From jon.bates at summitmotors.com.au  Fri Dec  1 04:01:10 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Fri Dec  1 04:01:25 2006
Subject: Viruses being blocked by filename rules,
	not being picked up by ClamAV
Message-ID: <200612010401.kB141BNf023636@summitmotors.com.au>



I've changed something, and viruses are no longer being picked up by Clamav,
but they are being picked up by the filename rules blocking executables
instead. I checked the obvious settings (Virus Scanning, Virus Scanner
Definitions etc)..

I'm not sure what I've done to cause this. It's obviously having a negative
affect on my reporting, as well as causing my server trying to send 'blocked
filename' reports to the spoofed sender addresses of the virus emails - eek!

Any suggestions would be appreciated.

Thanks!

Jon

From r.berber at computer.org  Fri Dec  1 04:26:54 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Fri Dec  1 04:27:06 2006
Subject: Viruses being blocked by filename rules, not being picked up
 by ClamAV
In-Reply-To: <200612010401.kB141BNf023636@summitmotors.com.au>
References: <200612010401.kB141BNf023636@summitmotors.com.au>
Message-ID: <ekoaue$trv$1@sea.gmane.org>

Jon Bates wrote:
> 
> I've changed something, and viruses are no longer being picked up by Clamav,
> but they are being picked up by the filename rules blocking executables
> instead. I checked the obvious settings (Virus Scanning, Virus Scanner
> Definitions etc)..
> 
> I'm not sure what I've done to cause this. It's obviously having a negative
> affect on my reporting, as well as causing my server trying to send 'blocked
> filename' reports to the spoofed sender addresses of the virus emails - eek!
> 
> Any suggestions would be appreciated.

What version of clamav do you have installed?  I'm not sure but there was some
reports about 0.90rc2 not working with MS, you can revert to 0.88.6 .

Check the obvious, does the MS log show that messages are being scanned for viruses?

If not, then check MS configuration file, see if clamavmodule is set in "Virus
Scanners".
-- 
Ren? Berber

From jon.bates at summitmotors.com.au  Fri Dec  1 05:35:38 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Fri Dec  1 05:35:47 2006
Subject: Viruses being blocked by filename rules,
	not being picked up by ClamAV
Message-ID: <200612010535.kB15ZdbF013064@summitmotors.com.au>

Ren? Berber Wrote:
 
> What version of clamav do you have installed?  I'm not sure but there was
some
> reports about 0.90rc2 not working with MS, you can revert to 0.88.6 .

> Check the obvious, does the MS log show that messages are being scanned
for viruses?

> If not, then check MS configuration file, see if clamavmodule is set in
"Virus
> Scanners".
> -- 
> Ren? Berber


Thanks for the reply Rene,
 
Current ClamAV version is 0.88.6.
 
Log shows: 
 
Dec  1 16:31:43  MailScanner[28665]: New Batch: Found 2 messages waiting
Dec  1 16:31:43  MailScanner[28665]: New Batch: Scanning 1 messages, 10461
bytes
Dec  1 16:31:44  MailScanner[28515]: Virus and Content Scanning: Starting

... so I assume this means that it's working?
 
Option: Virus Scanners = clamav
 
 
There's nothing obvious that I can see from that :(

From febrianto at sioenasia.com  Fri Dec  1 06:21:33 2006
From: febrianto at sioenasia.com (Budi Febrianto)
Date: Fri Dec  1 06:16:42 2006
Subject: Viruses being blocked by filename rules,
	not being picked up by ClamAV
In-Reply-To: <200612010535.kB15ZdbF013064@summitmotors.com.au>
Message-ID: <OF900954EB.B5555A91-ON47257237.00228B61-47257237.0022B5A9@sioenasia.com>



mailscanner-bounces@lists.mailscanner.info wrote on 12/01/2006 12:35:38 PM:

> Ren? Berber Wrote:
>
> > What version of clamav do you have installed?  I'm not sure but there
was
> some
> > reports about 0.90rc2 not working with MS, you can revert to 0.88.6 .
>
> > Check the obvious, does the MS log show that messages are being scanned
> for viruses?
>
> > If not, then check MS configuration file, see if clamavmodule is set in
> "Virus
> > Scanners".
> > --
> > Ren? Berber
>
>
> Thanks for the reply Rene,
>
> Current ClamAV version is 0.88.6.
>
> Log shows:
>
> Dec  1 16:31:43  MailScanner[28665]: New Batch: Found 2 messages waiting
> Dec  1 16:31:43  MailScanner[28665]: New Batch: Scanning 1 messages,
10461
> bytes
> Dec  1 16:31:44  MailScanner[28515]: Virus and Content Scanning: Starting
>
> ... so I assume this means that it's working?
>
> Option: Virus Scanners = clamav
>
>
> There's nothing obvious that I can see from that :(

I think I have the same problem, not exactly the same.
Viruses are still detected, but there are some suspicous virus but not
detected by clamav, but by filename rules. One of the file is
update-something.exe.
MailScanner version 4.54.6 with clamav 0.88.6

Budi Febrianto

From r.berber at computer.org  Fri Dec  1 06:16:33 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Fri Dec  1 06:18:26 2006
Subject: Viruses being blocked by filename rules, not being picked up
 by ClamAV
In-Reply-To: <200612010535.kB15ZdbF013064@summitmotors.com.au>
References: <200612010535.kB15ZdbF013064@summitmotors.com.au>
Message-ID: <ekohc1$gpf$1@sea.gmane.org>

Jon Bates wrote:
[snip]
> Current ClamAV version is 0.88.6.
>  
> Log shows: 
>  
> Dec  1 16:31:43  MailScanner[28665]: New Batch: Found 2 messages waiting
> Dec  1 16:31:43  MailScanner[28665]: New Batch: Scanning 1 messages, 10461
> bytes
> Dec  1 16:31:44  MailScanner[28515]: Virus and Content Scanning: Starting
> 
> ... so I assume this means that it's working?

Yes, it means that MS is going through the virus scan phase.

>  
> Option: Virus Scanners = clamav

Have you tried changing this into "Virus Scanners = clamavmodule".  This change
means something different of what you are using, option clamav uses the
lib/clamav-wrapper, clamavmodule uses the perl module (which you may, or may not
have installed -- `cpan -D Mail::ClamAV` will show if it is installed).

Or using the option as you have it, check virus.scanners.conf to see if the
corresponding line is correct.  Also, if you changed the wrapper, see what is
being executed (clamscan or clamdscan) and what options are used (with clamscan
the options are passed as parameters, with clamdscan the options are in
/etc/clamd.conf).  If using clamdscan, see if clamd is running.
-- 
Ren? Berber

From taz at taz-mania.com  Fri Dec  1 06:50:14 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Fri Dec  1 06:50:22 2006
Subject: OT: Alpha of Milter-Spamtrap
Message-ID: <456FD0A6.4020005@taz-mania.com>

I put an alpha version of milter-spamtrap up on sourceforge.
http://sourceforge.net/projects/milter-spamtrap

I will do more testing this weekend and upload a new version. If anyone 
wants to download it and look it over that would be great.
I am also looking for some input on something. Originally, I had thought 
you would have a choice as to only save the IP addresses in a file or 
use the MySQL database or both. However, when I think back to when I did 
my dedicated spamtrap I hit about 1 million entries in a relatively 
short time. I think that is way too many for text files. I think I 
should keep the text files only for debug purposes, I think it would be 
un-workable to have it read in a million IP addresses from a text file 
on startup to do the blocking.

Features:
    - external editable text configuration file;
    - whitelists by an IP address (CIDR notation)
    - blocks servers that have previously sent Spam
    - fast in-memory cache of blacklisted servers
    - cache entries time-out after an hour so if they have been removed from
      the database they will go away. If milter-spamtrap receives 
another Spam
      from the same server, it will find it in the database and place it 
in the
      cache for another hour (only works with MySQL database support)
    - optional MySQL database of blacklisted servers
    - optional saving of Spam headers and/or body to show what caused the
      offending server to be placed on the blacklist
    - optional cron job to convert database entries to a BIND DNSBL zone 
file
      so you can share your blacklist with others
    - ability to mark an IP address as 'inactive' but not lose the listing
      so that a history can be maintained (only available when logging to a
      MySQL database)
    - ability to have one or more individual email addresses defined as 
honeypots
    - ability to have one or more whole domains defined as honeypots
    - optional extensive debug logging

From dhawal at netmagicsolutions.com  Fri Dec  1 09:03:51 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Dec  1 09:04:05 2006
Subject: Block Backscatter Mails?
In-Reply-To: <456F2854.70501@net-com.de>
References: <456F1B6F.2090509@net-com.de> <456F231D.3020509@fsl.com>
	<456F2854.70501@net-com.de>
Message-ID: <456FEFF7.1010003@netmagicsolutions.com>

Matthias Kellermann wrote:
> Hi Steve,
> 
> Steve Freegard schrieb:
>> Hi Matthias,
>>
>> If you are using Sendmail - check out milter-null:
>> http://www.snertsoft.com/sendmail/milter-null/
>>
>> Cheers,
>> Steve.
> Thanks for your answer.
> 
> I'm using Postfix so I don't think I can use milter-null, can I?
> 
> Are there other plugins I could use?
> 
> Best Regards,
> Matthias

postfix > 2.3 supports the milter specification.. also read this 
http://www.postfix.org/BACKSCATTER_README.html AND search the postfix 
archives.

- dhawal
From vinay_poojary2000 at yahoo.co.in  Fri Dec  1 09:14:01 2006
From: vinay_poojary2000 at yahoo.co.in (vinay poojary)
Date: Fri Dec  1 09:14:12 2006
Subject: thks for the mailscanner  tool
Message-ID: <58837.36610.qm@web8313.mail.in.yahoo.com>

Dear Sir,
   
  I am using mailscanner with sendmail.The sendmail is installed with smtp-auth .I have no such problems with mailscanner .I am just enjoying the mailscanner configuration . 
   
  But presently i am facing the problem of addres spoofing .The people in my own company can change the from address and send mail to anyone via smtp auth .Is there any way i could stop these address spoofing .
   
  Thks in advance .
   
  Regards,
  vinay poojary 

 				
---------------------------------
 Find out what India is talking about on  - Yahoo! Answers India 
 Send FREE SMS to your friend's mobile from Yahoo! Messenger Version 8. Get it NOW
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061201/c6ef7cf8/attachment.html
From dhawal at netmagicsolutions.com  Fri Dec  1 09:22:28 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Dec  1 09:22:48 2006
Subject: thks for the mailscanner  tool
In-Reply-To: <58837.36610.qm@web8313.mail.in.yahoo.com>
References: <58837.36610.qm@web8313.mail.in.yahoo.com>
Message-ID: <456FF454.7050508@netmagicsolutions.com>

vinay poojary wrote:
> Dear Sir,
>  
> I am using mailscanner with sendmail.The sendmail is installed with 
> smtp-auth .I have no such problems with mailscanner .I am just enjoying 
> the mailscanner configuration .
>  
> But presently i am facing the problem of addres spoofing .The people in 
> my own company can change the from address and send mail to anyone via 
> smtp auth .Is there any way i could stop these address spoofing .

This totally depends on your MTA (mailscanner comes much later in the 
picture).. for instance postfix can do this using 
reject_sender_login_mismatch (qmail can do this as well with an addon 
patch). Don't know about sendmail, maybe some sendmail experts can shed 
some more light,

- dhawal
From martinh at solidstatelogic.com  Fri Dec  1 09:24:27 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Dec  1 09:24:34 2006
Subject: thks for the mailscanner  tool
In-Reply-To: <58837.36610.qm@web8313.mail.in.yahoo.com>
References: <58837.36610.qm@web8313.mail.in.yahoo.com>
Message-ID: <456FF4CB.80008@solidstatelogic.com>

vinay poojary wrote:
> Dear Sir,
>  
> I am using mailscanner with sendmail.The sendmail is installed with 
> smtp-auth .I have no such problems with mailscanner .I am just enjoying 
> the mailscanner configuration .
>  
> But presently i am facing the problem of addres spoofing .The people in 
> my own company can change the from address and send mail to anyone via 
> smtp auth .Is there any way i could stop these address spoofing .
>  
> Thks in advance .
>  
> Regards,
> vinay poojary
> 
>

Vinay

1st point of call on this is a proper Acceptable Use Policy. If they use 
business computers for non-work things, they go the normal disciplinary 
procedures, or even straight to dismissal under gross misconduct. (never 
under estimate the power of HR policy!).

next bit depends on how the desktops are configured and how/why they can 
do this..

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From dhawal at netmagicsolutions.com  Fri Dec  1 09:34:37 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Dec  1 09:34:47 2006
Subject: thks for the mailscanner  tool
In-Reply-To: <456FF4CB.80008@solidstatelogic.com>
References: <58837.36610.qm@web8313.mail.in.yahoo.com>
	<456FF4CB.80008@solidstatelogic.com>
Message-ID: <456FF72D.6060202@netmagicsolutions.com>

Martin Hepworth wrote:
> vinay poojary wrote:
>> Dear Sir,
>>  
>> I am using mailscanner with sendmail.The sendmail is installed with 
>> smtp-auth .I have no such problems with mailscanner .I am just 
>> enjoying the mailscanner configuration .
>>  
>> But presently i am facing the problem of addres spoofing .The people 
>> in my own company can change the from address and send mail to anyone 
>> via smtp auth .Is there any way i could stop these address spoofing .
>>  
>> Thks in advance .
>>  
>> Regards,
>> vinay poojary
> 
> Vinay
> 
> 1st point of call on this is a proper Acceptable Use Policy. If they use 
> business computers for non-work things, they go the normal disciplinary 
> procedures, or even straight to dismissal under gross misconduct. (never 
> under estimate the power of HR policy!).

i agree that this can taken up at a different level (read as catbert), i 
also think that poor passwords are also responsible for sender spoofing. 
We had a case a year back, where a "secure" SMTP server was used for UBE 
(via a korean IP), using authentication that was quite easy to guess 
(password = username). Now we now enforce stricter passwords ;-)

- dhawal
From john at tradoc.fr  Fri Dec  1 09:40:44 2006
From: john at tradoc.fr (John Wilcock)
Date: Fri Dec  1 09:40:54 2006
Subject: Heads up: New versions of F-Prot Antivirus for all UNIX platforms
Message-ID: <456FF89C.1010206@tradoc.fr>

<http://www.f-prot.com/news/gen_news/061201_release_unix467.html>

FRISK Software has released versions 4.6.7 of F-Prot Antivirus for all 
UNIX platforms.

These newest versions of F-Prot Antivirus for UNIX provide important 
bugfixes and fix a previously reported security flaw.

...

John.

-- 
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr
From ljosnet at gmail.com  Fri Dec  1 10:57:19 2006
From: ljosnet at gmail.com (emm1)
Date: Fri Dec  1 10:57:22 2006
Subject: Blocking e-mail with special characters in username
Message-ID: <910ee2ac0612010257m2936e7b3ie55c0d8f1535f4d6@mail.gmail.com>

I have been having alot of e-mails like this one
from=<biographicalparallelism's@acbm.com>. How can I block e-mail that
contain characters like ' in the username/domain field?

Thanks!
From martinh at solidstatelogic.com  Fri Dec  1 11:06:06 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Dec  1 11:06:58 2006
Subject: Blocking e-mail with special characters in username
In-Reply-To: <910ee2ac0612010257m2936e7b3ie55c0d8f1535f4d6@mail.gmail.com>
References: <910ee2ac0612010257m2936e7b3ie55c0d8f1535f4d6@mail.gmail.com>
Message-ID: <45700C9E.8020902@solidstatelogic.com>

emm1 wrote:
> I have been having alot of e-mails like this one
> from=<biographicalparallelism's@acbm.com>. How can I block e-mail that
> contain characters like ' in the username/domain field?
> 
> Thanks!
best to look at what SA you've got.

Can you pastbin an example email with full headers etc and I can run it 
over my system to get an idea of what my compresive system will fire..

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From ljosnet at gmail.com  Fri Dec  1 11:34:21 2006
From: ljosnet at gmail.com (emm1)
Date: Fri Dec  1 11:34:24 2006
Subject: Blocking e-mail with special characters in username
In-Reply-To: <45700C9E.8020902@solidstatelogic.com>
References: <910ee2ac0612010257m2936e7b3ie55c0d8f1535f4d6@mail.gmail.com>
	<45700C9E.8020902@solidstatelogic.com>
Message-ID: <910ee2ac0612010334n24e10e61i15461db56ada9a45@mail.gmail.com>

Unfortunately I can't see because this server is a mail gateway
relay'ing to another server I have no access to. I was looking for a
way to block this at MTA level if possible.

On 12/1/06, Martin Hepworth <martinh@solidstatelogic.com> wrote:
> emm1 wrote:
> > I have been having alot of e-mails like this one
> > from=<biographicalparallelism's@acbm.com>. How can I block e-mail that
> > contain characters like ' in the username/domain field?
> >
> > Thanks!
> best to look at what SA you've got.
>
> Can you pastbin an example email with full headers etc and I can run it
> over my system to get an idea of what my compresive system will fire..
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
From john at tradoc.fr  Fri Dec  1 11:37:16 2006
From: john at tradoc.fr (John Wilcock)
Date: Fri Dec  1 11:37:21 2006
Subject: Blocking e-mail with special characters in username
In-Reply-To: <910ee2ac0612010257m2936e7b3ie55c0d8f1535f4d6@mail.gmail.com>
References: <910ee2ac0612010257m2936e7b3ie55c0d8f1535f4d6@mail.gmail.com>
Message-ID: <457013EC.9060504@tradoc.fr>

emm1 wrote:
> I have been having alot of e-mails like this one
> from=<biographicalparallelism's@acbm.com>. How can I block e-mail that
> contain characters like ' in the username/domain field?
> 
> Thanks!

