigprocmask(SIG_UNBLOCK, $unblockset)
      or die "Could not unblock alarm: $!\n";
  };

  # Construct the hit-list including the score we got.
  my($longHitList);
  $SAReqHits = MailScanner::Config::Value('reqspamassassinscore',$Message)+0.0;
  $longHitList = MailScanner::Config::LanguageValue($Message, 'score') . '=' .
                 ($SAHits+0.0) . ', ' .
                 MailScanner::Config::LanguageValue($Message, 'required') .' ' .
                 $SAReqHits;
  $longHitList .= ", autolearn=$AutoLearn" unless $AutoLearn eq 'no';
  $longHitList .= ", $SAHitList" if $SAHitList;
  $SAHitList = $longHitList;

  # Note to self: I only close the KID in the parent, not in the child.

  # Catch failures other than the alarm
  MailScanner::Log::DieLog("SpamAssassin failed with real error: $@")
    if $@ and $@ !~ /Command Timed Out/;

  # In which case any failures must be the alarm
  #if ($@ or $pid>0) {
  if ($pid>0) {
    $pid2delete = $pid;
    my $maxfailures = MailScanner::Config::Value('maxspamassassintimeouts');
    # Increment the "consecutive" counter
    #$safailures++;
    if ($maxfailures>0) {
      # We got a failure
      push @SAsuccessqueue, 1;
      $SAsuccessqsum++;
      # Roll the queue along one
      $SAsuccessqsum += (shift @SAsuccessqueue)?1:-1
        if @SAsuccessqueue>$queuelength;
      #print STDERR "Failure: sum = $SAsuccessqsum\n";
      $SAsuccessqsum = 0 if $SAsuccessqsum<0;

      if ($SAsuccessqsum>$maxfailures && @SAsuccessqueue>=$queuelength) {
        MailScanner::Log::WarnLog("SpamAssassin timed out (with no network" .
          " checks) and was killed, failure %d of %d",
          $SAsuccessqsum, $maxfailures*2);
      } else {
        MailScanner::Log::WarnLog("SpamAssassin timed out and was killed, " .
          "failure %d of %d", $SAsuccessqsum, $maxfailures);
      }
    } else {
      MailScanner::Log::WarnLog("SpamAssassin timed out and was killed");
    }

    # Make the report say SA was killed
    $SAHitList = MailScanner::Config::LanguageValue($Message, 'satimedout');
    $SAHits = 0;

    # Kill the running child process
    my($i);
    kill 15, $pid; # Was -15
    # Wait for up to 10 seconds for it to die
    for ($i=0; $i<5; $i++) {
      sleep 1;
      waitpid($pid, &POSIX::WNOHANG);
      ($pid=0),last unless kill(0, $pid);
      kill 15, $pid; # Was -15
    }
    # And if it didn't respond to 11 nice kills, we kill -9 it
    if ($pid) {
      kill 9, $pid; # Was -9
      waitpid $pid, 0; # 2.53
    }

    # As the child process must now be dead, remove the Bayes database
    # lock file if it exists. Only delete the lock file if it mentions
    # $pid2delete in its contents.
    if ($pid2delete && $MailScanner::SA::SABayesLock) {
      my $lockfh = new FileHandle;
      if ($lockfh->open($MailScanner::SA::SABayesLock)) {
        my $line = $lockfh->getline();
        chomp $line;
        $line =~ /(\d+)$/;
        my $pidinlock = $1;
        if ($pidinlock =~ /$pid2delete/) {
          unlink $MailScanner::SA::SABayesLock;
          MailScanner::Log::InfoLog("Delete bayes lockfile for %s",$pid2delete);
        }
        $lockfh->close();
      }
    }
    #unlink $MailScanner::SA::SABayesLock if $MailScanner::SA::SABayesLock;
  }
  #MailScanner::Log::WarnLog("8 PID is $pid");

  # SpamAssassin is known to play with the umask
  umask 0077; # Safety net

  # The return from the pipe is a measure of how spammy it was
  MailScanner::Log::DebugLog("SpamAssassin returned $PipeReturn");

  #$PipeReturn = $PipeReturn>>8;
  if ($SAHits && ($SAHits+$GSHits>=$SAReqHits)) {
    $IsItSpam = 1;
  } else {
    $IsItSpam = 0;
  }
  $HighScoreVal = MailScanner::Config::Value('highspamassassinscore',$Message);
  if ($SAHits && $HighScoreVal>0 && ($SAHits+$GSHits>=$HighScoreVal)) {
    $IsItHighScore = 1;
  } else {
    $IsItHighScore = 0;
  }
  #print STDERR "Check 3, is \"" . $Test->{conf}->{report_template} . "\"\n";
  return ($IsItSpam, $IsItHighScore, $SAHitList, $SAHits, $SAReport);
}

sub SATest {
  my($GSHits, $Test, $Mail, $Message) = @_;

  my($SAHitList, $SAHits, $SAReqHits, $IsItSpam, $IsItHighScore, $AutoLearn);
  my($HighScoreVal, $pid2delete, $IncludeScores, $SAReport, $queuelength);
  my $PipeReturn = 0;

  $IncludeScores = MailScanner::Config::Value('listsascores', $Message);
  $queuelength = MailScanner::Config::Value('satimeoutlen', $Message);

  my($spamness, $SAResult, $HitList, @HitNames, $Hit);

  # Do the actual tests and work out the integer result
  if ($SAversion<3) {
    $spamness = $Test->check($Mail);
  } else {
    my $mail = $Test->parse($Mail, 1);
    $spamness = $Test->check($mail);
  }

  # 1st output is get_hits or get_score \n
  $SAHits = ($SAversion<3?$spamness->get_hits():$spamness->get_score()) + 0.0;
  $HitList = $spamness->get_names_of_tests_hit();
  if ($IncludeScores) {
    @HitNames = split(/\s*,\s*/, $HitList);
    $HitList = "";
    foreach $Hit (@HitNames) {
      $HitList .= ($HitList?', ':'') . $Hit . ' ' .
                  sprintf("%1.2f", $spamness->{conf}->{scores}->{$Hit});
    }
  }

  # Get the autolearn status
  if ($SAversion<3) {
    # Old code
    if (!defined $spamness->{auto_learn_status}) {
      $AutoLearn = "no";
    } elsif ($spamness->{auto_learn_status}) {
      $AutoLearn = "spam";
    } else {
      $AutoLearn = "not spam";
    }
  } else {
    # New code
    $spamness->learn();
    $AutoLearn = $spamness->{auto_learn_status};
    $AutoLearn = 'no' if $AutoLearn eq 'failed' || $AutoLearn eq "";
    $AutoLearn = 'not spam' if $AutoLearn eq 'ham';
  }

  # 3rd output is $HitList \n
  $SAHitList = $HitList;

  # JKF New code here to print out the full spam report
  $HitList = $spamness->get_report();
  $HitList =~ tr/\n/\0/;
  # 4th output is $HitList \n which is now full spam report
  $SAReport = $HitList . "\n";
  $spamness->finish();

  #print STDERR "Read SAHits = $SAHits " . scalar(localtime) . "\n";

  # Construct the hit-list including the score we got.
  my($longHitList);
  $SAReqHits = MailScanner::Config::Value('reqspamassassinscore',$Message)+0.0;
  $longHitList = MailScanner::Config::LanguageValue($Message, 'score') . '=' .
                 ($SAHits+0.0) . ', ' .
                 MailScanner::Config::LanguageValue($Message, 'required') .' ' .
                 $SAReqHits;
  $longHitList .= ", autolearn=$AutoLearn" unless $AutoLearn eq 'no';
  $longHitList .= ", $SAHitList" if $SAHitList;
  $SAHitList = $longHitList;

  # SpamAssassin is known to play with the umask
  umask 0077; # Safety net

  if ($SAHits && ($SAHits+$GSHits>=$SAReqHits)) {
    $IsItSpam = 1;
  } else {
    $IsItSpam = 0;
  }
  $HighScoreVal = MailScanner::Config::Value('highspamassassinscore',$Message);
  if ($SAHits && $HighScoreVal>0 && ($SAHits+$GSHits>=$HighScoreVal)) {
    $IsItHighScore = 1;
  } else {
    $IsItHighScore = 0;
  }
  return ($IsItSpam, $IsItHighScore, $SAHitList, $SAHits, $SAReport);
}

1;

From jaearick at colby.edu Fri Aug 11 21:15:59 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Fri Aug 11 21:18:50 2006
Subject: nasty bug in SA.pm (I think)
In-Reply-To:
References:
Message-ID:

Julian,

More input (late on a Friday afternoon)... I can't find the closing
bracket for "sub SAForkAndTest {" (line 722) either. I notice another
commented-out if at line whose curly bracket marries up with the
closing bracket for SAForkAndTest at line 955. Methinks that multiple
commented-out if brackets hid this bug well....

Jeff Earickson
Colby College

On Fri, 11 Aug 2006, Jeff A. Earickson wrote:

> Date: Fri, 11 Aug 2006 16:00:53 -0400 (EDT)
> From: Jeff A. Earickson
> Reply-To: MailScanner discussion
> To: mailscanner mailing list
> Subject: nasty bug in SA.pm (I think)
>
> Julian,
>
> I've been intermittently chasing this bug for several releases now,
> and I think that I may have it cornered. The problem: if I start
> MS with my /etc/init.d script, MS just loops and does nothing. If
> I start it via /opt/MailScanner/bin/check_mailscanner from cron,
> MailScanner works.
>
> The syslog output for a loop up looks like:
>
> MailScanner[25980]: MailScanner E-Mail Virus Scanner version 4.55.10
> starting...
> MailScanner[25980]: Read 748 hostnames from the phishing whitelist
> MailScanner[25980]: Config: calling custom init function IPBlock
> MailScanner[25980]: Initialising IP blocking
> MailScanner[25980]: Read 128 IP blocking entries from
> /etc/MailScanner/IPBlock.conf
> MailScanner[25980]: Using SpamAssassin results cache
> MailScanner[25980]: Connected to SpamAssassin cache database
> (repeat ad nauseam)
>
> So I started putting in info syslog messages into lib/MailScanner/SA.pm
> after the "cache database" message to trace what happened. Attached
> is my modified version of SA.pm. I never get anything after the info
> msg "got to here3".
>
> So I stared at SA.pm. You commented out line 287:
>
> #if (MailScanner::Config::Value('compilespamassassinonce')) {
>
> at some point, which commented out half of a curly-bracket block.
> I can't find where the right curly-bracket for this line is, and I
> think something is mis-aligned here.
>
> Using the power feature of vi whereby you put the cursor over a
> bracket, paren, etc and then hit "%", I don't find the closing curly bracket
> for line 72 ("sub initialise {"). This routine seems
> mangled and I think this is the root cause of the loop-up bug.
> But I can't figure out where the closing bracket for line 287 might be.
> Have I found this loopup bug in the mangled bracketing of initialise???
>
> Jeff Earickson
> Colby College

From jgolden at ci.grand-rapids.mi.us Fri Aug 11 21:25:05 2006
From: jgolden at ci.grand-rapids.mi.us (Golden, James)
Date: Fri Aug 11 21:25:40 2006
Subject: [SOLVED] Retreiving attachments
In-Reply-To: <96B97733-3A62-4EA1-B891-89CC62240015@ecs.soton.ac.uk>
References: <31495172.1155092215238.JavaMail.root@dash.grand-rapids.mi.us>
Message-ID: <1155327906.8023.1.camel@doit-b8wsw21.grand-rapids.mi.us>

It wasn't my decision.
I work on contract, and it was the employer's decision.

On Wed, 2006-08-09 at 09:11 +0100, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If you like MailScanner that much, why are you going to deploy those
> Barracudas?
> A commercial setup of MailScanner (such as DefenderMX from
> www.fsl.com) will outperform Barracudas and is considerably cheaper.
> There is a detailed feature and price comparison on www.fsl.com.
>
> On 9 Aug 2006, at 03:56, Golden, James wrote:
>
> > Sorry for being so stupid. After looking through it again, I see
> > what you were doing. 4 hours sleep a night catches up with you
> > after awhile.
> >
> > Thanks for all the help.
> >
> > We will be implementing the Barracuda's appliances here in the next
> > 5 weeks or so, that is why I am trying to "skate" by with this
> > setup for now. I figure what I am learning here will still help
> > out when we move to those appliances.
> >
> > Although I have to say with the exception of the file attachment
> > thing, since I upgraded and setup everything correctly (I think)
> > everyone has been noticing the difference here! In fact the guy
> > who handles the antivirus wasn't too happy with me, because now
> > more viruses are being caught as spam first. Our virus numbers in
> > email went from 200 - 300 a day to 1 - 10!
> >
> > Thanks all (Julian?!) for this fantastic software combination!. It
> > ROCKS!
> >
> > Thanks all who have helped with replies (especially Stephen), and
> > have put up with me!
> >
> > James Golden
> >
> >
> >
> > ----- Original Message -----
> > From: mailscanner-bounces@lists.mailscanner.info on behalf of
> > Stephen Swaney
> > Sent: Tue, 8/8/2006 10:55am
> > To: 'MailScanner discussion'
> > Subject: RE: Retreiving attachments
> >
> >
> >> -----Original Message-----
> >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> >> bounces@lists.mailscanner.info] On Behalf Of Rob Morin
> >> Sent: Tuesday, August 08, 2006 9:35 AM
> >> To: MailScanner discussion
> >> Subject: Re: Retreiving attachments
> >>
> >> On another note, has anyone come up with a way to retrieve
> >> quarantined
> >> attachments without the intervention of the sys admin? Meaning the
> >> end
> >> user can get them themselves?
> >>
> >> I thought I heard a while back of some app to do this?
> >>
> >> Have a good one!
> >>
> >> Rob Morin
> >> Dido InterNet Inc.
> >> Montreal, Canada
> >> Http://www.dido.ca
> >> 514-990-4444
> >>
> >>
> >>
> >> Golden, James wrote:
> >>> Thanks for the answer. Sorry for the long delay in the thanks
> >>> departments.
> >>>
> >>> One more question here,
> >>>
> >>> Can I put more than one rules file in the Mailscanner.conf.
> >>> Currently
> >>> I am pointing to a ruleset already.
> >>>
> >>> Currently mine looks like this
> >>>
> >>> Filename Rules = %etc-dir%/filename.rules.conf
> >>>
> >>> so would it look like this?
> >>>
> >>> Filename Rules = %rules-dir%/filename.rules %etc-
> >> dir%/filename.rules.conf
> >>>
> >>> Or would I need to combine the .rules file into the .conf file
> >>>
> >>> Thanks for the help.
> >>>
> >>> James
> >>>
> >>>
> >>>
> >>> On Fri, 2006-08-04 at 17:50 -0400, Stephen Swaney wrote:
> >>>>> -----Original Message-----
> >>>>> From: mailscanner-bounces@lists.mailscanner.info
> >>>>> >> bounces@lists.mailscanner.info> [mailto:mailscanner-
> >>>>> bounces@lists.mailscanner.info
> >> ] On Behalf Of Golden, James
> >>>>> Sent: Friday, August 04, 2006 5:10 PM
> >>>>> To: MailScanner discussion
> >>>>> Subject: Re: Retreiving attachments
> >>>>>
> >>>>> The attachments seem to be .doc or .xls or others and the client
> >> always
> >>>>> seems to be Outlook.
> >>>>>
> >>>>> On Fri, 2006-08-04 at 16:38 -0400, Golden, James wrote:
> >>>>>
> >>>>>
> >>>>> Hello,
> >>>>>
> >>>>> I've have been wasting my whole day trying to figure out
> >>>>> how to do
> >>>>> this. Can anyone could help besides telling me to install
> >>>>> Mailwatch
> >>>>> (because it's not an option right now).
> >>>>>
> >>>>> I have messages that are being snagged by MailScanner
> >>>>> because the
> >>>>> attachment is too large. When I go to the directory the
> >>>>> attachment
> >> is in
> >>>>> binary in the message.
> >>>>>
> >>>>> I tried using a sendmail -t < message, but of course it
> >>>>> gets snagged
> >>>>> again by MS. Is there an option I'm missing to store the
> >>>>> attachments
> >>>>> separately from the message, is there a way to send this on
> >>>>> without
> >> it
> >>>>> being scanned? Is there a way to get the attachment out of the
> >> message?
> >>>>>
> >>>>> I need help soon as this is becoming a large issue today
> >>>>> (about 6
> >>>>> end users) and my boss is hearing about it!
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> James
> >>>>
> >>>> You need to create a rule sets that exempt the localhost from
> >> attachment
> >>>> filename and filetype checking. If you have a Red Hat, CentOS or
> >>>> SuSE
> >>>> system, the following paths will be correct. They will vary on
> >>>> other
> >> systems
> >>>> but the same principles will work.
> >>>>
> >>>> First create two files:
> >>>>
> >>>> /etc/MailScanner/filename.rules.allowall.conf
> >>>> /etc/MailScanner/filetype.rules.allowall.conf
> >>>>
> >>>> The contents of each file will be identical:
> >>>>
> >>>> allow *. - -
> >>>>
> >>>> The spaces MUST be Tabs so the contents of both files is really:
> >>>>
> >>>> allow*.->Tab>-
> >>>>
> >>>> Then create the file /etc/MailScanner/rules/filename.rules. The
> >> contents of
> >>>> this file should be:
> >>>>
> >>>> # Allow all filenames from localhost
> >>>> From: 127.0.0.0 /etc/MailScanner/filename.rules.allowall.conf
> >>>> # Default entry
> >>>> FromOrTo: default /etc/MailScanner/
> >>>> filename.rules.conf
> >>>>
> >>>> Then create the file /etc/MailScanner/rules/filetype.rules. The
> >> contents of
> >>>> this file should be:
> >>>>
> >>>> # Allow all filetypes from localhost
> >>>> From: 127.0.0.0 /etc/MailScanner/filetype.rules.allowall.conf
> >>>> # Default entry
> >>>> FromOrTo: default /etc/MailScanner/
> >>>> filetype.rules.conf
> >>>>
> >>>> Then edit /etc/MailScanner.conf to call the new rulesets. Change
> >>>> the
> >> setting
> >>>> for Filename Rules to be:
> >>>>
> >>>> Filename Rules = %rules-dir%/filename.rules
> >>>>
> >>>> And change the setting for Filetype Rules to be:
> >>>>
> >>>> Filetype Rules = %rules-dir%/filetype.rules
> >>>>
> >>>> Then reload MailScanner.
> >>>>
> >>>> You should now be able to release the files using the `sendmail -
> >>>> t <
> >>>> message` command without MailScanner re-quarantining the files.
> >>>>
> >>>> Have a nice weekend.
> >>>>
> >>>> Steve
> >>>> Stephen Swaney
> >>>> Fort Systems Ltd.
> >>>> stephen.swaney@fsl.com
> >>>> www.fsl.com
> >
> > Open Source: MailWatch for MailScanner mailwatch.sourceforge.net
> > Commercial (based on MailScanner and MailWatch) DefenderMX www.fsl.com
> >
> > Please contact me off list for more information about either.
> >
> > Thanks,
> >
> > Steve
> >
> > Stephen Swaney
> > Fort Systems Ltd.
> > stephen.swaney@fsl.com
> > www.fsl.com
> >
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
>
> - --
> Julian Field
> MailScanner@ecs.soton.ac.uk
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP SDK 3.7.0
> Charset: US-ASCII
>
> wj8DBQFE2ZjAEfZZRxQVtlQRAtbQAKDSbEKggJwSMy75sFjxi8pPr2PYGgCaA0pu
> A+YoIVWhhVgszzkXQPHrq+A=
> =7c6C
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> MailScanner thanks transtec Computers for their support.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20060811/a8cb7f5d/attachment.html

From ssilva at sgvwater.com Fri Aug 11 21:49:38 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Aug 11 21:50:17 2006
Subject: Tips on how to use ruleset for 'Spam Lists To Be Spam'
In-Reply-To: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com>
References: <7.0.1.0.0.20060808103633.0480b4b0@1bigthink.com>
Message-ID:

dnsadmin 1bigthink.com spake the following on 8/8/2006 7:43 AM:
> Hello All,
>
> T-Mobile's mailservers (tmodns.net) got black listed on numerous BLs. I
> have a handful of IMPORTANT mail users on my server sending mail with
> T-Mobile's servers right now.
>
> I have:
> Spam Lists To Be Spam = 3
> in MailScanner.conf and T-Mobile's mail server makes four of my lists.
> They are good, long-used and trusted BLs.
>
> Spam List = SBL+XBL SPEWS ORDB-RBL spamcop.net spamhaus.org spamhaus-XBL SORBS-SPAM SORBS-ZOMBIE SORBS-HTTP DSBL SORBS-DNSBL SORBS-SMTP SORBS-WEB SORBS-BLOCK NJABL

I think SBL+XBL and spamhaus-XBL are redundant, as anything in the second would
probably be in the first.

>
> I don't want to open the rest of my users to the amount of spam these
> BLs help protect from. I would like these T-Mobile users to be able to
> send without getting tagged as spam, however.
>
> How can I set up a ruleset like this for individual users or individual
> domains?
> #Spam Lists To Be Spam = /etc/MailScanner/spam.lists.count
>
>
> Thanks,
> Glenn
>

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Aug 11 22:01:04 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Aug 11 22:01:27 2006
Subject: Hylafax on a MailScanner pc
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB03B1AEC@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB03B1AEC@winchester.andrewscompanies.com>
Message-ID:

sandrews@andrewscompanies.com spake the following on 8/9/2006 3:33 PM:
> Ahem...all faxes are junk faxes. It's the 21st century for christ's
> sake.
>
As long as a signed and faxed document is legally binding, it is a necessary
evil. Someday, maybe a signed e-mail will be accepted as easily, but until then.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Aug 11 22:03:45 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Aug 11 22:05:10 2006
Subject: quarantine password-protected files
In-Reply-To: <531F1E080638384C9623B00D71AA546D09F229@exchange.musicreports.com>
References: <531F1E080638384C9623B00D71AA546D09F229@exchange.musicreports.com>
Message-ID:

James D. Parra spake the following on 8/9/2006 5:24 PM:
>> I have been just storing all messages for a short period of time.
>> Then you can
>> release anything you need to, and you can set up the system to kill after a
>> set number of days. Mailwatch makes this even easier.
>
> Hello Scott,
>
> How do you set this up if you're not using mailwatch?
>
> Thank you,
>
> ~James

MailScanner adds a cron job that you have to edit to enable this. I think it is
in /etc/cron.daily

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From octaviomaiden at yahoo.com Fri Aug 11 22:45:07 2006
From: octaviomaiden at yahoo.com (Octavio)
Date: Fri Aug 11 22:45:11 2006
Subject: agains mailscanner
In-Reply-To: <1155327906.8023.1.camel@doit-b8wsw21.grand-rapids.mi.us>
Message-ID: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com>

Hi, as many of you I'm on the postfix list too, I
notice that most of the users of this list prefer
amavis-new and recently I see that some of them don't
recommend MailScanner with postfix because it has
several fails like lost and damage messages?

I use MailScanner in several servers without these kind
of problems. Do you have any idea why some people
think so?

Octavio

From lshaw at emitinc.com Fri Aug 11 23:26:57 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Fri Aug 11 23:27:09 2006
Subject: nasty bug in SA.pm (I think)
In-Reply-To:
References:
Message-ID:

On Fri, 11 Aug 2006, Jeff A. Earickson wrote:
> So I stared at SA.pm. You commented out line 287:
>
> #if (MailScanner::Config::Value('compilespamassassinonce')) {
>
> at some point, which commented out half of a curly-bracket block.
> I can't find where the right curly-bracket for this line is, and I
> think something is mis-aligned here.
>
> Using the power feature of vi whereby you put the cursor over a
> bracket, paren, etc and then hit "%", I don't find the closing curly bracket
> for line 72 ("sub initialise {"). This routine seems
> mangled and I think this is the root cause of the loop-up bug.

Beware of using "%" in vi on Perl code. vi's "%" feature was
written for C, and as you may have noticed, Perl's syntax is
not exactly the same as C's. :-) (It is similar enough to make
"%" work most of the time, though.)

In particular, vi really doesn't understand braces that are
commented out with Perl comments:

    while (1)
    {
        bar1();

        # this brace will confuse vi ---> }

        bar2();
    }

Try putting your cursor on the "{" right after the "while" and
hitting "%". You'll see it matching against the wrong brace.

In fact, I think that's what is happening with SA.pm. An easy
way to test it is to just delete the comment line with the brace
that's confusing vi. We are probably at different MailScanner
versions since the corresponding line on mine is at 285, but
if you delete the line with 'compilespamassassinonce' on it,
then try to match braces with "%", everything looks good.

- Logan

From ssilva at sgvwater.com Sat Aug 12 00:14:37 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Aug 12 00:14:49 2006
Subject: agains mailscanner
In-Reply-To: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com>
References: <1155327906.8023.1.camel@doit-b8wsw21.grand-rapids.mi.us> <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com>
Message-ID:

Octavio spake the following on 8/11/2006 2:45 PM:
> Hi, as many of you I'm on the postfix list too, I
> notice that most of the users of this list prefer
> amavis-new and recently I see that some of them don't
> recommend MailScanner with postfix because it has
> several fails like lost and damage messages?
>
> I use MailScanner in several servers without these kind
> of problems. Do you have any idea why some people
> think so?
>
> Octavio
>

Because that is the "party line" from the author of Postfix. He and Julian have
been at odds for a long time as to how MailScanner works, and how it is against
the way that Wietse wants programs to interact with postfix. Many people have
resolved the early conflicts, but the story over at postfix.org hasn't changed
much.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From drew at themarshalls.co.uk Sat Aug 12 00:49:38 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Sat Aug 12 00:49:58 2006
Subject: agains mailscanner
In-Reply-To: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com>
References: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com>
Message-ID: <54D41FFA-1573-4DBC-899C-DB438B52B46B@themarshalls.co.uk>

On 11 Aug 2006, at 22:45, Octavio wrote:

> Hi, as many of you I'm on the postfix list too, I
> notice that most of the users of this list prefer
> amavis-new and recently I see that some of them don't
> recommend MailScanner with postfix because it has
> several fails like lost and damage messages?
>
> I use MailScanner in several servers without these kind
> of problems. Do you have any idea why some people
> think so?

I think this sums it up really
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:politics

It's all about 'That's not the way I intended it to work'. Followed by
'I'm right and you are wrong 'cause it's my code' type attitudes.
Bottom line is it works and without mangling, truncating or causing
the recipient to catch some nasty disease. Although much claimed, so
far 2.3.x has not broken MS either...

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy From jaearick at colby.edu Sat Aug 12 01:59:56 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Sat Aug 12 02:03:47 2006 Subject: nasty bug in SA.pm (I think) In-Reply-To: References: Message-ID: I came to this realization after a good dinner tonight. Sigh. Jeff Earickson On Fri, 11 Aug 2006, Logan Shaw wrote: > Date: Fri, 11 Aug 2006 17:26:57 -0500 (CDT) > From: Logan Shaw > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: nasty bug in SA.pm (I think) > > On Fri, 11 Aug 2006, Jeff A. Earickson wrote: >> So I stared at SA.pm. You commented out line 287: >> >> #if (MailScanner::Config::Value('compilespamassassinonce')) { >> >> at some point, which commented out half of a curly-bracket block. >> I can't find where the right curly-bracket for this line is, and I >> think something is mis-aligned here. >> >> Using the power feature of vi whereby you put the cursor over a >> bracket, paren, etc and then hit "%", I don't find the closing curly >> bracket for line 72 ("sub initialise {"). This routine seems >> mangled and I think this is the root cause of the loop-up bug. > > Beware of using "%" in vi on Perl code. vi's "%" feature was > written for C, and as you may have noticed, Perl's syntax is > not exactly the same as C's. :-) (It is similar enough to make > "%" work most of the time, though.) > > In particular, vi really doesn't understand braces that are > commented out with Perl comments: > > while (1) > { > bar1(); > > # this brace will confuse vi ---> } > > bar2(); > } > > Try putting your cursor on the "{" right after the "while" and > hitting "%". You'll see it matching against the wrong brace. > > In fact, I think that's what is happening with SA.pm. An easy > way to test it is to just delete the comment line with the brace > that's confusing vi. 
We are probably at different MailScanner > versions since the corresponding line on mine is at 285, but > if you delete the line with 'compilespamassassinonce' on it, > then try to match braces with "%", everything looks good. > > - Logan > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From jaearick at colby.edu Sat Aug 12 01:58:57 2006 From: jaearick at colby.edu (Jeff A. Earickson) Date: Sat Aug 12 02:03:51 2006 Subject: nasty bug in SA.pm (I think NOT) In-Reply-To: References: Message-ID: Julian, I need those brain cells back that I killed off in college drinking games. Once I made myself a copy of SA.pm with no comments in it, the curly brackets lined up like I would expect. I will continue attempting to corner this bug via syslog info msgs from the main bin/MailScanner code. Nevermind... Jeff Earickson Colby College On Fri, 11 Aug 2006, Jeff A. Earickson wrote: > Date: Fri, 11 Aug 2006 16:15:59 -0400 (EDT) > From: Jeff A. Earickson > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: nasty bug in SA.pm (I think) > > Julian, > > More input (late on a Friday afternoon)... > > I can't find the closing bracket for "sub SAForkAndTest {" (line 722) > either. I notice another commented-out if at line whose curly > bracket marries up with the closing bracket for SAForkAndTest at line > 955. Methinks that multiple commented-out if brackets hid this bug > well.... > > Jeff Earickson > Colby College > > On Fri, 11 Aug 2006, Jeff A. Earickson wrote: > >> Date: Fri, 11 Aug 2006 16:00:53 -0400 (EDT) >> From: Jeff A. 
Earickson >> Reply-To: MailScanner discussion >> To: mailscanner mailing list >> Subject: nasty bug in SA.pm (I think) >> >> Julian, >> >> I've been intermittantly chasing this bug for several releases now, >> and I think that I may have it cornered. The problem: if I start >> MS with my /etc/init.d script, MS just loops and does nothing. If >> I start it via /opt/MailScanner/bin/check_mailscanner from cron, >> MailScanner works. >> >> The syslog output for a loop up looks like: >> >> MailScanner[25980]: MailScanner E-Mail Virus Scanner version 4.55.10 >> starting... >> MailScanner[25980]: Read 748 hostnames from the phishing whitelist >> MailScanner[25980]: Config: calling custom init function IPBlock >> MailScanner[25980]: Initialising IP blocking >> MailScanner[25980]: Read 128 IP blocking entries from >> /etc/MailScanner/IPBlock.conf >> MailScanner[25980]: Using SpamAssassin results cache >> MailScanner[25980]: Connected to SpamAssassin cache database >> (repeat ad nauseum) >> >> So I started putting in info syslog messages into lib/MailScanner/SA.pm >> after the "cache database" message to trace what happened. Attached >> is my modified version of SA.pm. I never get anything after the info >> msg "got to here3". >> >> So I stared at SA.pm. You commented out line 287: >> >> #if (MailScanner::Config::Value('compilespamassassinonce')) { >> >> at some point, which commented out half of a curly-bracket block. >> I can't find where the right curly-bracket for this line is, and I >> think something is mis-aligned here. >> >> Using the power feature of vi whereby you put the cursor over a >> bracket, paren, etc and then hit "%", I don't find the closing curly >> bracket for line 72 ("sub initialise {"). This routine seems >> mangled and I think this is the root cause of the loop-up bug. >> But I can't figure out where the closing bracket for line 287 might be. >> Have I found this loopup bug in the mangled bracketing of initialise??? 
>> >> Jeff Earickson >> Colby College > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From doc at maddoc.net Sat Aug 12 03:30:33 2006 From: doc at maddoc.net (Doc Schneider) Date: Sat Aug 12 03:30:42 2006 Subject: 70_sare_stocks.cf In-Reply-To: References: <44D18987.4070400@maddoc.net> Message-ID: <44DD3D49.9070508@maddoc.net> Mark Nienberg wrote: > Doc Schneider wrote: >> I added a "tweak" to the rule set that should catch more of these dang >> image spams. >> >> For those of you running "SARE_STOCK" please let me know if these are >> now being caught. > > > After about a week of running the new rule set I realized that in > addition to catching more of those dang image spams, I was also getting > a lot of false positives. We receive a lot of messages from persons who > write in html and attach a small gif image in their signature (usually a > company logo). In fact, lots of my users do the same in their > signatures (don't get me started). Consequently, I have had to disable > the gif rules in the rule set. > > Mark > Mark, You got more problems than the SARE_GIF_ATTACH if simple small images are being caught and FP mails. Since it only has a score of 0.75 which shouldn't be FP anything. But of course as with anything YMMV. -- -Doc Lincoln, NE. 
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From mike at tc3net.com Sat Aug 12 04:18:30 2006
From: mike at tc3net.com (Michael Baird)
Date: Sat Aug 12 04:18:45 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To:
References:
Message-ID: <1155352710.4625.7.camel@localhost.localdomain>

On Fri, 2006-08-11 at 09:09 -0800, Kevin Miller wrote:
> Michael Baird wrote:
>
> > Greylisting decreases load immeasurably on a mailscanner system, the
> > cost of greylisting is much less than allowing the message to go
> > through the mailscanner system. I deployed it several months ago, it
> > really is a good tool, and I've had very few complaints (10000 users).
>
> I just use Sendmail's greet pause which is 10 seconds to set up and works
> a treat - does greylisting add significant control or improvement over
> that? Anybody using them in tandem or is one or the other to be
> preferred?

Yes it does, I also use greet pause, they really are two entirely
different ideas. Sendmail's greet pause is looking for smtp clients that
don't follow RFC properly (send data without waiting for
acknowledgement), while Greylisting relies on receiving mail from proper
smtp servers (they are told to retry delivery in a time period). Most of
the rogue dictionary attacking virus spambots will ignore this, and will
get caught in the greylist. It's an easy setup and low impact, hardly
noticeable by clients (I set my greylist time to 1 minute, with a 7 day
whitelist). Just give it a try, I've been really impressed with the
results since I've been running it. I use the one from
http://hcpnet.free.fr/milter-greylist/, with SPF checks enabled.
Regards Michael Baird From pascal.maes at elec.ucl.ac.be Sat Aug 12 07:37:11 2006 From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Sat Aug 12 07:37:24 2006 Subject: Fwd: Problems on Solaris x86 In-Reply-To: <200608112017.k7BKH9nZ007922@bkserver.blacknight.ie> References: <200608112017.k7BKH9nZ007922@bkserver.blacknight.ie> Message-ID: <42C50569-9DC4-4D4B-AF8C-D9F7A3A70F25@elec.ucl.ac.be> > > Message: 16 > Date: Fri, 11 Aug 2006 17:21:46 +0100 (BST) > From: "Drew Marshall" > Subject: Re: Fwd: Problems on Solaris x86 > To: "MailScanner discussion" > Message-ID: > <42275.194.70.180.170.1155313306.squirrel@webmail.r-bit.net> > Content-Type: text/plain;charset=iso-8859-1 > > On Fri, August 11, 2006 15:38, Pascal Maes wrote: >> Now, when I start MailScanner I have the following lines in the >> logfile : >> >> [...] > > And no mention of delivery (Or completion of scanning)? At this log > point > the batch is only being scanned for spam and not viruses. Can you > turn on > SpamAssassin debugging in MailScanner.conf and re-run the debug, it > may > yield something such as a permissions error in one of the SA > processes. > > Drew > Well I didn't send all the stuff because it's long. 
Here it is 1) in debugging mode 1.a) the message is stored in /var/spool/postfix/hold/ Aug 12 08:14:02 smtp-2-3 postfix/smtpd[8758]: [ID 197553 mail.info] connect from gaia.elec.ucl.ac.be[130.104.236.1] Aug 12 08:14:27 smtp-2-3 clamsmtpd: [ID 738258 mail.info] 100010: accepted connection from: 127.0.0.1 Aug 12 08:14:27 smtp-2-3 postfix/smtpd[8760]: [ID 197553 mail.info] connect from localhost[127.0.0.1] Aug 12 08:14:27 smtp-2-3 postfix/smtpd[8758]: [ID 197553 mail.info] NOQUEUE: client=gaia.elec.ucl.ac.be[130.104.236.1] Aug 12 08:14:27 smtp-2-3 postfix/smtpd[8760]: [ID 197553 mail.info] EA0A918F9B: client=gaia.elec.ucl.ac.be[130.104.236.1] Aug 12 08:14:50 smtp-2-3 postfix/cleanup[8761]: [ID 197553 mail.info] EA0A918F9B: hold: header Received: from smtp-2.dynsipr.ucl.ac.be (localhost [127.0.0.1])??by smtp-2.dynsipr.ucl.ac.be (Postfix) with ESMTP id EA0A918F9B??for ; Sat, 12 Aug 2006 08:14:27 +0200 (CEST) from gaia.elec.ucl.ac.be[130.104.236.1]; from= to= proto=SMTP helo= Aug 12 08:14:50 smtp-2-3 postfix/cleanup[8761]: [ID 197553 mail.info] EA0A918F9B: message- id=<20060812061427.EA0A918F9B@smtp-2.dynsipr.ucl.ac.be> Aug 12 08:14:50 smtp-2-3 clamsmtpd: [ID 842912 mail.info] 100010: from=mp@elec.ucl.ac.be, to=pascal.maes@uclouvain.be, status=CLEAN Aug 12 08:14:50 smtp-2-3 postfix/smtpd[8760]: [ID 197553 mail.info] disconnect from localhost[127.0.0.1] Aug 12 08:14:51 smtp-2-3 postfix/smtpd[8758]: [ID 197553 mail.info] disconnect from gaia.elec.ucl.ac.be[130.104.236.1] 1.b) MailScanner is launched in debugging mode # /opt/MailScanner/bin/MailScanner In Debugging mode, not forking... Aug 12 08:16:00 localhost MailScanner[8763]: MailScanner E-Mail Virus Scanner version 4.55.10 starting... [8763] dbg: logger: adding facilities: all [8763] dbg: logger: logging level is DBG [8763] dbg: generic: SpamAssassin version 3.1.4 [8763] dbg: config: score set 0 chosen. [8763] dbg: util: running in taint mode? 
no [8763] dbg: message: ---- MIME PARSER START ---- [8763] dbg: message: main message type: text/plain [8763] dbg: message: parsing normal part [8763] dbg: message: added part, type: text/plain [8763] dbg: message: ---- MIME PARSER END ---- [8763] dbg: dns: is Net::DNS::Resolver available? yes [8763] dbg: dns: Net::DNS version: 0.58 [8763] dbg: ignore: test message to precompile patterns and load modules [8763] dbg: config: using "/etc/mail/spamassassin" for site rules pre files [8763] dbg: config: read file /etc/mail/spamassassin/init.pre [8763] dbg: config: read file /etc/mail/spamassassin/v310.pre [8763] dbg: config: read file /etc/mail/spamassassin/v312.pre [8763] dbg: config: using "/usr/local/share/spamassassin" for sys rules pre files [8763] dbg: config: using "/usr/local/share/spamassassin" for default rules dir [8763] dbg: config: read file /usr/local/share/spamassassin/10_misc.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 20_advance_fee.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 20_anti_ratware.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 20_body_tests.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 20_compensate.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 20_dnsbl_tests.cf [8763] dbg: config: read file /usr/local/share/spamassassin/20_drugs.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 20_fake_helo_tests.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 20_head_tests.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 20_html_tests.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 20_meta_tests.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 20_net_tests.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 20_phrases.cf [8763] dbg: config: read file /usr/local/share/spamassassin/20_porn.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 20_ratware.cf [8763] dbg: 
config: read file /usr/local/share/spamassassin/ 20_uri_tests.cf [8763] dbg: config: read file /usr/local/share/spamassassin/23_bayes.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 25_accessdb.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 25_antivirus.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 25_body_tests_es.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 25_body_tests_pl.cf [8763] dbg: config: read file /usr/local/share/spamassassin/25_dcc.cf [8763] dbg: config: read file /usr/local/share/spamassassin/25_dkim.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 25_domainkeys.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 25_hashcash.cf [8763] dbg: config: read file /usr/local/share/spamassassin/25_pyzor.cf [8763] dbg: config: read file /usr/local/share/spamassassin/25_razor2.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 25_replace.cf [8763] dbg: config: read file /usr/local/share/spamassassin/25_spf.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 25_textcat.cf [8763] dbg: config: read file /usr/local/share/spamassassin/25_uribl.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 30_text_de.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 30_text_fr.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 30_text_it.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 30_text_nl.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 30_text_pl.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 30_text_pt_br.cf [8763] dbg: config: read file /usr/local/share/spamassassin/50_scores.cf [8763] dbg: config: read file /usr/local/share/spamassassin/60_awl.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 60_whitelist.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 60_whitelist_dkim.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 
60_whitelist_spf.cf [8763] dbg: config: read file /usr/local/share/spamassassin/ 60_whitelist_subject.cf [8763] dbg: config: using "/etc/mail/spamassassin" for site rules dir [8763] dbg: config: read file /etc/mail/spamassassin/local.cf [8763] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf Aug 12 08:16:02 localhost MailScanner[8763]: Using SpamAssassin results cache Aug 12 08:16:02 localhost MailScanner[8763]: Connected to SpamAssassin cache database [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x81bd304) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9c9aea0) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH (0x9cbaa00) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC [8763] dbg: dcc: network tests on, registering DCC [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::DCC=HASH (0x9c9de74) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC [8763] dbg: razor2: razor2 is available, version 2.61 [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH (0x9ca007c) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC [8763] dbg: reporter: network tests on, attempting SpamCop [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0xa0aa358) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH (0xa0db39c) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0xa0e13d8) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::TextCat from @INC [8763] dbg: textcat: loading 
languages file... [8763] dbg: textcat: loaded 73 language models [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::TextCat=HASH(0xa0c4658) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xaac7418) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0xaae6eb4) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xaaea380) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::RelayCountry=HASH(0xaaed5ac) [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC [8763] dbg: plugin: did not register Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9d8cf94), already registered [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC [8763] dbg: plugin: did not register Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9d8cf64), already registered [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC [8763] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF=HASH(0xaaea578), already registered [8763] dbg: plugin: loading Mail::SpamAssassin::Plugin::DKIM from @INC [8763] dbg: plugin: registered Mail::SpamAssassin::Plugin::DKIM=HASH (0xab309bc) ... 
lot of stuff [8763] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH (0xaaea380) implements 'finish_parsing_end' [8763] dbg: replacetags: replacing tags [8763] dbg: replacetags: done replacing tags [8763] dbg: bayes: tie-ing to DB file R/O /var/spool/spamassassin/ bayes_toks [8763] dbg: bayes: tie-ing to DB file R/O /var/spool/spamassassin/ bayes_seen [8763] dbg: bayes: found bayes db version 3 [8763] dbg: bayes: DB journal sync: last sync: 1155304906 [8763] dbg: config: score set 3 chosen. [8763] dbg: message: ---- MIME PARSER START ---- [8763] dbg: message: main message type: text/plain [8763] dbg: message: parsing normal part [8763] dbg: message: added part, type: text/plain [8763] dbg: message: ---- MIME PARSER END ---- ... and a lot of info from Spamassassin [8766] dbg: learn: auto-learn? ham=0.1, spam=8, body-points=0, head- points=1.477, learned-points=-0.74 [8766] dbg: learn: auto-learn? no: inside auto-learn thresholds, not considered ham or spam Ignore errors about failing to find EOCD signature Aug 12 08:16:18 localhost MailScanner[8763]: Message EA0A918F9B.9CB24 from 127.0.0.1 (mp@elec.ucl.ac.be) to uclouvain.be is n'est pas un polluriel, SpamAssassin (score=1.612, requis 5, BAYES_20 -0.74, MSGID_FROM_MTA_ID 1.39, NO_REAL_NAME 0.96, SPF_HELO_PASS -0.00, SPF_PASS -0.00) Aug 12 08:16:18 localhost MailScanner[8763]: Virus and Content Scanning: Starting Stopping now as you are debugging me. # Aug 12 08:16:27 localhost MailScanner[8763]: Requeue: EA0A918F9B. 
9CB24 to 7754518F9C Aug 12 08:16:27 localhost MailScanner[8763]: Uninfected: Delivered 1 messages Aug 12 08:16:27 smtp-2-3 postfix/qmgr[6626]: [ID 197553 mail.info] 7754518F9C: from=, size=1134, nrcpt=1 (queue active) Aug 12 08:16:27 localhost MailScanner[8763]: MailScanner child dying of old age Aug 12 08:16:27 smtp-2-3 postfix/smtp[8773]: [ID 197553 mail.info] 7754518F9C: to=, orig_to=, relay=gaia.elec.ucl.ac.be [130.104.236.1]:25, delay=120, delays=119/0.01/0.04/0.27, dsn=2.0.0, status=sent (250 2.0.0 k7C6H0RQ011339 Message accepted for delivery) Aug 12 08:16:27 smtp-2-3 postfix/qmgr[6626]: [ID 197553 mail.info] 7754518F9C: removed As you see, the message is sent. 2) in "real" mode 2.a) MailScanner is launched (only one child) # /opt/MailScanner/bin/MailScanner Aug 12 08:24:26 localhost MailScanner[8820]: MailScanner E-Mail Virus Scanner version 4.55.10 starting... Aug 12 08:24:28 localhost MailScanner[8820]: Using SpamAssassin results cache Aug 12 08:24:28 localhost MailScanner[8820]: Connected to SpamAssassin cache database 2.b) a message has been sent Aug 12 08:25:20 smtp-2-3 postfix/smtpd[8821]: [ID 197553 mail.info] connect from gaia.elec.ucl.ac.be[130.104.236.1] Aug 12 08:25:31 smtp-2-3 clamsmtpd: [ID 739282 mail.info] 100011: accepted connection from: 127.0.0.1 Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8824]: [ID 197553 mail.info] connect from localhost[127.0.0.1] Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8821]: [ID 197553 mail.info] NOQUEUE: client=gaia.elec.ucl.ac.be[130.104.236.1] Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8824]: [ID 197553 mail.info] CA55418F9B: client=gaia.elec.ucl.ac.be[130.104.236.1] Aug 12 08:25:37 smtp-2-3 postfix/cleanup[8825]: [ID 197553 mail.info] CA55418F9B: hold: header Received: from smtp-2.dynsipr.ucl.ac.be (localhost [127.0.0.1])??by smtp-2.dynsipr.ucl.ac.be (Postfix) with ESMTP id CA55418F9B??for ; Sat, 12 Aug 2006 08:25:31 +0200 (CEST) from gaia.elec.ucl.ac.be[130.104.236.1]; from= to= proto=SMTP helo= Aug 12 08:25:37 smtp-2-3 
postfix/cleanup[8825]: [ID 197553 mail.info] CA55418F9B: message- id=<20060812062531.CA55418F9B@smtp-2.dynsipr.ucl.ac.be> Aug 12 08:25:38 smtp-2-3 clamsmtpd: [ID 847008 mail.info] 100011: from=mp@elec.ucl.ac.be, to=pascal.maes@uclouvain.be, status=CLEAN Aug 12 08:25:38 smtp-2-3 postfix/smtpd[8824]: [ID 197553 mail.info] disconnect from localhost[127.0.0.1] Aug 12 08:25:41 smtp-2-3 postfix/smtpd[8821]: [ID 197553 mail.info] disconnect from gaia.elec.ucl.ac.be[130.104.236.1] # ps -ef | grep MailScanner postfix 8835 2400 0 08:26:59 ? 0:00 /usr/bin/perl -I/ opt/MailScanner/lib /opt/MailScanner/bin/MailScanner postfix 8836 8835 34 08:26:59 ? 0:25 /usr/bin/perl -I/ opt/MailScanner/lib /opt/MailScanner/bin/MailScanner but the message remains in the queue # ls -l /var/spool/postfix/hold/C total 4 -rwx------ 1 postfix postfix 1212 Aug 12 08:25 CA55418F9B* Another strange thing is that MailScanner is comsumming CPU : # date ; ps -ef | grep MailScanner Sat Aug 12 08:34:23 CEST 2006 root 8860 8715 0 08:34:24 pts/4 0:00 grep MailScanner postfix 8835 2400 0 08:26:59 ? 0:00 /usr/bin/perl -I/ opt/MailScanner/lib /opt/MailScanner/bin/MailScanner postfix 8836 8835 50 08:26:59 ? 
7:23 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner

# top

load averages: 1.71, 75.23, 74.48    08:34:40
45 processes: 42 sleeping, 3 on cpu
CPU states: 49.4% idle, 50.2% user, 0.4% kernel, 0.0% iowait, 0.0% swap
Memory: 2047M real, 1140M free, 647M swap in use, 2854M swap free

  PID USERNAME LWP PRI NICE  SIZE   RES STATE   TIME    CPU COMMAND
 8836 postfix    1  10    0   85M   73M cpu/1   7:40 49.91% MailScanner
 8861 root       1  59    0 3176K 1216K cpu/0   0:00  0.02% top

--
Pascal

From chris at kimptoc.net Sat Aug 12 11:41:09 2006
From: chris at kimptoc.net (Chris Kimpton)
Date: Sat Aug 12 11:45:07 2006
Subject: New MS on Gentoo Linux
References:
Message-ID:

Hi Erik,

Erik van der Leun hal9000.nl> writes:

>
> Hi hi,
>
> On gentoo linux, I choose to use the perl thingies from portage, instead
> of the perl modules delivered with MailScanner...
>
> This ends up with the wrong name for the module needed when starting
> MailScanner, namely DiskSpace.pm instead of Df.pm. I fixed it quickly
> by creating a simple symlink.
>

Thanks for this - do you know which is correct Df or DiskSpace - that is, who
needs to fix it MailScanner or Gentoo...

Thanks,
Chris

From drew at themarshalls.co.uk Sat Aug 12 12:46:17 2006
From: drew at themarshalls.co.uk (Drew Marshall)
Date: Sat Aug 12 12:46:36 2006
Subject: Problems on Solaris x86
In-Reply-To: <42C50569-9DC4-4D4B-AF8C-D9F7A3A70F25@elec.ucl.ac.be>
References: <200608112017.k7BKH9nZ007922@bkserver.blacknight.ie> <42C50569-9DC4-4D4B-AF8C-D9F7A3A70F25@elec.ucl.ac.be>
Message-ID: <7DBCF01F-D1E8-482F-A7A9-E177EC313C19@themarshalls.co.uk>

On 12 Aug 2006, at 07:37, Pascal Maes wrote:
>
> Well I didn't send all the stuff because it's long.
>
> # /opt/MailScanner/bin/MailScanner
> Aug 12 08:24:26 localhost MailScanner[8820]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
> Aug 12 08:24:28 localhost MailScanner[8820]: Using SpamAssassin > results cache > Aug 12 08:24:28 localhost MailScanner[8820]: Connected to > SpamAssassin cache database > > 2.b) a message has been sent > > Aug 12 08:25:20 smtp-2-3 postfix/smtpd[8821]: [ID 197553 mail.info] > connect from gaia.elec.ucl.ac.be[130.104.236.1] > Aug 12 08:25:31 smtp-2-3 clamsmtpd: [ID 739282 mail.info] 100011: > accepted connection from: 127.0.0.1 > Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8824]: [ID 197553 mail.info] > connect from localhost[127.0.0.1] > Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8821]: [ID 197553 mail.info] > NOQUEUE: client=gaia.elec.ucl.ac.be[130.104.236.1] > Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8824]: [ID 197553 mail.info] > CA55418F9B: client=gaia.elec.ucl.ac.be[130.104.236.1] > Aug 12 08:25:37 smtp-2-3 postfix/cleanup[8825]: [ID 197553 > mail.info] CA55418F9B: hold: header Received: from > smtp-2.dynsipr.ucl.ac.be (localhost [127.0.0.1])??by > smtp-2.dynsipr.ucl.ac.be (Postfix) with ESMTP id CA55418F9B??for > ; Sat, 12 Aug 2006 08:25:31 +0200 (CEST) > from gaia.elec.ucl.ac.be[130.104.236.1]; from= > to= proto=SMTP helo= > Aug 12 08:25:37 smtp-2-3 postfix/cleanup[8825]: [ID 197553 > mail.info] CA55418F9B: message- > id=<20060812062531.CA55418F9B@smtp-2.dynsipr.ucl.ac.be> > Aug 12 08:25:38 smtp-2-3 clamsmtpd: [ID 847008 mail.info] 100011: > from=mp@elec.ucl.ac.be, to=pascal.maes@uclouvain.be, status=CLEAN > Aug 12 08:25:38 smtp-2-3 postfix/smtpd[8824]: [ID 197553 mail.info] > disconnect from localhost[127.0.0.1] > Aug 12 08:25:41 smtp-2-3 postfix/smtpd[8821]: [ID 197553 mail.info] > disconnect from gaia.elec.ucl.ac.be[130.104.236.1] And there no MailScanner log entry below this? I notice you are running hashed queues. Have you followed this http:// wiki.mailscanner.info/doku.php? id=documentation:configuration:mta:postfix:installation#problems_or_erro rs particularly the hashed queue bit? 

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy

From mailscanner at ecs.soton.ac.uk Sat Aug 12 14:39:18 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 12 14:39:29 2006
Subject: Searching and recovering mails from /var/spool/mailScanner/archive
In-Reply-To: <00c701c6bd2f$63f3ea40$1465a8c0@support01>
References: <00c701c6bd2f$63f3ea40$1465a8c0@support01>
Message-ID: <44DDDA06.2060503@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MailWatch.

Nigel Kendrick wrote:
> Hi Folks,
>
> No doubt this has been asked before but I'm not having much luck searching
> for ideas so...
>
> I have to search and recover some emails from the MailScanner archive
> folders - are there any nice tools to do this before I start to do some
> scripting?
>
> Thanks
>
> Nigel Kendrick
>

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE3doIEfZZRxQVtlQRAqowAKCTVvmVBkQYbyzIt8VydN1/mdIRrQCfUJB1
m88kC2Dvmpffq12uMhyT358=
=PQPV
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Sat Aug 12 14:41:24 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 12 14:41:32 2006
Subject: Problems on Solaris x86
In-Reply-To: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be>
References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be>
Message-ID: <44DDDA84.5060109@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pascal Maes wrote:
> Hello,
>
>
> I'm installing MailScanner 4.55.10 into a zone on a Solaris 10 x86 system.
> The MTA is postfix and MailScanner is running as the postfix User.
>
> I have the following problems :
>
> - there are no logging

Either download my latest version of MailScanner 4.55 or install Sys::Syslog 0.17.
And skip the "make test" bit when installing that module, it hangs on some systems.

> - when I run MailScanner in debug mode, it works :
>
> # ../bin/MailScanner
> In Debugging mode, not forking...
> Ignore errors about failing to find EOCD signature
> Stopping now as you are debugging me.
>
> and the mails which are in the queue are sent.
>
> - when I start MailScanner not in debug mode, it forks (until the
> limit), but nothing happens
> It's the same if I launch MailScanner in foreground :
>
> # ../bin/MailScanner
> MailScanner 4.55.10 starting in foreground mode - pid is [4162]
> About to fork child #1 of 10...
> Forked OK - new child is [4163]
> About to fork child #2 of 10...
> Forked OK - new child is [4164]
> ...
> About to fork child #10 of 10...
> Forked OK - new child is [4172]
>
> but nothing else.
>
> Of course, without any logging, it's not easy to find the problem
>
> Same problem with MailScanner 4.54-6

Check the "Lock Type" you are using. You should be able to leave it blank for Postfix.

>
> Any idea ?
>
> --
> Pascal
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE3dqGEfZZRxQVtlQRAuaJAJ4pCnXRJAuMF1gFKioT5VRkSt2BYQCgraOS
OKaSIdHGP8qqivTa3p6qFVU=
=KZee
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Sat Aug 12 14:44:16 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 12 14:44:26 2006
Subject: Rul set for Spam Subject Text ???
In-Reply-To: <20060811123404.94338.qmail@web54407.mail.yahoo.com>
References: <20060811123404.94338.qmail@web54407.mail.yahoo.com>
Message-ID: <44DDDB30.9060802@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Write a ruleset called something like /etc/MailScanner/spam.tag.rules containing

FromOrTo: domain1.com no
FromOrTo: default yes

and then put

Spam Modify Subject = %rules-dir%/spam.tag.rules

in MailScanner.conf. Then restart MailScanner.

jay shi wrote:
> Hi ,
> I am using MailScanner 4.48.4 with multidomain
> sendmail. For low Score SPAM i am using this
> Spam Subject Text = {possible spam} as a tag
> One of my domain ask me, he doesn't want this tag
> , but other domains are demanding this feature.
> i want to write rule set for above condition,i
> made
> the required ruleset but it is not working. Is any one
> knows how to write this rule set ?
>
> Thanks & Regards
> Jayesh
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE3dsyEfZZRxQVtlQRAmlmAKDpAUdAkPQct7VGZv0SxRJ/cPakpgCg2ntP
0eRYTK+1yi63JqByw67pGW4=
=qFZD
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From pascal.maes at elec.ucl.ac.be Sat Aug 12 14:46:27 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Sat Aug 12 14:46:36 2006
Subject: Problems on Solaris x86
In-Reply-To: <7DBCF01F-D1E8-482F-A7A9-E177EC313C19@themarshalls.co.uk>
References: <200608112017.k7BKH9nZ007922@bkserver.blacknight.ie> <42C50569-9DC4-4D4B-AF8C-D9F7A3A70F25@elec.ucl.ac.be> <7DBCF01F-D1E8-482F-A7A9-E177EC313C19@themarshalls.co.uk>
Message-ID:

On 12 Aug 06, at 13:46, Drew Marshall wrote:

> On 12 Aug 2006, at 07:37, Pascal Maes wrote:
>
>>
>> Well I didn't send all the stuff because it's long.
>
>>
>> # /opt/MailScanner/bin/MailScanner
>> Aug 12 08:24:26 localhost MailScanner[8820]: MailScanner E-Mail
>> Virus Scanner version 4.55.10 starting...
>> Aug 12 08:24:28 localhost MailScanner[8820]: Using SpamAssassin
>> results cache
>> Aug 12 08:24:28 localhost MailScanner[8820]: Connected to
>> SpamAssassin cache database
>>
>> 2.b) a message has been sent
>>
>> Aug 12 08:25:20 smtp-2-3 postfix/smtpd[8821]: [ID 197553
>> mail.info] connect from gaia.elec.ucl.ac.be[130.104.236.1]
>> Aug 12 08:25:31 smtp-2-3 clamsmtpd: [ID 739282 mail.info] 100011:
>> accepted connection from: 127.0.0.1
>> Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8824]: [ID 197553
>> mail.info] connect from localhost[127.0.0.1]
>> Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8821]: [ID 197553
>> mail.info] NOQUEUE: client=gaia.elec.ucl.ac.be[130.104.236.1]
>> Aug 12 08:25:31 smtp-2-3 postfix/smtpd[8824]: [ID 197553
>> mail.info] CA55418F9B: client=gaia.elec.ucl.ac.be[130.104.236.1]
>> Aug 12 08:25:37 smtp-2-3 postfix/cleanup[8825]: [ID 197553
>> mail.info] CA55418F9B: hold: header Received: from
>> smtp-2.dynsipr.ucl.ac.be (localhost [127.0.0.1])??by
>> smtp-2.dynsipr.ucl.ac.be (Postfix) with ESMTP id CA55418F9B??for
>> ; Sat, 12 Aug 2006 08:25:31 +0200 (CEST)
>> from gaia.elec.ucl.ac.be[130.104.236.1]; from=
>> to= proto=SMTP helo=
>> Aug 12 08:25:37 smtp-2-3 postfix/cleanup[8825]: [ID 197553
>> mail.info] CA55418F9B: message-
>> id=<20060812062531.CA55418F9B@smtp-2.dynsipr.ucl.ac.be>
>> Aug 12 08:25:38 smtp-2-3 clamsmtpd: [ID 847008 mail.info] 100011:
>> from=mp@elec.ucl.ac.be, to=pascal.maes@uclouvain.be, status=CLEAN
>> Aug 12 08:25:38 smtp-2-3 postfix/smtpd[8824]: [ID 197553
>> mail.info] disconnect from localhost[127.0.0.1]
>> Aug 12 08:25:41 smtp-2-3 postfix/smtpd[8821]: [ID 197553
>> mail.info] disconnect from gaia.elec.ucl.ac.be[130.104.236.1]
>
> And there's no MailScanner log entry below this?

No, just what you see below 2.a

>
> I notice you are running hashed queues. Have you followed this
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:installation#problems_or_errors
> particularly the hashed queue bit?
>

I'm using postfix 2.3.2 and didn't do anything about the queues.
The same configuration is working on a linux box and it works in debugging mode.

--
Pascal

From mailscanner at ecs.soton.ac.uk Sat Aug 12 14:47:38 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 12 14:47:47 2006
Subject: Fwd: Problems on Solaris x86
In-Reply-To: <0E611EF3-805C-4950-A45E-0BF390F1F2C6@elec.ucl.ac.be>
References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> <0E611EF3-805C-4950-A45E-0BF390F1F2C6@elec.ucl.ac.be>
Message-ID: <44DDDBFA.9020503@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pascal Maes wrote:
>
>
> Begin forwarded message:
>
>>
>> Hello,
>>
>>
>> I'm installing MailScanner 4.55.10 into a zone on a Solaris 10 x86
>> system.
>> The MTA is postfix and MailScanner is running as the postfix User.
>>
>> I have the following problems :
>>
>> - there are no logging
>
> In Log.pm we have :
>
> eval {
> if ($^O !~ /solaris|sunos|irix/i) {
> Sys::Syslog::setlogsock('unix');
> } # else {
> # Sys::Syslog::setlogsock('stream');
> # }
>
> It seems that for solaris, it should be 'inet' instead of 'unix'

The latest news is that I should remove the setlogsock call completely, I will be asking the beta-testers group to test this for me. The Log.pm code may undergo quite a few changes in the next month or two.

>
>
>> - when I run MailScanner in debug mode, it works :
>>
>> # ../bin/MailScanner
>> In Debugging mode, not forking...
>> Ignore errors about failing to find EOCD signature
>> Stopping now as you are debugging me.
>>
>> and the mails which are in the queue are sent.
>>
>> - when I start MailScanner not in debug mode, it forks (until the
>> limit), but nothing happens
>> It's the same if I launch MailScanner in foreground :
>>
>> # ../bin/MailScanner
>> MailScanner 4.55.10 starting in foreground mode - pid is [4162]
>> About to fork child #1 of 10...
>> Forked OK - new child is [4163]
>> About to fork child #2 of 10...
>> Forked OK - new child is [4164]
>> ...
>> About to fork child #10 of 10...
>> Forked OK - new child is [4172]
>>
>> but nothing else.
>>
>> Of course, without any logging, it's not easy to find the problem
>>
>> Same problem with MailScanner 4.54-6
>>
>> Any idea ?
>
>
> Now, when I start MailScanner I have the following lines in the logfile :
>
> Aug 11 16:26:38 localhost MailScanner[6498]: MailScanner E-Mail Virus
> Scanner version 4.55.10 starting...
> Aug 11 16:26:38 localhost MailScanner[6498]: Using SpamAssassin results
> cache
> Aug 11 16:26:38 localhost MailScanner[6498]: Connected to SpamAssassin
> cache database
> Aug 11 16:26:38 localhost MailScanner[6498]: MailScanner E-Mail Virus
> Scanner version 4.55.10 starting...
> Aug 11 16:26:38 localhost MailScanner[6498]: Using SpamAssassin results
> cache
> Aug 11 16:26:38 localhost MailScanner[6498]: Connected to SpamAssassin
> cache database
>
> but each mail remains in /var/spool/postfix/hold/
>
> In debugging mode, I get :
>
> # /opt/MailScanner/bin/check_mailscanner
> Starting MailScanner...
> In Debugging mode, not forking...
> Aug 11 16:34:40 localhost MailScanner[6532]: MailScanner E-Mail Virus
> Scanner version 4.55.10 starting...
> Aug 11 16:34:41 localhost MailScanner[6532]: Using SpamAssassin results
> cache
> Aug 11 16:34:41 localhost MailScanner[6532]: Connected to SpamAssassin
> cache database
> Aug 11 16:34:40 localhost MailScanner[6532]: MailScanner E-Mail Virus
> Scanner version 4.55.10 starting...
> Aug 11 16:34:41 localhost MailScanner[6532]: Using SpamAssassin results
> cache
> Aug 11 16:34:41 localhost MailScanner[6532]: Connected to SpamAssassin
> cache database
> Aug 11 16:34:43 localhost MailScanner[6532]: Using locktype = flock
> Aug 11 16:34:43 localhost MailScanner[6532]: New Batch: Scanning 1
> messages, 1232 bytes
> Aug 11 16:34:43 localhost MailScanner[6532]: Spam Checks: Starting
>
>
>
>
> --
> Pascal
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE3dv8EfZZRxQVtlQRAiYFAJ996I8JuSbPL6VSJwnArucGwq3regCgkVDq
qHN9cafc5WhC6wz+xIHQVwI=
=jLsF
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Sat Aug 12 14:59:40 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 12 14:59:50 2006
Subject: agains mailscanner
In-Reply-To: <54D41FFA-1573-4DBC-899C-DB438B52B46B@themarshalls.co.uk>
References: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com> <54D41FFA-1573-4DBC-899C-DB438B52B46B@themarshalls.co.uk>
Message-ID: <44DDDECC.6030604@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Drew Marshall wrote:
> On 11 Aug 2006, at 22:45, Octavio wrote:
>
>> Hi, as many of you I'm on the postfix list too, I
>> notice that most of the user of this list prefer
>> amavis-new and recently I see that some of them don't
>> recommend MailScanner with postfix because it has
>> several fails like lost and damage messages?
>>
>> I use MailScanner in several servers without these kind
>> of problems. do you have any idea why some people
>> think so?
>
> I think this sums it up really
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:politics
>
>
> It's all about 'That's not the way I intended it to work'. Followed by
> 'I'm right and you are wrong 'cause it's my code' type attitudes.
>
> Bottom line is it works and without mangling, truncating or causing the
> recipient to catch some nasty disease. Although much claimed, so far
> 2.3.x has not broken MS either...

MailScanner works just fine with Postfix. When I first designed MailScanner, and its support for Postfix, I dared to "think outside the box" and create a novel way of integrating with Postfix. Wietse didn't like that as he didn't think of it first :-) So he has been battling ever since to stop people using MailScanner with Postfix, with some success, despite the fact that it works perfectly well and won't lose or corrupt any of your mail.

If you don't believe me, then try it and convince yourself.

People have done things with MailScanner that I never dreamt of either, such as using it to filter web traffic, and using it to filter illicit images from mobile phone MMS text/picture messages on huge international mobile phone networks. I think that's fantastic and huge credit is due to them for creating novel solutions to problems of their own!

I can't say I have very much respect for the guy, but that's my personal opinion.

On the subject of illicit image detection, particularly on mobile phone networks, I hope to contact one or two of you in the next day or two to see if you would be interested in joining development of this facility. And yes, MailScanner is used to filter MMS messages sent between phones on one of the largest multi-national mobile phone networks on the planet.

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE3d7PEfZZRxQVtlQRAmn5AKCc+U6R2fcQk3/I/VeTntgv/EYInwCg25N0
yFu+dlUCWDkV3Vhtui+9Q44=
=bBgp
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mike at tc3net.com Sat Aug 12 15:02:44 2006
From: mike at tc3net.com (Michael Baird)
Date: Sat Aug 12 15:02:56 2006
Subject: Searching and recovering mails from /var/spool/mailScanner/archive
In-Reply-To: <44DDDA06.2060503@ecs.soton.ac.uk>
References: <00c701c6bd2f$63f3ea40$1465a8c0@support01> <44DDDA06.2060503@ecs.soton.ac.uk>
Message-ID: <1155391365.4625.11.camel@localhost.localdomain>

> MailWatch.
>
> Nigel Kendrick wrote:
> > Hi Folks,
> >
> > No doubt this has been asked before but I'm not having much luck searching
> > for ideas so...
> >
> > I have to search and recover some emails from the MailScanner archive
> > folders - are there any nice tools to do this before I start to do some
> > scripting?
> >
> > Thanks
> >
> > Nigel Kendrick
> >
>

How with MailWatch? I've seen that answer before, is there documentation on how to use MailWatch to restore individual users from MailScanner archive directories? Or do we need to write our own scripting to find the message id's from MailWatch's database.

Regards
Michael Baird

From mailscanner at ecs.soton.ac.uk Sat Aug 12 15:03:58 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 12 15:04:15 2006
Subject: nasty bug in SA.pm (I think)
In-Reply-To:
References:
Message-ID: <44DDDFCE.3080707@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If there had been mis-matching brackets, then

perl -c SA.pm

would have failed. Remember that Perl compiles all the code before it starts running it, it isn't an interpreted scripting language, it's a compiled one. So the syntax basically has to be right before it will start executing anything (apart from things like eval "" code and stuff like that).

Jeff A. Earickson wrote:
> I came to this realization after a good dinner tonight. Sigh.
>
> Jeff Earickson
>
> On Fri, 11 Aug 2006, Logan Shaw wrote:
>
>> Date: Fri, 11 Aug 2006 17:26:57 -0500 (CDT)
>> From: Logan Shaw
>> Reply-To: MailScanner discussion
>> To: MailScanner discussion
>> Subject: Re: nasty bug in SA.pm (I think)
>>
>> On Fri, 11 Aug 2006, Jeff A. Earickson wrote:
>>> So I stared at SA.pm. You commented out line 287:
>>>
>>> #if (MailScanner::Config::Value('compilespamassassinonce')) {
>>>
>>> at some point, which commented out half of a curly-bracket block.
>>> I can't find where the right curly-bracket for this line is, and I
>>> think something is mis-aligned here.
>>>
>>> Using the power feature of vi whereby you put the cursor over a
>>> bracket, paren, etc and then hit "%", I don't find the closing curly
>>> bracket for line 72 ("sub initialise {"). This routine seems
>>> mangled and I think this is the root cause of the loop-up bug.
>>
>> Beware of using "%" in vi on Perl code. vi's "%" feature was
>> written for C, and as you may have noticed, Perl's syntax is
>> not exactly the same as C's. :-) (It is similar enough to make
>> "%" work most of the time, though.)
>>
>> In particular, vi really doesn't understand braces that are
>> commented out with Perl comments:
>>
>> while (1)
>> {
>> bar1();
>>
>> # this brace will confuse vi ---> }
>>
>> bar2();
>> }
>>
>> Try putting your cursor on the "{" right after the "while" and
>> hitting "%". You'll see it matching against the wrong brace.
>>
>> In fact, I think that's what is happening with SA.pm. An easy
>> way to test it is to just delete the comment line with the brace
>> that's confusing vi. We are probably at different MailScanner
>> versions since the corresponding line on mine is at 285, but
>> if you delete the line with 'compilespamassassinonce' on it,
>> then try to match braces with "%", everything looks good.
>>
>> - Logan
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Get your PCs and servers from Transtec.de, very well built and reliable!

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE3d/QEfZZRxQVtlQRApuXAJ9QcjEohJ3d3t0qDcbbQA+mZjAy0gCePcxd
Vy3ILt5jNc9BfLMFwtLXvjY=
=QAPx
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From pascal.maes at elec.ucl.ac.be Sat Aug 12 15:06:07 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Sat Aug 12 15:06:10 2006
Subject: Problems on Solaris x86
In-Reply-To: <44DDDA84.5060109@ecs.soton.ac.uk>
References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> <44DDDA84.5060109@ecs.soton.ac.uk>
Message-ID:

On 12 Aug 06, at 15:41, Julian Field wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Pascal Maes wrote:
>> Hello,
>>
>>
>> I'm installing MailScanner 4.55.10 into a zone on a Solaris 10 x86
>> system.
>> The MTA is postfix and MailScanner is running as the postfix User.
>>
>> I have the following problems :
>>
>> - there are no logging
>
> Either download my latest version of MailScanner 4.55 or install
> Sys::Syslog 0.17.
> And skip the "make test" bit when installing that module, it hangs on
> some systems.

I have MailScanner 4.55.10-3 and Sys::Syslog is up to date (0.17).

>
>> - when I run MailScanner in debug mode, it works :
>>
>> # ../bin/MailScanner
>> In Debugging mode, not forking...
>> Ignore errors about failing to find EOCD signature
>> Stopping now as you are debugging me.
>>
>> and the mails which are in the queue are sent.
>>
>> - when I start MailScanner not in debug mode, it forks (until the
>> limit), but nothing happens
>> It's the same if I launch MailScanner in foreground :
>>
>> # ../bin/MailScanner
>> MailScanner 4.55.10 starting in foreground mode - pid is [4162]
>> About to fork child #1 of 10...
>> Forked OK - new child is [4163]
>> About to fork child #2 of 10...
>> Forked OK - new child is [4164]
>> ...
>> About to fork child #10 of 10...
>> Forked OK - new child is [4172]
>>
>> but nothing else.
>>
>> Of course, without any logging, it's not easy to find the problem
>>
>> Same problem with MailScanner 4.54-6
>
> Check the "Lock Type" you are using. You should be able to leave it
> blank for Postfix.

in MailScanner.conf :

Lock Type =

--
Pascal

From mailscanner at ecs.soton.ac.uk Sat Aug 12 15:11:33 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 12 15:11:42 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To:
References:
Message-ID: <44DDE195.3060001@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kevin Miller wrote:
> Michael Baird wrote:
>
>> Greylisting decreases load immeasurably on a mailscanner system, the
>> cost of greylisting is much less than allowing the message to go
>> through the mailscanner system. I deployed it several months ago, it
>> really is a good tool, and I've had very few complaints (10000 users).
>
> I just use Sendmails greet pause which is 10 seconds to set up and works
> a treat - does greylisting add significant control or improvement over
> that? Anybody using them in tandem or is one or the other to be
> preferred?

I use both, and I have had to turn the greetpause setting down to about 2 or 3 seconds, as some systems (such as NTMail) don't check properly for the welcome message before sending the HELO or EHLO. At that sort of setting, it has little benefit. And there is no easy way to set up a whitelist with greetpause.

Greylisting (using milter-greylist) has a superb little whitelist facility, and shares the current greylist database between multiple MX's with minimal effort, using a TCP connection between each one.

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE3eGWEfZZRxQVtlQRArXDAKCYHIHC+TwJPEGC9nTeYYCWKH9klwCgw8X/
Ox37MnqEyfYuTaJ52Ju6sEk=
=rBze
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mailscanner at ecs.soton.ac.uk Sat Aug 12 15:19:20 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Aug 12 15:19:30 2006
Subject: New MS on Gentoo Linux
In-Reply-To:
References:
Message-ID: <44DDE368.3090707@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Kimpton wrote:
> Hi Erik,
>
> Erik van der Leun hal9000.nl> writes:
>
>> Hi hi,
>>
>> On gentoo linux, I choose to use the perl thingies from portage, instead
>> of the perl modules delivered with MailScanner...
>>
>> This ends up with the wrong name for the module needed when starting
>> MailScanner, namely DiskSpace.pm instead of Df.pm. I fixed it quickly
>> by creating a simple symlink.
>>
>
> Thanks for this - do you know which is correct Df or DiskSpace - that is, who
> needs to fix it MailScanner or Gentoo...

Message.pm contains:

use Filesys::Df;

in the latest code. And that is what is installed by the installation script install.sh.

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3eNrEfZZRxQVtlQRAgkUAKCWo9VLvp7HSa7ns1iv2Wax5U0hpgCgqZVa Ioh4ClX/YOkbPVGn6B7VvYE= =9CW3 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Sat Aug 12 15:28:51 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 12 15:28:58 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: <20060811121030.A64675@mikea.ath.cx> References: <1155315918.31265.3.camel@mike-new2.tc3net.com> <20060811121030.A64675@mikea.ath.cx> Message-ID: <44DDE5A3.2050607@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 mikea wrote: > On Fri, Aug 11, 2006 at 01:05:18PM -0400, Michael Baird wrote: >> On Fri, 2006-08-11 at 10:52 -0500, Logan Shaw wrote: >>> On Fri, 11 Aug 2006, Jim Holland wrote: >>>> Another concern is the impact that greylisting would have on the Internet >>>> if its adoption became widespread - it would mean that all mail servers >>>> would have to work twice as hard to deliver mail. >>> Actually, it's only some mail servers. Greylisting lets known >>> senders through without a delay. Mail servers that are mostly >>> sending messages to recipients who recognize them would not >>> see delays. Mail servers that are mostly sending messages >>> to those who don't recognize them would see the delays. So, >>> it makes mail servers up to twice as hard. >>> >>> Also, while I agree that it would increase the load, in >>> general I think decreasing spam is worth some increased load. 
>>> Sure, it's a slippery slope (one could imagine things getting >>> so bloated that it takes 5 minutes of CPU time to deliver one >>> message, if we keep on adding limitless spam-fighting strategy), >>> but on the other hand, 10 seconds of CPU time spent catching >>> spam automatically is cheaper than 10 seconds of a human's >>> time deleting it manually. >> Greylisting decreases load immeasurably on a mailscanner system, the >> cost of greylisting is much less then allowing the message to go through >> the mailscanner sytem. I deployed it several months ago, it really is a >> good tool, and I've had very few complaints (10000 users). > > My complaints have, almost without exception, come from users who think > that E-mail should show up in their inboxes Right DamnIt _NOW_. I have 2000 users who are just like that, they use email instead of the phone quite a lot of the time. And why not, after all, it's pretty instant and they get to re-phrase what they say before the recipient gets it. I do it myself. So I set the delay to 10 minutes, with the memory time set to 32 days. 32 days means you effectively whitelist all the monthly emails from mailing list servers, as I don't want to make list servers' lives any harder than they are already. I talked to some of my fussiest users, and to my top management, and persuaded them to take part in an email spam fight test for a week. I refused to tell them what I was doing, just that they wouldn't lose any real mail and were quite safe. After the test, I asked them for the experiences, particularly any "hunches" or "feelings" they had about what had happened in the past week. Not *one* person commented about any delay. I have now deployed it across the entire place, and they love it. So do a totally blind test with your fussiest users, like I did. And then go for it! 
:-) - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3eWkEfZZRxQVtlQRAhoaAJ48Z0GIAA3sRuveD6qDeydhbLAXCwCffeSd U/0J395fdnqo+F8y6bqYETE= =uMcd -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From pascal.maes at elec.ucl.ac.be Sat Aug 12 16:03:50 2006 From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Sat Aug 12 16:03:54 2006 Subject: Problems on Solaris x86 In-Reply-To: References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> <44DDDA84.5060109@ecs.soton.ac.uk> <27072A17-4AC6-4865-BC0A-27D7B0A15EA3@elec.ucl.ac.be> Message-ID: <27072A17-4AC6-4865-BC0A-27D7B0A15EA3@elec.ucl.ac.be> On 12 Aug 06, at 16:06, Pascal Maes wrote: >> >> Check the "Lock Type" you are using. You should be able to leave it >> blank for Postfix. > > in MailScanner.conf : > > Lock Type = > > I have copied /opt/MailScanner from the Solaris 10 x86 on a Solaris 9 Sparc box. It's the same configuration (with Lock Type = ) On the Solaris 9 (sparc) box, I have :
# /opt/MailScanner/bin/MailScanner
Aug 12 16:59:23 smtp1e MailScanner[29806]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 12 16:59:28 smtp1 MailScanner[29806]: Using SpamAssassin results cache
Aug 12 16:59:28 smtp1 MailScanner[29806]: Connected to SpamAssassin cache database
Aug 12 16:59:35 smtp1 MailScanner[29806]: Using locktype = flock
On the Solaris 10 (x86), in debugging mode, I have :
# /opt/MailScanner/bin/MailScanner
In Debugging mode, not forking...
Aug 12 17:00:51 localhost MailScanner[19018]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 12 17:00:52 localhost MailScanner[19018]: Using SpamAssassin results cache
Aug 12 17:00:52 localhost MailScanner[19018]: Connected to SpamAssassin cache database
Aug 12 17:00:54 localhost MailScanner[19018]: Using locktype = flock
but in "normal" mode :
# /opt/MailScanner/bin/MailScanner
Aug 12 17:02:11 localhost MailScanner[19025]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Aug 12 17:02:11 localhost MailScanner[19025]: Using SpamAssassin results cache
Aug 12 17:02:11 localhost MailScanner[19025]: Connected to SpamAssassin cache database
the line "Using locktype = flock" doesn't come -- Pascal From denis at croombs.org Sat Aug 12 16:03:48 2006 From: denis at croombs.org (Denis Croombs) Date: Sat Aug 12 16:04:14 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: <44DDE195.3060001@ecs.soton.ac.uk> Message-ID: <200608121505.k7CF5uWA020918@rack2.justlinux1.net> > >> Greylisting decreases load immeasurably on a mailscanner > system, the > >> cost of greylisting is much less than allowing the message to go > >> through the mailscanner system. I deployed it several > months ago, it > >> really is a good tool, and I've had very few complaints > (10000 users). > > > > I just use Sendmail's greet pause which is 10 seconds to set up and > > works a treat - does greylisting add significant control or > > improvement over that? Anybody using them in tandem or is > one or the > > other to be preferred? > > I use both, and I have had to turn the greetpause setting > down to about > 2 or 3 seconds, as some systems (such as NTMail) don't check > properly for the welcome message before sending the HELO or > EHLO. At that sort of setting, it has little benefit. And > there is no easy way to set up a whitelist with greetpause. > > Greylisting (using milter-greylist) has a superb little > whitelist facility, and shares the current greylist database > between multiple MX's with minimal effort, using a TCP > connection between each one.
I have been trying to install milter-greylist all day on my sendmail 8.12 & 8.13 systems (Redhat & Centos mixture), but keep getting the error "checking for smfi_register in -lmilter -lsm... no checking for smfi_register in -lmilter -lsmutil... no Required libmilter not found. Use --with-libmilter" I have tried google, but as yet have not found the answer, has any kind person give me a clue ? Thanks Denis From mailscanner at mango.zw Sat Aug 12 16:27:02 2006 From: mailscanner at mango.zw (Jim Holland) Date: Sat Aug 12 16:33:18 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: <44DDE195.3060001@ecs.soton.ac.uk> Message-ID: On Sat, 12 Aug 2006, Julian Field wrote: > Kevin Miller wrote: > > Michael Baird wrote: > > > >> Greylisting decreases load immeasurably on a mailscanner system, the > >> cost of greylisting is much less then allowing the message to go > >> through the mailscanner sytem. I deployed it several months ago, it > >> really is a good tool, and I've had very few complaints (10000 users). > > > > I just use Sendmails greet pause which is 10 seconds to set up and works > > a treat - does greylisting add significant control or improvement over > > that? Anybody using them in tandom or is one or the other to be > > preferred? > > I use both, and I have had to turn the greetpause setting down to about > 2 or 3 seconds, as some systems (such as NTMail) don't check properly > for the welcome message before sending the HELO or EHLO. At that sort of > setting, it has little benefit. And there is no easy way to set up a > whitelist with greetpause. I just put "GreetPause: 0" entries in the access file before the default entry. 
See sendmail notes: If FEATURE(`access_db') is enabled, an access database lookup with the GreetPause tag is done using client hostname, domain, IP address, or subnet to determine the pause time:
GreetPause:my.domain 0
GreetPause:example.com 5000
GreetPause:10.1.2 2000
GreetPause:127.0.0.1 0
Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From pascal.maes at elec.ucl.ac.be Sat Aug 12 16:37:24 2006 From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Sat Aug 12 16:37:27 2006 Subject: Problems on Solaris x86 In-Reply-To: <27072A17-4AC6-4865-BC0A-27D7B0A15EA3@elec.ucl.ac.be> References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> <44DDDA84.5060109@ecs.soton.ac.uk> <27072A17-4AC6-4865-BC0A-27D7B0A15EA3@elec.ucl.ac.be> Message-ID: On 12 Aug 06, at 17:03, Pascal Maes wrote:
> but in "normal" mode :
>
> # /opt/MailScanner/bin/MailScanner
> Aug 12 17:02:11 localhost MailScanner[19025]: MailScanner E-Mail
> Virus Scanner version 4.55.10 starting...
> Aug 12 17:02:11 localhost MailScanner[19025]: Using SpamAssassin
> results cache
> Aug 12 17:02:11 localhost MailScanner[19025]: Connected to
> SpamAssassin cache database
>
> the line "Using locktype = flock" doesn't come
>
I add some InfoLog in MailScanner to see where the process is blocked. In lib/MailScanner/SA.pm :
    # If they are using MCP at all, then we need to compile SA differently
    # here due to object clashes within SA.
    if (MailScanner::Config::IsSimpleValue('mcpchecks') &&
        !MailScanner::Config::Value('mcpchecks')) {
      # They are definitely not using MCP
      MailScanner::Log::InfoLog("7");
      $MailScanner::SA::SAspamtest->compile_now();
      MailScanner::Log::InfoLog("8");
I see the 7 but never the 8 Why $MailScanner::SA::SAspamtest->compile_now() doesn't finish ?
-- Pascal From mikea at mikea.ath.cx Sat Aug 12 17:26:53 2006 From: mikea at mikea.ath.cx (mikea) Date: Sat Aug 12 17:26:57 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: <200608121505.k7CF5uWA020918@rack2.justlinux1.net>; from denis@croombs.org on Sat, Aug 12, 2006 at 04:03:48PM +0100 References: <44DDE195.3060001@ecs.soton.ac.uk> <200608121505.k7CF5uWA020918@rack2.justlinux1.net> Message-ID: <20060812112653.A71763@mikea.ath.cx> On Sat, Aug 12, 2006 at 04:03:48PM +0100, Denis Croombs wrote: > > >> Greylisting decreases load immeasurably on a mailscanner > > system, the > > >> cost of greylisting is much less then allowing the message to go > > >> through the mailscanner sytem. I deployed it several > > months ago, it > > >> really is a good tool, and I've had very few complaints > > (10000 users). > > > > > > I just use Sendmails greet pause which is 10 seconds to set up and > > > works a treat - does greylisting add significant control or > > > improvement over that? Anybody using them in tandom or is > > one or the > > > other to be preferred? > > > > I use both, and I have had to turn the greetpause setting > > down to about > > 2 or 3 seconds, as some systems (such as NTMail) don't check > > properly for the welcome message before sending the HELO or > > EHLO. At that sort of setting, it has little benefit. And > > there is no easy way to set up a whitelist with greetpause. > > > > Greylisting (using milter-greylist) has a superb little > > whitelist facility, and shares the current greylist database > > between multiple MX's with minimal effort, using a TCP > > connection between each one. > > I have been trying to install milter-greylist all day on my sendmail 8.12 & > 8.13 systems (Redhat & Centos mixture), but keep getting the error "checking > for smfi_register in -lmilter -lsm... no > checking for smfi_register in -lmilter -lsmutil... no > Required libmilter not found. 
Use --with-libmilter" > > I have tried google, but as yet have not found the answer, has any kind > person give me a clue ? You have to download and install libmilter to get pretty much any of Anthony Howe's milters to run. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From lday at txk.k12.ar.us Sat Aug 12 17:40:12 2006 From: lday at txk.k12.ar.us (James L. Day) Date: Sat Aug 12 17:40:16 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: References: Message-ID: <44DE046C.6010507@txk.k12.ar.us> How can I tell if Sendmail's greetpause is working? I don't see any evidence in the log files.. Thanks, Lynn Jim Holland wrote: > On Sat, 12 Aug 2006, Julian Field wrote: > > >> Kevin Miller wrote: >> >>> Michael Baird wrote: >>> >>> >>>> Greylisting decreases load immeasurably on a mailscanner system, the >>>> cost of greylisting is much less then allowing the message to go >>>> through the mailscanner sytem. I deployed it several months ago, it >>>> really is a good tool, and I've had very few complaints (10000 users). >>>> >>> I just use Sendmails greet pause which is 10 seconds to set up and works >>> a treat - does greylisting add significant control or improvement over >>> that? Anybody using them in tandom or is one or the other to be >>> preferred? >>> >> I use both, and I have had to turn the greetpause setting down to about >> 2 or 3 seconds, as some systems (such as NTMail) don't check properly >> for the welcome message before sending the HELO or EHLO. At that sort of >> setting, it has little benefit. And there is no easy way to set up a >> whitelist with greetpause. >> > > I just put "GreetPause: 0" entries in the access file before > the default entry. 
See sendmail notes: > > If FEATURE(`access_db') is enabled, an access database > lookup with the GreetPause tag is done using client > hostname, domain, IP address, or subnet to determine the > pause time: > > GreetPause:my.domain 0 > GreetPause:example.com 5000 > GreetPause:10.1.2 2000 > GreetPause:127.0.0.1 0 > > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service > > From mailscanner at ecs.soton.ac.uk Sat Aug 12 17:47:59 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sat Aug 12 17:48:12 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: <44DE046C.6010507@txk.k12.ar.us> References: <44DE046C.6010507@txk.k12.ar.us> Message-ID: <44DE063F.6060108@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 telnet port 25 and time the gap between the connection opening and the greeting text appearing. James L. Day wrote: > How can I tell if Sendmail's greetpause is working? I don't see any > evidence in the log files.. > > Thanks, > Lynn > > Jim Holland wrote: >> On Sat, 12 Aug 2006, Julian Field wrote: >> >> >>> Kevin Miller wrote: >>> >>>> Michael Baird wrote: >>>> >>>> >>>>> Greylisting decreases load immeasurably on a mailscanner system, the >>>>> cost of greylisting is much less then allowing the message to go >>>>> through the mailscanner sytem. I deployed it several months ago, it >>>>> really is a good tool, and I've had very few complaints (10000 users). >>>>> >>>> I just use Sendmails greet pause which is 10 seconds to set up and works >>>> a treat - does greylisting add significant control or improvement over >>>> that? Anybody using them in tandom or is one or the other to be >>>> preferred? >>>> >>> I use both, and I have had to turn the greetpause setting down to about >>> 2 or 3 seconds, as some systems (such as NTMail) don't check properly >>> for the welcome message before sending the HELO or EHLO. At that sort of >>> setting, it has little benefit. 
And there is no easy way to set up a >>> whitelist with greetpause. >>> >> I just put "GreetPause: 0" entries in the access file before >> the default entry. See sendmail notes: >> >> If FEATURE(`access_db') is enabled, an access database >> lookup with the GreetPause tag is done using client >> hostname, domain, IP address, or subnet to determine the >> pause time: >> >> GreetPause:my.domain 0 >> GreetPause:example.com 5000 >> GreetPause:10.1.2 2000 >> GreetPause:127.0.0.1 0 >> >> Regards >> >> Jim Holland >> System Administrator >> MANGO - Zimbabwe's non-profit e-mail service >> >> > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE3gZCEfZZRxQVtlQRAgCIAKDxvomKghdRbauMzRHOFBKt3lPoKACeJwzB C+Db1gdoooFhV/9x5CJbcX0= =e5ab -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From steve.swaney at fsl.com Sat Aug 12 17:53:36 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Sat Aug 12 17:53:41 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) In-Reply-To: <44DE046C.6010507@txk.k12.ar.us> Message-ID: <0aff01c6be2f$dac790d0$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of James L. Day > Sent: Saturday, August 12, 2006 12:40 PM > To: MailScanner discussion > Subject: Re: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) > > How can I tell if Sendmail's greetpause is working? I don't see any > evidence in the log files.. 
> > Thanks, > Lynn > You'll see tons of messages similar to: Aug 6 11:25:00 mta10 sendmail[7675]: k76FP0mR007675: rejecting commands from dsl-201-102-42-43.prod-infinitum.com.mx [201.102.42.43] due to pre-greeting traffic Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com > Jim Holland wrote: > > On Sat, 12 Aug 2006, Julian Field wrote: > > > > > >> Kevin Miller wrote: > >> > >>> Michael Baird wrote: > >>> > >>> > >>>> Greylisting decreases load immeasurably on a mailscanner system, the > >>>> cost of greylisting is much less then allowing the message to go > >>>> through the mailscanner sytem. I deployed it several months ago, it > >>>> really is a good tool, and I've had very few complaints (10000 > users). > >>>> > >>> I just use Sendmails greet pause which is 10 seconds to set up and > works > >>> a treat - does greylisting add significant control or improvement over > >>> that? Anybody using them in tandom or is one or the other to be > >>> preferred? > >>> > >> I use both, and I have had to turn the greetpause setting down to about > >> 2 or 3 seconds, as some systems (such as NTMail) don't check properly > >> for the welcome message before sending the HELO or EHLO. At that sort > of > >> setting, it has little benefit. And there is no easy way to set up a > >> whitelist with greetpause. > >> > > > > I just put "GreetPause: 0" entries in the access file before > > the default entry. 
See sendmail notes: > > > > If FEATURE(`access_db') is enabled, an access database > > lookup with the GreetPause tag is done using client > > hostname, domain, IP address, or subnet to determine the > > pause time: > > > > GreetPause:my.domain 0 > > GreetPause:example.com 5000 > > GreetPause:10.1.2 2000 > > GreetPause:127.0.0.1 0 > > > > Regards > > > > Jim Holland > > System Administrator > > MANGO - Zimbabwe's non-profit e-mail service > > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From lday at txk.k12.ar.us Sat Aug 12 18:22:59 2006 From: lday at txk.k12.ar.us (James L. Day) Date: Sat Aug 12 18:23:02 2006 Subject: OT - Greylisting In-Reply-To: <0aff01c6be2f$dac790d0$287ba8c0@office.fsl> References: <0aff01c6be2f$dac790d0$287ba8c0@office.fsl> Message-ID: <44DE0E73.7030009@txk.k12.ar.us> Steve, I ran the test that Julian sent and the welcome prompt was delayed about 5 seconds. When I added the host I ran the test from to "access.db", the prompt appeared almost immediately. So, greet_delay does appear to work. I ran the following two commands and came up empty: MailFilter:/var/log# grep "rejecting commands" * MailFilter:/var/log# grep greeting * I have Sendmail checking against a couple of blacklists in rbldnsd and that has been blocking about 98% of what comes in. Is it possible that Sendmail is doing the RBL lookup and refusing the message before greet_delay kicks in? Thanks, Lynn Stephen Swaney wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of James L. 
Day >> Sent: Saturday, August 12, 2006 12:40 PM >> To: MailScanner discussion >> Subject: Re: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) >> >> How can I tell if Sendmail's greetpause is working? I don't see any >> evidence in the log files.. >> >> Thanks, >> Lynn >> >> > > You'll see tons of messages similar to: > > Aug 6 11:25:00 mta10 sendmail[7675]: k76FP0mR007675: rejecting commands > from dsl-201-102-42-43.prod-infinitum.com.mx [201.102.42.43] due to > pre-greeting traffic > > Steve > > Stephen Swaney > Fort Systems Ltd. > stephen.swaney@fsl.com > www.fsl.com > From David.While at uce.ac.uk Sat Aug 12 18:17:33 2006 From: David.While at uce.ac.uk (David While) Date: Sat Aug 12 18:24:41 2006 Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) References: <200608121505.k7CF5uWA020918@rack2.justlinux1.net> Message-ID: <294B4B3243E76C4BA4FF7F54003B3BE10116ABB3@exchangea.staff.uce.ac.uk> For the Redhat make sure that you have the sendmail-devel rpm installed. the libmilter is not part of the sendmail rpm but the sendmail development rpm. David While -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info on behalf of Denis Croombs Sent: Sat 12/08/2006 16:03 To: 'MailScanner discussion' Cc: Subject: RE: OT - Greylisting (was: Re: gOCR SpamAssassin plugin) > >> Greylisting decreases load immeasurably on a mailscanner > system, the > >> cost of greylisting is much less then allowing the message to go > >> through the mailscanner sytem. I deployed it several > months ago, it > >> really is a good tool, and I've had very few complaints > (10000 users). > > > > I just use Sendmails greet pause which is 10 seconds to set up and > > works a treat - does greylisting add significant control or > > improvement over that? Anybody using them in tandom or is > one or the > > other to be preferred? 
> > I use both, and I have had to turn the greetpause setting > down to about > 2 or 3 seconds, as some systems (such as NTMail) don't check > properly for the welcome message before sending the HELO or > EHLO. At that sort of setting, it has little benefit. And > there is no easy way to set up a whitelist with greetpause. > > Greylisting (using milter-greylist) has a superb little > whitelist facility, and shares the current greylist database > between multiple MX's with minimal effort, using a TCP > connection between each one. I have been trying to install milter-greylist all day on my sendmail 8.12 & 8.13 systems (Redhat & Centos mixture), but keep getting the error "checking for smfi_register in -lmilter -lsm... no checking for smfi_register in -lmilter -lsmutil... no Required libmilter not found. Use --with-libmilter" I have tried google, but as yet have not found the answer, has any kind person give me a clue ? Thanks Denis From gmane at tippingmar.com Sat Aug 12 19:07:51 2006 From: gmane at tippingmar.com (Mark Nienberg) Date: Sat Aug 12 19:08:05 2006 Subject: 70_sare_stocks.cf In-Reply-To: <44DD3D49.9070508@maddoc.net> References: <44D18987.4070400@maddoc.net> <44DD3D49.9070508@maddoc.net> Message-ID: Doc Schneider wrote: > Mark Nienberg wrote: >> Doc Schneider wrote: >>> I added a "tweak" to the rule set that should catch more of these >>> dang image spams.
>>> >>> For those of you running "SARE_STOCK" please let me know if these are >>> now being caught. >> >> >> After about a week of running the new rule set I realized that in >> addition to catching more of those dang image spams, I was also >> getting a lot of false positives. We receive a lot of messages from >> persons who write in html and attach a small gif image in their >> signature (usually a company logo). In fact, lots of my users do the >> same in their signatures (don't get me started). Consequently, I have >> had to disable the gif rules in the rule set. > Mark, > > You got more problems than the SARE_GIF_ATTACH if simple small images > are being caught and FP mails. Since it only has a score of 0.75 which > shouldn't be FP anything. But of course as with anything YMMV. It often triggers in combination with the meta rule SARE_GIF_STOX for a total of (0.75 + 1.66= 2.41). I'm not saying that many messages are pushed from non-spam to spam by the additional points, but in our mix of mail the points are added to many messages that are not spam, so the rule is not a very good indication of spaminess (again, in our mix of mail). I'm still using the rest of the ruleset though, with some success. Mark From alex at nkpanama.com Sat Aug 12 20:54:41 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Sat Aug 12 20:54:57 2006 Subject: agains mailscanner In-Reply-To: <44DDDECC.6030604@ecs.soton.ac.uk> References: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com> <54D41FFA-1573-4DBC-899C-DB438B52B46B@themarshalls.co.uk> <44DDDECC.6030604@ecs.soton.ac.uk> Message-ID: <44DE3201.3020108@nkpanama.com> Julian Field wrote: > People have done things with MailScanner that I never dreamt of either, > such as using it to filter web traffic, and using it to filter illicit > images from mobile phone MMS text/picture messages on huge international > mobile phone networks. 
I think that's fantastic and huge credit is due > to them for creating novel solutions to problems of their own! How does one go about filtering web traffic with MailScanner? > > On the subject of illicit image detection, particularly on mobile phone > networks, I hope to contact one or two of you in the next day or two to > see if you would be interested in joining development of this facility. I'd like to help in any way I can... > > And yes, MailScanner is used to filter MMS messages sent between phones > on one of the largest multi-national mobile phone networks on the planet. I'm not surprised. From gordon at itnt.co.za Sun Aug 13 07:13:53 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Sun Aug 13 07:37:37 2006 Subject: gOCR SpamAssassin plugin References: <44D745A6.1050007@blacknight.ie> Message-ID: <003401c6bea2$ef2c6000$0d02a8c0@Gordon> I get this error after installing the plugin.... Any ideas, have copied the pm file to both perl and site vendor dirs
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ImageInfo.pm in @INC (@INC contains: lib /usr/lib/perl5/site_perl/5.8.7/i386-linux /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/5.8.7/i386-linux /usr/lib/perl5/5.8.7 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.7/i386-linux /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.6/i386-linux /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl) at (eval 33) line 1.
plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::ImageInfo: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::ImageInfo" at (eval 34) line 1.
Thanks Gordon ----- Original Message ----- From: "Michele Neylon:: Blacknight.ie" To: "MailScanner discussion" Sent: Monday, August 07, 2006 3:52 PM Subject: Re: gOCR SpamAssassin plugin The one that Dallas posted on the SA users group seems to work well: http://www.rulesemporium.com/plugins.htm#imageinfo -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From pascal.maes at elec.ucl.ac.be Sun Aug 13 08:06:38 2006 From: pascal.maes at elec.ucl.ac.be (Pascal Maes) Date: Sun Aug 13 08:06:46 2006 Subject: Problems on Solaris x86 In-Reply-To: References: <3067C01E-94D5-454F-9BD4-ADAD401906A8@elec.ucl.ac.be> <44DDDA84.5060109@ecs.soton.ac.uk> <27072A17-4AC6-4865-BC0A-27D7B0A15EA3@elec.ucl.ac.be> Message-ID: <30173709-B06A-4C10-884F-9F0AF48984EA@elec.ucl.ac.be> On 12 Aug 06, at 17:37, Pascal Maes wrote:
>
> On 12 Aug 06, at 17:03, Pascal Maes wrote:
>
> I add some InfoLog in MailScanner to see where the process is blocked.
>
> In lib/MailScanner/SA.pm :
>
>     # If they are using MCP at all, then we need to compile SA differently
>     # here due to object clashes within SA.
>     if (MailScanner::Config::IsSimpleValue('mcpchecks') &&
>         !MailScanner::Config::Value('mcpchecks')) {
>       # They are definitely not using MCP
>       MailScanner::Log::InfoLog("7");
>       $MailScanner::SA::SAspamtest->compile_now();
>       MailScanner::Log::InfoLog("8");
>
> I see the 7 but never the 8
>
> Why $MailScanner::SA::SAspamtest->compile_now() doesn't finish ?
>
> --
> Pascal
>
Finally, it's the line
    $self->do_full_eval_tests($priority, \$fulltext);
in SpamAssassin/PerMsgStatus.pm which blocks the process.
When I put this line in comment, all is going "fine" Any idea ? -- Pascal From pravin.rane at gmail.com Sun Aug 13 10:50:39 2006 From: pravin.rane at gmail.com (Pravin Rane) Date: Sun Aug 13 10:50:41 2006 Subject: Insert New line at the end of mail Message-ID: <13c021a90608130250i3e516578td7115ad3f0c8bb1e@mail.gmail.com> How do I tell Mailscanner to insert new line at the end of mails who do not contain new line at the end. -- Regards Pravin From gordon at itnt.co.za Sun Aug 13 12:13:42 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Sun Aug 13 12:22:13 2006 Subject: gOCR SpamAssassin plugin References: <44D745A6.1050007@blacknight.ie> <003401c6bea2$ef2c6000$0d02a8c0@Gordon> Message-ID: <006101c6beca$b1943830$0d02a8c0@Gordon> Don't worry, fixed the problem, copied the file into the wrong directory... ----- Original Message ----- From: "Gordon Colyn" To: "MailScanner discussion" Sent: Sunday, August 13, 2006 8:13 AM Subject: Re: gOCR SpamAssassin plugin I get this error after installing the plugin.... Any ideas, have copied the pm file to both perl and site vendor dirs
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ImageInfo.pm in @INC (@INC contains: lib /usr/lib/perl5/site_perl/5.8.7/i386-linux /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/5.8.7/i386-linux /usr/lib/perl5/5.8.7 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.7/i386-linux /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.6/i386-linux /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl) at (eval 33) line 1.
plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::ImageInfo: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::ImageInfo" at (eval 34) line 1.
Thanks Gordon ----- Original Message ----- From: "Michele Neylon:: Blacknight.ie" To: "MailScanner discussion" Sent: Monday, August 07, 2006 3:52 PM Subject: Re: gOCR SpamAssassin plugin The one that Dallas posted on the SA users group seems to work well: http://www.rulesemporium.com/plugins.htm#imageinfo -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239 From mailscanner at ecs.soton.ac.uk Sun Aug 13 17:12:52 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 13 17:13:08 2006 Subject: agains mailscanner In-Reply-To: <44DE3201.3020108@nkpanama.com> References: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com> <54D41FFA-1573-4DBC-899C-DB438B52B46B@themarshalls.co.uk> <44DDDECC.6030604@ecs.soton.ac.uk> <44DE3201.3020108@nkpanama.com> Message-ID: <44DF4F84.2080802@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Neuman van der Hans wrote: > Julian Field wrote: >> People have done things with MailScanner that I never dreamt of >> either, such as using it to filter web traffic, and using it to filter >> illicit images from mobile phone MMS text/picture messages on huge >> international mobile phone networks.
I think that's fantastic and huge >> credit is due to them for create novel solutions to problems of their >> own! > How does one go about filtering web traffic with MailScanner? Do a Google search for it, there certainly was an Apache module that used the MailScanner engine on web traffic. I can't remember the name, sorry. >> >> On the subject of illicit image detection, particularly on mobile >> phone networks, I hope to contact one or two of you in the next day or >> two to see if you would be interested in joining development of this >> facility. > I'd like to help in any way I can... I need people who do a minimum of 250,000 messages per day. >> >> And yes, MailScanner is used to filter MMS messages sent between >> phones on one of the largest multi-national mobile phone networks on >> the planet. > I'm not surprised. Thanks! - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE30+LEfZZRxQVtlQRAmi0AKCZ8va89WyCbT3rc7DS8F76dhb2CgCghxva 3JTRt1dzPKuAtp3+LE8Rb5w= =rLlD -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From mailscanner at ecs.soton.ac.uk Sun Aug 13 17:14:53 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Aug 13 17:15:08 2006
Subject: Insert New line at the end of mail
In-Reply-To: <13c021a90608130250i3e516578td7115ad3f0c8bb1e@mail.gmail.com>
References: <13c021a90608130250i3e516578td7115ad3f0c8bb1e@mail.gmail.com>
Message-ID: <44DF4FFD.8050301@ecs.soton.ac.uk>

You could do it by adding a blank line in "Sign Clean Messages".

Pravin Rane wrote:
> How do I tell Mailscanner to insert new line at the end of mails who do
> not contain new line at the end.

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From pravin.rane at gmail.com Mon Aug 14 04:00:09 2006
From: pravin.rane at gmail.com (Pravin Rane)
Date: Mon Aug 14 04:00:11 2006
Subject: Insert New line at the end of mail
In-Reply-To: <44DF4FFD.8050301@ecs.soton.ac.uk>
References: <13c021a90608130250i3e516578td7115ad3f0c8bb1e@mail.gmail.com> <44DF4FFD.8050301@ecs.soton.ac.uk>
Message-ID: <13c021a90608132000j1414c3a9h465ee37bdd3aed30@mail.gmail.com>

Many Thanks Julian

On 8/13/06, Julian Field wrote:
>
> You could do it by adding a blank line in "Sign Clean Messages".
>
> Pravin Rane wrote:
> > How do I tell Mailscanner to insert new line at the end of mails who do
> > not contain new line at the end.
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@MailScanner.biz
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>

--
Regards
Pravin

From pascal.maes at elec.ucl.ac.be Mon Aug 14 09:20:52 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Mon Aug 14 09:29:04 2006
Subject: Problems on Solaris x86
In-Reply-To:
References:
Message-ID:

On 13 August 06 at 10:14, Pascal Maes wrote:

> Hello,
>
> I have installed MailScanner (4.55.10-3) on a solaris 10 (x86) box.
> MailScanner is using SpamAssassin 3.1.4
>
> I'm also using postfix and MailScanner is running as the user postfix.
>
> MailScanner, in debugging mode, is going fine.
> When I run spamassassin -D --lint (as user postfix) all is going
> fine too.
>
> But when I launch MailScanner in "normal" mode (with fork), the
> call to
>
> $self->do_full_eval_tests($priority, \$fulltext);
>
> never finish;
>
> In MailScanner, we have
>
> $MailScanner::SA::SAspamtest = new Mail::SpamAssassin(\%settings);
> $MailScanner::SA::SAspamtest->compile_now();
>
> That's this last call which never finish except if the line
> $self->do_full_eval_tests($priority, \$fulltext);
> is commented.
>
>
> Everything is going fine with the same config on a linux box or on
> a solaris 9 sparc box
>
>
> Any idea ?
>

I have made some other tests :

- reactivate the line do_full_eval_tests
- suppress everything except local.cf, init.pre, v310.pre and v312.pre from /etc/mail/spamassassin and comment all lines in these files.

Restarting MailScanner and commenting out one line at a time, I found that the problem is with

loadplugin Mail::SpamAssassin::Plugin::Razor2

When I test spamassassin, all is working fine :

# spamassassin -D < sample-nonspam.txt |& grep -i razor
[12725] dbg: config: read file /usr/local/share/spamassassin/
25_razor2.cf
[12725] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[12725] dbg: razor2: razor2 is available, version 2.82
[12725] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x8e53c24)
[12725] dbg: plugin: registering glue method for check_razor2_range (Mail::SpamAssassin::Plugin::Razor2=HASH(0x8e53c24))
[12725] dbg: razor2: part=0 engine=4 contested=0 confidence=-17
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: results: spam? 0
[12725] dbg: razor2: results: engine 8, highest cf score: 0
[12725] dbg: razor2: results: engine 4, highest cf score: 0
[12725] dbg: plugin: registering glue method for check_razor2 (Mail::SpamAssassin::Plugin::Razor2=HASH(0x8e53c24))

but when the compile_now() function is called from the main MailScanner process, it doesn't finish and consumes high CPU

# ps -ef | grep MailScanner
    root 12755  1099  0 10:18:29 pts/5  0:00 grep MailScanner
 postfix 12714 12713 50 10:13:31 ?      4:57 /usr/bin/perl -I/
opt/MailScanner/lib /opt/MailScanner/bin/MailScanner
 postfix 12713  2400  0 10:13:31 ?      0:00 /usr/bin/perl -I/
opt/MailScanner/lib /opt/MailScanner/bin/MailScanner

#top
load averages: 1.04, 1.05, 1.02    10:18:12
50 processes: 47 sleeping, 3 on cpu
CPU states: 49.5% idle, 50.2% user, 0.3% kernel, 0.0% iowait, 0.0% swap
Memory: 2047M real, 1146M free, 680M swap in use, 2820M swap free

  PID USERNAME LWP PRI NICE  SIZE   RES STATE  TIME    CPU COMMAND
12714 postfix    1  20    0   53M   41M cpu/1  4:40 49.92% MailScanner
12749 root       1  59    0 3184K 1220K cpu/0  0:00  0.01% top

--
Pascal

From P.G.M.Peters at utwente.nl Mon Aug 14 10:30:19 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Mon Aug 14 10:30:25 2006
Subject: OT - Greylisting (was: Re: gOCR SpamAssassin plugin)
In-Reply-To: <20060811141732.A65410@mikea.ath.cx>
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx>
Message-ID: <44E042AB.3090306@utwente.nl>

mikea wrote on 11-8-2006 21:17:

>> I use both *everywhere*. Now if I could have greet_pause auto-whitelist
>> after a certain threshold... :-)
>
> You could, if you were willing to dynamically edit your access file
> and then do a makemap hash. It probably could be rigged so that it
> wasn't terribly dangerous. One way might be to batch the updates, and
> run them every hour or so, saving the data to files with timestamp
> data as part of the name. Hmmmmmm ... .
With some extra effort you could update both the access file as well as the database. I believe one of MailScanner's CustomFunctions does something like that.

--
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telephone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From jayesha_shinde at yahoo.com Mon Aug 14 10:30:52 2006
From: jayesha_shinde at yahoo.com (jay shi)
Date: Mon Aug 14 10:31:01 2006
Subject: Rul set for Spam Subject Text ???
Message-ID: <20060814093054.87090.qmail@web54402.mail.yahoo.com>

Hi
Thanks Peter for ur quick response.

I am using MailScanner 4.48.4 with multidomain sendmail. For low Score SPAM i am using this
Spam Subject Text = {possible spam} as a tag
One of my domain (abc.com) ask me, he don't want this tag, but other domains ( xyz.com,pqr.com ) are demanding this feature.
i want to write rule set for above condition,
Here is my rules for it in MailScanner.conf :--

Spam Modify Subject = yes
Spam Subject Text = %rules-dir%/spam.subject.rules

cat /etc/MailScanner/rules/spam.subject.rules
From: @abc.com
From: @xyz.com {possible spam}
From: @pqr.com {possible spam}

service MailScanner restart

I may be wrong, if it plz correct me.

Thanks & Regards
Jayesh

From martinh at solid-state-logic.com Mon Aug 14 10:54:10 2006
From: martinh at solid-state-logic.com (Martin Hepworth)
Date: Mon Aug 14 10:54:24 2006
Subject: Rul set for Spam Subject Text ???
In-Reply-To: <20060814093054.87090.qmail@web54402.mail.yahoo.com>
References: <20060814093054.87090.qmail@web54402.mail.yahoo.com>
Message-ID: <44E04842.4060606@solid-state-logic.com>

jay shi wrote:
> Hi
> Thanks Peter for ur quick response.
>
> I am using MailScanner 4.48.4 with multidomain
> sendmail. For low Score SPAM i am using this
> Spam Subject Text = {possible spam} as a tag
> One of my domain (abc.com) ask me, he don't
> want this tag
> , but other domains ( xyz.com,pqr.com ) are demanding
> this feature.
> i want to write rule set for above condition,
> Here is my rules for it in MailScanner.conf :--
>
> Spam Modify Subject = yes
> Spam Subject Text = %rules-dir%/spam.subject.rules
>
> cat /etc/MailScanner/rules/spam.subject.rules
> From: @abc.com
> From: @xyz.com {possible spam}
> From: @pqr.com {possible spam}
>
> service MailScanner restart
>
> I may be wrong, if it plz correct me.
>
> Thanks & Regards
> Jayesh
>

close

should be...

To: @abc.com
To: @xyz.com {possible spam}
To: @pqr.com {possible spam}
FromOrTo: Default {possible spam}

or even

To: @abc.com
FromOrTo: Default {possible spam}

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From jaearick at colby.edu Mon Aug 14 15:23:24 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Mon Aug 14 15:29:50 2006
Subject: /etc/init.d script for Solaris?
Message-ID:

Hi,

Could some kind Solaris 10 (or 9) MailScanner user, using a recent version of MailScanner, please send me their /etc/init.d start script for MailScanner? Offlist?

Thanks,
Jeff Earickson
Colby College

From edwardbruce at sbcglobal.net Mon Aug 14 16:44:26 2006
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Mon Aug 14 16:44:31 2006
Subject: agains mailscanner
In-Reply-To: <44DF4F84.2080802@ecs.soton.ac.uk>
References: <20060811214507.14896.qmail@web38906.mail.mud.yahoo.com> <54D41FFA-1573-4DBC-899C-DB438B52B46B@themarshalls.co.uk> <44DDDECC.6030604@ecs.soton.ac.uk> <44DE3201.3020108@nkpanama.com> <44DF4F84.2080802@ecs.soton.ac.uk>
Message-ID: <44E09A5A.6000703@sbcglobal.net>

Julian Field wrote:
>
> I need people who do a minimum of 250,000 messages per day.

I can't type that fast :)

From john at katy.com Mon Aug 14 17:36:57 2006
From: john at katy.com (John Schmerold)
Date: Mon Aug 14 17:36:59 2006
Subject: OT - Outbound mail server integrated with FTP
In-Reply-To: <44E042AB.3090306@utwente.nl>
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx> <44E042AB.3090306@utwente.nl>
Message-ID: <44E0A6A9.6010303@katy.com>

I'm looking for a solution to the problem of large (often duplicated) email attachments. It seems to me that a simple solution to the problem is to have a specially configured outbound mail server that detaches attachments from any email greater than 50K, generates an ftp account and inserts a message at top of the email saying "go to ftp://un:pw@ftpserver.com for attachment referenced in this email.

If the server was really smart, it would generate a CRC of each outbound attachment so duplicates could be stored as one file.

Anyone see anything like this? I've been doing some Googling, without great success.

John Schmerold

Katy Computer & Wireless
20 Meramec Station Rd
Valley Park MO 63088
636-861-6900 v
775-227-6947 f

From bpumphrey at WoodMacLaw.com Mon Aug 14 18:50:49 2006
From: bpumphrey at WoodMacLaw.com (Billy A. Pumphrey)
Date: Mon Aug 14 18:50:53 2006
Subject: weird spam, included in a word document
In-Reply-To: <44DC7FD4.4020203@pixelhammer.com>
Message-ID: <04D932B0071FE34FA63EBB1977B48D15018155F1@woodenex.woodmaclaw.local>

Mine did not show some of the hits as yours but I have the rules for them. I also have DCC installed too, obviously mine is out of date or something.

Here are a few. I received 7 total thus far. 5 were caught as spam because of the RBL. Bayes is incorrectly being taught also, it looks like.

Spam:                    Y
Action(s):               store, header, "X-Spam-Status:, Yes"
High Scoring Spam:       N
SpamAssassin Spam:       N
Listed in RBL:           Y
Spam Whitelisted:        N
Spam Blacklisted:        N
SpamAssassin Autolearn:  Y (not spam)
SpamAssassin Score:      -0.80
Spam Report:
  Score   Matching Rule         Description
  -1.80   ALL_TRUSTED           Passed through trusted hosts only via SMTP
   1.00   BAYES_60              Bayesian spam probability is 60 to 80%

Spam:                    Y
Action(s):               store, header, "X-Spam-Status:, Yes"
High Scoring Spam:       N
SpamAssassin Spam:       N
Listed in RBL:           Y
Spam Whitelisted:        N
Spam Blacklisted:        N
SpamAssassin Autolearn:  Y (not spam)
SpamAssassin Score:      -1.17
Spam Report:
  Score   Matching Rule         Description
  -1.80   ALL_TRUSTED           Passed through trusted hosts only via SMTP
   0.00   BAYES_50              Bayesian spam probability is 40 to 60%
   0.63   SARE_RECV_IP_218216   Passed through possible spammer relay or source

From mailscanner at ecs.soton.ac.uk Mon Aug 14 19:34:25 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Aug 14 19:34:42 2006
Subject: /etc/init.d script for Solaris?
In-Reply-To:
References:
Message-ID: <44E0C231.8070009@ecs.soton.ac.uk>

PATH=/usr/bin:/bin
SENDMAIL=/opt/sendmail/current
MAILSCANNER=/opt/MailScanner

case $1 in
'start')
  $SENDMAIL/bin/start.sendmail
  $MAILSCANNER/bin/check_mailscanner
  ;;
'stop')
  pid=`head -1 $SENDMAIL/etc/sendmail.pid`
  echo 'Stopping sendmail (out)...'
  kill $pid
  pid=`head -1 $SENDMAIL/etc/sendmail.in.pid`
  echo 'Stopping sendmail (in)...'
  kill $pid
  pid=`head -1 $MAILSCANNER/var/MailScanner.pid`
  /bin/kill $pid
  ;;
*)
  echo "usage: /etc/rc2.d/S88sendmail.ecs {start|stop}"
  ;;
esac

===========================
and start.sendmail is this:
===========================

#!/bin/sh
# JKF 13/7/98 Start up sendmail.
#             Cleans up the queue directory as instructed in the
#             "Sendmail Installation and Operation Guide" before
#             starting the daemon.
# JKF 15/6/99 Added hook to install my ECS sendmail setup automatically.

SENDMAIL=/opt/sendmail/current
QUEUE=/var/spool/mqueue
INQUEUE=/var/spool/mqueue.in
CF=$SENDMAIL/etc/sendmail.cf

# Install everything if necessary (needed after careless Sun patching)
[ -x $SENDMAIL/bin/install.sendmail ] && $SENDMAIL/bin/install.sendmail

# Make placeholders for status files
[ -d $SENDMAIL/var/status ] || mkdir $SENDMAIL/var/status
[ -f $SENDMAIL/var/sendmail.st ] || touch $SENDMAIL/var/sendmail.st

echo "Starting sendmail:\c"
echo " clean up queue\c"
for queuedir in $QUEUE $INQUEUE
do
  # skip a queue directory that cannot be entered, so the clean-up
  # below never runs in the wrong place
  cd $queuedir || continue
  # remove zero length qf files
  for qffile in qf*
  do
    if [ -r $qffile ]; then
      if [ ! -s $qffile ]; then
        rm -f $qffile
      fi
    fi
  done
  # rename tf files to be qf if the qf does not exist
  for tffile in tf*
  do
    qffile=`echo $tffile | sed 's/t/q/'`
    # JKF 15/7/98 Put $qffile in quotes in case tffile = 'tf*'
    if [ -r $tffile -a ! -f "$qffile" ]; then
      mv $tffile $qffile
    else
      if [ -f $tffile ]; then
        rm -f $tffile
      fi
    fi
  done
  # remove df files with no corresponding qf files
  for dffile in df*
  do
    qffile=`echo $dffile | sed 's/d/q/'`
    if [ -r $dffile -a ! -f $qffile ]; then
      mv $dffile `echo $dffile | sed 's/d/D/'`
    fi
  done
  # announce files that have been saved during disaster recovery
  for xffile in [A-Z]f*
  do
    if [ -f $xffile ]; then
      echo " \c"
    fi
  done
done

# Now actually start the damn thing...
$SENDMAIL/bin/sendmail -q15m
$SENDMAIL/bin/sendmail -bd -OPrivacyOptions=noetrn \
  -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
#$SENDMAIL/bin/sendmail.in -bd -C $INCF
echo ", sendmail"

Jeff A. Earickson wrote:
> Hi,
>
> Could some kind Solaris 10 (or 9) MailScanner user, using a recent
> version of MailScanner, please send me their /etc/init.d
> start script for MailScanner? Offlist?
>
> Thanks,
> Jeff Earickson
> Colby College

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From root at doctor.nl2k.ab.ca Mon Aug 14 21:49:32 2006
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Mon Aug 14 21:50:22 2006
Subject: OT - Outbound mail server integrated with FTP
In-Reply-To: <44E0A6A9.6010303@katy.com>
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx> <44E042AB.3090306@utwente.nl> <44E0A6A9.6010303@katy.com>
Message-ID: <20060814204932.GB26850@doctor.nl2k.ab.ca>

On Mon, Aug 14, 2006 at 11:36:57AM -0500, John Schmerold wrote:
> I'm looking for a solution to the problem of large (often duplicated)
> email attachments. It seems to me that a simple solution to the problem
> is to have a specially configured outbound mail server that detaches
> attachments from any email greater than 50K, generates an ftp account
> and inserts a message at top of the email saying "go to
> ftp://un:pw@ftpserver.com for attachment referenced in this email.
>
> If the server was really smart, it would generate a CRC of each outbound
> attachment so duplicates could be stored as one file.
>
> Anyone see anything like this? I've been doing some Googling, without
> great success.
>

FTP By Mail used to exist but was a bit unpopular.

> John Schmerold
>
> Katy Computer & Wireless
> 20 Meramec Station Rd
> Valley Park MO 63088
> 636-861-6900 v
> 775-227-6947 f
>
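
The attachment off-loading idea quoted in the message above, sketched as an added example; it is not code from any poster in this thread or from MailScanner. Assumptions: the 50K limit is applied per attachment, SHA-256 stands in for the suggested CRC (CRC collisions are easy to construct, so two different files could end up sharing one stored copy), an HTTPS link with a random token on a placeholder host replaces the ftp://un:pw@ URL, a text stub replaces each attachment instead of a note at the top, and `AttachmentStore`, `offload` and `build_sample` are hypothetical names. Signed or encrypted messages are passed through unchanged, because rewriting a part would invalidate them.

```python
import hashlib
import secrets
from email import message_from_bytes, policy
from email.message import EmailMessage

THRESHOLD = 50 * 1024  # the 50K cut-off named in the thread, applied per attachment
BASE_URL = "https://files.example.invalid/get/"  # placeholder host (assumption)
PROTECTED = ("multipart/signed", "multipart/encrypted")


class AttachmentStore:
    """In-memory stand-in for the download server (hypothetical helper)."""

    def __init__(self):
        self.blobs = {}  # SHA-256 hex digest -> attachment bytes, one copy each
        self.links = {}  # random download token -> digest

    def put(self, data):
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)  # a duplicate adds no new blob
        token = secrets.token_urlsafe(16)    # unguessable, unlike the digest
        self.links[token] = digest
        return BASE_URL + token


def offload(raw, store, threshold=THRESHOLD):
    """Return (message bytes, issued URLs); raw is returned as-is if nothing moved."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = list(msg.walk())
    # Rewriting any part of a signed or encrypted message would invalidate it.
    if any(p.get_content_type() in PROTECTED for p in parts):
        return raw, []
    urls = []
    for part in parts:
        if part.is_multipart() or not part.is_attachment():
            continue
        data = part.get_payload(decode=True)
        if not data or len(data) <= threshold:
            continue
        name = part.get_filename() or "unnamed"
        url = store.put(data)
        # set_content() clears the old Content-* headers and payload first.
        part.set_content(
            f"Attachment {name!r} ({len(data)} bytes) was removed from this "
            f"message.\nDownload it from: {url}\n",
            disposition="inline",
        )
        urls.append(url)
    return (msg.as_bytes() if urls else raw), urls


def build_sample(payload, subject):
    """Constructed test message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "rcpt@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See attached.\n")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    store = AttachmentStore()
    big = bytes(range(256)) * 300  # 76,800 constructed bytes
    for subject in ("first copy", "second copy"):
        out, urls = offload(build_sample(big, subject), store)
        print(subject, len(out), urls)
    print("blobs stored:", len(store.blobs), "links issued:", len(store.links))
```
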

From alex at erus.co.uk Mon Aug 14 22:18:29 2006
From: alex at erus.co.uk (Alex Pimperton)
Date: Mon Aug 14 22:09:24 2006
Subject: OT - Outbound mail server integrated with FTP
In-Reply-To: <44E0A6A9.6010303@katy.com>
Message-ID:

On 14/8/2006, "John Schmerold" wrote:

>I'm looking for a solution to the problem of large (often duplicated)
>email attachments. It seems to me that a simple solution to the problem
>is to have a specially configured outbound mail server that detaches
>attachments from any email greater than 50K, generates an ftp account
>and inserts a message at top of the email saying "go to
>ftp://un:pw@ftpserver.com for attachment referenced in this email.
>
>If the server was really smart, it would generate a CRC of each

When I asked about a similar sort of thing a few months ago Julian pointed me in the direction of his colleague. I quote:

"Sounds like you need the quarantine management system one of my colleagues has written. Whenever it gets attachments that have been removed by MailScanner, the Attachment-Warning.txt gets a link in it which submits a request to the system to go and fetch the attachments from the appropriate mail server (it's designed to work with multiple MailScanners). We then require that a sysadmin looks at the request and, if appropriate, releases the attachments to the recipients by mailing them a link to a directory on the web server containing their attachments. You could always bypass the bit requiring the sysadmin to look at it. Saves a lot of mailstore space.

Drop him a line at apl ecs.soton.ac.uk (Andy Landells)."

I haven't had time to follow this suggestion up yet but it sounds promising. The alternative seems to be something along the lines of mailwatch+ mail size limits + quarantine, but this would only work for known local users.

Should you solve this, please post here as myself (and probably a few others) would be interested to know how you got on.

Regards,
Alex

From lshaw at emitinc.com Mon Aug 14 22:43:09 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Mon Aug 14 22:43:24 2006
Subject: OT - Outbound mail server integrated with FTP
In-Reply-To: <20060814204932.GB26850@doctor.nl2k.ab.ca>
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx> <44E042AB.3090306@utwente.nl> <44E0A6A9.6010303@katy.com> <20060814204932.GB26850@doctor.nl2k.ab.ca>
Message-ID:

On Mon, 14 Aug 2006, Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote:
> On Mon, Aug 14, 2006 at 11:36:57AM -0500, John Schmerold wrote:
>> I'm looking for a solution to the problem of large (often duplicated)
>> email attachments. It seems to me that a simple solution to the problem
>> is to have a specially configured outbound mail server that detaches
>> attachments from any email greater than 50K, generates an ftp account
>> and inserts a message at top of the email saying "go to
>> ftp://un:pw@ftpserver.com for attachment referenced in this email.
>>
>> If the server was really smart, it would generate a CRC of each outbound
>> attachment so duplicates could be stored as one file.
>>
>> Anyone see anything like this? I've been doing some Googling, without
>> great success.

> FTP By Mail used to exist but was a bit unpopular.

Wouldn't this be more like Mail By FTP?

- Logan

From jose.gonzalez at compac.com.mx Mon Aug 14 22:50:29 2006
From: jose.gonzalez at compac.com.mx (Jose Gonzalez)
Date: Mon Aug 14 22:51:10 2006
Subject: About forwarding mail
Message-ID: <44E0F025.7010002@compac.com.mx>

Hello all.

Something not common is happening with my mail server. Mail forwarding via .forward files was working fine, but recently, I think after installing MailScanner, .forward files don't work any more, and are silently ignored. Is there a relation between the use of MailScanner and .forward files?

I'm using CentOS 4.3, mailscanner-4.55.10-3, sendmail-8.13, procmail-3.22-14, and f-prot + clamav antivirus.

Thanks.

From lshaw at emitinc.com Mon Aug 14 22:52:51 2006
From: lshaw at emitinc.com (Logan Shaw)
Date: Mon Aug 14 22:53:02 2006
Subject: OT - Outbound mail server integrated with FTP
In-Reply-To: <44E0A6A9.6010303@katy.com>
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx> <44E042AB.3090306@utwente.nl> <44E0A6A9.6010303@katy.com>
Message-ID:

On Mon, 14 Aug 2006, John Schmerold wrote:
> I'm looking for a solution to the problem of large (often duplicated) email
> attachments. It seems to me that a simple solution to the problem is to have
> a specially configured outbound mail server that detaches attachments from
> any email greater than 50K, generates an ftp account and inserts a message at
> top of the email saying "go to ftp://un:pw@ftpserver.com for attachment
> referenced in this email.
>
> If the server was really smart, it would generate a CRC of each outbound
> attachment so duplicates could be stored as one file.

I believe some versions of Lotus Notes used to do this, or so a friend of mine (who was a big Notes advocate) used to say. But, it only did it within the intranet. Still, could be valuable within a large corporation.

My general thoughts on this idea are:

1) Breaks PGP, S/MIME, and anything else that signs message
   content (at least things that sign content at the MUA stage
   of things). This could be fixed if you're willing to change
   SMTP and let the MUA send attachments out of band (of the
   message body).

2) Breaks the ability to take your laptop somewhere with internet
   access in the airport lounge, download your e-mail, and run,
   and know that you got everything. Or at least it would until
   it were widespread enough that mail clients could be set up
   to fetch attachments automatically.

3) Makes firewall issues more complex, because delivery mechanisms
   for attachments are different than for the messages themselves.
   (Can every host your mail reach also reach your server later
   to download attachments?)

4) As a protocol, FTP sucks rocks, so avoid it like the plague.
   Use something sane, like HTTP, instead. HTTPS might be better.

5) Done properly, this could make it easier for users to send
   arbitrarily large attachments without causing problems.

- Logan

From raymond at prolocation.net Mon Aug 14 22:57:05 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Aug 14 22:57:04 2006
Subject: About forwarding mail
In-Reply-To: <44E0F025.7010002@compac.com.mx>
References: <44E0F025.7010002@compac.com.mx>
Message-ID:

Hi!

> Something not common is happening with my mail server. Mail forwarding via
> .forward files was working fine, but recently, I think after installing
> MailScanner, .forward files don't work any more, and are silently ignored. Is
> there a relation between the use of MailScanner and .forward files?
>
> I'm using CentOS 4.3, mailscanner-4.55.10-3, sendmail-8.13, procmail-3.22-14,
> and f-prot + clamav antivirus.

A .forward should be a procmail/sendmail issue. MailScanner doesn't even know about any .forward... So i think, in short, no!

Bye,
Raymond.

From x72m35 at gmail.com Tue Aug 15 04:46:35 2006
From: x72m35 at gmail.com (Lasantha Marian)
Date: Tue Aug 15 04:49:41 2006
Subject: Can MailScanner Individualizing Filename/Filetype rules ?
Message-ID: <44E1439B.9030909@gmail.com>

Dear All,

Is there a way to individualize the Filename and Filetype rules based on e-mail addresses ? If YES, a brief explanation is much appreciated.

Eg: e-mail address xyz@abc.lk can receive all (*.*) while uvw@abc.lk can only receive PDF (*.pdf).

Thanks in advance,
Lasantha.

From jon.bates at summitmotors.com.au Tue Aug 15 07:46:10 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Tue Aug 15 07:46:35 2006
Subject: OT - Multiple Virus Scanners
Message-ID: <009001c6c036$7e575f20$5864a8c0@jonlaptop>

Hi,

I was just wondering what people's opinions were on running multiple virus scanners with MailScanner.
I'm currently only running ClamAV, and I was thinking about running one or two more.
Could someone recommend what other scanner/s to use? My main concern is system resources. I would like something that doesn't load up the server too much more as ClamAV is quite light on resources from my experience with it.

- Jon

From michele at blacknight.ie Tue Aug 15 07:58:07 2006
From: michele at blacknight.ie (Michele Neylon:: Blacknight.ie)
Date: Tue Aug 15 07:58:28 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
Message-ID: <44E1707F.3070103@blacknight.ie>

Jon Bates wrote:
>
> Hi,
>
> I was just wondering what people's opinions were on running multiple
> virus scanners with MailScanner. I'm currently only running ClamAV, and
> I was thinking about running one or two more.
> Could someone recommend what other scanner/s to use? My main concern is
> system resources. I would like something that doesn't load up the server
> too much more as ClamAV is quite light on resources from my experience
> with it.
>
> - Jon
>

F-prot is good...
BitDefender - has its moments...

--
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239

From jrudd at ucsc.edu Tue Aug 15 08:26:33 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Tue Aug 15 08:27:02 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
Message-ID:

On Aug 14, 2006, at 11:46 PM, Jon Bates wrote:

>
> Hi,
>
> I was just wondering what people's opinions were on running multiple
> virus scanners with MailScanner. I'm currently only running ClamAV,
> and I was thinking about running one or two more.
> Could someone recommend what other scanner/s to use? My main concern
> is system resources. I would like something that doesn't load up the
> server too much more as ClamAV is quite light on resources from my
> experience with it.
>

My opinion is: if you can run 2, do it. Always good to have an extra layer of defense, but don't cause more overhead than you need to.

ClamAV is a _great_ choice for your first pass. From there, I remember an article that Kaspersky was very highly rated for protection ... but it's not available on a diverse set of platforms. If you can get it, go with them for your second layer.

We use sophos, but we get a good price break (edu discount), and because we're a university, we're going to have put a big budget into whatever we get (due to our # of users). For other people, sophos is probably pretty pricey.

Not sure who else to mention. I suppose it's worth looking at McAfee or something.

From P.G.M.Peters at utwente.nl Tue Aug 15 08:44:07 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Tue Aug 15 08:45:08 2006
Subject: OT - Outbound mail server integrated with FTP
In-Reply-To:
References: <44DCD588.1050602@nkpanama.com> <20060811141732.A65410@mikea.ath.cx> <44E042AB.3090306@utwente.nl> <44E0A6A9.6010303@katy.com>
Message-ID: <44E17B47.7080902@utwente.nl>

Logan Shaw wrote on 14-8-2006 23:52:

> My general thoughts on this idea are:

> 2) Breaks the ability to take your laptop somewhere with internet
>    access in the airport lounge, download your e-mail, and run,
>    and know that you got everything. Or at least it would until
>    it were widespread enough that mail clients could be set up
>    to fetch attachments automatically.

At least Thunderbird can fetch attachments automatically.
There is a MIME type for that. But it is blocked by our MailScanner configuration.

- --
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE4XtHelLo80lrIdIRAuuDAKCbBijmq3oKdexVojafjmkuvvKcEwCfY+nT
wv85z9Gg49TJ98EmmJe6fG8=
=orT8
-----END PGP SIGNATURE-----

From P.G.M.Peters at utwente.nl Tue Aug 15 08:55:33 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Tue Aug 15 08:55:37 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To:
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
Message-ID: <44E17DF5.3010402@utwente.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Rudd wrote on 15-8-2006 9:26:

> My opinion is: if you can run 2, do it. Always good to have an extra
> layer of defense, but don't cause more overhead than you need to.
>
> ClamAV is a _great_ choice for your first pass.

Until recently we only had F-prot. Since this month we also use ClamAV. ClamAV gets more viruses than F-prot but they are mainly phishing attacks. Like this:

ClamAV Module: msg-7834-833.html was infected: HTML.Phishing.Bank-626

Other viruses are detected by both but F-prot often doesn't know what virus it is:

F-Prot: ./k7F3rsPS018425/Thomas.zip->bvpqirlyfk.exe could be a suspicious file (encrypted program in archive)

While ClamAV mentions:

ClamAV Module: msg-9011-774.html was infected: Worm.Bagle

When only F-prot finds one it is usually an unknown virus too:

F-Prot: ./k7F6ORPR032693/Ebay-Rechnung.pdf.zip->Ebay-Rechnung.pdf.exe could be infected with an unknown virus

Of the 106 viruses detected today on one of our systems 56 were detected by both, 48 only by ClamAV and 2 only by F-prot. Of those 48 detected by only ClamAV only 1 was not a phishing attack.
That one was infected with Worm.Lovgate.X (ClamAV name).

- --
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE4X31elLo80lrIdIRAr++AKCFNFLmaC4n+Fk/34vD5tiGuPOHdwCcDO3a
yiyzORGXZ5t612qmjuW4YEs=
=jeAj
-----END PGP SIGNATURE-----

From shuttlebox at gmail.com Tue Aug 15 08:58:48 2006
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Aug 15 08:58:51 2006
Subject: OT - Multiple Virus Scanners
In-Reply-To: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
References: <009001c6c036$7e575f20$5864a8c0@jonlaptop>
Message-ID: <625385e30608150058o52a8b30hd6a027defa972b90@mail.gmail.com>

On 8/15/06, Jon Bates wrote:
> Could someone recommend what other scanner/s to use? My main concern is
> system resources. I would like something that doesn't load up the server too
> much more as ClamAV is quite light on resources from my experience with it.

I use between one and three scanners (Clam, eTrust, Trend) on my systems and I don't see much difference in performance. SA is the part that uses the most resources.

--
/peter

From MailScanner at ecs.soton.ac.uk Tue Aug 15 09:50:26 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 15 09:51:00 2006
Subject: www.mailscanner.info
Message-ID: <44E18AD2.7070002@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It will come back up as soon as the DNS updates happen. In the mean time, please use www.emailscanner.info as that is a mirror of the site.
- -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4YrTEfZZRxQVtlQRAnXkAJoDEnBRIBD1P3YKx0r6TM40qVfrRQCgqXCN ob5Pzb2ccCvXX9SiCq+A3zY= =zF4F -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From anwarsanusi at gmail.com Tue Aug 15 10:18:26 2006 From: anwarsanusi at gmail.com (Anwar Sanusi) Date: Tue Aug 15 10:18:39 2006 Subject: MailScanner is not working Message-ID: <44E19162.5040106@gmail.com> Dear All, Please help me to fix my problem. We can not send or receive email because our email just stay at Incoming Queue Directory "/var/spool/mqueue.in". Please help me how to solve this problem ? Thanks & regards anwar From martinh at solid-state-logic.com Tue Aug 15 10:31:00 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Tue Aug 15 10:31:15 2006 Subject: MailScanner is not working In-Reply-To: <44E19162.5040106@gmail.com> References: <44E19162.5040106@gmail.com> Message-ID: <44E19454.6010509@solid-state-logic.com> Anwar Sanusi wrote: > Dear All, > > Please help me to fix my problem. > We can not send or receive email because our email just stay at Incoming > Queue Directory "/var/spool/mqueue.in". Please help me how to solve this > problem ? > > Thanks & regards > anwar > Anything in the maillog file to indicate any problems.. have you run MailScanner in Debug mode to see if there are any problems showing there? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From anwarsanusi at gmail.com Tue Aug 15 10:35:00 2006 From: anwarsanusi at gmail.com (Anwar Sanusi) Date: Tue Aug 15 10:35:05 2006 Subject: MailScanner is not working In-Reply-To: <44E19454.6010509@solid-state-logic.com> References: <44E19162.5040106@gmail.com> <44E19454.6010509@solid-state-logic.com> Message-ID: <44E19544.7090009@gmail.com> Martin Hepworth wrote: > Anwar Sanusi wrote: > >> Dear All, >> >> Please help me to fix my problem. >> We can not send or receive email because our email just stay at >> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how >> to solve this problem ? >> >> Thanks & regards >> anwar >> > Anything in the maillog file to indicate any problems.. > > have you run MailScanner in Debug mode to see if there are any > problems showing there? > i am new commer in Linux and Mail server ? can you advise where i can see maillog file ? and how to run debug mode ? thks for your advise Anwar From uxbod at splatnix.net Tue Aug 15 10:44:59 2006 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Aug 15 10:45:15 2006 Subject: MailScanner is not working In-Reply-To: <44E19544.7090009@gmail.com> References: <44E19544.7090009@gmail.com> Message-ID: <84f42fac8d3f0da4f49b6a5b5a4d79e6@localhost> tail /var/log/messages On Tue, 15 Aug 2006 16:35:00 +0700, Anwar Sanusi wrote: > Martin Hepworth wrote: > >> Anwar Sanusi wrote: >> >>> Dear All, >>> >>> Please help me to fix my problem. >>> We can not send or receive email because our email just stay at >>> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how >>> to solve this problem ? >>> >>> Thanks & regards >>> anwar >>> >> Anything in the maillog file to indicate any problems.. 
>> >> have you run MailScanner in Debug mode to see if there are any >> problems showing there? >> > i am new commer in Linux and Mail server ? can you advise where i can > see maillog file ? > and how to run debug mode ? > thks for your advise > Anwar > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From martinh at solid-state-logic.com Tue Aug 15 10:50:30 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Tue Aug 15 10:50:36 2006 Subject: MailScanner is not working In-Reply-To: <44E19544.7090009@gmail.com> References: <44E19162.5040106@gmail.com> <44E19454.6010509@solid-state-logic.com> <44E19544.7090009@gmail.com> Message-ID: <44E198E6.1050806@solid-state-logic.com> Anwar Sanusi wrote: > Martin Hepworth wrote: > >> Anwar Sanusi wrote: >> >>> Dear All, >>> >>> Please help me to fix my problem. >>> We can not send or receive email because our email just stay at >>> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how >>> to solve this problem ? >>> >>> Thanks & regards >>> anwar >>> >> Anything in the maillog file to indicate any problems.. >> >> have you run MailScanner in Debug mode to see if there are any >> problems showing there? >> > i am new commer in Linux and Mail server ? can you advise where i can > see maillog file ? > and how to run debug mode ? 
> thks for your advise
> Anwar
>
>

Hi

Normally it's in /var/log/maillog

for debug mode, stop mailscanner, edit the MailScanner.conf and change BOTH debug options to 'yes' then run check_mailscanner.

this output can be quite large and you may have to search the output quite carefully for any problems.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From anwarsanusi at gmail.com Tue Aug 15 11:09:00 2006
From: anwarsanusi at gmail.com (Anwar Sanusi)
Date: Tue Aug 15 11:09:07 2006
Subject: MailScanner is not working
In-Reply-To: <44E198E6.1050806@solid-state-logic.com>
References: <44E19162.5040106@gmail.com> <44E19454.6010509@solid-state-logic.com> <44E19544.7090009@gmail.com> <44E198E6.1050806@solid-state-logic.com>
Message-ID: <44E19D3C.7010302@gmail.com>

Martin Hepworth wrote:

> Anwar Sanusi wrote:
>
>> Martin Hepworth wrote:
>>
>>> Anwar Sanusi wrote:
>>>
>>>> Dear All,
>>>>
>>>> Please help me to fix my problem.
>>>> We can not send or receive email because our email just stay at
>>>> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how
>>>> to solve this problem ?
>>>>
>>>> Thanks & regards
>>>> anwar
>>>>
>>> Anything in the maillog file to indicate any problems..
>>>
>>> have you run MailScanner in Debug mode to see if there are any
>>> problems showing there?
>>>
>> i am new commer in Linux and Mail server ? can you advise where i can
>> see maillog file ?
>> and how to run debug mode ?
>> thks for your advise >> Anwar >> >> > Hi > > Normally it's in /var/log/maillog > > for debug mode, stop mailscanner, edit the MailScanner.conf and change > BOTH debug options to 'yes' then run check_mailscanner. > > this output can be quite large and you may have to search the output > quite carefully for any problems. > Thanks all our problem is seemly solved From sandrews at andrewscompanies.com Tue Aug 15 11:42:49 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Tue Aug 15 11:42:54 2006 Subject: MailScanner is not working Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1B76@winchester.andrewscompanies.com> If you're a newcomer, I'd guess you made the same mistake I did and didn't config sendmail properly. If you don't remember doing anything with sendmail; let me know and I'll dig up the config I used. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Anwar Sanusi Sent: Tuesday, August 15, 2006 5:35 AM To: MailScanner discussion Subject: Re: MailScanner is not working Martin Hepworth wrote: > Anwar Sanusi wrote: > >> Dear All, >> >> Please help me to fix my problem. >> We can not send or receive email because our email just stay at >> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how >> to solve this problem ? >> >> Thanks & regards >> anwar >> > Anything in the maillog file to indicate any problems.. > > have you run MailScanner in Debug mode to see if there are any > problems showing there? > i am new commer in Linux and Mail server ? can you advise where i can see maillog file ? and how to run debug mode ? thks for your advise Anwar -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
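Peter Peters' ClamAV/F-Prot comparison earlier in this thread (56 detected by both, 48 only by ClamAV, 2 only by F-Prot) is a per-message tally of which scanner reported what. The Python below is an added example, not part of any message in this archive and not MailScanner code; it assumes each scanner report is prefixed with the message's queue ID and a tab, treats ClamAV names starting with `HTML.Phishing.` as phishing, and runs on constructed sample records.

```python
import re
from collections import defaultdict

# Constructed sample records, one per line: "<queue id><TAB><scanner report>".
# The queue-id prefix is an assumption of this example; the report wording
# follows the ClamAV Module and F-Prot lines quoted in the thread.
SAMPLE = "\n".join([
    "k7F0000A000001\tClamAV Module: msg-1-1.html was infected: HTML.Phishing.Bank-626",
    "k7F0000A000002\tClamAV Module: doc.zip was infected: Worm.Bagle",
    "k7F0000A000002\tF-Prot: ./k7F0000A000002/doc.zip->a.exe could be a suspicious file (encrypted program in archive)",
    "k7F0000A000003\tF-Prot: ./k7F0000A000003/inv.pdf.zip->inv.pdf.exe could be infected with an unknown virus",
    "k7F0000A000004\tClamAV Module: msg-4-1.html was infected: Worm.Lovgate.X",
    "k7F0000A000005\tClamAV Module: msg-5-1.html was infected: HTML.Phishing.Bank-626",
    "k7F0000A000005\tClamAV Module: msg-5-2.html was infected: HTML.Phishing.Bank-626",
    "this line is not a scanner report",
])

CLAMAV = re.compile(r"^ClamAV Module: (?P<file>.+?) was infected: (?P<name>\S+)$")
FPROT = re.compile(
    r"^F-Prot: (?P<file>.+?) could be "
    r"(?P<what>a suspicious file|infected with an unknown virus)\b"
)

# Assumption: the only phishing name shown in the thread is
# HTML.Phishing.Bank-626, so this prefix stands in for "phishing".
PHISHING_PREFIX = "HTML.Phishing."


def parse_record(line):
    """Return (queue_id, scanner, finding), or None if the line is not a report."""
    queue_id, tab, report = line.partition("\t")
    if not tab or not queue_id:
        return None
    report = report.strip()
    m = CLAMAV.match(report)
    if m:
        return queue_id, "clamav", m.group("name")
    m = FPROT.match(report)
    if m:
        # F-Prot gives no virus name in these reports, only a heuristic verdict.
        return queue_id, "f-prot", m.group("what")
    return None


def summarise(text):
    """Count messages flagged by both scanners, by one only, and skipped lines."""
    hits = defaultdict(lambda: defaultdict(set))  # queue id -> scanner -> findings
    skipped = 0
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            skipped += 1
            continue
        queue_id, scanner, finding = rec
        hits[queue_id][scanner].add(finding)

    out = {"both": 0, "clamav_only": 0, "fprot_only": 0,
           "clamav_only_non_phishing": 0, "skipped": skipped}
    for per_scanner in hits.values():
        by_clamav = "clamav" in per_scanner
        by_fprot = "f-prot" in per_scanner
        if by_clamav and by_fprot:
            out["both"] += 1
        elif by_clamav:
            out["clamav_only"] += 1
            # A message counts as non-phishing if any ClamAV name on it
            # is something other than a phishing signature.
            names = per_scanner["clamav"]
            if any(not n.startswith(PHISHING_PREFIX) for n in names):
                out["clamav_only_non_phishing"] += 1
        else:
            out["fprot_only"] += 1
    return out


if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

Counting per message rather than per report line matters here: a message with several infected parts would otherwise inflate one scanner's total.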
From jon.bates at summitmotors.com.au Tue Aug 15 12:31:02 2006 From: jon.bates at summitmotors.com.au (Jon Bates) Date: Tue Aug 15 12:31:18 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> Message-ID: <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> > Until recently we only had F-prot. Since this month we also use ClamAV. > ClamAV gets more viruses than F-prot but they are mainly phishing > attacks. Like this: > ClamAV Module: msg-7834-833.html was infected: HTML.Phishing.Bank-626 > Other viruses are detected by both but F-prot often doesn't know what > virus it is: > F-Prot: ./k7F3rsPS018425/Thomas.zip->bvpqirlyfk.exe could be a > suspicious file (encrypted program in archive) > While ClamAV mentions: > ClamAV Module: msg-9011-774.html was infected: Worm.Bagle > When only F-prot finds one it is usually an unknown virus too: > F-Prot: ./k7F6ORPR032693/Ebay-Rechnung.pdf.zip->Ebay-Rechnung.pdf.exe > could be infected with an unknown virus > Of the 106 viruses detected today on one of our systems 56 were detected > by both, 48 only by ClamAV and 2 only by F-prot. Of those 48 detected by > only ClamAV only 1 was not a phishing attack. That one was infected > with Worm.Lovgate.X (ClamAV name). Wonderful. Thanks very much for your input guys. You've put me on the right track. I think I'll weigh up the cost of implementing the ones that you've mentioned and go from there. I've been spoiled by ClamAV - not having to pay a cent for excellent protection on my mail servers (although we've since made a donation as a token of thanks for an awesome product!). Unfortunately though, there isn't many other decent free alternatives to use as a secondary scanner. Oh well! Thanks again. 
Jon From glenn.steen at gmail.com Tue Aug 15 13:39:24 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Aug 15 13:39:29 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> Message-ID: <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> On 15/08/06, Jon Bates wrote: > > > Until recently we only had F-prot. Since this month we also use ClamAV. > > ClamAV gets more viruses than F-prot but they are mainly phishing > > attacks. Like this: > > ClamAV Module: msg-7834-833.html was infected: HTML.Phishing.Bank-626 > > > Other viruses are detected by both but F-prot often doesn't know what > > virus it is: > > F-Prot: ./k7F3rsPS018425/Thomas.zip->bvpqirlyfk.exe could be a > > suspicious file (encrypted program in archive) > > While ClamAV mentions: > > ClamAV Module: msg-9011-774.html was infected: Worm.Bagle > > > When only F-prot finds one it is usually an unknown virus too: > > F-Prot: ./k7F6ORPR032693/Ebay-Rechnung.pdf.zip->Ebay-Rechnung.pdf.exe > > could be infected with an unknown virus > > > Of the 106 viruses detected today on one of our systems 56 were detected > > by both, 48 only by ClamAV and 2 only by F-prot. Of those 48 detected by > > only ClamAV only 1 was not a phishing attack. That one was infected > > with Worm.Lovgate.X (ClamAV name). > > > Wonderful. Thanks very much for your input guys. You've put me on the right > track. > I think I'll weigh up the cost of implementing the ones that you've > mentioned and go from there. > I've been spoiled by ClamAV - not having to pay a cent for excellent > protection on my mail servers (although we've since made a donation as a > token of thanks for an awesome product!). Unfortunately though, there isn't > many other decent free alternatives to use as a secondary scanner. Oh well! > > Thanks again. 
>
> Jon
>

That rather depends on the definition of "decent":-).

If you run linux (or freebsd) there are at least BitDefender Command line. Sure, it's not as light as ClamAV, but not that bad either (all depends, of course:). And the price is right (free).

If you have a site license for a commercial AV, you might be entitled to download/use/update their *nix product too. This is true for at least McAfee.

And finally there is Panda, which is not that great, but... not absolutely horrid (as it used to be). The download is free (freeware...), but you need a license to be able to download the signature updates.

Check
http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:bitdefender:install
http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:mcafee:install
http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:panda:install
for more details.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From campbell at cnpapers.com Tue Aug 15 13:54:40 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Aug 15 13:54:51 2006
Subject: MailScanner is not working
References: <44E19162.5040106@gmail.com> <44E19454.6010509@solid-state-logic.com> <44E19544.7090009@gmail.com><44E198E6.1050806@solid-state-logic.com> <44E19D3C.7010302@gmail.com>
Message-ID: <007701c6c069$f9180d80$0705000a@DDF5DW71>

Damn, you guys are good at fixing problems.

Steve

----- Original Message -----
From: "Anwar Sanusi"
To: "MailScanner discussion"
Sent: Tuesday, August 15, 2006 6:09 AM
Subject: Re: MailScanner is not working

> Martin Hepworth wrote:
>
>> Anwar Sanusi wrote:
>>
>>> Martin Hepworth wrote:
>>>
>>>> Anwar Sanusi wrote:
>>>>
>>>>> Dear All,
>>>>>
>>>>> Please help me to fix my problem.
>>>>> We can not send or receive email because our email just stay at
>>>>> Incoming Queue Directory "/var/spool/mqueue.in". Please help me how
>>>>> to solve this problem ?
>>>>> >>>>> Thanks & regards >>>>> anwar >>>>> >>>> Anything in the maillog file to indicate any problems.. >>>> >>>> have you run MailScanner in Debug mode to see if there are any >>>> problems showing there? >>>> >>> i am new commer in Linux and Mail server ? can you advise where i can >>> see maillog file ? >>> and how to run debug mode ? >>> thks for your advise >>> Anwar >>> >>> >> Hi >> >> Normally it's in /var/log/maillog >> >> for debug mode, stop mailscanner, edit the MailScanner.conf and change >> BOTH debug options to 'yes' then run check_mailscanner. >> >> this output can be quite large and you may have to search the output >> quite carefully for any problems. >> > Thanks all our problem is seemly solved > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From drew at themarshalls.co.uk Tue Aug 15 14:06:11 2006 From: drew at themarshalls.co.uk (Drew Marshall) Date: Tue Aug 15 14:06:52 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> Message-ID: <47100.194.70.180.170.1155647171.squirrel@webmail.r-bit.net> On Tue, August 15, 2006 13:39, Glenn Steen wrote: > If you run linux (or freebsd) there are at least BitDefender Command > line. Sure, it's not as light as ClamAV, but not that bad either (all > depends, of course:). And the price is right (free). I am not sure it is any more. On my to-do list (A fair way down :-( ) is to e-mail and formally ask them but looking at their curent site, I would suggest the BitDefender licence would appear to have changed... 
http://www.bitdefender.com/PRODUCT-80-en--BitDefender-Antivirus-Scanner-for-Unices.html (Check the bottom paragraph) Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. www.themarshalls.co.uk/policy From steve.swaney at fsl.com Tue Aug 15 14:27:22 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Aug 15 14:27:25 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <47100.194.70.180.170.1155647171.squirrel@webmail.r-bit.net> Message-ID: <14c901c6c06e$8a641c30$287ba8c0@office.fsl> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Drew Marshall > Sent: Tuesday, August 15, 2006 9:06 AM > To: MailScanner discussion > Subject: Re: OT - Multiple Virus Scanners > > On Tue, August 15, 2006 13:39, Glenn Steen wrote: > > If you run linux (or freebsd) there are at least BitDefender Command > > line. Sure, it's not as light as ClamAV, but not that bad either (all > > depends, of course:). And the price is right (free). > > I am not sure it is any more. On my to-do list (A fair way down :-( ) is > to e-mail and formally ask them but looking at their curent site, I would > suggest the BitDefender licence would appear to have changed... > > http://www.bitdefender.com/PRODUCT-80-en--BitDefender-Antivirus-Scanner- > for-Unices.html > (Check the bottom paragraph) > > Drew I mentioned a few weeks back that the Download link to the free Linux version was broken so this is no surprise. Anyone using AVG. The Linux file server version is $70 (US) for 5 servers for 2 years. I didn't see any license restrictions against using on an email gateway. I'll probably test against ClamAV. Steve Stephen Swaney Fort Systems Ltd. 
stephen.swaney@fsl.com www.fsl.com From glenn.steen at gmail.com Tue Aug 15 14:45:18 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Aug 15 14:45:30 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <47100.194.70.180.170.1155647171.squirrel@webmail.r-bit.net> References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> <47100.194.70.180.170.1155647171.squirrel@webmail.r-bit.net> Message-ID: <223f97700608150645r3f6c11b1le24aee74013fbf80@mail.gmail.com> On 15/08/06, Drew Marshall wrote: > On Tue, August 15, 2006 13:39, Glenn Steen wrote: > > If you run linux (or freebsd) there are at least BitDefender Command > > line. Sure, it's not as light as ClamAV, but not that bad either (all > > depends, of course:). And the price is right (free). > > I am not sure it is any more. On my to-do list (A fair way down :-( ) is > to e-mail and formally ask them but looking at their curent site, I would > suggest the BitDefender licence would appear to have changed... > > http://www.bitdefender.com/PRODUCT-80-en--BitDefender-Antivirus-Scanner-for-Unices.html > (Check the bottom paragraph) > > Drew > How very annoying. IIRC I checked before sometime around April - May, and could still find/download the free version. Oh well, guess I'll have to keep my copy close then:-). Note that the "(previously) free version" is not the same as the one you cite above, so what they seem to have done is to have removed the "pure commandline version" (where freebsd was a beta level release) and added this "new" package with full support for freebsd (that is, provided I do remember correctly... they seem to have removed everything from their ftp server too. Sigh). Hm. 
Means I'll have to do something about that wiki-page, now doesn't it?-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From alex at ialex.net Tue Aug 15 14:28:54 2006
From: alex at ialex.net (Alex Short)
Date: Tue Aug 15 14:58:15 2006
Subject: Winmail.dat / TNEF Issues 1 user receives, 1 user fails
Message-ID: <19488.216.191.73.124.1155648534.squirrel@216.191.73.124>

We are having issues with a particular user that never seems to get his winmail.dat files from a partner.

Here is the strange thing. Partner emails user1@ourcompany.com,user2@ourcompany.com and TNEF extracts and sends user1 the word documents within but doesn't send to user2. In the logs it just says

--
Aug 13 13:50:55 iomail-gw MailScanner[21126]: Corrupt TNEF winmail.dat that cannot be analysed in message k7DHonGJ024825
--

Version we are running

--
MailScanner E-Mail Virus Scanner version 4.52.2
--

There is a great deal of correspondence between partner and user1&user2 and this has occurred on the last 15 emails (user1 gets, user2 denied)

Please help!

From sandrews at andrewscompanies.com Tue Aug 15 15:22:05 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Tue Aug 15 15:22:12 2006
Subject: Winmail.dat / TNEF Issues 1 user receives, 1 user fails
Message-ID: <1964AAFBC212F742958F9275BF63DBB03B1B83@winchester.andrewscompanies.com>

4.55.9-1 addressed some tnef issues re the external tnef decompressor. Might want to have a try with that.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Short
Sent: Tuesday, August 15, 2006 9:29 AM
To: mailscanner@lists.mailscanner.info
Subject: Winmail.dat / TNEF Issues 1 user receives, 1 user fails

We are having issues with a particular user that never seems to get his winmail.dat files from a partner.

Here is the strange thing.
Partner emails user1@ourcompany.com,user2@ourcompany.com and TNEF extracts and sends user1 the word documents within but doesn't send to user2. In the logs it just says

--
Aug 13 13:50:55 iomail-gw MailScanner[21126]: Corrupt TNEF winmail.dat that cannot be analysed in message k7DHonGJ024825
--

Version we are running

--
MailScanner E-Mail Virus Scanner version 4.52.2
--

There is a great deal of correspondence between partner and user1&user2 and this has occurred on the last 15 emails (user1 gets, user2 denied)

Please help!

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From gordon at itnt.co.za Tue Aug 15 15:24:24 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Tue Aug 15 15:24:59 2006
Subject: Nod32 installation
Message-ID: <04c501c6c076$859de7f0$0a02a8c0@Gordon>

Can someone confirm what version of nod32 works with Mailscanner, I have tried to install nod32 for mail server but it doesn't get picked up by Mailscanner.

Thanks

Gordon Colyn

From uxbod at splatnix.net Tue Aug 15 15:45:07 2006
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Aug 15 15:45:22 2006
Subject: Nod32 installation
In-Reply-To: <04c501c6c076$859de7f0$0a02a8c0@Gordon>
References: <04c501c6c076$859de7f0$0a02a8c0@Gordon>
Message-ID: <3435f0a399dc1bdbe15214111e995401@localhost>

I believe that it is the Linux File Server edition

On Tue, 15 Aug 2006 16:24:24 +0200, "Gordon Colyn" wrote:
> Can someone confirm what version of nod32 works with
> Mailscanner, I have tried to install nod32 for mail server but it doesn't
> get picked up by Mailscanner.
> > Thanks > > Gordon Colyn > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Aug 15 15:52:12 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 15 15:52:47 2006 Subject: Can MailScanner Individualizing Filename/Filetype rules ? In-Reply-To: <44E1439B.9030909@gmail.com> References: <44E1439B.9030909@gmail.com> Message-ID: <44E1DF9C.5020709@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yes. Read up on it at wiki.mailscanner.info. It is documented in there, and in the book, is quite some detail. Lasantha Marian wrote: > Dear All, > > Is there a way to individualize the Filename and Filetype rules based > on e-mail addresses ? If YES, a brief explanation is much appreciated. > > Eg: e-mail address xyz@abc.lk can receive all (*.*) while uvw@abc.lk > can only receive PDF (*.pdf). > > Thanks in advance, > > Lasantha. 
- -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4d+dEfZZRxQVtlQRAr3dAJ0du+c3OtTKy8eq+Du8b0DJswV5LQCg6uNh l7QdRLYaPOLZc2Znx2RkoMQ= =N3pD -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Aug 15 15:57:47 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 15 15:58:35 2006 Subject: Winmail.dat / TNEF Issues 1 user receives, 1 user fails In-Reply-To: <1964AAFBC212F742958F9275BF63DBB03B1B83@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB03B1B83@winchester.andrewscompanies.com> Message-ID: <44E1E0EB.1050402@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Also you could try the internal TNEF expander. Read the comments in MailScanner.conf for how to use it. sandrews@andrewscompanies.com wrote: > 4.55.9-1 addressed some tnef issues re the exteneral tnef decompressor. > Might want to have a try with that. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex > Short > Sent: Tuesday, August 15, 2006 9:29 AM > To: mailscanner@lists.mailscanner.info > Subject: Winmail.dat / TNEF Issues 1 user receives, 1 user fails > > We are having issues with a particular user that never seems to get his > winmail.dat files from a partner. > > Here is the strange thing. Partner emails > user1@ourcompany.com,user2@ourcompany.com and TNEF extracts and sends > user1 the word documents within but doesn't send to user2. 
In the logs > it just says > > -- > Aug 13 13:50:55 iomail-gw MailScanner[21126]: Corrupt TNEF winmail.dat > that cannot be analysed in message k7DHonGJ024825 > -- > > Version we are running > > -- > MailScanner E-Mail Virus Scanner version 4.52.2 > -- > > There is a great deal of correspondance between partner and user1&user2 > and this has occured on the last 15 emails (user1 gets, user2 denied) > > Please help! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4eDsEfZZRxQVtlQRAn3yAKDkXugyvV+pk/aecLHWCQ17BcHt5gCfVYxB w8FnCJGdy0SxI3aA1guDlEg= =CusO -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Aug 15 16:00:22 2006 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 15 16:00:57 2006 Subject: Nod32 installation In-Reply-To: <04c501c6c076$859de7f0$0a02a8c0@Gordon> References: <04c501c6c076$859de7f0$0a02a8c0@Gordon> Message-ID: <44E1E186.1000506@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Where did you install Nod32? MailScanner assumes /usr/sbin unless you have it somewhere else. And you are using Virus Scanners = nod32-1.99 aren't you? Virus Scanners = nod32 is for old versions (this is documented in MailScanner.conf immediately above the "Virus Scanners" setting). 
If you have installed it elsewhere, then you need to tell MailScanner where it is by editing /etc/MailScanner/virus.scanners.conf Gordon Colyn wrote: > ITNT Banner CampaignCan someone confirm what version of nod32 works with > Mailscanner, I have tried to install nod32 for mail server but it doesn't > get picked up by Mailscanner. > > Thanks > > Gordon Colyn > > > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4eGHEfZZRxQVtlQRAqozAKDwfWSO0HI+9YtAiFhft3IApzzdFQCcCaw2 tGkkzH+clULgvNNDoEvDjmc= =twat -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From Kevin_Miller at ci.juneau.ak.us Tue Aug 15 16:12:36 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Aug 15 16:12:41 2006 Subject: Can MailScanner Individualizing Filename/Filetype rules ? In-Reply-To: <44E1DF9C.5020709@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Yes. > Read up on it at wiki.mailscanner.info. It is documented in there, and > in the book, is quite some detail. > > Lasantha Marian wrote: >> >> Is there a way to individualize the Filename and Filetype rules based >> on e-mail addresses ? If YES, a brief explanation is much >> appreciated. >> >> Eg: e-mail address xyz@abc.lk can receive all (*.*) while uvw@abc.lk >> can only receive PDF (*.pdf). You might also look through the archives (we still have archives, right?) for a thread with the subject "filename/type exceptions" . Last week I ask a similar question and got some good replies... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From ssilva at sgvwater.com Tue Aug 15 16:58:54 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 15 16:59:34 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <223f97700608150645r3f6c11b1le24aee74013fbf80@mail.gmail.com> References: <200608151101.k7FB0vMW022134@bkserver.blacknight.ie> <000601c6c05e$4d4f4fa0$0600a8c0@jonlaptop> <223f97700608150539v4b32b34ajea5fd3da1531b8e1@mail.gmail.com> <47100.194.70.180.170.1155647171.squirrel@webmail.r-bit.net> <223f97700608150645r3f6c11b1le24aee74013fbf80@mail.gmail.com> Message-ID: I'Glenn Steen spake the following on 8/15/2006 6:45 AM: > On 15/08/06, Drew Marshall wrote: >> On Tue, August 15, 2006 13:39, Glenn Steen wrote: >> > If you run linux (or freebsd) there are at least BitDefender Command >> > line. Sure, it's not as light as ClamAV, but not that bad either (all >> > depends, of course:). And the price is right (free). >> >> I am not sure it is any more. On my to-do list (A fair way down :-( ) is >> to e-mail and formally ask them but looking at their curent site, I would >> suggest the BitDefender licence would appear to have changed... >> >> http://www.bitdefender.com/PRODUCT-80-en--BitDefender-Antivirus-Scanner-for-Unices.html >> >> (Check the bottom paragraph) >> >> Drew >> > How very annoying. IIRC I checked before sometime around April - May, > and could still find/download the free version. Oh well, guess I'll > have to keep my copy close then:-). > Note that the "(previously) free version" is not the same as the one > you cite above, so what they seem to have done is to have removed the > "pure commandline version" (where freebsd was a beta level release) > and added this "new" package with full support for freebsd (that is, > provided I do remember correctly... they seem to have removed > everything from their ftp server too. Sigh). > > Hm. 
Means I'll have to do something about that wiki-page, now doesn't it?-) > I'm glad I downloaded it all a few months ago! ;-) Now to back it up to as many places as I can! I just sent an e-mail to get some idea of when it might stop working... We'll see if I get a response. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From listas at pegaso.fisica.unam.mx Tue Aug 15 17:21:22 2006 From: listas at pegaso.fisica.unam.mx (Javier Martinez) Date: Tue Aug 15 17:10:01 2006 Subject: no check for a user Message-ID: <20060815162122.GA9977@pegaso.fisica.unam.mx> Hi everybody, I have a problematic user, I have working mailscanner and spamassassin, but my user is complaining all time about his email. Is any posibility to use mailscanner for all my users and don't check email for this user?? Thanks a lot. Javier From ssilva at sgvwater.com Tue Aug 15 17:33:44 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 15 17:34:43 2006 Subject: MailScanner is not working In-Reply-To: <007701c6c069$f9180d80$0705000a@DDF5DW71> References: <44E19162.5040106@gmail.com> <44E19454.6010509@solid-state-logic.com> <44E19544.7090009@gmail.com><44E198E6.1050806@solid-state-logic.com> <44E19D3C.7010302@gmail.com> <007701c6c069$f9180d80$0705000a@DDF5DW71> Message-ID: Steve Campbell spake the following on 8/15/2006 5:54 AM: > Damn, you guys are good at fixing problems. > > Steve It sometimes happens when the children know you are calling "dad"! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From ssilva at sgvwater.com Tue Aug 15 17:35:26 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Aug 15 17:40:12 2006
Subject: Winmail.dat / TNEF Issues 1 user receives, 1 user fails
In-Reply-To: <19488.216.191.73.124.1155648534.squirrel@216.191.73.124>
References: <19488.216.191.73.124.1155648534.squirrel@216.191.73.124>
Message-ID:

Alex Short spake the following on 8/15/2006 6:28 AM:
> We are having issues with a particular user that never seems to get his
> winmail.dat files from a partner.
>
> Here is the strange thing. Partner emails
> user1@ourcompany.com,user2@ourcompany.com and TNEF extracts and sends
> user1 the word documents within but doesn't send to user2. In the logs it
> just says
>
> --
> Aug 13 13:50:55 iomail-gw MailScanner[21126]: Corrupt TNEF winmail.dat
> that cannot be analysed in message k7DHonGJ024825
> --
>
> Version we are running
>
> --
> MailScanner E-Mail Virus Scanner version 4.52.2
> --
>
> There is a great deal of correspondence between partner and user1&user2
> and this has occurred on the last 15 emails (user1 gets, user2 denied)
>
> Please help!

Which tnef are you using? The internal or external?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mailscanner at ecs.soton.ac.uk Tue Aug 15 17:41:42 2006
From: mailscanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 15 17:41:57 2006
Subject: no check for a user
In-Reply-To: <20060815162122.GA9977@pegaso.fisica.unam.mx>
References: <20060815162122.GA9977@pegaso.fisica.unam.mx>
Message-ID: <44E1F946.5050609@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You can use a ruleset on the "Scan Messages" setting. Rulesets are the
most commonly asked question here, usually several times every day :-)
Check in the wiki or in the book, they are documented all over the place.

However, what I would advise is that you get a policy in place that
forces people to have all their email scanned by MailScanner.
What happens when this guy gets a virus and infects your network?
When I first imposed MailScanner on my department, I had a couple of
users who objected loudly, saying that there was no way they could get a
virus. Within the first couple of months, both of them had come to me to
apologise as MailScanner had saved them more than once!

This is a management job. Don't let people say that they aren't going to
have their email scanned.

However, if you have to do it, here is how:

In MailScanner.conf, put
    Scan Messages = %rules-dir%/scan.messages.rules
In /etc/MailScanner/rules/scan.messages.rules put this
    To:        awkward.sod@domain.com  no
    FromOrTo:  default                 yes
Then do a
    service MailScanner reload
to make it re-read the configuration, and from then on the user
awkward.sod@domain.com will not have their mail scanned, but everyone
else will.

Javier Martinez wrote:
> Hi everybody,
>
> I have a problematic user, I have working mailscanner and spamassassin, but my user is complaining all time about his email. Is any possibility to use
> mailscanner for all my users and don't check email for this user??
>
> Thanks a lot.
>
> Javier

- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@MailScanner.biz

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.7.0
Charset: ISO-8859-1

wj8DBQFE4flJEfZZRxQVtlQRAjP3AJ9enhkablrr4FxJGohVaivWFP3DbgCg2ZX6
DbFcHRPDe7rRyWp3sLEFUZw=
=t4yl
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
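The first-match ruleset behaviour used in the message above, as an added example that is not part of the original post and not MailScanner's own code: a small Python model that evaluates "Direction: pattern value" rules top to bottom and audits a "Scan Messages" ruleset for exemptions. The function names, the misordered and wide rulesets, the handling of only `*` and `default` patterns, and the one-sender/one-recipient evaluation are assumptions of this sketch.

```python
import re
from typing import List, NamedTuple, Optional

# The first ruleset is the one posted in the message above; the other two
# are constructed variants used to show two audit findings.
POSTED_RULESET = """\
To:        awkward.sod@domain.com  no
FromOrTo:  default                 yes
"""
MISORDERED_RULESET = """\
FromOrTo:  default                 yes
To:        awkward.sod@domain.com  no
"""
WIDE_RULESET = """\
# constructed: an exemption that covers a whole domain
To:        *@domain.com            no
To:        one.user@example.org    no
FromOrTo:  default                 yes
"""

DIRECTIONS = {"from", "to", "fromorto", "fromandto"}


class Rule(NamedTuple):
    direction: str  # which address(es) the pattern is tested against
    pattern: str    # address pattern, lower-cased; "default" matches all
    value: str      # rest of the line, e.g. "yes" or "no"
    lineno: int     # line number in the ruleset file, for reporting


def parse_ruleset(text: str) -> List[Rule]:
    """Parse 'Direction: pattern value' lines; blank and '#' lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].endswith(":"):
            raise ValueError(f"line {lineno}: expected 'Direction: pattern value'")
        direction = parts[0][:-1].lower()
        if direction not in DIRECTIONS:
            raise ValueError(f"line {lineno}: direction {parts[0]!r} not modelled")
        rules.append(Rule(direction, parts[1].lower(), parts[2].strip(), lineno))
    return rules


def address_matches(pattern: str, address: str) -> bool:
    """'default' matches anything; '*' is the only wildcard modelled here."""
    if pattern == "default":
        return True
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, address.lower()) is not None


def first_match(rules: List[Rule], sender: str, recipient: str) -> Optional[Rule]:
    """Return the first rule that applies; later rules are never consulted."""
    for rule in rules:
        from_hit = address_matches(rule.pattern, sender)
        to_hit = address_matches(rule.pattern, recipient)
        hit = {"from": from_hit, "to": to_hit,
               "fromorto": from_hit or to_hit,
               "fromandto": from_hit and to_hit}[rule.direction]
        if hit:
            return rule
    return None


def scan_decision(rules: List[Rule], sender: str, recipient: str) -> str:
    """Value of the winning rule; this model insists on a default line."""
    rule = first_match(rules, sender, recipient)
    if rule is None:
        raise LookupError("no rule matched and the ruleset has no default line")
    return rule.value.lower()


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules placed after a 'default' line can never be reached."""
    for index, rule in enumerate(rules):
        if rule.pattern == "default":
            return rules[index + 1:]
    return []


def broad_exemptions(rules: List[Rule]) -> List[Rule]:
    """'no' rules whose pattern has a wildcard, so they exempt many mailboxes."""
    return [r for r in rules if r.value.lower() == "no" and "*" in r.pattern]


if __name__ == "__main__":
    for name, text in [("posted", POSTED_RULESET),
                       ("misordered", MISORDERED_RULESET),
                       ("wide", WIDE_RULESET)]:
        rules = parse_ruleset(text)
        print(name,
              "awkward.sod scanned:",
              scan_decision(rules, "partner@example.org", "awkward.sod@domain.com"),
              "| unreachable lines:", [r.lineno for r in shadowed_rules(rules)],
              "| wildcard exemptions:", [r.pattern for r in broad_exemptions(rules)])
```

Running it over a site's own rules file shows which mailboxes are outside scanning and whether any exemption line is dead because it sits below the default.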
From andoni.auzmendi at robertwalters.com Tue Aug 15 17:41:48 2006
From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi)
Date: Tue Aug 15 17:42:32 2006
Subject: no check for a user
Message-ID: <5450254EC7E7B54193C8AEFD904AA36325E520@PAT.internal.robertwalters.com>

Javier,

In MailScanner.conf change Use SpamAssassin = yes to
%rules-dir%/opt-out.rules.

In the rules directory create opt-out.rules file with the following
content:

    To:        grumpyuser1@domain  no
    To:        grumpyuser2@domain  no
    FromOrTo:  default             yes

Andoni

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Javier Martinez
Sent: 15 August 2006 17:21
To: mailscanner@lists.mailscanner.info
Subject: no check for a user

Hi everybody,

I have a problematic user, I have working mailscanner and spamassassin,
but my user is complaining all time about his email. Is any possibility
to use mailscanner for all my users and don't check email for this user??

Thanks a lot.

Javier
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**********************************************************************

From gborders at jlewiscooper.com Tue Aug 15 17:55:41 2006
From: gborders at jlewiscooper.com (Greg Borders)
Date: Tue Aug 15 17:56:38 2006
Subject: no check for a user
In-Reply-To: <20060815162122.GA9977@pegaso.fisica.unam.mx>
References: <20060815162122.GA9977@pegaso.fisica.unam.mx>
Message-ID: <44E1FC8D.30205@jlewiscooper.com>

I just did something very similar to this for one of my users.
You can use a couple of rules to deliver the messages for the specific
user.

Here's mine.

in the MailScanner/rules directory, create a file
highscoring.spam.actions.rules
In that, add rules for users

    To:        picky@example.com  deliver store header "X-Spam-Status: Yes"
    To:        finiky@*           deliver store header "X-Spam-Status: Yes"
    FromOrTo:  default            delete store

then make another rule file: non.spam.actions.rules
In that, add rules for users

    To:        picky@example.com  deliver store header "X-Spam-Status: No"
    To:        finiky@*           deliver store header "X-Spam-Status: No"
    FromOrTo:  default            deliver store

Then in the MailScanner.conf file, update the settings for spam to point
to the new rules.

    High Scoring Spam Actions = %rules-dir%/highscoring.spam.actions.rules
and
    Non Spam Actions = %rules-dir%/non.spam.actions.rules

Restart MailScanner, and now your picky and finiky users will get all
their mail delivered and only virus laden mails are slain. With the
extra header spam status, Thunderbird clients can filter them to the
users junk folder automatically, and then leave the house keeping to
them.

This method will allow you to still scan messages, and deliver them
selectively. You can also tweak the other options as you see fit.

Good luck!

Greg. Borders
Sys. Admin.
JLC Co.

Javier Martinez wrote:
> Hi everybody,
>
> I have a problematic user, I have working mailscanner and spamassassin, but my user is complaining all time about his email.
> Is any possibility to use
> mailscanner for all my users and don't check email for this user??
>
> Thanks a lot.
>
> Javier
>

--
This transmission may contain information that is privileged,
confidential and/or exempt from disclosure under applicable law. If you
are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or use of the information contained
herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
received this transmission in error, please immediately contact the
sender and destroy the material in its entirety, whether in electronic
or hard copy format. Thank you.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From nfeasey at utpress.utoronto.ca Tue Aug 15 18:06:17 2006
From: nfeasey at utpress.utoronto.ca (Feasey, Nicholas)
Date: Tue Aug 15 18:06:36 2006
Subject: Specific From and To check rule
In-Reply-To: <44E1F946.5050609@ecs.soton.ac.uk>
Message-ID: <4B7800CC946F56478051DD71855D6E6C0346220A@POSTALSTATION>

Forgive me if this has been discussed before...

Is there a simple method in which MailScanner can be told to check the
From and the To address and, if it's from the same person, reject it.

I want to stop those messages that state:

From: @
To: @

...which are really annoying.

N

From Kevin_Miller at ci.juneau.ak.us Tue Aug 15 18:22:37 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Aug 15 18:22:52 2006
Subject: no check for a user
In-Reply-To: <20060815162122.GA9977@pegaso.fisica.unam.mx>
Message-ID:

Javier Martinez wrote:
> Hi everybody,
>
> I have a problematic user, I have working mailscanner and
> spamassassin, but my user is complaining all time about his email. Is
> any possibility to use mailscanner for all my users and don't check
> email for this user??

What is he complaining about? You could turn it off or on and he
wouldn't see the difference. Well, except he'd get a lot more spam.
But it doesn't slow delivery down noticably or anything. What does he think the problem is? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From gordon at itnt.co.za Tue Aug 15 18:43:14 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Tue Aug 15 18:44:16 2006 Subject: Nod32 installation References: <04c501c6c076$859de7f0$0a02a8c0@Gordon> <44E1E186.1000506@ecs.soton.ac.uk> Message-ID: <005401c6c092$612c28c0$0d02a8c0@Gordon> Yep, installed in correct path and updated config to specified nod32-1.99. Looked in the files and picked up I don't have the file nod32 only have; nod32_update nod32d nod32mda nod32smtp nod32smfi nod32cli Gordon ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Sent: Tuesday, August 15, 2006 5:00 PM Subject: Re: Nod32 installation -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Where did you install Nod32? MailScanner assumes /usr/sbin unless you have it somewhere else. And you are using Virus Scanners = nod32-1.99 aren't you? Virus Scanners = nod32 is for old versions (this is documented in MailScanner.conf immediately above the "Virus Scanners" setting). If you have installed it elsewhere, then you need to tell MailScanner where it is by editing /etc/MailScanner/virus.scanners.conf Gordon Colyn wrote: > ITNT Banner CampaignCan someone confirm what version of nod32 works with > Mailscanner, I have tried to install nod32 for mail server but it doesn't > get picked up by Mailscanner. 
> > Thanks > > Gordon Colyn > > > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4eGHEfZZRxQVtlQRAqozAKDwfWSO0HI+9YtAiFhft3IApzzdFQCcCaw2 tGkkzH+clULgvNNDoEvDjmc= =twat -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mailscanner at ecs.soton.ac.uk Tue Aug 15 19:16:57 2006 From: mailscanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 15 19:17:08 2006 Subject: Nod32 installation In-Reply-To: <005401c6c092$612c28c0$0d02a8c0@Gordon> References: <04c501c6c076$859de7f0$0a02a8c0@Gordon> <44E1E186.1000506@ecs.soton.ac.uk> <005401c6c092$612c28c0$0d02a8c0@Gordon> Message-ID: <44E20F99.4060205@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The program (the binary) should have been called nod32, but they might have changed that. Try this: cd /usr/sbin ln -s new32cli nod32 and then run MailScanner again. Gordon Colyn wrote: > Yep, installed in correct path and updated config to specified nod32-1.99. 
> Looked in the files and picked up I don't have the file nod32 only have; > > nod32_update > nod32d > nod32mda > nod32smtp > nod32smfi > nod32cli > > Gordon > ----- Original Message ----- > From: "Julian Field" > To: "MailScanner discussion" > Sent: Tuesday, August 15, 2006 5:00 PM > Subject: Re: Nod32 installation > > > > * PGP Signed by an unmatched address: 08/15/06 at 16:00:23 > * Julian Field > * 0x1415B654(L) > * PGP Signed by an unmatched address: 08/15/06 at 16:00:23 > > Where did you install Nod32? MailScanner assumes /usr/sbin unless you > have it somewhere else. And you are using > Virus Scanners = nod32-1.99 > aren't you? > Virus Scanners = nod32 > is for old versions (this is documented in MailScanner.conf immediately > above the "Virus Scanners" setting). > > If you have installed it elsewhere, then you need to tell MailScanner > where it is by editing /etc/MailScanner/virus.scanners.conf > > Gordon Colyn wrote: >> ITNT Banner CampaignCan someone confirm what version of nod32 works with >> Mailscanner, I have tried to install nod32 for mail server but it doesn't >> get picked up by Mailscanner. >> >> Thanks >> >> Gordon Colyn >> >> >> > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4g+aEfZZRxQVtlQRArCCAJ9eNBU/DO+KjNZ0fm87YBmbI6bSngCfbGPK nQBPfmoZG8skMTJlJLX4l4c= =Us3M -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From JeremyBlonde at grant.k12.ca.us Tue Aug 15 19:26:45 2006 From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde) Date: Tue Aug 15 19:25:07 2006 Subject: MailScanner load Message-ID: I've been wanting to use Bayes for our mailscanner system, but I'm wondering now if the overhead is worth it. We have a new mailscanner box running with Postfix (under Gentoo Linux) and it works pretty well, we're filtering between 75-80% of our mail as spam. The box however, is hammered, it's running around 5-6 with spikes to 8-9. I've just turned off bayes and I'll see how the load is once it's processed all the back logged messages. We're averaging about 15,000-20,000 messages a day (probably more once the school year starts). Mailscanner is running on an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. Is that normal for using bayes with mailscanner or do I need to tweak some things? (I'm already using tmpfs for a little bit of a speed up). Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District From gordon at itnt.co.za Tue Aug 15 19:28:22 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Tue Aug 15 19:28:42 2006 Subject: Nod32 installation References: <04c501c6c076$859de7f0$0a02a8c0@Gordon> <44E1E186.1000506@ecs.soton.ac.uk><005401c6c092$612c28c0$0d02a8c0@Gordon> <44E20F99.4060205@ecs.soton.ac.uk> Message-ID: <00ff01c6c098$96d1c650$0d02a8c0@Gordon> ok, will give it a bash, just got a demo version of nod32 fileserver version from nod seems that the file version scanner uses nod32, the files I mentioned below are for the mail server... ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Sent: Tuesday, August 15, 2006 8:16 PM Subject: Re: Nod32 installation -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The program (the binary) should have been called nod32, but they might have changed that. 
Try this: cd /usr/sbin ln -s new32cli nod32 and then run MailScanner again. Gordon Colyn wrote: > Yep, installed in correct path and updated config to specified nod32-1.99. > Looked in the files and picked up I don't have the file nod32 only have; > > nod32_update > nod32d > nod32mda > nod32smtp > nod32smfi > nod32cli > > Gordon > ----- Original Message ----- > From: "Julian Field" > To: "MailScanner discussion" > Sent: Tuesday, August 15, 2006 5:00 PM > Subject: Re: Nod32 installation > > > > * PGP Signed by an unmatched address: 08/15/06 at 16:00:23 > * Julian Field > * 0x1415B654(L) > * PGP Signed by an unmatched address: 08/15/06 at 16:00:23 > > Where did you install Nod32? MailScanner assumes /usr/sbin unless you > have it somewhere else. And you are using > Virus Scanners = nod32-1.99 > aren't you? > Virus Scanners = nod32 > is for old versions (this is documented in MailScanner.conf immediately > above the "Virus Scanners" setting). > > If you have installed it elsewhere, then you need to tell MailScanner > where it is by editing /etc/MailScanner/virus.scanners.conf > > Gordon Colyn wrote: >> ITNT Banner CampaignCan someone confirm what version of nod32 works with >> Mailscanner, I have tried to install nod32 for mail server but it doesn't >> get picked up by Mailscanner. >> >> Thanks >> >> Gordon Colyn >> >> >> > - -- Julian Field www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@MailScanner.biz PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP SDK 3.7.0 Charset: ISO-8859-1 wj8DBQFE4g+aEfZZRxQVtlQRArCCAJ9eNBU/DO+KjNZ0fm87YBmbI6bSngCfbGPK nQBPfmoZG8skMTJlJLX4l4c= =Us3M -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From gordon at itnt.co.za Tue Aug 15 19:36:26 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Tue Aug 15 19:36:45 2006 Subject: MailScanner load References: Message-ID: <010401c6c099$b74e5050$0d02a8c0@Gordon> I had the same problem with my box, maxed the load at about 5-6 doing 20k messages per day. Just increased my ram to 4gb and have seen the load drop to between 0.50 and 1.50 max when looking at stats with mailscanner! Now doing 25k and growing to 30k and the load is sitting at approx .75 to 1.5. Gordon ----- Original Message ----- From: "Jeremy Blonde" To: "MailScanner discussion" Sent: Tuesday, August 15, 2006 8:26 PM Subject: MailScanner load I've been wanting to use Bayes for our mailscanner system, but I'm wondering now if the overhead is worth it. We have a new mailscanner box running with Postfix (under Gentoo Linux) and it works pretty well, we're filtering between 75-80% of our mail as spam. The box however, is hammered, it's running around 5-6 with spikes to 8-9. I've just turned off bayes and I'll see how the load is once it's processed all the back logged messages. We're averaging about 15,000-20,000 messages a day (probably more once the school year starts). Mailscanner is running on an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. Is that normal for using bayes with mailscanner or do I need to tweak some things? (I'm already using tmpfs for a little bit of a speed up). 
Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From rpoe at plattesheriff.org Tue Aug 15 19:38:43 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Tue Aug 15 19:39:08 2006 Subject: MailScanner load In-Reply-To: References: Message-ID: <44E1CE66.65ED.00A2.0@plattesheriff.org> What's your swap utilization? 1gig of ram using tempfs and MailScanner sounds like too little ram... >>> "Jeremy Blonde" 8/15/2006 1:26 PM >>> I've been wanting to use Bayes for our mailscanner system, but I'm wondering now if the overhead is worth it. We have a new mailscanner box running with Postfix (under Gentoo Linux) and it works pretty well, we're filtering between 75-80% of our mail as spam. The box however, is hammered, it's running around 5-6 with spikes to 8-9. I've just turned off bayes and I'll see how the load is once it's processed all the back logged messages. We're averaging about 15,000-20,000 messages a day (probably more once the school year starts). Mailscanner is running on an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. Is that normal for using bayes with mailscanner or do I need to tweak some things? (I'm already using tmpfs for a little bit of a speed up). Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From JeremyBlonde at grant.k12.ca.us Tue Aug 15 19:46:21 2006 From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde) Date: Tue Aug 15 19:43:24 2006 Subject: MailScanner load Message-ID: The box reports that 500 k of swap is being used. I rarely have less than 200,000 k free of RAM with the average being 300,000 k. Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District -----Original Message----- From: Rob Poe [mailto:rpoe@plattesheriff.org] Sent: Tuesday, August 15, 2006 11:39 AM To: Jeremy Blonde; MailScanner discussion Subject: Re: MailScanner load What's your swap utilization? 1gig of ram using tempfs and MailScanner sounds like too little ram... >>> "Jeremy Blonde" 8/15/2006 1:26 PM >>> I've been wanting to use Bayes for our mailscanner system, but I'm wondering now if the overhead is worth it. We have a new mailscanner box running with Postfix (under Gentoo Linux) and it works pretty well, we're filtering between 75-80% of our mail as spam. The box however, is hammered, it's running around 5-6 with spikes to 8-9. I've just turned off bayes and I'll see how the load is once it's processed all the back logged messages. We're averaging about 15,000-20,000 messages a day (probably more once the school year starts). Mailscanner is running on an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. Is that normal for using bayes with mailscanner or do I need to tweak some things? (I'm already using tmpfs for a little bit of a speed up). Jeremy Blonde Instructional Technology - Server Support Grant Joint Union School District -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From martinh at solid-state-logic.com Tue Aug 15 19:48:01 2006 From: martinh at solid-state-logic.com (Martin Hepworth) Date: Tue Aug 15 19:48:22 2006 Subject: MailScanner load In-Reply-To: References: Message-ID: <44E216E1.9020808@solid-state-logic.com> Jeremy Blonde wrote: > I've been wanting to use Bayes for our mailscanner system, but I'm > wondering now if the overhead is worth it. We have a new mailscanner > box running with Postfix (under Gentoo Linux) and it works pretty well, > we're filtering between 75-80% of our mail as spam. The box however, is > hammered, it's running around 5-6 with spikes to 8-9. I've just turned > off bayes and I'll see how the load is once it's processed all the back > logged messages. We're averaging about 15,000-20,000 messages a day > (probably more once the school year starts). Mailscanner is running on > an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. > > Is that normal for using bayes with mailscanner or do I need to tweak > some things? > > (I'm already using tmpfs for a little bit of a speed up). > > Jeremy Blonde > Instructional Technology - Server Support > Grant Joint Union School District Jeremy do you process ALL email or drop stuff on the inbound MTA? If you can do a check on valid email addresses and drop invalid ones you'll drop your processing by over 50% in my experience. Also what SA rules are you running above the default ones - ie whats in /etc/mail/spamassassin. Do you run a local caching nameserver on the MS box? have you looked at the tuning stuff on the wiki - that box should be able to cope with 50-60k emails a day easy. BTW load average doesn't mean much - just X processes waiting for resources. As long as email is traversing MailScanner quickly (sub 30 seconds) load Ave doesn't mean much. 
-- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From daniel.maher at ubisoft.com Tue Aug 15 19:53:05 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Tue Aug 15 19:53:07 2006 Subject: MailScanner load Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D0D7@UBIMAIL1.ubisoft.org> I had three machines running MailScanner, doing around 500,000 mails per day across the group. Load was constantly around 20, and mail delays were rampant. Then I subscribed to the TrendMicro RBL, and integrated LDAP for destination verification at the MTA layer. The amount of mail that actually reaches MailScanner has been reduced by about 92% (not a typo, actual tracked statistic). The moral of the story is this: Adding more hardware is one thing. Tweaking MailScanner is another. But actually taking steps to eliminate spam at the earliest possible point - that's where you'll find real performance improvements. -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Gordon Colyn > Sent: August 15, 2006 2:36 PM > To: MailScanner discussion > Subject: Re: MailScanner load > > I had the same problem with my box, maxed the load at about 5-6 doing 20k > messages per day. 
Just increased my ram to 4gb and have seen the load drop > to between 0.50 and 1.50 max when looking at stats with mailscanner! Now > doing 25k and growing to 30k and the load is sitting at approx .75 to 1.5. > > Gordon > > > > ----- Original Message ----- > From: "Jeremy Blonde" > To: "MailScanner discussion" > Sent: Tuesday, August 15, 2006 8:26 PM > Subject: MailScanner load > > > I've been wanting to use Bayes for our mailscanner system, but I'm > wondering now if the overhead is worth it. We have a new mailscanner > box running with Postfix (under Gentoo Linux) and it works pretty well, > we're filtering between 75-80% of our mail as spam. The box however, is > hammered, it's running around 5-6 with spikes to 8-9. I've just turned > off bayes and I'll see how the load is once it's processed all the back > logged messages. We're averaging about 15,000-20,000 messages a day > (probably more once the school year starts). Mailscanner is running on > an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. > > Is that normal for using bayes with mailscanner or do I need to tweak > some things? > > (I'm already using tmpfs for a little bit of a speed up). > > Jeremy Blonde > Instructional Technology - Server Support > Grant Joint Union School District
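How much mail an MTA turns away before it is ever queued for MailScanner, the figure Daniel quotes, can be measured from the MTA log. The script below is an added example, not code from this thread: it assumes Postfix smtpd log lines (the original poster's MTA), and the sample lines, host names and DNSBL name are constructed.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd log lines (not taken from the thread).
SAMPLE_LOG = """\
Aug 15 19:50:01 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using dnsbl.example.net; from=<a@spam.example> to=<jo@school.example> proto=SMTP helo=<pc1>
Aug 15 19:50:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 <nobody@school.example>: Recipient address rejected: User unknown in local recipient table; from=<b@spam.example> to=<nobody@school.example> proto=SMTP helo=<pc2>
Aug 15 19:50:03 mx1 postfix/smtpd[2102]: 3F2A18EA9A: client=mail.partner.example[198.51.100.7]
Aug 15 19:50:04 mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 554 Service unavailable; Client host [192.0.2.12] blocked using dnsbl.example.net; from=<c@spam.example> to=<jo@school.example> proto=SMTP helo=<pc3>
Aug 15 19:50:05 mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[192.0.2.14]: 554 <x@other.example>: Relay access denied; from=<d@spam.example> to=<x@other.example> proto=SMTP helo=<pc5>
Aug 15 19:50:06 mx1 postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 554 Service unavailable; Client host [192.0.2.15] blocked using dnsbl.example.net; from=<e@spam.example> to=<al@school.example> proto=SMTP helo=<pc6>
Aug 15 19:50:07 mx1 postfix/smtpd[2104]: NOQUEUE: reject: RCPT from unknown[192.0.2.16]: 550 <gone@school.example>: Recipient address rejected: User unknown in local recipient table; from=<f@spam.example> to=<gone@school.example> proto=SMTP helo=<pc7>
Aug 15 19:50:08 mx1 postfix/smtpd[2105]: 82E008EA9B: client=mail.partner.example[198.51.100.7]
"""

SMTPD = re.compile(r"postfix/smtpd\[\d+\]: ")
# A queue ID followed by client= marks a message that was accepted and queued.
ACCEPT = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-F]{6,}: client=")


def classify(line):
    """Name the reason for a NOQUEUE rejection from the text Postfix logs."""
    if "blocked using" in line:
        return "dnsbl"
    if "User unknown" in line:
        return "unknown_recipient"
    return "other"


def summarize(log_text):
    """Return (accepted, rejected-by-reason, fraction stopped at the MTA).

    Rejections are logged per recipient and acceptances per message, so the
    fraction is an approximation when messages carry several recipients.
    """
    accepted = 0
    rejected = Counter()
    for line in log_text.splitlines():
        if "NOQUEUE: reject:" in line and SMTPD.search(line):
            rejected[classify(line)] += 1
        elif ACCEPT.search(line):
            accepted += 1
    total = accepted + sum(rejected.values())
    stopped = sum(rejected.values()) / total if total else 0.0
    return accepted, rejected, stopped


if __name__ == "__main__":
    acc, rej, frac = summarize(SAMPLE_LOG)
    print(f"queued for scanning: {acc}, rejected: {dict(rej)}, stopped: {frac:.0%}")
```
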
From Kevin_Miller at ci.juneau.ak.us Tue Aug 15 20:46:28 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Aug 15 20:46:36 2006 Subject: MailScanner load In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D0D7@UBIMAIL1.ubisoft.org> Message-ID: Daniel Maher wrote: > I had three machines running MailScanner, doing around 500,000 mails > per day across the group. Load was constantly around 20, and mail > delays were rampant. > > Then I subscribed to the TrendMicro RBL, and integrated LDAP for > destination verification at the MTA layer. The amount of mail that > actually reaches MailScanner has been reduced by about 92% (not a > typo, actual tracked statistic). > > The moral of the story is this: Adding more hardware is one thing. > Tweaking MailScanner is another. But actually taking steps to > eliminate spam at the earliest possible point - that's where you'll > find real performance improvements. I agree with Daniel here. Not sure if the OP is running Postfix or sendmail (too lazy to go back and look) but I saw a tremendous drop in the number of inbound messages getting past my MTA just turning on greet_pause in sendmail. Anything that can stop the spam messages during the handshaking will lighten the load on your servers considerably... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From ssilva at sgvwater.com Tue Aug 15 20:51:31 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 15 20:52:00 2006 Subject: no check for a user In-Reply-To: <20060815162122.GA9977@pegaso.fisica.unam.mx> References: <20060815162122.GA9977@pegaso.fisica.unam.mx> Message-ID: Javier Martinez spake the following on 8/15/2006 9:21 AM: > Hi everybody, > > I have a problematic user, I have working mailscanner and spamassassin, but my user is complaining all time about his email. 
Is there any possibility to use > mailscanner for all my users and don't check email for this user?? > > Thanks a lot. > > Javier Why not just make sure his messages aren't signed or the subject lines aren't modified? Then he might just happily think you caved in to him. ;-) Then you are still protecting the rest of your users from his foolishness. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Aug 15 20:58:49 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 15 20:59:27 2006 Subject: MailScanner load In-Reply-To: References: Message-ID: Jeremy Blonde spake the following on 8/15/2006 11:26 AM: > I've been wanting to use Bayes for our mailscanner system, but I'm > wondering now if the overhead is worth it. We have a new mailscanner > box running with Postfix (under Gentoo Linux) and it works pretty well, > we're filtering between 75-80% of our mail as spam. The box however, is > hammered, it's running around 5-6 with spikes to 8-9. I've just turned > off bayes and I'll see how the load is once it's processed all the back > logged messages. We're averaging about 15,000-20,000 messages a day > (probably more once the school year starts). Mailscanner is running on > an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. > > Is that normal for using bayes with mailscanner or do I need to tweak > some things? > > (I'm already using tmpfs for a little bit of a speed up). > > Jeremy Blonde > Instructional Technology - Server Support > Grant Joint Union School District If you are using the default of 5 children per cpu with that little ram, you will probably swap. And a hyper-threaded proc isn't exactly the same as 2 processors. If you can't add ram, try backing off with the number of children, probably one at a time, until you get to the point of stabilization. You should be able to process that load with 2 - 3 children if the mail comes in evenly.
-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From mike at tc3net.com Tue Aug 15 21:07:04 2006 From: mike at tc3net.com (Michael Baird) Date: Tue Aug 15 21:00:32 2006 Subject: MailScanner load In-Reply-To: References: Message-ID: <1155672424.14194.10.camel@mike-new2.tc3net.com> On Tue, 2006-08-15 at 11:46 -0800, Kevin Miller wrote: > Daniel Maher wrote: > > I had three machines running MailScanner, doing around 500,000 mails > > per day across the group. Load was constantly around 20, and mail > > delays were rampant. > > > > Then I subscribed to the TrendMicro RBL, and integrated LDAP for > > destination verification at the MTA layer. The amount of mail that > > actually reaches MailScanner has been reduced by about 92% (not a > > typo, actual tracked statistic). > > > > The moral of the story is this: Adding more hardware is one thing. > > Tweaking MailScanner is another. But actually taking steps to > > eliminate spam at the earliest possible point - that's where you'll > > find real performance improvements. > > I agree with Daniel here. Not sure if the OP is running Postfix or > sendmail (too lazy to go back and look) but I saw a tremendous drop in > the number of inbound messages getting past my MTA just turning on > greet_pause in sendmail. Anything that can stop the spam messages > during the handshaking will lighten the load on your servers > considerably... To beat a dead horse from another recent thread, check out greylist-milter, on my system it had a bigger impact than sendmail's greet_pause, took the load down nicely.
Regards Michael Baird From bbecken at aafp.org Tue Aug 15 21:10:46 2006 From: bbecken at aafp.org (Brad Beckenhauer) Date: Tue Aug 15 21:11:07 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <009001c6c036$7e575f20$5864a8c0@jonlaptop> References: <009001c6c036$7e575f20$5864a8c0@jonlaptop> Message-ID: <44E1E3F4.D87E.0068.3@aafp.org> >>>> jon.bates@summitmotors.com.au 8/15/2006 1:46 AM >>> > >Hi, > >I was just wondering what people's opinions were on running multiple virus >scanners with MailScanner. I'm currently only running ClamAV, and I was >thinking about running one or two more. >Could someone recommend what other scanner/s to use? My main concern is >system resources. I would like something that doesn't load up the server too >much more as ClamAV is quite light on resources from my experience with it. > >- Jon Which of these Anti-virus products can run headless without any X or GUI installed? From daniel.maher at ubisoft.com Tue Aug 15 21:34:40 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Tue Aug 15 21:34:44 2006 Subject: OT - Multiple Virus Scanners Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20226D0DB@UBIMAIL1.ubisoft.org> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brad Beckenhauer > Sent: August 15, 2006 4:11 PM > To: mailscanner@lists.mailscanner.info > Subject: Re: OT - Multiple Virus Scanners > > Which of these Anti-virus products can run headless without any X or > GUI installed? We use ClamAV on our incoming mail relays, which are 1U servers stacked into a cabinet at our data centre a few kilometers away. Needless to say, they are headless, and don't have X capabilities. -- Daniel Maher Administrateur Système Unix Unix System Administrator Sentio aliquos togatos contra me conspirare.
From alex at nkpanama.com Tue Aug 15 21:38:13 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Aug 15 21:38:37 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <44E1E3F4.D87E.0068.3@aafp.org> References: <009001c6c036$7e575f20$5864a8c0@jonlaptop> <44E1E3F4.D87E.0068.3@aafp.org> Message-ID: <44E230B5.3050701@nkpanama.com> Brad Beckenhauer wrote: >>>>> jon.bates@summitmotors.com.au 8/15/2006 1:46 AM >>> >> Hi, >> >> I was just wondering what peoples opinions were on running multiple > virus >> scanners with MailScanner. I'm currently only running ClamAV, and I > was >> thinking about running one or two more. >> Could someone recommend what other scanner/s to use? My main concern > is >> system resources. I would like something that doesn't load up the > server too >> much more as ClamAV is quite light on resources from my experience > with it. >> - Jon > > Which of these Anti-virus products can run headless without any X or > GUI installed? All of them IIRC... From alex at nkpanama.com Tue Aug 15 21:41:29 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Aug 15 21:41:39 2006 Subject: MailScanner load In-Reply-To: <44E1CE66.65ED.00A2.0@plattesheriff.org> References: <44E1CE66.65ED.00A2.0@plattesheriff.org> Message-ID: <44E23179.5070009@nkpanama.com> You *do* know that MailScanner causes swap, don't you? ;-) Rob Poe wrote: > What's your swap utilization? 1gig of ram using tempfs and MailScanner > sounds like too little ram... > > > >>>> "Jeremy Blonde" 8/15/2006 1:26 PM >>>> > I've been wanting to use Bayes for our mailscanner system, but I'm > wondering now if the overhead is worth it. We have a new mailscanner > box running with Postfix (under Gentoo Linux) and it works pretty > well, > we're filtering between 75-80% of our mail as spam. The box however, > is > hammered, it's running around 5-6 with spikes to 8-9. 
I've just turned > off bayes and I'll see how the load is once it's processed all the back > logged messages. We're averaging about 15,000-20,000 messages a day > (probably more once the school year starts). Mailscanner is running on > an HP DL320, hyper-threaded proc, 1 GB of RAM, and raid 1 drives. > > Is that normal for using bayes with mailscanner or do I need to tweak > some things? > > (I'm already using tmpfs for a little bit of a speed up). > > Jeremy Blonde > Instructional Technology - Server Support > Grant Joint Union School District From alex at nkpanama.com Tue Aug 15 21:43:35 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Aug 15 21:43:45 2006 Subject: Specific From and To check rule In-Reply-To: <4B7800CC946F56478051DD71855D6E6C0346220A@POSTALSTATION> References: <4B7800CC946F56478051DD71855D6E6C0346220A@POSTALSTATION> Message-ID: <44E231F7.1060203@nkpanama.com> Feasey, Nicholas wrote: > Forgive me if this has been discussed before... > > Is there a simple method in which MailScanner can be told to check the > From and the To address and, if it's from the same person, reject it. > > I want to stop those messages that state: > > From: @ > To: @ > > ...which are really annoying. > > N Create a ruleset: in %rules-dir%/spam.blacklist.rules

    FromOrTo: default no
    From: user1@domain.com and To: user1@domain.com yes
    ...
    From: user99@domain.com and To: user99@domain.com yes

Sounds silly, and resource-wasteful, but it should get the job done, I think.
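The ruleset in the reply above needs one line per local address, so it is easier to generate than to type. The following is an added example, not code from this thread: `build_ruleset` emits lines in the shape shown above from a list of addresses, and `is_blacklisted` is a simplified model (exact, case-insensitive address match, first matching rule wins) used only to check the generated text, not MailScanner's own matcher. Both function names and the sample addresses are assumptions.

```python
import re

# Only the two line shapes used in the reply above are modelled here.
RULE = re.compile(r"^From:\s*(\S+)\s+and\s+To:\s*(\S+)\s+(yes|no)$", re.I)
DEFAULT = re.compile(r"^FromOrTo:\s*default\s+(yes|no)$", re.I)


def build_ruleset(addresses):
    """Return ruleset text with one 'From: X and To: X yes' line per address."""
    lines = ["FromOrTo: default no"]
    for addr in sorted({a.strip().lower() for a in addresses if a.strip()}):
        # Refuse anything that would break the whitespace-separated format.
        if any(c.isspace() for c in addr) or addr.count("@") != 1:
            raise ValueError(f"not a plain address: {addr!r}")
        lines.append(f"From: {addr} and To: {addr} yes")
    return "\n".join(lines) + "\n"


def is_blacklisted(ruleset, sender, recipient):
    """Simplified evaluation: first matching rule decides, else the default."""
    default = False
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        d = DEFAULT.match(line)
        if d:
            default = d.group(1).lower() == "yes"
            continue
        r = RULE.match(line)
        if not r:
            raise ValueError(f"unsupported rule line: {line!r}")
        if (sender.lower(), recipient.lower()) == (r.group(1).lower(), r.group(2).lower()):
            return r.group(3).lower() == "yes"
    return default


if __name__ == "__main__":
    # Constructed address list; in practice it would come from the user directory.
    rules = build_ruleset(["user1@domain.com", "user2@domain.com"])
    print(rules, end="")
    print(is_blacklisted(rules, "user1@domain.com", "user1@domain.com"))
```

A user who mails a note to their own address matches the same rule, so that mail is treated as blacklisted too.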
From alex at nkpanama.com Tue Aug 15 21:50:24 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Aug 15 21:50:34 2006 Subject: OT: Misconfigured SA in SpamAssassin (ALL_TRUSTED) Message-ID: <44E23390.7090909@nkpanama.com> If someone here knows who the admin is for "netnation.nl" or "rinexpro.com" or "hostingconcepts", let them know that their ALL_TRUSTED is misfiring and letting an advance_fee message through their servers and getting them blacklisted. Check headers at "http://pastebin.ca/133329" if you need more info. From ssilva at sgvwater.com Tue Aug 15 21:59:41 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 15 22:00:30 2006 Subject: OT - Multiple Virus Scanners In-Reply-To: <44E1E3F4.D87E.0068.3@aafp.org> References: <009001c6c036$7e575f20$5864a8c0@jonlaptop> <44E1E3F4.D87E.0068.3@aafp.org> Message-ID: Brad Beckenhauer spake the following on 8/15/2006 1:10 PM: >>>>> jon.bates@summitmotors.com.au 8/15/2006 1:46 AM >>> >> Hi, >> >> I was just wondering what peoples opinions were on running multiple > virus >> scanners with MailScanner. I'm currently only running ClamAV, and I > was >> thinking about running one or two more. >> Could someone recommend what other scanner/s to use? My main concern > is >> system resources. I would like something that doesn't load up the > server too >> much more as ClamAV is quite light on resources from my experience > with it. >> - Jon > > Which of these Anti-virus products can run headless without any X or > GUI installed? MailScanner uses the command-line version of anti-virus products, so all of them if they still sell or have a command-line version available. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From mauriciopcavalcanti at hotmail.com Tue Aug 15 22:03:16 2006 From: mauriciopcavalcanti at hotmail.com (Mauricio) Date: Tue Aug 15 22:05:15 2006 Subject: OT: Sendmail Violence In-Reply-To: Message-ID: Hi, I'm using Gentoo, sendmail and MS 4.56.1 and it was made to filter SPAM and redirect to an internal Exchange. I use ForkEachJob=true in sendmail. This morning, my internal Exchange crashed and made my queue (not mqueue.in) grow rapidly. When Exchange returned, I used the sendmail -q command and my load grew to 400. After that, I could not work and everything seemed to be stopped for about 1 minute. When my server woke up (after this sendmail violence), I had no queue and no load. Does anyone know a way to limit sendmail so that it does not make a DoS on itself? Thanks in advance and sorry for the OT, Mauricio. From ssilva at sgvwater.com Tue Aug 15 22:01:18 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 15 22:05:20 2006 Subject: MailScanner load In-Reply-To: <44E23179.5070009@nkpanama.com> References: <44E1CE66.65ED.00A2.0@plattesheriff.org> <44E23179.5070009@nkpanama.com> Message-ID: Alex Neuman van der Hans spake the following on 8/15/2006 1:41 PM: > You *do* know that MailScanner causes swap, don't you? ;-) > Some things never die! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From akostocker at gmail.com Tue Aug 15 23:04:06 2006 From: akostocker at gmail.com (Tony Stocker) Date: Tue Aug 15 23:04:09 2006 Subject: Whitelisting doesn't appear to work Message-ID: <7801ad8f0608151504v179f4f65pdb0b9307404df841@mail.gmail.com> Hello All, I've set some entries in /etc/MailScanner/rules/spam.whitelist.rules because I have had several messages marked as spam that were actually the MailScanner "Virus Detected" messages.
I'm modifying the addresses slightly to protect myself, but let's say that my mailserver's address is "197.100.235.132", this then is the entry that I have in the spam.whitelist.rules file: From: 197.100.235. yes However, I am still getting "Virus Detected" messages marked as spam, (see slightly munged example below) even with this entry. What am I doing wrong? -------------------------------------------------------------------------------------------------------------------------- Return-Path: X-Original-To: postmaster Delivered-To: tony.stocker@pps-mail.example.com Received: by pps-mail.example.com (Postfix, from userid 89) id 82E008EA9A; Tue, 15 Aug 2006 17:49:21 -0400 (EDT) From: "MailScanner" To: postmaster@pps-mail.example.com Subject: { SPAM } Virus Detected Content-type: text/plain; charset=ISO-8859-1 Message-Id: <20060815214921.82E008EA9A@pps-mail.example.com> Date: Tue, 15 Aug 2006 17:49:21 -0400 (EDT) MIME-Version: 1.0 X-PPS-MailScanner-Information: Please contact the ISP for more information X-PPS-MailScanner: Found to be clean X-PPS-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=3.723, required 3, BAYES_50 0.00, INFO_TLD 1.27, NO_RELAYS -0.00, SPOOF_COM2COM 2.45) X-PPS-MailScanner-SpamScore: sss X-PPS-MailScanner-From: postmaster@pps-mail.example.com X-Spam-Status: Yes The following e-mails were found to have: Virus Detected Sender: supprefnum48150724253494id@53.com IP Address: 197.100.235.38 Recipient: john.smithson@pps-mail.example.com Subject: Important Banking Mail From Fifth Third Bank MessageID: 86EEE8EA30.069FE Quarantine: Report: ClamAV Module: msg-30327-71.html was infected: HTML.Phishing.Bank-627 -------------------------------------------------------------------------------------------------------------------------- From alex at nkpanama.com Tue Aug 15 23:12:25 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Aug 15 23:12:37 2006 Subject: Whitelisting doesn't appear to work In-Reply-To: 
<7801ad8f0608151504v179f4f65pdb0b9307404df841@mail.gmail.com> References: <7801ad8f0608151504v179f4f65pdb0b9307404df841@mail.gmail.com> Message-ID: <44E246C9.4080302@nkpanama.com> Then your server probably didn't mark it as SPAM, somebody