I've been seeing a few of these, but all have scored well over 10 points 
largely thanks to SARE stocks rules.

If you want a specific rule, this should catch them:

header		local_FROM_APOSTROPHE	From =~ /\<\w[\w']{1,30}\@/


John.

-- 
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr
From dean.plant at roke.co.uk  Fri Dec  1 12:01:30 2006
From: dean.plant at roke.co.uk (Plant, Dean)
Date: Fri Dec  1 12:02:33 2006
Subject: Can anyone tell me what this is?
Message-ID: <2181C5F19DD0254692452BFF3EAF1D6802671B51@rsys005a.comm.ad.roke.co.uk>

We have some messages from a customer that are being disarmed due to a
whole load of scripting in the message. I know I can turn disarming off
but I would like to know what this code is and what it is doing, has
anyone come across code like this before?

Sample data from the message source below. The whole source is here
http://deanplant.bulldoghome.com/pages/deanplant%5Fbulldoghome%5Fcom/mai
l.txt

Thanks

Dean

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML dir=ltr><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<SCRIPT language=javascript id=dstimeout
src="/dana-cached/js/sessiontimeout.js"></SCRIPT>

<SCRIPT language=javascript id=dsshimdata> var DanaShimData="var
DSJsFuncs =
[null,null,[{nm:\"dJ\",flg:0x37},{nm:\"go\",flg:0xf},],null,[{nm:\"eval\
",flg:0x57},{nm:\"item\"
,flg:0xf},{nm:\"send\",lcnm:\"send\",flg:0xb},{nm:\"href\",flg:0xf},{nm:
\"save\",lcnm:\"save\",flg:0xb},{nm:\"open\",lcnm:\"open\",flg:0x3b},{nm
:\"load\",lcnm:\"load\",flg:0
x3b},],[{nm:\"write\",flg:0x3f},{nm:\"close\",flg:0x3f},{nm:\"Print\",fl
g:0xf},{nm:\"Start\",lcnm:\"start\",flg:0xb},],[{nm:\"Upload\",flg:0xf},
{nm:\"assign\",flg:0xf},{nm:\
"frames\",flg:0xf},{nm:\"getURL\",lcnm:\"geturl\",flg:0x12},{nm:\"reload
\",lcnm:\"reload\",flg:0x3b},],[{nm:\"writeln\",flg:0x3f},{nm:\"GotoURL\
",flg:0xe},{nm:\"AddRoot\",lc
nm:\"addroot\",flg:0xb},{nm:\"Refresh\",lcnm:\"refresh\",flg:0xb},{nm:\"
LoadURL\",lcnm:\"loadurl\",flg:0xb},{nm:\"Install\",flg:0xf},{nm:\"postU
RL\",lcnm:\"posturl\",flg:0x1
2},{nm:\"replace\",flg:0x12f},],[{nm:\"Download\",lcnm:\"download\",flg:
0xb},{nm:\"toString\",flg:0xe},{nm:\"InitPath\",flg:0xe},{nm:\"navigate\
",lcnm:\"navigate\",flg:0x1b}
,{nm:\"addParam\",lcnm:\"addparam\",flg:0xb},{nm:\"SetParam\",flg:0xd},{
nm:\"LaunchPT\",lcnm:\"launchpt\",flg:0xb},{nm:\"showHelp\",flg:0xf},],[
{nm:\"selectrow\",flg:0x16},{
nm:\"Navigate2\",flg:0xe},{nm:\"LaunchOIS\",flg:0xd},],[{nm:\"Initialize
\",lcnm:\"initialize\",flg:0xb},{nm:\"OpenAtPage\",flg:0xf},{nm:\"SetEnv
Info\",flg:0xf},{nm:\"setTime
out\",flg:0xc1f},{nm:\"childNodes\",flg:0x2f},{nm:\"SetGSPSURL\",lcnm:\"
setgspsurl\",flg:0xb},{nm:\"SetDataURL\",lcnm:\"setdataurl\",flg:0xb},{n
m:\"DownloadEx\",flg:0xe},],[
{nm:\"setInterval\",flg:0x881f},{nm:\"appendChild\",flg:0xf},{nm:\"execC
ommand\",flg:0xe},{nm:\"createPopup\",flg:0xf},{nm:\"StartUpLoad\",flg:0
xf},{nm:\"addBehavior\",flg:0
x1f},{nm:\"OpenSession\",flg:0xf},],[{nm:\"setAttribute\",flg:0x3f},{nm:
\"InitLanguage\",flg:0xe},{nm:\"EditDocument\",flg:0xf},{nm:\"RetrieveDa
ta\",flg:0xf},{nm:\"StartUpLo
ad2\",flg:0xf},{nm:\"CreateObject\",lcnm:\"createobject\",flg:0xb},{nm:\
"startRequest\",flg:0xf},{nm:\"ViewDocument\",flg:0xf},{nm:\"addHierarch
y\",flg:0xf},{nm:\"ModifyProc
21\",flg:0xf},],[{nm:\"DispDocItemEx\",flg:0x16},{nm:\"navigateFrame\",f
lg:0xf},{nm:\"createElement\",flg:0x2f},{nm:\"startDownload\",lcnm:\"sta
rtdownload\",flg:0xb},{nm:\"V
iewDocument2\",flg:0xf},{nm:\"openNewWindow\",flg:0x17},{nm:\"replaceEnt
ity\",flg:0x16},{nm:\"SubmitChanges\",lcnm:\"submitchanges\",flg:0xb},{n
m:\"EditDocument2\",flg:0xf},
],[{nm:\"DownloadAttach\",flg:0xe},{nm:\"SetURLHeadInfo\",flg:0xf},{nm:\
"ProcessRPCInfo\",flg:0xe},],[{nm:\"SetURLHeadInfo2\",flg:0xf},{nm:\"Ope
nPopupWindow\",flg:0xe},{nm:\
"addInternalItem\",flg:0xe},{nm:\"showModalDialog\",flg:0x1081f},],[{nm:
\"createStyleSheet\",flg:0xf},{nm:\"AppendToStrCache\",flg:0xe},],[{nm:\
"SetAttachFileInfo\",flg:0xf}
,{nm:\"getResponseHeader\",lcnm:\"getresponseheader\",flg:0xb},{nm:\"Cre
ateNewDocument\",flg:0xf},],[{nm:\"SetAttachFileInfo2\",flg:0xf},{nm:\"S
etAttachFileInfo3\",flg:0xf},
{nm:\"CreateNewDocument2\",flg:0xf},{nm:\"createContextualFragment\",flg
:0xe},{nm:\"SetReportDataDirect\",flg:0xf},{nm:\"insertAdjacentHTML\",fl
g:0xf},{nm:\"showModelessDial
og\",flg:0x1f},{nm:\"FlushBasicCredentials\",flg:0xf},],];var DSJsProps
=
[null,null,null,[{nm:\"SRC\",flg:0x301e},{nm:\"URL\",flg:0x301f},{nm:\"s
rc\",flg:0x301f},],[{nm:\"h
ref\",flg:0x301f},{nm:\"port\",flg:0x301f},{nm:\"host\",flg:0x201f},],nu
ll,[{nm:\"WebURL\",flg:0x300f},{nm:\"domain\",flg:0x301f},{nm:\"action\"
,flg:0x301f},{nm:\"frames\",f
lg:0x200f},{nm:\"length\",flg:0x200f},{nm:\"DSHost\",flg:0x100f},{nm:\"s
earch\",flg:0x201f},{nm:\"cookie\",flg:0x301f},{nm:\"filter\",flg:0x301f
},],[{nm:\"DataURL\",lcnm:\"d
ataurl\",flg:0x100b},{nm:\"BaseURL\",flg:0x100e},{nm:\"BaseUrl\",flg:0x1
00e},],[{nm:\"pathname\",flg:0x301f},{nm:\"referrer\",flg:0x200f},{nm:\"
DataPath\",flg:0x100f},{nm:\"
protocol\",flg:0x200f},{nm:\"codeBase\",flg:0x100e},{nm:\"location\",flg
:0x701f},{nm:\"hostname\",flg:0x200f},],[{nm:\"innerHTML\",flg:0x101f},{
nm:\"ReportURL\",flg:0x100f},
{nm:\"IsapiName\",flg:0x100f},{nm:\"outerHTML\",flg:0x101f},],[{nm:\"has
doctype\",flg:0x201f},{nm:\"childNodes\",flg:0x201f},{nm:\"background\",
flg:0x301f},{nm:\"firstChild\
",flg:0x201f},{nm:\"designMode\",flg:0x100e},],[{nm:\"AnnDataPath\",flg:
0x100f},],[{nm:\"documentHTML\",lcnm:\"documenthtml\",flg:0x100b},{nm:\"
ReportSource\",flg:0x100f},],
null,[{nm:\"BitmapDataPath\",flg:0x100f},],[{nm:\"backgroundImage\",flg:
0x300f},],null,null,null,];";
eval(DanaShimData);
var DanaActiveXParamsData="var DanaActiveXParams = [[
'5220CB21-C88D-11CF-B347-00AA00A28331',   [       ['LPKPath', 1]   ]],[
'3BFFE033-BF43-11D5-A271-00A024A51325',   [       ['General_ServerName',
2],      ['General_URL', 1]   ]],[
'5BDBA960-6534-11D3-97C7-00500422B550',   [   ['FullUrl', 1]   ]],[
'00120000-B1BA-11CE-ABC6-F5B2E79D9E3F',   [       ['BitmapDataPath', 1]
]],[ '00130000-B1BA-11CE-ABC6-F5B2E79D9E3F',   [
['BitmapDataPath', 1]   ]],[ '05D96F71-87C6-11D3-9BE4-00902742D6E0',   [
['General_Ser
verName', 2],   ['General_URL', 1]   ]],[
'D27CDB6E-AE6D-11CF-96B8-444553540000',   [   ['Movie', 1],   ['Src', 1]
]],[ '1E2941E3-8E63-11D4-9D5A-00902742D6E0',   [   ['Gen
eral_ServerName', 2],   ['General_URL', 1]   ]],[
'ADB880A6-D8FF-11CF-9377-00AA003B7A11',   [   ['Item1', 1]   ]],[
'E008A543-CEFB-4559-912F-C27C2B89F13B',   [         ['Gen
eral_ServerName', 2],   ['General_URL', 1]   ]],];var DanaJVMClassIds =
['CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA','CAFEEFAC-0014-0001-0000-ABCDEFF
EDCBA','CAFEEFAC-0012-0002-00
00-ABCDEFFEDCBA','CAFEEFAC-0012-0003-0000-ABCDEFFEDCBA','CAFEEFAC-0014-0
002-0000-ABCDEFFEDCBA','8AD9C840-044E-11D1-B3E9-00805F499D93','CAFEEFAC-
0012-0000-0000-ABCDEFFEDCBA',
'CAFEEFAC-0013-0000-0000-ABCDEFFEDCBA',];";
From vinay_poojary2000 at yahoo.co.in  Fri Dec  1 12:11:51 2006
From: vinay_poojary2000 at yahoo.co.in (vinay poojary)
Date: Fri Dec  1 12:11:57 2006
Subject: thks for the mailscanner  tool
In-Reply-To: <456FF72D.6060202@netmagicsolutions.com>
Message-ID: <154729.55974.qm@web8317.mail.in.yahoo.com>

Dear Sir,
   
  It does not requires any username / password for the auth .The user can use his own username / password and only change the email address in the email client .So to stop email spoofing in u r own organistaion is difficult .
   
  can we have any option for email spoofing in mailscanner .
   
  Regards,
  vinay poojary 

Dhawal Doshy <dhawal@netmagicsolutions.com> wrote:
  Martin Hepworth wrote:
> vinay poojary wrote:
>> Dear Sir,
>> 
>> I am using mailscanner with sendmail.The sendmail is installed with 
>> smtp-auth .I have no such problems with mailscanner .I am just 
>> enjoying the mailscanner configuration .
>> 
>> But presently i am facing the problem of addres spoofing .The people 
>> in my own company can change the from address and send mail to anyone 
>> via smtp auth .Is there any way i could stop these address spoofing .
>> 
>> Thks in advance .
>> 
>> Regards,
>> vinay poojary
> 
> Vinay
> 
> 1st point of call on this is a proper Acceptable Use Policy. If they use 
> business computers for non-work things, they go the normal disciplinary 
> procedures, or even straight to dismissal under gross misconduct. (never 
> under estimate the power of HR policy!).

i agree that this can taken up at a different level (read as catbert), i 
also think that poor passwords are also responsible for sender spoofing. 
We had a case a year back, where a "secure" SMTP server was used for UBE 
(via a korean IP), using authentication that was quite easy to guess 
(password = username). Now we now enforce stricter passwords ;-)

- dhawal
-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 


 				
---------------------------------
 Find out what India is talking about on  - Yahoo! Answers India 
 Send FREE SMS to your friend's mobile from Yahoo! Messenger Version 8. Get it NOW
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061201/5532aca5/attachment.html
From gerard at seibercom.net  Fri Dec  1 12:18:20 2006
From: gerard at seibercom.net (Gerard Seibert)
Date: Fri Dec  1 12:18:10 2006
Subject: Blocking e-mail with special characters in username
In-Reply-To: <910ee2ac0612010257m2936e7b3ie55c0d8f1535f4d6@mail.gmail.com>
References: <910ee2ac0612010257m2936e7b3ie55c0d8f1535f4d6@mail.gmail.com>
Message-ID: <20061201071747.198B.GERARD@seibercom.net>

On Friday December 01, 2006 at 05:57:19 (AM) emm1 wrote:

> I have been having alot of e-mails like this one
> from=<biographicalparallelism's@acbm.com>. How can I block e-mail that
> contain characters like ' in the username/domain field?


What MTA are you employing?

-- 
Gerard
From gordon at itnt.co.za  Fri Dec  1 12:41:25 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Fri Dec  1 12:41:49 2006
Subject: mail size delivery delay
Message-ID: <022601c71546$0733fc90$0b02a8c0@Gordon>

ITNT Banner CampaignIs there a way to force delayed deliveries on mail that 
is larger than a certain size?

i.e., if mail is bigger than 50mb's hold in queue until after 6pm and then 
release.

Thanks

Gordon Colyn
InTheNet Technologies
www.itnt.co.za
MSN: gordoncolyn@hotmail.com
SKYPE: gordoncolyn
086 123 ITNT (4868)
086 682 5204 (Fax)
+27 (0)83 296 7534
Confidentiality: This e-mail including any attachments is intended for the 
above named addressee(s) only and contains confidential information. If you 
have received this email in error you must take no action based on its 
contents, nor must you reproduce or show the e-mail or any attachments or 
any part thereof or communicate the contents to anyone; please reply to the 
sender of this e-mail informing them of the error.
Viruses: We recommend that in keeping with good computing practice the 
recipient should ensure that e-mails received are virus free before opening. 

From davi at jvsinfo.com.br  Fri Dec  1 14:30:46 2006
From: davi at jvsinfo.com.br (davi@jvsinfo.com.br)
Date: Fri Dec  1 14:18:38 2006
Subject: DSPAM + MailScanner
In-Reply-To: <200612011200.kB1C0JAH007142@bkserver.blacknight.ie>
Message-ID: <OFA3FFA931.99AEEAA1-ON03257237.004F5D2B-83257237.004A3B53@jvsinfo.com.br>

List,

 I use DSPAM with postfix, but a whant to use under MailScanner, like 
this, can you get rid this ???

DSPAM + POSTFIX

1. smtp
2. forward dspam
3. smtp again
4. mailscanner
5. sa
6.smtp
7. user

DSPAM + MailScanner

1. smtp
2. mailscanner
3. dspam
4. sa
6. smtp
7. user

Davi Baldin
JVS do Brasil - IBM BP Premier
davi@jvsinfo.com.br
(19) 3254-1266
(19) 9266-6793 ** NOVO **
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061201/2a3455b3/attachment.html
From dean.plant at roke.co.uk  Fri Dec  1 14:54:13 2006
From: dean.plant at roke.co.uk (Plant, Dean)
Date: Fri Dec  1 14:58:43 2006
Subject: MailScanner in the Red Hat Magazine
Message-ID: <2181C5F19DD0254692452BFF3EAF1D6802671B52@rsys005a.comm.ad.roke.co.uk>

Came across this today.

How to set up a home email server
(without being spammed to death)
by Stuart R. Kirk

Why host your own mail?

There are many reasons to host your own email. Perhaps you don't like
the limits placed on you by your current ISP. Maybe they aren't willing
to host the domain you want, or give you the access you want. And if
they do fit your needs, they want to charge a small fortune. Maybe you
want complete privacy. Or perhaps you just want to access your email
from anywhere using a web-based frontend. The list goes on and on...

There are several many ways to accomplish this task. Everyone has their
preferred MTA program, but for the purposes of this article, we'll use
sendmail. The same can also be done using postfix, or exim. Each
approach has its own merits.

Let's get started......

http://www.redhat.com/magazine/025nov06/features/email/index.html#parttw
o
From alex at nkpanama.com  Fri Dec  1 14:26:29 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Fri Dec  1 15:24:26 2006
Subject: thks for the mailscanner  tool
In-Reply-To: <154729.55974.qm@web8317.mail.in.yahoo.com>
References: <154729.55974.qm@web8317.mail.in.yahoo.com>
Message-ID: <45703B95.8070903@nkpanama.com>

Sender spoofing within the message is something very difficult to stop 
because proper authentication wasn't part of the original e-mail 
specification everybody uses. You can always make it easier to spot by 
adding information to the header.

If you're using sendmail, you can always turn on REC_FULL_AUTH so you 
can see WHO authenticated and sent the e-mail.

I usually find the file at /usr/share/sendmail-cf/m4 called cfhead.m4, 
where there's a line that says:

define(`confRECEIVED_HEADER', `_REC_HDR_
         _REC_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)
         _REC_BY_
         _REC_TLS_
         _REC_END_')

and change it so it says:

define(`confRECEIVED_HEADER', `_REC_HDR_
         _REC_FULL_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)
         _REC_BY_
         _REC_TLS_
         _REC_END_')

The difference is "REC_AUTH" inserts "authenticated user" on the 
message's headers, but REC_FULL_AUTH inserts "authenticated user XXXX". 
You can check my own headers to see the difference.

You can always add
"Envelope From Header = X-%org-name%-MailScanner-From:"

...but I suspect that would also be vulnerable to spoofing.

Other methods could include using MCP with rulesets so that:
Is Definitely MCP = %mcp-dir%/mcp.rules


From:	alice@mydomain	and	From:192.168.1.3 no
From:	bob@mydomain	and	From:192.168.1.4 no
FromOrTo:	default		yes

This way (I suspect, I don't use MCP *that* much, so check first) 
"spoofed" e-mail will be dealt with using MCP.

This wouldn't be invulnerable, however, to IP address hijacking. *That* 
could be issued using a switch smart enough to care about IPs-to-MAC 
addresses, or by using ARP tricks at your sendmail box so that IP-to-MAC 
is enforced.

However, some NIC drivers allow you to spoof the MAC (and you can 
trivially do it in operating systems other than Windows.


vinay poojary wrote:
> Dear Sir,
>  
> It does not requires any username / password for the auth .The user can 
> use his own username / password and only change the email address in the 
> email client .So to stop email spoofing in u r own organistaion is 
> difficult .
>  
> can we have any option for email spoofing in mailscanner .
>  
> Regards,
> vinay poojary
> 
> */Dhawal Doshy <dhawal@netmagicsolutions.com>/* wrote:
> 
>     Martin Hepworth wrote:
>      > vinay poojary wrote:
>      >> Dear Sir,
>      >>
>      >> I am using mailscanner with sendmail.The sendmail is installed with
>      >> smtp-auth .I have no such problems with mailscanner .I am just
>      >> enjoying the mailscanner configuration .
>      >>
>      >> But presently i am facing the problem of addres spoofing .The
>     people
>      >> in my own company can change the from address and send mail to
>     anyone
>      >> via smtp auth .Is there any way i could stop these address
>     spoofing .
>      >>
>      >> Thks in advance .
>      >>
>      >> Regards,
>      >> vinay poojary
>      >
>      > Vinay
>      >
>      > 1st point of call on this is a proper Acceptable Use Policy. If
>     they use
>      > business computers for non-work things, they go the normal
>     disciplinary
>      > procedures, or even straight to dismissal under gross misconduct.
>     (never
>      > under estimate the power of HR policy!).
> 
>     i agree that this can taken up at a different level (read as
>     catbert), i
>     also think that poor passwords are also responsible for sender
>     spoofing.
>     We had a case a year back, where a "secure" SMTP server was used for
>     UBE
>     (via a korean IP), using authentication that was quite easy to guess
>     (password = username). Now we now enforce stricter passwords ;-)
> 
>     - dhawal
>     -- 
>     MailScanner mailing list
>     mailscanner@lists.mailscanner.info
>     http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
>     Before posting, read http://wiki.mailscanner.info/posting
> 
>     Support MailScanner development - buy the book off the website!
> 
> 
> ------------------------------------------------------------------------
> Find out what India is talking about on - Yahoo! Answers India 
> <http://us.rd.yahoo.com/mail/in/yanswers/*http://in.answers.yahoo.com/>
> Send FREE SMS to your friend's mobile from Yahoo! Messenger Version 8. 
> Get it NOW 
> <http://us.rd.yahoo.com/mail/in/messengertagline/*http://in.messenger.yahoo.com> 
> 
> 
From ka at pacific.net  Fri Dec  1 17:35:28 2006
From: ka at pacific.net (Ken A)
Date: Fri Dec  1 17:32:56 2006
Subject: sa caching mechanism
In-Reply-To: <223f97700611290103r2ebdc29btf56175f00e1d9f5a@mail.gmail.com>
References: <456CC791.9060505@pacific.net>
	<223f97700611290103r2ebdc29btf56175f00e1d9f5a@mail.gmail.com>
Message-ID: <457067E0.6080202@pacific.net>



Glenn Steen wrote:
> On 29/11/06, Ken A <ka@pacific.net> wrote:
>>
>> Is there any way to tell MailScanner that some SA scores should NOT be
>> cached? I'd like to be able to have MailScanner cache scores unless
>> certain (per user) SA rules are hit.
>>
>> For example: If a milter puts a header into a message that is based on a
>> user preference that is later used by SA to subtract or add to that
>> message's score, I'd like that score to NOT be cached, since it should
>> only apply to that message.
>>
>> I know Julian is quite busy, so I'm going to go beat on the code, but
>> hoping perhaps someone else has come across this?
>>
> Not much help, but the "Cache SpamAssassin Results" setting can eb a
> ruleset... And it could be a CustomFunction... So if you can (somehow)
> in that function get hold of the info you need to decide, that would
> likely be the best way to go.
> 

Ah! Good idea. As I said the info I need (header added by milter or 
something else) is in the message headers, so it should be available 
there somewhere in the Message object.
Thanks,
Ken A.
Pacific.Net

From mikes at hartwellcorp.com  Fri Dec  1 17:37:14 2006
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Fri Dec  1 17:39:19 2006
Subject: Some mail coming in without attachments
Message-ID: <3BF93070B3D1B047BA7ABF612958950DF78CE9@hcex.hartwellcorp.com>

I've got two reports of emails being delivered without the Word document
attachments they were sent with.  Several attempts to send each of them
and each time the mail was delivered but there was no attachment.
 
Redhat Linux 9:
MailScanner-4.56.8-1 from the RPM install
ClamAV 0.88.6 & SpamAssassin 3.1.7 from the easy installation package
 
These packages were updated to the latest versions only a few weeks ago.
So far the only other problem reported is a higher instance of virus
mails getting through to the secondary virus scanner (which is running
on the internal Exchange server).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061201/0273ecc3/attachment.html
From ljosnet at gmail.com  Fri Dec  1 18:44:01 2006
From: ljosnet at gmail.com (emm1)
Date: Fri Dec  1 18:44:14 2006
Subject: Blocking e-mail with special characters in username
In-Reply-To: <20061201071747.198B.GERARD@seibercom.net>
References: <910ee2ac0612010257m2936e7b3ie55c0d8f1535f4d6@mail.gmail.com>
	<20061201071747.198B.GERARD@seibercom.net>
Message-ID: <910ee2ac0612011044kc29449bx6180d425ba4fc7e9@mail.gmail.com>

Sendmail on FreeBSD 6.1

On 12/1/06, Gerard Seibert <gerard@seibercom.net> wrote:
> On Friday December 01, 2006 at 05:57:19 (AM) emm1 wrote:
>
> > I have been having alot of e-mails like this one
> > from=<biographicalparallelism's@acbm.com>. How can I block e-mail that
> > contain characters like ' in the username/domain field?
>
>
> What MTA are you employing?
>
> --
> Gerard
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
From ssilva at sgvwater.com  Fri Dec  1 19:10:36 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec  1 19:13:21 2006
Subject: Some mail coming in without attachments
In-Reply-To: <3BF93070B3D1B047BA7ABF612958950DF78CE9@hcex.hartwellcorp.com>
References: <3BF93070B3D1B047BA7ABF612958950DF78CE9@hcex.hartwellcorp.com>
Message-ID: <ekpur6$agq$1@sea.gmane.org>

Michael St. Laurent spake the following on 12/1/2006 9:37 AM:
> I've got two reports of emails being delivered without the Word document
> attachments they were sent with.  Several attempts to send each of them
> and each time the mail was delivered but there was no attachment.
>  
> Redhat Linux 9:
> MailScanner-4.56.8-1 from the RPM install
> ClamAV 0.88.6 & SpamAssassin 3.1.7 from the easy installation package
>  
> These packages were updated to the latest versions only a few weeks
> ago.  So far the only other problem reported is a higher instance of
> virus mails getting through to the secondary virus scanner (which is
> running on the internal Exchange server).
> 
Look for the obvious things like tnef encoded files being sent from an outlook
user to an outlook express user. You really need to look at the message source
and see if the attachments really aren't there.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mike at vesol.com  Fri Dec  1 19:16:58 2006
From: mike at vesol.com (Mike Kercher)
Date: Fri Dec  1 19:18:49 2006
Subject: Some mail coming in without attachments
In-Reply-To: <3BF93070B3D1B047BA7ABF612958950DF78CE9@hcex.hartwellcorp.com>
Message-ID: <EAE39E9E242F774099806D1052118953370A94@samba2003.home.middlefinger.net>

Any log entries?
 
 


________________________________

	From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael
St. Laurent
	Sent: Friday, December 01, 2006 11:37 AM
	To: mailscanner@lists.mailscanner.info
	Subject: Some mail coming in without attachments
	
	
	I've got two reports of emails being delivered without the Word
document attachments they were sent with.  Several attempts to send each
of them and each time the mail was delivered but there was no
attachment.
	 
	Redhat Linux 9:
	MailScanner-4.56.8-1 from the RPM install
	ClamAV 0.88.6 & SpamAssassin 3.1.7 from the easy installation
package
	 
	These packages were updated to the latest versions only a few
weeks ago.  So far the only other problem reported is a higher instance
of virus mails getting through to the secondary virus scanner (which is
running on the internal Exchange server).

From mikes at hartwellcorp.com  Fri Dec  1 19:23:49 2006
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Fri Dec  1 19:26:01 2006
Subject: Some mail coming in without attachments
Message-ID: <3BF93070B3D1B047BA7ABF612958950DF78CEA@hcex.hartwellcorp.com>

I thought the same thing at first but the attachment went through when
it was sent to a web mail account.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott
Silva
Sent: Friday, December 01, 2006 11:11 AM
To: mailscanner@lists.mailscanner.info
Subject: Re: Some mail coming in without attachments

Michael St. Laurent spake the following on 12/1/2006 9:37 AM:
> I've got two reports of emails being delivered without the Word
document
> attachments they were sent with.  Several attempts to send each of
them
> and each time the mail was delivered but there was no attachment.
>  
> Redhat Linux 9:
> MailScanner-4.56.8-1 from the RPM install
> ClamAV 0.88.6 & SpamAssassin 3.1.7 from the easy installation package
>  
> These packages were updated to the latest versions only a few weeks
> ago.  So far the only other problem reported is a higher instance of
> virus mails getting through to the secondary virus scanner (which is
> running on the internal Exchange server).
> 
Look for the obvious things like tnef encoded files being sent from an
outlook
user to an outlook express user. You really need to look at the message
source
and see if the attachments really aren't there.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
From gerard at seibercom.net  Fri Dec  1 19:39:59 2006
From: gerard at seibercom.net (Gerard Seibert)
Date: Fri Dec  1 19:39:55 2006
Subject: Blocking e-mail with special characters in username
In-Reply-To: <910ee2ac0612011044kc29449bx6180d425ba4fc7e9@mail.gmail.com>
References: <20061201071747.198B.GERARD@seibercom.net>
	<910ee2ac0612011044kc29449bx6180d425ba4fc7e9@mail.gmail.com>
Message-ID: <20061201143619.E845.GERARD@seibercom.net>

On Friday December 01, 2006 at 01:44:01 (PM) emm1 wrote:

> Sendmail on FreeBSD 6.1


Sorry, I cannot help you. If you were using Postfix, there are header
checks <http://www.postfix.org/uce.html#header_checks> that could be
used for that purpose. You might want to check with the Sendmail(TM)
group and see what they recommend.

-- 
Gerard
From TGFurnish at herffjones.com  Fri Dec  1 21:19:33 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Fri Dec  1 21:19:51 2006
Subject: Blocking e-mail with special characters in username
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC4D5@inex3.herffjones.hj-int>

Y'know I assumed the snertsoft milters all did this, because of a line
mentioning possible error codes where one of the codes was "invalid
characters in local from", but I'm running milter-ahead and lots of
these are still making it into mailscanner.

Then again, are you sure ' is an invalid character?

Hmmm...I guess you actually didn't say that you cared whether it was
invalid or not.  Ok, I'm going back to sleep now. :) 

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info 
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1
> Sent: Friday, December 01, 2006 5:57 AM
> To: MailScanner discussion
> Subject: Blocking e-mail with special characters in username
> 
> I have been having alot of e-mails like this one 
> from=<biographicalparallelism's@acbm.com>. How can I block 
> e-mail that contain characters like ' in the username/domain field?
> 
> Thanks!
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 
> 
From ssilva at sgvwater.com  Fri Dec  1 21:25:04 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec  1 21:30:10 2006
Subject: Some mail coming in without attachments
In-Reply-To: <3BF93070B3D1B047BA7ABF612958950DF78CEA@hcex.hartwellcorp.com>
References: <3BF93070B3D1B047BA7ABF612958950DF78CEA@hcex.hartwellcorp.com>
Message-ID: <ekq6nc$5i6$1@sea.gmane.org>

Michael St. Laurent spake the following on 12/1/2006 11:23 AM:
> I thought the same thing at first but the attachment went through when
> it was sent to a web mail account.
> 
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott
> Silva
> Sent: Friday, December 01, 2006 11:11 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Some mail coming in without attachments
> 
> Michael St. Laurent spake the following on 12/1/2006 9:37 AM:
>> I've got two reports of emails being delivered without the Word
> document
>> attachments they were sent with.  Several attempts to send each of
> them
>> and each time the mail was delivered but there was no attachment.
>>  
>> Redhat Linux 9:
>> MailScanner-4.56.8-1 from the RPM install
>> ClamAV 0.88.6 & SpamAssassin 3.1.7 from the easy installation package
>>  
>> These packages were updated to the latest versions only a few weeks
>> ago.  So far the only other problem reported is a higher instance of
>> virus mails getting through to the secondary virus scanner (which is
>> running on the internal Exchange server).
>>
> Look for the obvious things like tnef encoded files being sent from an
> outlook
> user to an outlook express user. You really need to look at the message
> source
> and see if the attachments really aren't there.
> 
But the webmail program might have TNEF decoding built in to it. You really
need to look at the message source on the machine that has the problem. If the
receiver is outlook express, it is very common. It doesn't even say there is
an attachment most of the time.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From gerard at seibercom.net  Fri Dec  1 22:22:45 2006
From: gerard at seibercom.net (Gerard Seibert)
Date: Fri Dec  1 22:22:36 2006
Subject: Blocking e-mail with special characters in username
In-Reply-To: <910ee2ac0612010257m2936e7b3ie55c0d8f1535f4d6@mail.gmail.com>
References: <910ee2ac0612010257m2936e7b3ie55c0d8f1535f4d6@mail.gmail.com>
Message-ID: <20061201171850.52D6.GERARD@seibercom.net>

On Friday December 01, 2006 at 05:57:19 (AM) emm1 wrote:

> I have been having alot of e-mails like this one
> from=<biographicalparallelism's@acbm.com>. How can I block e-mail that
> contain characters like ' in the username/domain field?

After some checking, mainly RFC2822, it would appear that the apostrophe
(') is legal in the email header although some MUA's do choke on it.
Unless you can concoct some legitimate reason for bouncing the mail,
perhaps just sending it to the bit bucket would be a better solution.

-- 
Gerard

From Kevin_Miller at ci.juneau.ak.us  Fri Dec  1 22:23:46 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Dec  1 22:23:53 2006
Subject: Slightly OT:  sfm-sav milter
Message-ID: <D1587DCF6294524BAFA2C9944312FCC863B9D7@city-exch-w3e.cbj.local>

I just posted the following to the smf-sav list, but thought I'd give
folks here a heads up too, since I know some are using smf-sav milter...

===========
The spammers are up to their old tricks apparently.  I noticed this in
my logs today:

-------------------------------------------------
Nov 30 19:06:23 mx2 smf-sav[22911]: sender check succeeded:
<burlkevin_miller@ci.juneau.ak.us>, 124.120.38.30,
ppp-124.120.38.30.revip2.asianet.co.th, [00:00:03]
Nov 30 19:06:24 mx2 smf-sav[22911]: recipient check failed:
<burlkevin_miller@ci.juneau.ak.us>, 124.120.38.30,
ppp-124.120.38.30.revip2.asianet.co.th,
<burlkevin_miller@ci.juneau.ak.us>, [00:00:00]
-------------------------------------------------

There are numerous entries where they use some phoney address as the
from=, which generally fail.  I guess they figured they'd have a better
chance of getting their spam through if they forged an address from my
domain, but configured their server to verify it.

There's nobody here called burlkevin_miller@ci.juneau.ak.us (as
evidenced by the recipient check failing) so they must be configuring
their server to validate the address during the callback.  I'm not sure
how the callback works; apparently it just queries the server that is
attempting to send rather than looking up the valid mx servers in DNS
and querying them which might be a better way to do the sender
verifications.  I don't know what that would do to overhead or if it
would break any rules.

If the spammer used both a valid sender and recipient id their spam
would get through (although most likely it would then be caught by other
spam filters).  This may be a case of spam being reflected off a valid
domain instead of actually being targeted to me.  Who knows?

At any rate, it seems the spammers have figured out a way to spoof
sender verification.  It's a sure thing I don't have any email servers
in asia...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500
 
From kopels at english.fsu.edu  Fri Dec  1 22:55:10 2006
From: kopels at english.fsu.edu (Scott Kopel)
Date: Fri Dec  1 22:55:35 2006
Subject: SpamAssassin Cache?
Message-ID: <7.0.0.16.2.20061201174221.039e1950@english.fsu.edu>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061201/ee9e63f0/attachment.html
From r.berber at computer.org  Fri Dec  1 23:13:03 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Fri Dec  1 23:13:24 2006
Subject: Slightly OT:  sfm-sav milter
In-Reply-To: <D1587DCF6294524BAFA2C9944312FCC863B9D7@city-exch-w3e.cbj.local>
References: <D1587DCF6294524BAFA2C9944312FCC863B9D7@city-exch-w3e.cbj.local>
Message-ID: <ekqcu1$pjh$1@sea.gmane.org>

Kevin Miller wrote:

> I just posted the following to the smf-sav list, but thought I'd give
> folks here a heads up too, since I know some are using smf-sav milter...
> 
> ===========
> The spammers are up to their old tricks apparently.  I noticed this in
> my logs today:
> 
> -------------------------------------------------
> Nov 30 19:06:23 mx2 smf-sav[22911]: sender check succeeded:
> <burlkevin_miller@ci.juneau.ak.us>, 124.120.38.30,
> ppp-124.120.38.30.revip2.asianet.co.th, [00:00:03]
> Nov 30 19:06:24 mx2 smf-sav[22911]: recipient check failed:
> <burlkevin_miller@ci.juneau.ak.us>, 124.120.38.30,
> ppp-124.120.38.30.revip2.asianet.co.th,
> <burlkevin_miller@ci.juneau.ak.us>, [00:00:00]
> -------------------------------------------------
> 
> There are numerous entries where they use some phoney address as the
> from=, which generally fail.  I guess they figured they'd have a better
> chance of getting their spam through if they forged an address from my
> domain, but configured their server to verify it.

A variation of dictionary attacks... smarter, but it could be easily made more
accurate.

SnertSoft's milter-error would stop the queries if smf-sav signal an error when
the ckeck fails (I don't use smf-sav but, for instance, gray listing a sender
does produce an error, and when the sender retries too fast too often,
milter-error kicks and black list them for a longer period).

[snip]
-- 
Ren? Berber

From taz at taz-mania.com  Fri Dec  1 23:14:32 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Fri Dec  1 23:14:38 2006
Subject: Slightly OT:  sfm-sav milter
In-Reply-To: <D1587DCF6294524BAFA2C9944312FCC863B9D7@city-exch-w3e.cbj.local>
Message-ID: <web-8850066@namesystems.net>

Actually smf-sav is SUPPOSE to do an mx lookup (and the code is in 
there) to do the sender verification.

I've tested this and it works on mine. Since so many large ISPs (and 
myself) don't send and receive from the same server and the sending 
server doen't actually know the recipients it would break sav if it 
didn't do the mx lookup.

Normally smf-sav does mx lookups of the mail-from and uses the 
mailertable to do the rcpt-to lookup.


On Fri, 1 Dec 2006 13:23:46 -0900
  "Kevin Miller" <Kevin_Miller@ci.juneau.ak.us> wrote:
>I just posted the following to the smf-sav list, but thought I'd give
>folks here a heads up too, since I know some are using smf-sav 
>milter...
>
>===========
>The spammers are up to their old tricks apparently.  I noticed this 
>in
>my logs today:
>
>-------------------------------------------------
>Nov 30 19:06:23 mx2 smf-sav[22911]: sender check succeeded:
><burlkevin_miller@ci.juneau.ak.us>, 124.120.38.30,
>ppp-124.120.38.30.revip2.asianet.co.th, [00:00:03]
>Nov 30 19:06:24 mx2 smf-sav[22911]: recipient check failed:
><burlkevin_miller@ci.juneau.ak.us>, 124.120.38.30,
>ppp-124.120.38.30.revip2.asianet.co.th,
><burlkevin_miller@ci.juneau.ak.us>, [00:00:00]
>-------------------------------------------------
>
>There are numerous entries where they use some phoney address as the
>from=, which generally fail.  I guess they figured they'd have a 
>better
>chance of getting their spam through if they forged an address from 
>my
>domain, but configured their server to verify it.
>
>There's nobody here called burlkevin_miller@ci.juneau.ak.us (as
>evidenced by the recipient check failing) so they must be configuring
>their server to validate the address during the callback.  I'm not 
>sure
>how the callback works; apparently it just queries the server that is
>attempting to send rather than looking up the valid mx servers in DNS
>and querying them which might be a better way to do the sender
>verifications.  I don't know what that would do to overhead or if it
>would break any rules.
>
>If the spammer used both a valid sender and recipient id their spam
>would get through (although most likely it would then be caught by 
>other
>spam filters).  This may be a case of spam being reflected off a 
>valid
>domain instead of actually being targeted to me.  Who knows?
>
>At any rate, it seems the spammers have figured out a way to spoof
>sender verification.  It's a sure thing I don't have any email 
>servers
>in asia...
>
>...Kevin
>-- 
>Kevin Miller                Registered Linux User No: 307357
>CBJ MIS Dept.               Network Systems Admin., Mail Admin.
>155 South Seward Street     ph: (907) 586-0242
>Juneau, Alaska 99801        fax: (907 586-4500
>  
>-- 
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website! 


--------------------------------------------------
Dennis Willson

taz@taz-mania.com
http://www.taz-mania.com

Ham (Extra Class): ka6lsw
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, 
Gas Blender

Owner: Kepnet Internet Services

Life should not be a journey to the grave with the intention of 
arriving safely in a nice looking and well preserved body, but rather 
to skid in broadside, thoroughly used up, totally worn out, and loudly 
proclaiming, "WOW! WHAT A RIDE!"
From kopels at english.fsu.edu  Fri Dec  1 23:19:22 2006
From: kopels at english.fsu.edu (Scott Kopel)
Date: Fri Dec  1 23:20:24 2006
Subject: SpamAssassin Cache? nevermind sorry
In-Reply-To: <7.0.0.16.2.20061201174221.039e1950@english.fsu.edu>
References: <7.0.0.16.2.20061201174221.039e1950@english.fsu.edu>
Message-ID: <7.0.0.16.2.20061201181803.039ce398@english.fsu.edu>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061201/869b34e8/attachment.html
From Kevin_Miller at ci.juneau.ak.us  Fri Dec  1 23:42:10 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Dec  1 23:42:16 2006
Subject: Slightly OT:  sfm-sav milter
In-Reply-To: <web-8850066@namesystems.net>
Message-ID: <D1587DCF6294524BAFA2C9944312FCC863B9DA@city-exch-w3e.cbj.local>

Dennis Willson wrote:
> Actually smf-sav is SUPPOSE to do an mx lookup (and the code is in
> there) to do the sender verification.
> 
> I've tested this and it works on mine. Since so many large ISPs (and
> myself) don't send and receive from the same server and the sending
> server doen't actually know the recipients it would break sav if it
> didn't do the mx lookup.
> 
> Normally smf-sav does mx lookups of the mail-from and uses the
> mailertable to do the rcpt-to lookup.

Hmmm.  That's what I'd have thought should happen, but doesn't seem to
be on my setup.  

Since I have the same note in to the smf list we'll see what light
Eugene can shed on it...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500
From ka at pacific.net  Fri Dec  1 23:47:15 2006
From: ka at pacific.net (Ken A)
Date: Fri Dec  1 23:44:46 2006
Subject: sa caching mechanism
In-Reply-To: <457067E0.6080202@pacific.net>
References: <456CC791.9060505@pacific.net>	<223f97700611290103r2ebdc29btf56175f00e1d9f5a@mail.gmail.com>
	<457067E0.6080202@pacific.net>
Message-ID: <4570BF03.3040509@pacific.net>



Ken A wrote:
> 
> 
> Glenn Steen wrote:
>> On 29/11/06, Ken A <ka@pacific.net> wrote:
>>>
>>> Is there any way to tell MailScanner that some SA scores should NOT be
>>> cached? I'd like to be able to have MailScanner cache scores unless
>>> certain (per user) SA rules are hit.
>>>
>>> For example: If a milter puts a header into a message that is based on a
>>> user preference that is later used by SA to subtract or add to that
>>> message's score, I'd like that score to NOT be cached, since it should
>>> only apply to that message.
>>>
>>> I know Julian is quite busy, so I'm going to go beat on the code, but
>>> hoping perhaps someone else has come across this?
>>>
>> Not much help, but the "Cache SpamAssassin Results" setting can eb a
>> ruleset... And it could be a CustomFunction... So if you can (somehow)
>> in that function get hold of the info you need to decide, that would
>> likely be the best way to go.
>>
> 
> Ah! Good idea. As I said the info I need (header added by milter or 
> something else) is in the message headers, so it should be available 
> there somewhere in the Message object.

Worked great. Headers are in @{$message->{headers}}, so all I had to do 
was a regex on each one to find the header I was looking for and return 
0 when it's value matched. This turned off both the read from and write 
to the cache, which is exactly what I needed.
Thanks,
Ken A.
Pacific.Net


> Thanks,
> Ken A.
> Pacific.Net
> 
From alex at nkpanama.com  Fri Dec  1 23:53:26 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Sat Dec  2 00:02:41 2006
Subject: SpamAssassin Cache?
In-Reply-To: <7.0.0.16.2.20061201174221.039e1950@english.fsu.edu>
References: <7.0.0.16.2.20061201174221.039e1950@english.fsu.edu>
Message-ID: <4570C076.1080401@nkpanama.com>

MailScanner -V

should tell you what version it's using.

It's not necessarily a bad idea to install the latest ones from CPAN, I 
think.

Scott Kopel wrote:
> I recently upgraded to 4.56.8 and began getting this message
> 
> MailScanner: WARNING: You are trying to use the SpamAssassin cache
> but your
> DBI and/or DBD::SQLite Perl modules are not properly installed
> 
> 
> it goes away when I disable it in MailScanner.conf, however, I think I'd 
> like to use the feature. Should I want to use this feature?
> 
> I installed the above mentiones modules via the MailScanner install.sh 
> script and then reinstalled them manually, so I think they are installed 
> and working. is there any way to check?
> 
> Any help would be appreciated
> thanks
> 
> 
> 
> 
> Scott Kopel
> English Department - FSU
> 850 644 6177
> -- 
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean.
> 
From alex at nkpanama.com  Fri Dec  1 23:47:50 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Sat Dec  2 00:02:44 2006
Subject: Some mail coming in without attachments
In-Reply-To: <3BF93070B3D1B047BA7ABF612958950DF78CEA@hcex.hartwellcorp.com>
References: <3BF93070B3D1B047BA7ABF612958950DF78CEA@hcex.hartwellcorp.com>
Message-ID: <4570BF26.20205@nkpanama.com>

It means the attachment is probably tnef encoded and the webmail program 
was probably smart enough to deal with it.

I had a problem once with a braindead M-Sexchange admin who insisted on 
RTF'ing all outgoing mail. The latest MailScanner version does replace 
tnef-encoded mail with its own non-tnef-encoded version, so you might 
want to look into that.

Michael St. Laurent wrote:
> I thought the same thing at first but the attachment went through when
> it was sent to a web mail account.
> 
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott
> Silva
> Sent: Friday, December 01, 2006 11:11 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Some mail coming in without attachments
> 
> Michael St. Laurent spake the following on 12/1/2006 9:37 AM:
>> I've got two reports of emails being delivered without the Word
> document
>> attachments they were sent with.  Several attempts to send each of
> them
>> and each time the mail was delivered but there was no attachment.
>>  
>> Redhat Linux 9:
>> MailScanner-4.56.8-1 from the RPM install
>> ClamAV 0.88.6 & SpamAssassin 3.1.7 from the easy installation package
>>  
>> These packages were updated to the latest versions only a few weeks
>> ago.  So far the only other problem reported is a higher instance of
>> virus mails getting through to the secondary virus scanner (which is
>> running on the internal Exchange server).
>>
> Look for the obvious things like tnef encoded files being sent from an
> outlook
> user to an outlook express user. You really need to look at the message
> source
> and see if the attachments really aren't there.
> 
From alex at nkpanama.com  Fri Dec  1 23:48:58 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Sat Dec  2 00:02:45 2006
Subject: Some mail coming in without attachments
In-Reply-To: <ekq6nc$5i6$1@sea.gmane.org>
References: <3BF93070B3D1B047BA7ABF612958950DF78CEA@hcex.hartwellcorp.com>
	<ekq6nc$5i6$1@sea.gmane.org>
Message-ID: <4570BF6A.9030004@nkpanama.com>

You can always take the message source, copy the MIME attachment into a 
MIME decoder program (there are a couple available for Windows) and then 
get the winmail.dat file from that. Afterwards you can get another 
program to decode the winmail.dat program to get at the actual attachments.

Scott Silva wrote:
> Michael St. Laurent spake the following on 12/1/2006 11:23 AM:
>> I thought the same thing at first but the attachment went through when
>> it was sent to a web mail account.
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott
>> Silva
>> Sent: Friday, December 01, 2006 11:11 AM
>> To: mailscanner@lists.mailscanner.info
>> Subject: Re: Some mail coming in without attachments
>>
>> Michael St. Laurent spake the following on 12/1/2006 9:37 AM:
>>> I've got two reports of emails being delivered without the Word
>> document
>>> attachments they were sent with.  Several attempts to send each of
>> them
>>> and each time the mail was delivered but there was no attachment.
>>>  
>>> Redhat Linux 9:
>>> MailScanner-4.56.8-1 from the RPM install
>>> ClamAV 0.88.6 & SpamAssassin 3.1.7 from the easy installation package
>>>  
>>> These packages were updated to the latest versions only a few weeks
>>> ago.  So far the only other problem reported is a higher instance of
>>> virus mails getting through to the secondary virus scanner (which is
>>> running on the internal Exchange server).
>>>
>> Look for the obvious things like tnef encoded files being sent from an
>> outlook
>> user to an outlook express user. You really need to look at the message
>> source
>> and see if the attachments really aren't there.
>>
> But the webmail program might have TNEF decoding built in to it. You really
> need to look at the message source on the machine that has the problem. If the
> receiver is outlook express, it is very common. It doesn't even say there is
> an attachment most of the time.
> 
From mike at tc3net.com  Sat Dec  2 02:20:54 2006
From: mike at tc3net.com (Michael Baird)
Date: Sat Dec  2 02:16:58 2006
Subject: Slightly OT:  sfm-sav milter
In-Reply-To: <web-8850066@namesystems.net>
References: <web-8850066@namesystems.net>
Message-ID: <1165026055.4682.6.camel@localhost>

I have the address verification code only, which gives a step through of
an individual address for smf-sav. You can run it via the command line
and it will echo all the test. If someone wants a URL to it, mail me off
list. It only checks MX records, in my experience.

For Example

./sav burlkevin_miller@ci.juneau.ak.us
SAV v1.3.0 (C) 2005, 2006 by Eugene Kurmanin - http://smfs.sf.net/
ci.juneau.ak.us is handled (pri=10): mxg.ci.juneau.ak.us
ci.juneau.ak.us is handled (pri=15): mx2.ci.juneau.ak.us
ci.juneau.ak.us is handled (pri=20): mxl.ci.juneau.ak.us
Connecting to: mxg.ci.juneau.ak.us.
Could not connect to: mxg.ci.juneau.ak.us., Operation now in progress
Connecting to: mx2.ci.juneau.ak.us.
Connected to: mx2.ci.juneau.ak.us.
<<< 220 mx2.ci.juneau.ak.us ESMTP Sendmail 8.13.4/8.13.4/SuSE Linux 0.7;
Fri, 1
Dec 2006 17:13:40 -0900
>>> HELO yourhost.yourdomain.tld
<<< 250 mx2.ci.juneau.ak.us Hello mx2.tc3net.com [64.112.192.3], pleased
to meet
you
>>> MAIL FROM:<>
<<< 250 2.1.0 <>... Sender ok
>>> RCPT TO:<burlkevin_miller@ci.juneau.ak.us>
<<< 550 5.1.1 <burlkevin_miller@ci.juneau.ak.us>... Sorry, no mailbox
here by th
at name or mailbox is over quota
>>> RSET
<<< 250 2.0.0 Reset state
>>> MAIL FROM:<postmaster@yourdomain.tld>
<<< 553 5.1.8 <postmaster@yourdomain.tld>... Domain of sender address
postmaster
@yourdomain.tld does not exist
>>> RSET
<<< 250 2.0.0 Reset state
>>> QUIT
<<< 221 2.0.0 mx2.ci.juneau.ak.us closing connection
burlkevin_miller@ci.juneau.ak.us: Sender address verification failed.
Completed in 72 sec.


Regards
Michael Baird

> Actually smf-sav is SUPPOSE to do an mx lookup (and the code is in 
> there) to do the sender verification.
> 
> I've tested this and it works on mine. Since so many large ISPs (and 
> myself) don't send and receive from the same server and the sending 
> server doen't actually know the recipients it would break sav if it 
> didn't do the mx lookup.
> 
> Normally smf-sav does mx lookups of the mail-from and uses the 
> mailertable to do the rcpt-to lookup.
> 
> 
> On Fri, 1 Dec 2006 13:23:46 -0900
>   "Kevin Miller" <Kevin_Miller@ci.juneau.ak.us> wrote:
> >I just posted the following to the smf-sav list, but thought I'd give
> >folks here a heads up too, since I know some are using smf-sav 
> >milter...
> >
> >===========
> >The spammers are up to their old tricks apparently.  I noticed this 
> >in
> >my logs today:
> >
> >-------------------------------------------------
> >Nov 30 19:06:23 mx2 smf-sav[22911]: sender check succeeded:
> ><burlkevin_miller@ci.juneau.ak.us>, 124.120.38.30,
> >ppp-124.120.38.30.revip2.asianet.co.th, [00:00:03]
> >Nov 30 19:06:24 mx2 smf-sav[22911]: recipient check failed:
> ><burlkevin_miller@ci.juneau.ak.us>, 124.120.38.30,
> >ppp-124.120.38.30.revip2.asianet.co.th,
> ><burlkevin_miller@ci.juneau.ak.us>, [00:00:00]
> >-------------------------------------------------
> >
> >There are numerous entries where they use some phoney address as the
> >from=, which generally fail.  I guess they figured they'd have a 
> >better
> >chance of getting their spam through if they forged an address from 
> >my
> >domain, but configured their server to verify it.
> >
> >There's nobody here called burlkevin_miller@ci.juneau.ak.us (as
> >evidenced by the recipient check failing) so they must be configuring
> >their server to validate the address during the callback.  I'm not 
> >sure
> >how the callback works; apparently it just queries the server that is
> >attempting to send rather than looking up the valid mx servers in DNS
> >and querying them which might be a better way to do the sender
> >verifications.  I don't know what that would do to overhead or if it
> >would break any rules.
> >
> >If the spammer used both a valid sender and recipient id their spam
> >would get through (although most likely it would then be caught by 
> >other
> >spam filters).  This may be a case of spam being reflected off a 
> >valid
> >domain instead of actually being targeted to me.  Who knows?
> >
> >At any rate, it seems the spammers have figured out a way to spoof
> >sender verification.  It's a sure thing I don't have any email 
> >servers
> >in asia...
> >
> >...Kevin
> >-- 
> >Kevin Miller                Registered Linux User No: 307357
> >CBJ MIS Dept.               Network Systems Admin., Mail Admin.
> >155 South Seward Street     ph: (907) 586-0242
> >Juneau, Alaska 99801        fax: (907 586-4500
> >  
> >-- 
> >MailScanner mailing list
> >mailscanner@lists.mailscanner.info
> >http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> >Before posting, read http://wiki.mailscanner.info/posting
> >
> >Support MailScanner development - buy the book off the website! 
> 
> 
> --------------------------------------------------
> Dennis Willson
> 
> taz@taz-mania.com
> http://www.taz-mania.com
> 
> Ham (Extra Class): ka6lsw
> Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, 
> Gas Blender
> 
> Owner: Kepnet Internet Services
> 
> Life should not be a journey to the grave with the intention of 
> arriving safely in a nice looking and well preserved body, but rather 
> to skid in broadside, thoroughly used up, totally worn out, and loudly 
> proclaiming, "WOW! WHAT A RIDE!"

From jayesha_shinde at yahoo.com  Sat Dec  2 05:00:32 2006
From: jayesha_shinde at yahoo.com (jay shi)
Date: Sat Dec  2 05:00:36 2006
Subject: MS  queue problem
Message-ID: <20061202050032.60070.qmail@web54409.mail.yahoo.com>

Hi all ,
             Yesterday i got problem releated to the "inbound & outbound queue" . I have a buzy sendmail + MS + SAV + spamassassin which handling around  41,000 + mails.I am using sendmail as proxy to qmail. Sendmail server delivering mail through mailertable and relaytable to Qmail.So sendmail server is use for cleaning mails only. My setting in MS is as followes
Max Normal Queue Size = 800
Max Children = 10

             Now one outsider domain's user send a mail to my domain's user at 12:30 PM and my user got this mail at around 8.10 PM . Between this time the mail was in queue ( as log saying)
             But at around 5 PM the same  outsider domain's user send a same mail again to my domain's user. And my user get his mail within 4 minits.
             So my question is why the eralier mail was  stuck so much time in  " queue" ( around 7 hour ) 
             Is Mailscanner resolving domain name of the sender in inbound & outboubd  queue ,  before  delivering the mail to  user ? And how the mails are deliver from queue ( is it on FIFO base ? )

             I want tips on handling the mail queue ( inbound & outbound ) & what can be best setting for me
         wating for ur comments .. 

Thanks & Regards
Jayesh
 
---------------------------------
Check out the all-new Yahoo! Mail beta - Fire up a more powerful email and get things done faster.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061201/26b494fd/attachment.html
From taz at taz-mania.com  Sat Dec  2 05:17:24 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Sat Dec  2 05:17:34 2006
Subject: MS  queue problem
In-Reply-To: <20061202050032.60070.qmail@web54409.mail.yahoo.com>
References: <20061202050032.60070.qmail@web54409.mail.yahoo.com>
Message-ID: <45710C64.6040907@taz-mania.com>

There could be a number of reasons.... One I found on my system 
(sendmail + MS + milter-greylist + SAV + spamassassin + clamav) and I 
process between 130,000 to 160,000 emails a day. I have two causes for 
this and one is milter-greylist. You don't list that so I won't describe 
that. But SAV will return a temp error back to the sender if it gets a 
temp error during verification. So if the sender uses something like 
milter-greylist then when SAV tries to verify the sender the senders 
milter-greylist will return a temp error which will cause SAV to return 
a temp error to the sender. This will cause the send to put the email in 
its queue to be resent later. However, if the sender send another email 
after the greylist timeout it will go right through while the original 
email won't go through until the senders email server processes it out 
of the queue.

Without more information I can't say for sure this is the problem. But 
is something I have seen myself.. Plus I have the additional delay of 
having greylisting myself so I can get a double greylist delay.

Hope this give a clue of what to look for.

jay shi wrote:
> Hi all ,
>              Yesterday i got problem releated to the "inbound & 
> outbound queue" . I have a buzy sendmail + MS + SAV + spamassassin 
> which handling around  41,000 + mails.I am using sendmail as proxy to 
> qmail. Sendmail server delivering mail through mailertable and 
> relaytable to Qmail.So sendmail server is use for cleaning mails only. 
> My setting in MS is as followes
> Max Normal Queue Size = 800
> Max Children = 10
>
>              Now one outsider domain's user send a mail to my domain's 
> user at 12:30 PM and my user got this mail at around 8.10 PM . Between 
> this time the mail was in queue ( as log saying)
>              But at around 5 PM the same  outsider domain's user send 
> a same mail again to my domain's user. And my user get his mail within 
> 4 minits.
>              So my question is why the eralier mail was  stuck so much 
> time in  " queue" ( around 7 hour )
>              Is Mailscanner resolving domain name of the sender in 
> inbound & outboubd  queue ,  before  delivering the mail to  user ? 
> And how the mails are deliver from queue ( is it on FIFO base ? )
>
>              I want tips on handling the mail queue ( inbound & 
> outbound ) & what can be best setting for me
>          wating for ur comments ..
>
> Thanks & Regards
> Jayesh
>
> ------------------------------------------------------------------------
> Check out the all-new Yahoo! Mail beta 
> <http://us.rd.yahoo.com/evt=43257/*http://advision.webevents.yahoo.com/mailbeta> 
> - Fire up a more powerful email and get things done faster. 
From bks at cal.interrasystems.com  Sat Dec  2 05:48:47 2006
From: bks at cal.interrasystems.com (Bibhas Kumar Samanta)
Date: Sat Dec  2 05:49:06 2006
Subject: automated sa-learn - sendmail/rhel/MS/SA
Message-ID: <004501c715d5$89a55680$a9a4c0c0@bkslaptop>

Hi,

I couldn't find the answer .. sorry if this has been discussed already.

I have installed MailScanner 4.56.8/ClamAV .088 and SA 3.1.7.
I have a mail server sendmail (8.13) running on RHEL4 box, users
pickup mail using pop3.

My users ( approx 300 ) use mixed kind of mail clients
Outlook Express/MS-Outlook/Mozilla/Thunderbird on
Win/Solaris/Linux boxes..

Now my question is how do I automatically  train my mailserver MS/SA
for spam and ham. I normally 'deliver' my spam mails to users
with reconstructed subject.

Ideally I will want my users to forward their mails to two
aliases say spam@ and ham@ and sa-learn will
automatically train itself.

My questions :
1. Do I really need to train my SA in that way ?
2. If yes, how do I achieve that using my above preferred methods  ?
3. Users prefer not to get the spam mails delivered to their
   mail boxes.( it reduces their pain of not having 300 junk mails/day to)
   Rather it can be stored in the mail server itself.
   They will check that 'spam' mails from time to time using
   any suggested method ...
   Can you please suggest me any method ..
   

Sorry for the long mail .. but would really appreciate any
help/suggestion/pointers..

Bibhas Kr Samanta
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061202/023c4296/attachment.html
From strydom.dave at gmail.com  Sat Dec  2 07:33:04 2006
From: strydom.dave at gmail.com (Dave Strydom)
Date: Sat Dec  2 07:33:08 2006
Subject: OT: Spamcop BL - good or dangerous?
In-Reply-To: <456F2550.3060004@nkpanama.com>
References: <033f01c713a8$9301ca30$3701a8c0@lapxp>
	<20061129064650.794D.GERARD@seibercom.net>
	<456D78F8.6020302@blacknight.ie> <456F2550.3060004@nkpanama.com>
Message-ID: <fc38b710612012333ob3eaff0n34d854aa914d2f2d@mail.gmail.com>

I find using RBL +  5minute greylisting works wonders, cut down on
like 90% of our spam.
(ie: only greylist RBL listed servers).

Regards
Dave
From damian at workgroupsolutions.com  Sat Dec  2 15:05:33 2006
From: damian at workgroupsolutions.com (Damian Mendoza)
Date: Sat Dec  2 15:05:42 2006
Subject: Alpha of Milter-Spamtrap
In-Reply-To: <456FD0A6.4020005@taz-mania.com>
Message-ID: <0C941442AC84A8449448BA2207DD4F4D1910F0@core01.workgroupsolutions.com>

Hi,

Sounds like a great approach, but how do you prevent aol, hotmail,
geocities, yahoo mail, etc from getting into the backlist as spam sender
as spam appears to come from these domains.


Thanks,

Damian

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dennis
Willson
Sent: Thursday, November 30, 2006 10:50 PM
To: mailscanner@lists.mailscanner.info; spamtools@lists.abuse.net
Subject: OT: Alpha of Milter-Spamtrap

I put an alpha version of milter-spamtrap up on sourceforge.
http://sourceforge.net/projects/milter-spamtrap

I will do more testing this weekend and upload a new version. If anyone 
wants to download it and look it over that would be great.
I am also looking for some input on something. Originally, I had thought

you would have a choice as to only save the IP addresses in a file or 
use the MySQL database or both. However, when I think back to when I did

my dedicated spamtrap I hit about 1 million entries in a relatively 
short time. I think that is way too many for text files. I think I 
should keep the text files only for debug purposes, I think it would be 
un-workable to have it read in a million IP addresses from a text file 
on startup to do the blocking.

Features:
    - external editable text configuration file;
    - whitelists by an IP address (CIDR notation)
    - blocks servers that have previously sent Spam
    - fast in-memory cache of blacklisted servers
    - cache entries time-out after an hour so if they have been removed
from
      the database they will go away. If milter-spamtrap receives 
another Spam
      from the same server, it will find it in the database and place it

in the
      cache for another hour (only works with MySQL database support)
    - optional MySQL database of blacklisted servers
    - optional saving of Spam headers and/or body to show what caused
the
      offending server to be placed on the blacklist
    - optional cron job to convert database entries to a BIND DNSBL zone

file
      so you can share your blacklist with others
    - ability to mark an IP address as 'inactive' but not lose the
listing
      so that a history can be maintained (only available when logging
to a
      MySQL database)
    - ability to have one or more individual email addresses defined as 
honeypots
    - ability to have one or more whole domains defined as honeypots
    - optional extensive debug logging

-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
From jrudd at ucsc.edu  Sat Dec  2 16:06:15 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Sat Dec  2 16:06:57 2006
Subject: Botnet 0.5 plugin
Message-ID: <4571A477.4030807@ucsc.edu>


Changes in 0.5:


1) in case there's a problem with SA reading the MTA's rdns value for 
the relay's hostname, Botnet will do a gethostbyaddr call _once_ per 
message.  This may incur a slight performance hit.  You can mitigate 
this by having a caching DNS server on whatever hosts are doing your 
spam assassin checks.

2) botnet_skip_domains allows you to specify domain name regular 
expressions which will be matched against the rdns value for the relay. 
  In the case of a match, no Botnet rules will hit.

3) hopefully fixed a small problem in the "IP in Hostname" check.  The 
hexidecimal and decimal octets are now checked in separate expressions.

4) added "mx" to the list of botnet_serverwords

5) added all of the rfc (forget which number) private IP blocks to 
botnet_skip_ip.


Unless people find bugs, have a better solution for #1, or think that #4 
causes too many misses, I think this might end up becoming the 1.0 
release in a week or two.  The 1.0 release will probably also include a 
file of suggested modifications to the meta rules, for people who want 
to link them in with DK, etc.  (I'll try to track those down, but it 
might be best to email me off-list with "Botnet Metarule Alternative" in 
the subject, for such suggestions).  And a I'll make a thank you note to 
various people who have contributed suggestions, code, feedback, stats, 
etc. somewhere in Botnet.txt.



http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar

(which is now a symlink to Botnet-0.5.tar ; the 0.4 is in the same 
directory as Botnet-0.4.tar)


Install instructions are in the files INSTALL and Botnet.txt


From ccampbell at brueggers.com  Sat Dec  2 16:09:18 2006
From: ccampbell at brueggers.com (Christian Campbell)
Date: Sat Dec  2 16:09:44 2006
Subject: Lint error in mailscanner.cf
Message-ID: <BBF8D28805D77C4899790ADA8F22FEAF0162AD61@neptune.brueggers.net>

Whlie running a spamassassin lint I receive:
 
[24833] warn: config: failed to parse line, skipping: use_auto_whitelist
0
[24833] warn: config: failed to parse line, skipping: use_dcc 0
 
My mailscanner.cf has those lines uncommented as I want DCC and
auto_whitelist disabled. 
 
Any ideas on how I can rid myself of these?
 
Thanks,
Christian
 
 
 
This is Fedora Core release 6 (Zod)
This is Perl version 5.008008 (5.8.8)
 
This is MailScanner version 4.56.8
Module versions are:
1.00    AnyDBM_File
1.16    Archive::Zip
1.04    Carp
1.119   Convert::BinHex
1.00    DirHandle
1.05    Fcntl
2.74    File::Basename
2.09    File::Copy
2.01    FileHandle
1.08    File::Path
0.16    File::Temp
0.90    Filesys::Df
1.35    HTML::Entities
3.55    HTML::Parser
2.37    HTML::TokeParser
1.22    IO
1.13    IO::File
1.13    IO::Pipe
1.74    Mail::Header
3.05    MIME::Base64
5.420   MIME::Decoder
5.420   MIME::Decoder::UU
5.420   MIME::Head
5.420   MIME::Parser
3.03    MIME::QuotedPrint
5.420   MIME::Tools
0.10    Net::CIDR
1.09    POSIX
1.78    Socket
1.4     Sys::Hostname::Long
0.18    Sys::Syslog
1.86    Time::HiRes
1.02    Time::localtime
 
Optional module versions are:
0.17    Convert::TNEF
1.814   DB_File
1.12    DBD::SQLite
1.52    DBI
1.15    Digest
1.01    Digest::HMAC
2.36    Digest::MD5
2.11    Digest::SHA1
0.44    Inline
0.17    Mail::ClamAV
3.001007        Mail::SpamAssassin
1.999001        Mail::SPF::Query
0.20    Net::CIDR::Lite
1.25    Net::IP
0.59    Net::DNS
missing Net::LDAP
1.94    Parse::RecDescent
missing SAVI
2.56    Test::Harness
0.62    Test::Simple
1.98    Text::Balanced
1.35    URI
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061202/ca839641/attachment.html
From mkettler at evi-inc.com  Sat Dec  2 16:26:58 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Sat Dec  2 16:27:09 2006
Subject: Lint error in mailscanner.cf
In-Reply-To: <BBF8D28805D77C4899790ADA8F22FEAF0162AD61@neptune.brueggers.net>
References: <BBF8D28805D77C4899790ADA8F22FEAF0162AD61@neptune.brueggers.net>
Message-ID: <4571A952.5010700@evi-inc.com>

Christian Campbell wrote:
> Whlie running a spamassassin lint I receive:
>  
> [24833] warn: config: failed to parse line, skipping: use_auto_whitelist 0
> [24833] warn: config: failed to parse line, skipping: use_dcc 0
>  
> My mailscanner.cf has those lines uncommented as I want DCC and
> auto_whitelist disabled. 

If you're getting those messages, it's because you're using SA 3.1.x and you
don't have the AWL or DCC plugins loaded in your *.pre files.

At that point, the feature set is *completely* disabled, to the point that it
doesn't even understand those configuration options.

You can safely remove those options from your file, and as long as you don't
uncomment the plugins in your *.pre files, they won't run.
From MailScanner at ecs.soton.ac.uk  Sat Dec  2 17:17:59 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Dec  2 17:22:58 2006
Subject: MailScanner ANNOUNCE: 4.57 released
Message-ID: <4571B547.1090804@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just released a new stable version 4.57.

The major new features this time are these:

- - New configuration setting
  Max Spam Check Size = 150000
  All spam checks are skipped if the message is bigger than this. Spam
  messages are mostly fairly small, as the spammers cannot justify the
  cost of the bandwidth for huge messages.

- - The "Modify Subject" configuration options now all take "start" and "end"
  settings so that they can be added to the end of the Subject: line.

- - Speeded up the relaunch of MailScanner child processes, so a frequent
  "Restart Every" setting causes much less of a dip in performance.

Download as usual from
       www.mailscanner.info

Please buy the book!
(preferably from the website, not from Amazon, as I don't make any money 
if you buy it through Amazon, so you aren't helping the project :-(
Thank you to you all for your continuing support of the project, it is 
all very much appreciated.

If you want to advertise on the www.mailscanner.info site, do get in 
touch with me.
You can buy space for a logo at the bottom of every web page on the site.


The full Change Log is this:

02/12/2006 New in Version 4.57.6-1
==================================
* New Features and Improvements *
1 Added new configuration setting
  Max Spam Check Size = 150000
  If a message is bigger than this size, then all the spam checks are
  skipped and the messages is not spam.
  This saves a lot of time decoding and matching against huge messages.
  New languages.conf setting needing translation:
    skippedastoobig = not spam (too large)
2 Improved install-Clam-SA.tar.gz so that it contains version numbers of
  contents.
2 Phishing Whitelist is now also used with less strict phishing net.
3 Add of the "Modify Subject" configuration options now also take the values
  "start" and "end", so that you can move any of the Subject: line tags to
  the end of the line in case that is what you need to do.
4 Speeded up the relaunch of MailScanner child processes. So the detrimental
  effects of the delays caused by a MailScanner "restart" will be greatly
  reduced.
4 Released as release candidate for 4.57 on December 1st.
5 Bug in spam handling (spam would be delivered when it should not be) 
fixed.
  Thanks to Mirko Acimas for spotting and reporting this one.
5 Bug in ham handling (same problem was spam handling).
5 spam.lists.conf updated.


Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk



-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.1 (Build 1557)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: ISO-8859-1

wj8DBQFFcbZrEfZZRxQVtlQRAurMAJ0SalPrgk5eLxDr2RRa9twqETmWQgCfRnKI
agl20W/zVQdbZAHKNc7bKLE=
=7A2x
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From taz at taz-mania.com  Sat Dec  2 21:14:31 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Sat Dec  2 21:14:43 2006
Subject: Alpha of Milter-Spamtrap
In-Reply-To: <0C941442AC84A8449448BA2207DD4F4D1910F0@core01.workgroupsolutions.com>
References: <0C941442AC84A8449448BA2207DD4F4D1910F0@core01.workgroupsolutions.com>
Message-ID: <4571ECB7.6080009@taz-mania.com>

It doesn't matter what domain it comes from, The blacklist is made up of 
the IP address of the sending mail server (which cannot be spoofed for a 
full TCP conversion needed to send mail) so the email would have to 
really come from their mail servers. Spoofing the from address is not an 
issue. If a machine sends an email to one of the honeypot addresses then 
the IP address is recorded of the sender. The sender would have to have 
and send to one of the honeypot addresses, so you should not give out 
the honeypot address to real people.
In addition, you can whitelist IP addresses or address ranges in CIDR 
format so even if they send to a honeypot email address they won't be 
blacklisted.

To get the honeypot addresses distributed you can:
Post useless posts to a usenet group using the honeypot email addresses
Put the email address on a webpage in such a way as normal people 
viewing the page can't read it, but a Spam bots can
Find some emails that have a "remove" form and give the honeypot email 
address to be removed (even though it isn't subscribed)
And there are others ways as well



Damian Mendoza wrote:
> Hi,
>
> Sounds like a great approach, but how do you prevent aol, hotmail,
> geocities, yahoo mail, etc from getting into the backlist as spam sender
> as spam appears to come from these domains.
>
>
> Thanks,
>
> Damian
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dennis
> Willson
> Sent: Thursday, November 30, 2006 10:50 PM
> To: mailscanner@lists.mailscanner.info; spamtools@lists.abuse.net
> Subject: OT: Alpha of Milter-Spamtrap
>
> I put an alpha version of milter-spamtrap up on sourceforge.
> http://sourceforge.net/projects/milter-spamtrap
>
> I will do more testing this weekend and upload a new version. If anyone 
> wants to download it and look it over that would be great.
> I am also looking for some input on something. Originally, I had thought
>
> you would have a choice as to only save the IP addresses in a file or 
> use the MySQL database or both. However, when I think back to when I did
>
> my dedicated spamtrap I hit about 1 million entries in a relatively 
> short time. I think that is way too many for text files. I think I 
> should keep the text files only for debug purposes, I think it would be 
> un-workable to have it read in a million IP addresses from a text file 
> on startup to do the blocking.
>
> Features:
>     - external editable text configuration file;
>     - whitelists by an IP address (CIDR notation)
>     - blocks servers that have previously sent Spam
>     - fast in-memory cache of blacklisted servers
>     - cache entries time-out after an hour so if they have been removed
> from
>       the database they will go away. If milter-spamtrap receives 
> another Spam
>       from the same server, it will find it in the database and place it
>
> in the
>       cache for another hour (only works with MySQL database support)
>     - optional MySQL database of blacklisted servers
>     - optional saving of Spam headers and/or body to show what caused
> the
>       offending server to be placed on the blacklist
>     - optional cron job to convert database entries to a BIND DNSBL zone
>
> file
>       so you can share your blacklist with others
>     - ability to mark an IP address as 'inactive' but not lose the
> listing
>       so that a history can be maintained (only available when logging
> to a
>       MySQL database)
>     - ability to have one or more individual email addresses defined as 
> honeypots
>     - ability to have one or more whole domains defined as honeypots
>     - optional extensive debug logging
>
>   
From damian at workgroupsolutions.com  Sat Dec  2 21:52:13 2006
From: damian at workgroupsolutions.com (Damian Mendoza)
Date: Sat Dec  2 21:52:19 2006
Subject: Alpha of Milter-Spamtrap
In-Reply-To: <4571ECB7.6080009@taz-mania.com>
Message-ID: <0C941442AC84A8449448BA2207DD4F4D1910FB@core01.workgroupsolutions.com>

Thanks,

It makes sense now.


Regards,

Damian

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dennis
Willson
Sent: Saturday, December 02, 2006 1:15 PM
To: MailScanner discussion
Subject: Re: Alpha of Milter-Spamtrap

It doesn't matter what domain it comes from, The blacklist is made up of

the IP address of the sending mail server (which cannot be spoofed for a

full TCP conversion needed to send mail) so the email would have to 
really come from their mail servers. Spoofing the from address is not an

issue. If a machine sends an email to one of the honeypot addresses then

the IP address is recorded of the sender. The sender would have to have 
and send to one of the honeypot addresses, so you should not give out 
the honeypot address to real people.
In addition, you can whitelist IP addresses or address ranges in CIDR 
format so even if they send to a honeypot email address they won't be 
blacklisted.

To get the honeypot addresses distributed you can:
Post useless posts to a usenet group using the honeypot email addresses
Put the email address on a webpage in such a way as normal people 
viewing the page can't read it, but a Spam bots can
Find some emails that have a "remove" form and give the honeypot email 
address to be removed (even though it isn't subscribed)
And there are others ways as well



Damian Mendoza wrote:
> Hi,
>
> Sounds like a great approach, but how do you prevent aol, hotmail,
> geocities, yahoo mail, etc from getting into the backlist as spam
sender
> as spam appears to come from these domains.
>
>
> Thanks,
>
> Damian
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
Dennis
> Willson
> Sent: Thursday, November 30, 2006 10:50 PM
> To: mailscanner@lists.mailscanner.info; spamtools@lists.abuse.net
> Subject: OT: Alpha of Milter-Spamtrap
>
> I put an alpha version of milter-spamtrap up on sourceforge.
> http://sourceforge.net/projects/milter-spamtrap
>
> I will do more testing this weekend and upload a new version. If
anyone 
> wants to download it and look it over that would be great.
> I am also looking for some input on something. Originally, I had
thought
>
> you would have a choice as to only save the IP addresses in a file or 
> use the MySQL database or both. However, when I think back to when I
did
>
> my dedicated spamtrap I hit about 1 million entries in a relatively 
> short time. I think that is way too many for text files. I think I 
> should keep the text files only for debug purposes, I think it would
be 
> un-workable to have it read in a million IP addresses from a text file

> on startup to do the blocking.
>
> Features:
>     - external editable text configuration file;
>     - whitelists by an IP address (CIDR notation)
>     - blocks servers that have previously sent Spam
>     - fast in-memory cache of blacklisted servers
>     - cache entries time-out after an hour so if they have been
removed
> from
>       the database they will go away. If milter-spamtrap receives 
> another Spam
>       from the same server, it will find it in the database and place
it
>
> in the
>       cache for another hour (only works with MySQL database support)
>     - optional MySQL database of blacklisted servers
>     - optional saving of Spam headers and/or body to show what caused
> the
>       offending server to be placed on the blacklist
>     - optional cron job to convert database entries to a BIND DNSBL
zone
>
> file
>       so you can share your blacklist with others
>     - ability to mark an IP address as 'inactive' but not lose the
> listing
>       so that a history can be maintained (only available when logging
> to a
>       MySQL database)
>     - ability to have one or more individual email addresses defined
as 
> honeypots
>     - ability to have one or more whole domains defined as honeypots
>     - optional extensive debug logging
>
>   
-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
From nerijus at users.sourceforge.net  Sat Dec  2 23:42:02 2006
From: nerijus at users.sourceforge.net (Nerijus Baliunas)
Date: Sat Dec  2 23:42:14 2006
Subject: MailScanner ANNOUNCE: 4.57 released
In-Reply-To: <4571B547.1090804@ecs.soton.ac.uk>
References: <4571B547.1090804@ecs.soton.ac.uk>
Message-ID: <200612022342.kB2NgCcf026083@bkserver.blacknight.ie>

Hello,

I still get message corruption which I reported a few days ago when
using Postfix with milter-greylist 3.0.
New line and "              0" are added at the end
of every message, and a number (pid?) is added after all the headers,
but before MailScanner added ones.
Without using MailScanner:

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-Disposition: INLINE
Message-Id: <20061130012532.A1DD78018B@mail.xxx.lt>
X-Greylist: Delayed for 00:02:18 by milter-greylist-3.0 (mail.xxx.lt [84.32.63.24]); Thu, 30 Nov 2006 03:25:32 +0200 (EET)


message body


With MailScanner:

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-Disposition: INLINE
Message-Id: <20061130012900.EC8FC803DC@mail.xxx.lt>
           1389
X-xxx-MailScanner-Information: Please contact the ISP for more information
X-xxx-MailScanner: Found to be clean
X-xxx-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
        score=0.685, required 5, BAYES_00 -1.50, INVALID_MSGID 2.19)
X-xxx-MailScanner-From: xxx@xxx.lt
X-Spam-Status: No


message body
              0

Regards,
Nerijus
From michel at mitch-it.nl  Sun Dec  3 00:19:31 2006
From: michel at mitch-it.nl (Michel van der Klei)
Date: Sun Dec  3 00:19:52 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <200612022342.kB2NgCcf026083@bkserver.blacknight.ie>
References: <4571B547.1090804@ecs.soton.ac.uk>
	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie>
Message-ID: <20061203011931.d29a40c0.michel@mitch-it.nl>

On Sun, 3 Dec 2006 01:42:02 +0200 Nerijus Baliunas <nerijus@users.sourceforge.net> wrote:
> Hello,
> 
> I still get message corruption which I reported a few days ago when
> using Postfix with milter-greylist 3.0.

What are the big advantages of milter-greylist? I use postgrey in combination
with mailscanner and i'm very statisfied with the results. AFAIK is postgrey
the tool to use with postfix.
 
-- 

	Michel van der Klei 
	http://www.mitch-it.nl
From mkettler at evi-inc.com  Sun Dec  3 05:10:43 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Sun Dec  3 05:11:11 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <20061203011931.d29a40c0.michel@mitch-it.nl>
References: <4571B547.1090804@ecs.soton.ac.uk>	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie>
	<20061203011931.d29a40c0.michel@mitch-it.nl>
Message-ID: <45725C53.90209@evi-inc.com>

Michel van der Klei wrote:
> On Sun, 3 Dec 2006 01:42:02 +0200 Nerijus Baliunas <nerijus@users.sourceforge.net> wrote:
>> Hello,
>>
>> I still get message corruption which I reported a few days ago when
>> using Postfix with milter-greylist 3.0.
> 
> What are the big advantages of milter-greylist? I use postgrey in combination
> with mailscanner and i'm very statisfied with the results. AFAIK is postgrey
> the tool to use with postfix.
>  

milter-greylist uses a really nice and flexible firewall-like ACL syntax. Using
the ACLs you can have all kinds of criteria to greylist on, and different delays
for each criteria.

Constructs like this are possible (this is vaguely how my config is structured):

whitelist (internal hosts)
whitelist (some friends)
greylist (src in NJABL-DUL) 1 hour
greylist (src in XBL) 4 hours
greylist (some hostname regex) 1hr
greylist (some ip range) 2hr
blacklist (anything from: *@evi-inc.com)
	(legitimate evi senders whitelisted above)
whitelist (everything else)

This allows me to use greylisting, but only on hosts that "look bad" for some
reason.

Others use the time variations to greylist "bad" hosts for a long period of
time, and greylist everyone else for a shorter period of time.

It's all in what you need from it.

From ka at pacific.net  Sun Dec  3 05:16:27 2006
From: ka at pacific.net (Ken A)
Date: Sun Dec  3 05:16:33 2006
Subject: Alpha of Milter-Spamtrap
In-Reply-To: <4571ECB7.6080009@taz-mania.com>
References: <0C941442AC84A8449448BA2207DD4F4D1910F0@core01.workgroupsolutions.com>
	<4571ECB7.6080009@taz-mania.com>
Message-ID: <45725DAB.3050408@pacific.net>

Dennis Willson wrote:
> It doesn't matter what domain it comes from, The blacklist is made up of 
> the IP address of the sending mail server (which cannot be spoofed for a 
> full TCP conversion needed to send mail) so the email would have to 
> really come from their mail servers. Spoofing the from address is not an 
> issue. If a machine sends an email to one of the honeypot addresses then 
> the IP address is recorded of the sender. The sender would have to have 
> and send to one of the honeypot addresses, so you should not give out 
> the honeypot address to real people.
> In addition, you can whitelist IP addresses or address ranges in CIDR 
> format so even if they send to a honeypot email address they won't be 
> blacklisted.
> 
> To get the honeypot addresses distributed you can:
> Post useless posts to a usenet group using the honeypot email addresses
> Put the email address on a webpage in such a way as normal people 
> viewing the page can't read it, but a Spam bots can
> Find some emails that have a "remove" form and give the honeypot email 
> address to be removed (even though it isn't subscribed)
> And there are others ways as well
> 
> 
> 
> Damian Mendoza wrote:
>> Hi,
>>
>> Sounds like a great approach, but how do you prevent aol, hotmail,
>> geocities, yahoo mail, etc from getting into the backlist as spam sender
>> as spam appears to come from these domains.
>>
>>
>> Thanks,
>>
>> Damian
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dennis
>> Willson
>> Sent: Thursday, November 30, 2006 10:50 PM
>> To: mailscanner@lists.mailscanner.info; spamtools@lists.abuse.net
>> Subject: OT: Alpha of Milter-Spamtrap
>>
>> I put an alpha version of milter-spamtrap up on sourceforge.
>> http://sourceforge.net/projects/milter-spamtrap
>>
>> I will do more testing this weekend and upload a new version. If 
>> anyone wants to download it and look it over that would be great.
>> I am also looking for some input on something. Originally, I had thought
>>
>> you would have a choice as to only save the IP addresses in a file or 
>> use the MySQL database or both. However, when I think back to when I did
>>
>> my dedicated spamtrap I hit about 1 million entries in a relatively 
>> short time. I think that is way too many for text files. I think I 
>> should keep the text files only for debug purposes, I think it would 
>> be un-workable to have it read in a million IP addresses from a text 
>> file on startup to do the blocking.
>>
>> Features:
>>     - external editable text configuration file;
>>     - whitelists by an IP address (CIDR notation)
>>     - blocks servers that have previously sent Spam

Is there an option to tag instead of refuse mail? In keeping with 
MailScanner and SA's architecture, it might be more O.T. if it did :-)
Ken A
Pacific.Net


>>     - fast in-memory cache of blacklisted servers
>>     - cache entries time-out after an hour so if they have been removed
>> from
>>       the database they will go away. If milter-spamtrap receives 
>> another Spam
>>       from the same server, it will find it in the database and place it
>>
>> in the
>>       cache for another hour (only works with MySQL database support)
>>     - optional MySQL database of blacklisted servers
>>     - optional saving of Spam headers and/or body to show what caused
>> the
>>       offending server to be placed on the blacklist
>>     - optional cron job to convert database entries to a BIND DNSBL zone
>>
>> file
>>       so you can share your blacklist with others
>>     - ability to mark an IP address as 'inactive' but not lose the
>> listing
>>       so that a history can be maintained (only available when logging
>> to a
>>       MySQL database)
>>     - ability to have one or more individual email addresses defined 
>> as honeypots
>>     - ability to have one or more whole domains defined as honeypots
>>     - optional extensive debug logging
>>
>>   

From taz at taz-mania.com  Sun Dec  3 07:50:23 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Sun Dec  3 07:50:35 2006
Subject: Alpha of Milter-Spamtrap
In-Reply-To: <45725DAB.3050408@pacific.net>
References: <0C941442AC84A8449448BA2207DD4F4D1910F0@core01.workgroupsolutions.com>	<4571ECB7.6080009@taz-mania.com>
	<45725DAB.3050408@pacific.net>
Message-ID: <457281BF.3050900@taz-mania.com>

Probably should take this discussion off the MailScanner mailing list... 
This project is on sourceforge and has its own mailing list.
The project can be found at www.sourceforge.net/projects/milter-spamtrap 
if you want to join the mailing list. I don't want to over-extend 
Julian's tolerance for some off-topic discussions.

As far as marking.... You could turn off the rejection in the milter 
itself and only have it collect the IP addresses and have it build the 
DNSBL zone file for BIND then use that DNSBL in MailScanner and have it 
mark the Spam from sources detected by the SpamTrap.

I could also make an addition, I could write a MailScanner custom 
function that directly accesses the Milter-Spamtrap database directly to 
have immediate use of the blacklisted IP addresses found by 
Milter-Spamtrap. I'll add that to my to-do list. I am also considering 
making an add-on to Mailwatch that will allow maintenance of the 
Milter-Spamtrap configuration and IP database. 

Ken A wrote:
> Dennis Willson wrote:
>> It doesn't matter what domain it comes from, The blacklist is made up 
>> of the IP address of the sending mail server (which cannot be spoofed 
>> for a full TCP conversion needed to send mail) so the email would 
>> have to really come from their mail servers. Spoofing the from 
>> address is not an issue. If a machine sends an email to one of the 
>> honeypot addresses then the IP address is recorded of the sender. The 
>> sender would have to have and send to one of the honeypot addresses, 
>> so you should not give out the honeypot address to real people.
>> In addition, you can whitelist IP addresses or address ranges in CIDR 
>> format so even if they send to a honeypot email address they won't be 
>> blacklisted.
>>
>> To get the honeypot addresses distributed you can:
>> Post useless posts to a usenet group using the honeypot email addresses
>> Put the email address on a webpage in such a way as normal people 
>> viewing the page can't read it, but a Spam bots can
>> Find some emails that have a "remove" form and give the honeypot 
>> email address to be removed (even though it isn't subscribed)
>> And there are others ways as well
>>
>>
>>
>> Damian Mendoza wrote:
>>> Hi,
>>>
>>> Sounds like a great approach, but how do you prevent aol, hotmail,
>>> geocities, yahoo mail, etc from getting into the backlist as spam 
>>> sender
>>> as spam appears to come from these domains.
>>>
>>>
>>> Thanks,
>>>
>>> Damian
>>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info
>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dennis
>>> Willson
>>> Sent: Thursday, November 30, 2006 10:50 PM
>>> To: mailscanner@lists.mailscanner.info; spamtools@lists.abuse.net
>>> Subject: OT: Alpha of Milter-Spamtrap
>>>
>>> I put an alpha version of milter-spamtrap up on sourceforge.
>>> http://sourceforge.net/projects/milter-spamtrap
>>>
>>> I will do more testing this weekend and upload a new version. If 
>>> anyone wants to download it and look it over that would be great.
>>> I am also looking for some input on something. Originally, I had 
>>> thought
>>>
>>> you would have a choice as to only save the IP addresses in a file 
>>> or use the MySQL database or both. However, when I think back to 
>>> when I did
>>>
>>> my dedicated spamtrap I hit about 1 million entries in a relatively 
>>> short time. I think that is way too many for text files. I think I 
>>> should keep the text files only for debug purposes, I think it would 
>>> be un-workable to have it read in a million IP addresses from a text 
>>> file on startup to do the blocking.
>>>
>>> Features:
>>>     - external editable text configuration file;
>>>     - whitelists by an IP address (CIDR notation)
>>>     - blocks servers that have previously sent Spam
>
> Is there an option to tag instead of refuse mail? In keeping with 
> MailScanner and SA's architecture, it might be more O.T. if it did :-)
> Ken A
> Pacific.Net
>
>
>>>     - fast in-memory cache of blacklisted servers
>>>     - cache entries time-out after an hour so if they have been removed
>>> from
>>>       the database they will go away. If milter-spamtrap receives 
>>> another Spam
>>>       from the same server, it will find it in the database and 
>>> place it
>>>
>>> in the
>>>       cache for another hour (only works with MySQL database support)
>>>     - optional MySQL database of blacklisted servers
>>>     - optional saving of Spam headers and/or body to show what caused
>>> the
>>>       offending server to be placed on the blacklist
>>>     - optional cron job to convert database entries to a BIND DNSBL 
>>> zone
>>>
>>> file
>>>       so you can share your blacklist with others
>>>     - ability to mark an IP address as 'inactive' but not lose the
>>> listing
>>>       so that a history can be maintained (only available when logging
>>> to a
>>>       MySQL database)
>>>     - ability to have one or more individual email addresses defined 
>>> as honeypots
>>>     - ability to have one or more whole domains defined as honeypots
>>>     - optional extensive debug logging
>>>
>>>   
>
From michele at blacknight.ie  Sun Dec  3 08:39:39 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Sun Dec  3 08:39:42 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <20061203011931.d29a40c0.michel@mitch-it.nl>
References: <4571B547.1090804@ecs.soton.ac.uk>	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie>
	<20061203011931.d29a40c0.michel@mitch-it.nl>
Message-ID: <45728D4B.3040200@blacknight.ie>

Michel van der Klei wrote:
> On Sun, 3 Dec 2006 01:42:02 +0200 Nerijus Baliunas <nerijus@users.sourceforge.net> wrote:
>> Hello,
>>
>> I still get message corruption which I reported a few days ago when
>> using Postfix with milter-greylist 3.0.
> 
> What are the big advantages of milter-greylist? I use postgrey in combination
> with mailscanner and i'm very statisfied with the results. AFAIK is postgrey
> the tool to use with postfix.
>  
the milters are for sendmail afaik, while postfix has postgrey...

Is there any difference? Doubtful ...



-- 
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Fax. +353 (0) 59  9164239
From davi at jvsinfo.com.br  Sun Dec  3 14:03:01 2006
From: davi at jvsinfo.com.br (davi@jvsinfo.com.br)
Date: Sun Dec  3 13:18:32 2006
Subject: Passing Arguments in CustomFunctions
In-Reply-To: <200612031201.kB3C154j027608@bkserver.blacknight.ie>
Message-ID: <OF993ED274.0805374C-ON83257239.0046B108-83257239.0047B0BD@jvsinfo.com.br>

Dear list,

I am thinking about extending the capacities of the MailScanner in 
filtering e-mails and would like to use one CustomFunction instead of one 
ruleset. All called CustomFunction receives as argument $message, i whant 
to pass text parameter with this call like this:

Allow IFrame Tags = &RuleByUser('iframe')

Virus Scanners =  &RuleByUser('virusscanner')

Filename Rules = &RuleByUser('filename')

With this, a get one Function to process all requests, else i need 
FrameByUser, ScanByUser, FileNameByUser, allot functions, allot modules. 
Maybe this function return something from ldap server, sql server etc 
etc.....

any idea ??

Best regards,

Davi Baldin
JVS do Brasil - IBM BP Premier
davi@jvsinfo.com.br
(19) 3254-1266
(19) 9266-6793 ** NOVO **
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061203/77b8d4fa/attachment.html
From nerijus at users.sourceforge.net  Sun Dec  3 13:11:35 2006
From: nerijus at users.sourceforge.net (Nerijus Baliunas)
Date: Sun Dec  3 13:20:08 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <45728D4B.3040200@blacknight.ie>
References: <4571B547.1090804@ecs.soton.ac.uk>	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie><20061203011931.d29a40c0.michel@mitch-it.nl>
	<45728D4B.3040200@blacknight.ie>
Message-ID: <20061203132253.AE5B2FF10@mx-a.vdnet.lt>

On Sun, 03 Dec 2006 08:39:39 +0000 "Michele Neylon :: Blacknight" <michele@blacknight.ie> wrote:

> the milters are for sendmail afaik, while postfix has postgrey...

>From http://www.postfix.org/MILTER_README.html :

Postfix version 2.3 introduces support for the Sendmail version 8 Milter (mail filter) protocol. This protocol is used by applications that run outside the MTA to inspect SMTP events (CONNECT, DISCONNECT), SMTP commands (HELO, MAIL FROM, etc.) as well as mail content. All this happens before mail is queued.

The reason for adding Milter support to Postfix is that there exists a large collection of applications, not only to block unwanted mail, but also to verify authenticity (examples: SenderID+SPF and Domain keys) or to digitally sign mail (example: Domain keys). Having yet another Postfix-specific version of all that software is a poor use of human and system resources. 


So let's please stop arguing. Milter support for postfix is here and it will be used
more and more in the future.

Regards,
Nerijus
From r.berber at computer.org  Sun Dec  3 21:21:21 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Sun Dec  3 21:22:20 2006
Subject: Auth question (WAS: Botnet 0.5 plugin)
In-Reply-To: <4571A477.4030807__26444.2999767654$1165075916$gmane$org@ucsc.edu>
References: <4571A477.4030807__26444.2999767654$1165075916$gmane$org@ucsc.edu>
Message-ID: <ekvf4g$vco$1@sea.gmane.org>

John Rudd wrote:
[snip]
> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
> 
> (which is now a symlink to Botnet-0.5.tar ; the 0.4 is in the same
> directory as Botnet-0.4.tar)
[snip]

I've been using "botnet_pass_auth 1", and didn't quite understand what you meant
in a previous message about pseudo-header in '...fields in ... pseudo-header ...
is "auth="'; what I'm seeing (and try do avoid) is something like this:

> Received: via tmail-2002(14) ...
> Return-path: ...
> Envelope-to: ...
> Delivery-date: Sun, 03 Dec 2006 13:01:32 -0600
> Received: from mail.legosoft.com.mx ([200.52.129.137])
> 	by cactus-soft.dyndns.org with esmtps (TLSv1:AES256-SHA:256)
> 	(Exim 4.63)
> 	(envelope-from <...>)
> 	id J9POUJ-0001MC-JY
> 	for rberber@...; Sun, 03 Dec 2006 13:01:32 -0600
> Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx [189.149.70.163] (may be forged))
> 	(authenticated bits=0)
1 -------^^^^^^^^^^^^^^^^^^^^
> 	by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032
> 	for <rberber@...>; Sun, 3 Dec 2006 10:02:16 -0600 (CST)
> Message-Id: <200612031602.kB3G26P6019032@mail.legosoft.com.mx>
> From: "..." <...>
> To: "=?iso-8859-1?Q?'Ren=E9_Berber'?=" <rberber@...>
> Subject: ...
> Date: Sun, 3 Dec 2006 10:02:06 -0600
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary="----=_NextPart_000_0003_01C716C2.1F3A00F0"
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
> Thread-Index: AccW9GD5UG5vVXnpT66NFT8U+/qKaQ==
> X-LegoSoft-MailScanner: Found to be clean
> X-LegoSoft-MailScanner-SpamCheck: no es spam (whitelisted),
> 	SpamAssassin (no almacenado, puntaje=5.456, requerido 5,
> 	autolearn=disabled, BOTNET, BOTNET_BADDNS, BOTNET_CLIENT,
> 	BOTNET_CLIENTWORDS, BOTNET_IPINHOSTNAME, HTML_MESSAGE,
2 ------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 	MSGID_FROM_MTA_ID, RCVD_IN_SORBS_DUL)
> X-LegoSoft-MailScanner-From: ...
> X-Spam-Status: No

The user was (1) authenticated, and (2) Botnet didn't know about it so it scored
the message (which is whitelisted in MS).

Does anybody know how to make SA (and Botnet) aware of the authentication?

I already added to SA's configuration:

> header LOCAL_AUTH_RCVD        Received =~ /\(authenticated bits=\d\)\n\s+by mail
> \.legosoft\.com\.mx /

but it may be syntactically incorrect, I'm not sure how to treat the newline so
I used "\s+", I could try "$\s+" instead.
-- 
Ren? Berber

P.S.  I don't see why the new Botnet.cf has "botnet_pass_domains  amazon\.com",
they don't use IP in Hostname (I checked logs and several messages from them,
they have a number, but it's unrelated to the IP).

From jrudd at ucsc.edu  Mon Dec  4 00:53:21 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Mon Dec  4 00:53:48 2006
Subject: Auth question (WAS: Botnet 0.5 plugin)
In-Reply-To: <ekvf4g$vco$1@sea.gmane.org>
References: <4571A477.4030807__26444.2999767654$1165075916$gmane$org@ucsc.edu>
	<ekvf4g$vco$1@sea.gmane.org>
Message-ID: <45737181.6060005@ucsc.edu>

Ren? Berber wrote:
> John Rudd wrote:
> [snip]
>> http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>>
>> (which is now a symlink to Botnet-0.5.tar ; the 0.4 is in the same
>> directory as Botnet-0.4.tar)
> [snip]
> 
> I've been using "botnet_pass_auth 1", and didn't quite understand what you meant
> in a previous message about pseudo-header in '...fields in ... pseudo-header ...
> is "auth="'; what I'm seeing (and try do avoid) is something like this:
> 
>> Received: via tmail-2002(14) ...
>> Return-path: ...
>> Envelope-to: ...
>> Delivery-date: Sun, 03 Dec 2006 13:01:32 -0600
>> Received: from mail.legosoft.com.mx ([200.52.129.137])
>> 	by cactus-soft.dyndns.org with esmtps (TLSv1:AES256-SHA:256)
>> 	(Exim 4.63)
>> 	(envelope-from <...>)
>> 	id J9POUJ-0001MC-JY
>> 	for rberber@...; Sun, 03 Dec 2006 13:01:32 -0600
>> Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx [189.149.70.163] (may be forged))
>> 	(authenticated bits=0)
> 1 -------^^^^^^^^^^^^^^^^^^^^
>> 	by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032
>> 	for <rberber@...>; Sun, 3 Dec 2006 10:02:16 -0600 (CST)
>> Message-Id: <200612031602.kB3G26P6019032@mail.legosoft.com.mx>
>> From: "..." <...>
>> To: "=?iso-8859-1?Q?'Ren=E9_Berber'?=" <rberber@...>
>> Subject: ...
>> Date: Sun, 3 Dec 2006 10:02:06 -0600
>> MIME-Version: 1.0
>> Content-Type: multipart/alternative;
>> 	boundary="----=_NextPart_000_0003_01C716C2.1F3A00F0"
>> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
>> Thread-Index: AccW9GD5UG5vVXnpT66NFT8U+/qKaQ==
>> X-LegoSoft-MailScanner: Found to be clean
>> X-LegoSoft-MailScanner-SpamCheck: no es spam (whitelisted),
>> 	SpamAssassin (no almacenado, puntaje=5.456, requerido 5,
>> 	autolearn=disabled, BOTNET, BOTNET_BADDNS, BOTNET_CLIENT,
>> 	BOTNET_CLIENTWORDS, BOTNET_IPINHOSTNAME, HTML_MESSAGE,
> 2 ------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> 	MSGID_FROM_MTA_ID, RCVD_IN_SORBS_DUL)
>> X-LegoSoft-MailScanner-From: ...
>> X-Spam-Status: No
> 
> The user was (1) authenticated, and (2) Botnet didn't know about it so it scored
> the message (which is whitelisted in MS).
> 
> Does anybody know how to make SA (and Botnet) aware of the authentication?


As far as I understand it, if SA is aware of it, it sets the "auth=" 
field in the Untrusted-Relays and/or Trusted-Relays pseudo-headers to 
something other than empty.

(the pseudo-headers are header-like fields that SA creates, and that you 
can check rules against, but that doesn't exist in the actual message; 
Trusted-Relays is a pseudo-header that contains information about all of 
the Received headers that match hosts in your trusted-networks and 
Untrusted-Relays is a pseudo-header that contains information about all 
of the other Received headers.)

How you get SA to recognize where and when Authentication happened isn't 
something I know.  But once SA does know, it should put that information 
into the auth= field.


> I already added to SA's configuration:
> 
>> header LOCAL_AUTH_RCVD        Received =~ /\(authenticated bits=\d\)\n\s+by mail
>> \.legosoft\.com\.mx /
>

I don't know if that actually makes SA populate the auth= field or not.

Might be good to ask all of this over on the SA list.

From r.berber at computer.org  Mon Dec  4 02:50:27 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Mon Dec  4 02:50:53 2006
Subject: Auth question (WAS: Botnet 0.5 plugin)
In-Reply-To: <45737181.6060005@ucsc.edu>
References: <4571A477.4030807__26444.2999767654$1165075916$gmane$org@ucsc.edu>	<ekvf4g$vco$1@sea.gmane.org>
	<45737181.6060005@ucsc.edu>
Message-ID: <el02dj$cuk$1@sea.gmane.org>

John Rudd wrote:
> Ren? Berber wrote:
[snip]
>> Does anybody know how to make SA (and Botnet) aware of the
>> authentication?
> 
> 
> As far as I understand it, if SA is aware of it, it sets the "auth="
> field in the Untrusted-Relays and/or Trusted-Relays pseudo-headers to
> something other than empty.
> 
> (the pseudo-headers are header-like fields that SA creates, and that you
> can check rules against, but that doesn't exist in the actual message;
> Trusted-Relays is a pseudo-header that contains information about all of
> the Received headers that match hosts in your trusted-networks and
> Untrusted-Relays is a pseudo-header that contains information about all
> of the other Received headers.)
> 
> How you get SA to recognize where and when Authentication happened isn't
> something I know.  But once SA does know, it should put that information
> into the auth= field.

OK, thanks for the explanation.

Using debug I can see what you are saying, SA did not put anything in the auth=
field :

dbg: metadata: X-Spam-Relays-Untrusted: [ ip=200.52.129.137
rdns=mail.legosoft.com.mx helo= by=cactus-soft.dyndns.org ident=
envfrom=...@legosoft.com.mx intl=0 id=J9POUJ-0001MC-JY auth= ] [
ip=189.149.70.163 rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA
by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth= ]


>> I already added to SA's configuration:
>>
>>> header LOCAL_AUTH_RCVD        Received =~ /\(authenticated
>>> bits=\d\)\n\s+by mail
>>> \.legosoft\.com\.mx /
>>
> 
> I don't know if that actually makes SA populate the auth= field or not.
> 
> Might be good to ask all of this over on the SA list.

Yes, good idea (I see a similar message today, "skipping SPF checks for
authenticated users", same complaint LOCAL_AUTH_RCVD doesn't do anything useful).

I did some tests of the above, and LOCAL_AUTH_RCVD is adding 1.0 point to the
score.  It's probably a default score and the documentation I used is either
incomplete or wrong (Ref: http://wiki.apache.org/spamassassin/DynablockIssues).
-- 
Ren? Berber

From pete at enitech.com.au  Mon Dec  4 02:53:16 2006
From: pete at enitech.com.au (Peter Russell)
Date: Mon Dec  4 02:53:29 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <20061203132253.AE5B2FF10@mx-a.vdnet.lt>
References: <4571B547.1090804@ecs.soton.ac.uk>	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie><20061203011931.d29a40c0.michel@mitch-it.nl>	<45728D4B.3040200@blacknight.ie>
	<20061203132253.AE5B2FF10@mx-a.vdnet.lt>
Message-ID: <45738D9C.7000309@enitech.com.au>


Nerijus Baliunas wrote:
> On Sun, 03 Dec 2006 08:39:39 +0000 "Michele Neylon :: Blacknight" <michele@blacknight.ie> wrote:
> 
>> the milters are for sendmail afaik, while postfix has postgrey...
> 
>>From http://www.postfix.org/MILTER_README.html :
> 
> Postfix version 2.3 introduces support for the Sendmail version 8 Milter (mail filter) protocol. This protocol is used by applications that run outside the MTA to inspect SMTP events (CONNECT, DISCONNECT), SMTP commands (HELO, MAIL FROM, etc.) as well as mail content. All this happens before mail is queued.
> 
> The reason for adding Milter support to Postfix is that there exists a large collection of applications, not only to block unwanted mail, but also to verify authenticity (examples: SenderID+SPF and Domain keys) or to digitally sign mail (example: Domain keys). Having yet another Postfix-specific version of all that software is a poor use of human and system resources. 
> 
> 
> So let's please stop arguing. Milter support for postfix is here and it will be used
> more and more in the future.
> 
> Regards,
> Nerijus

Ok Hands up who wants to build 
Postfix-Milter-Individual-Files-for-Multi-Recipient-Emails.

From dhawal at netmagicsolutions.com  Mon Dec  4 10:09:00 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Mon Dec  4 10:09:22 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <20061203132253.AE5B2FF10@mx-a.vdnet.lt>
References: <4571B547.1090804@ecs.soton.ac.uk>	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie><20061203011931.d29a40c0.michel@mitch-it.nl>	<45728D4B.3040200@blacknight.ie>
	<20061203132253.AE5B2FF10@mx-a.vdnet.lt>
Message-ID: <4573F3BC.1030907@netmagicsolutions.com>

Nerijus Baliunas wrote:
> On Sun, 03 Dec 2006 08:39:39 +0000 "Michele Neylon :: Blacknight" <michele@blacknight.ie> wrote:
> 
>> the milters are for sendmail afaik, while postfix has postgrey...
> 
>>From http://www.postfix.org/MILTER_README.html :
> 
> Postfix version 2.3 introduces support for the Sendmail version 8 Milter (mail filter) protocol. This protocol is used by applications that run outside the MTA to inspect SMTP events (CONNECT, DISCONNECT), SMTP commands (HELO, MAIL FROM, etc.) as well as mail content. All this happens before mail is queued.
> 
> The reason for adding Milter support to Postfix is that there exists a large collection of applications, not only to block unwanted mail, but also to verify authenticity (examples: SenderID+SPF and Domain keys) or to digitally sign mail (example: Domain keys). Having yet another Postfix-specific version of all that software is a poor use of human and system resources. 
> 
> 
> So let's please stop arguing. Milter support for postfix is here and it will be used
> more and more in the future.
> 
> Regards,
> Nerijus

Just a suggestion.. have you seen apolicy 
(http://home.gna.org/apolicy/)? it's quite new so give it time to mature 
as a product. also see future plans for apolicy here 
https://gna.org/task/?group=apolicy

- dhawal
From stef at aoc-uk.com  Mon Dec  4 12:09:54 2006
From: stef at aoc-uk.com (Stef Morrell)
Date: Mon Dec  4 12:09:58 2006
Subject: Rules Mistake???
Message-ID: <120103F0F5EC264097BC0A06EC9D026A0111BF47@pardessus.aoc-uk.com>

I have a client who receives encrypted zip files from her accountant.
These end up marked as virus due to the inability of the scanning
engines to unpack them. I'm trying to disable virus scanning for this
(only) sender when sending to this specific user.

In MailScanner.conf I have:

Virus Scanning = %rules-dir%/antivirus.rules

and in my anti-virus.rules

To:	lotsofclients@clients.com 	yes
...
To:	thisclient@heraddress.com	and From:
accountant@heraccountant.co.uk   no
To:	thisclient@heraddress.com 	yes
...
FromOrTo: 	default		no

However this doesn't seem to stop the scanning. 

Where have I gone wrong?

Cheers

Stef
Stefan Morrell          | Operations Director
Tel: 0845 3452820       | Alpha Omega Computers Ltd
Fax: 0845 3452830       | Incorporating Level 5 Internet
stef@aoc-uk.com         | stef@l5net.net

Alpha Omega Computers LTD computer network solution providers putting
the technology in place that makes your information work for you. Visit
our website for more information about how Alpha Omega can enhance your
business. IMPORTANT: This E-Mail is confidential and may also be
privileged. If you are not the intended recipient, please notify us
immediately by telephoning +44 (0) 845 345 2820. Internet communications
are not necessarily secure and may be intercepted or changed after they
are sent. Alpha Omega Computers LTD does not accept liability for any
such changes. If you wish to confirm the origin or content of this
communication, please contact the sender using an alternative means of
communication. In messages of a non-business nature, the views and
opinions of the author are their own and do not necessarily reflect the
views and opinions of the organisation.
From gordon at itnt.co.za  Mon Dec  4 12:17:16 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Mon Dec  4 12:17:52 2006
Subject: mail size delivery delay
References: <022601c71546$0733fc90$0b02a8c0@Gordon>
Message-ID: <02f601c7179e$26e916b0$0a02a8c0@Gordon>

Is there a way to force delayed deliveries on mail that is larger than a 
certain size?

i.e., if mail is bigger than 50mb's hold in queue until after 6pm and then 
release.

Thanks

Gordon Colyn
InTheNet Technologies
www.itnt.co.za
MSN: gordoncolyn@hotmail.com
SKYPE: gordoncolyn
086 123 ITNT (4868)
086 682 5204 (Fax)
+27 (0)83 296 7534
Confidentiality: This e-mail including any attachments is intended for the
above named addressee(s) only and contains confidential information. If you
have received this email in error you must take no action based on its
contents, nor must you reproduce or show the e-mail or any attachments or
any part thereof or communicate the contents to anyone; please reply to the
sender of this e-mail informing them of the error.
Viruses: We recommend that in keeping with good computing practice the
recipient should ensure that e-mails received are virus free before opening.

-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From edwardbruce at sbcglobal.net  Mon Dec  4 12:57:07 2006
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Mon Dec  4 12:57:11 2006
Subject: MailScanner ANNOUNCE: 4.57 released
In-Reply-To: <4571B547.1090804@ecs.soton.ac.uk>
References: <4571B547.1090804@ecs.soton.ac.uk>
Message-ID: <45741B23.8010508@sbcglobal.net>

Julian Field wrote:
> I have just released a new stable version 4.57.
> <snip>
>
> The full Change Log is this:
>
> 02/12/2006 New in Version 4.57.6-1
> ==================================
> * New Features and Improvements *
> 1 Added new configuration setting
>   Max Spam Check Size = 150000
>   If a message is bigger than this size, then all the spam checks are
>   skipped and the messages is not spam.
>   This saves a lot of time decoding and matching against huge messages.
>   New languages.conf setting needing translation:
>     skippedastoobig = not spam (too large)
> 2 Improved install-Clam-SA.tar.gz so that it contains version numbers of
>   contents.
> 2 Phishing Whitelist is now also used with less strict phishing net.
> 3 Add of the "Modify Subject" configuration options now also take the
> values
>   "start" and "end", so that you can move any of the Subject: line tags to
>   the end of the line in case that is what you need to do.
> 4 Speeded up the relaunch of MailScanner child processes. So the
> detrimental
>   effects of the delays caused by a MailScanner "restart" will be greatly
>   reduced.
> 4 Released as release candidate for 4.57 on December 1st.
> 5 Bug in spam handling (spam would be delivered when it should not be)
> fixed.
>   Thanks to Mirko Acimas for spotting and reporting this one.
> 5 Bug in ham handling (same problem was spam handling).
> 5 spam.lists.conf updated.
I don't see any reference to the problem that at least two of us
experienced with logging to quarantine not working with the beta
release. Has this issue been resovled???
From res at ausics.net  Mon Dec  4 12:59:38 2006
From: res at ausics.net (Res)
Date: Mon Dec  4 12:59:58 2006
Subject: MailScanner ANNOUNCE: 4.57 released
In-Reply-To: <45741B23.8010508@sbcglobal.net>
References: <4571B547.1090804@ecs.soton.ac.uk> <45741B23.8010508@sbcglobal.net>
Message-ID: <Pine.LNX.4.64.0612042259040.19058@ebfjryy.nhfvpf.arg>

On Mon, 4 Dec 2006, Ed Bruce wrote:

> I don't see any reference to the problem that at least two of us
> experienced with logging to quarantine not working with the beta
> release. Has this issue been resovled???

Yes


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From martinh at solidstatelogic.com  Mon Dec  4 13:00:41 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Mon Dec  4 13:00:48 2006
Subject: MailScanner ANNOUNCE: 4.57 released
In-Reply-To: <45741B23.8010508@sbcglobal.net>
References: <4571B547.1090804@ecs.soton.ac.uk> <45741B23.8010508@sbcglobal.net>
Message-ID: <45741BF9.4060408@solidstatelogic.com>

Ed Bruce wrote:
> Julian Field wrote:
>> I have just released a new stable version 4.57.
>> <snip>
>>
>> The full Change Log is this:
>>
>> 02/12/2006 New in Version 4.57.6-1
>> ==================================
>> * New Features and Improvements *
>> 1 Added new configuration setting
>>   Max Spam Check Size = 150000
>>   If a message is bigger than this size, then all the spam checks are
>>   skipped and the messages is not spam.
>>   This saves a lot of time decoding and matching against huge messages.
>>   New languages.conf setting needing translation:
>>     skippedastoobig = not spam (too large)
>> 2 Improved install-Clam-SA.tar.gz so that it contains version numbers of
>>   contents.
>> 2 Phishing Whitelist is now also used with less strict phishing net.
>> 3 Add of the "Modify Subject" configuration options now also take the
>> values
>>   "start" and "end", so that you can move any of the Subject: line tags to
>>   the end of the line in case that is what you need to do.
>> 4 Speeded up the relaunch of MailScanner child processes. So the
>> detrimental
>>   effects of the delays caused by a MailScanner "restart" will be greatly
>>   reduced.
>> 4 Released as release candidate for 4.57 on December 1st.
>> 5 Bug in spam handling (spam would be delivered when it should not be)
>> fixed.
>>   Thanks to Mirko Acimas for spotting and reporting this one.
>> 5 Bug in ham handling (same problem was spam handling).
>> 5 spam.lists.conf updated.
> I don't see any reference to the problem that at least two of us
> experienced with logging to quarantine not working with the beta
> release. Has this issue been resovled???

yes it's been resolved



-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From res at ausics.net  Mon Dec  4 13:05:23 2006
From: res at ausics.net (Res)
Date: Mon Dec  4 13:05:35 2006
Subject: Rules Mistake???
In-Reply-To: <120103F0F5EC264097BC0A06EC9D026A0111BF47@pardessus.aoc-uk.com>
References: <120103F0F5EC264097BC0A06EC9D026A0111BF47@pardessus.aoc-uk.com>
Message-ID: <Pine.LNX.4.64.0612042302590.19058@ebfjryy.nhfvpf.arg>

On Mon, 4 Dec 2006, Stef Morrell wrote:

> I have a client who receives encrypted zip files from her accountant.
> These end up marked as virus due to the inability of the scanning
> engines to unpack them. I'm trying to disable virus scanning for this
> (only) sender when sending to this specific user.
>
> In MailScanner.conf I have:
>
> Virus Scanning = %rules-dir%/antivirus.rules
>
> and in my anti-virus.rules
>
> To:	lotsofclients@clients.com 	yes
> ...
> To:	thisclient@heraddress.com	and From:
> accountant@heraccountant.co.uk   no
> To:	thisclient@heraddress.com 	yes
> ...
> FromOrTo: 	default		no
>
> However this doesn't seem to stop the scanning.
>
> Where have I gone wrong?

These rules look OK, have you tried rules in Scan  or Dangerouis Content 
Scan options to se eif its really one of those picking it up


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From res at ausics.net  Mon Dec  4 13:06:18 2006
From: res at ausics.net (Res)
Date: Mon Dec  4 13:06:30 2006
Subject: mail size delivery delay
In-Reply-To: <02f601c7179e$26e916b0$0a02a8c0@Gordon>
References: <022601c71546$0733fc90$0b02a8c0@Gordon>
	<02f601c7179e$26e916b0$0a02a8c0@Gordon>
Message-ID: <Pine.LNX.4.64.0612042306030.19058@ebfjryy.nhfvpf.arg>

On Mon, 4 Dec 2006, Gordon Colyn wrote:

> Is there a way to force delayed deliveries on mail that is larger than a
> certain size?
>
> i.e., if mail is bigger than 50mb's hold in queue until after 6pm and then
> release.

You best tell us what your MTA is


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From gordon at itnt.co.za  Mon Dec  4 13:55:10 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Mon Dec  4 13:55:38 2006
Subject: mail size delivery delay
References: <022601c71546$0733fc90$0b02a8c0@Gordon><02f601c7179e$26e916b0$0a02a8c0@Gordon>
	<Pine.LNX.4.64.0612042306030.19058@ebfjryy.nhfvpf.arg>
Message-ID: <03a601c717ab$d5072450$0a02a8c0@Gordon>

oops sorry sendmail 8.13

----- Original Message ----- 
From: "Res" <res@ausics.net>
To: "MailScanner discussion" <mailscanner@lists.mailscanner.info>
Sent: Monday, December 04, 2006 3:06 PM
Subject: Re: mail size delivery delay


On Mon, 4 Dec 2006, Gordon Colyn wrote:

> Is there a way to force delayed deliveries on mail that is larger than a
> certain size?
>
> i.e., if mail is bigger than 50mb's hold in queue until after 6pm and then
> release.

You best tell us what your MTA is


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From edwardbruce at sbcglobal.net  Mon Dec  4 14:28:01 2006
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Mon Dec  4 14:28:08 2006
Subject: MailScanner ANNOUNCE: 4.57 released
In-Reply-To: <45741BF9.4060408@solidstatelogic.com>
References: <4571B547.1090804@ecs.soton.ac.uk> <45741B23.8010508@sbcglobal.net>
	<45741BF9.4060408@solidstatelogic.com>
Message-ID: <45743071.8010605@sbcglobal.net>

Martin Hepworth wrote:
> Ed Bruce wrote:
>> I don't see any reference to the problem that at least two of us
>> experienced with logging to quarantine not working with the beta
>> release. Has this issue been resovled???
>
> yes it's been resolved
>
>
>
Thanks upgrading now.
From Richard.Frovarp at sendit.nodak.edu  Mon Dec  4 14:40:21 2006
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Mon Dec  4 14:40:25 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <20061203011931.d29a40c0.michel@mitch-it.nl>
References: <4571B547.1090804@ecs.soton.ac.uk>	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie>
	<20061203011931.d29a40c0.michel@mitch-it.nl>
Message-ID: <45743355.2040006@sendit.nodak.edu>

Michel van der Klei wrote:
> On Sun, 3 Dec 2006 01:42:02 +0200 Nerijus Baliunas <nerijus@users.sourceforge.net> wrote:
>   
>> Hello,
>>
>> I still get message corruption which I reported a few days ago when
>> using Postfix with milter-greylist 3.0.
>>     
>
> What are the big advantages of milter-greylist? I use postgrey in combination
> with mailscanner and i'm very statisfied with the results. AFAIK is postgrey
> the tool to use with postfix.
>  
>   
milter-greylist allows syncing of the greylists amongst several servers. 
I did not see the other sendmail milters advertising that capability. I 
don't know if postgrey can do this or not.
From tpickhan at sks-systeme.de  Mon Dec  4 15:04:34 2006
From: tpickhan at sks-systeme.de (tpickhan@sks-systeme.de)
Date: Mon Dec  4 15:04:40 2006
Subject: Have a hit from a rule but don't know from wich ruleset it comes
Message-ID: <EF1C82DB68BD96498ACC52CAF9D2B49E13166C@webmail.sks-systeme.de>

Yesterday we had a false positive hit with an email. I took a look in
the log information from mailscanner and saw that there were several
rule hits for this ham.

Two of this are named as helo_dynamic_dhcp and helo_dynamic_ipaddr.

So these two rules were responsible for the detection as spam, although
the email was ham.

The question is in what rulesets theses rules are included so that I can
deactive this ruleset.

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061204/9cb40336/attachment.html
From Richard.Frovarp at sendit.nodak.edu  Mon Dec  4 15:26:03 2006
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Mon Dec  4 15:26:10 2006
Subject: Have a hit from a rule but don't know from wich ruleset it comes
In-Reply-To: <EF1C82DB68BD96498ACC52CAF9D2B49E13166C@webmail.sks-systeme.de>
References: <EF1C82DB68BD96498ACC52CAF9D2B49E13166C@webmail.sks-systeme.de>
Message-ID: <45743E0B.7060005@sendit.nodak.edu>

tpickhan@sks-systeme.de wrote:
>
> Yesterday we had a false positive hit with an email. I took a look in 
> the log information from mailscanner and saw that there were several 
> rule hits for this ham.
>
> Two of this are named as helo_dynamic_dhcp and helo_dynamic_ipaddr.
>
> So these two rules were responsible for the detection as spam, 
> although the email was ham.
>
> The question is in what rulesets theses rules are included so that I 
> can deactive this ruleset.
>
>  
>
>  
>
>  
>
>

They are basic rules in the base set from SpamAssassin. Doing a grep -i 
helo_dynamic_dhcp /spam/rules/dir/on/your/system/* will find it. 
However, there are probably reasons for this rule to fire and you may 
want to look at those first. Who ever is running that server the email 
came from probably should fix their problem instead of you changing the 
scores.

Second you don't want to monkey with the rules in place. You need to 
edit your local.cf file to rescore those rules. Ask over on the 
SpamAssassin list as they can provide more guidance.

From rgreen at trayerproducts.com  Mon Dec  4 16:25:45 2006
From: rgreen at trayerproducts.com (Rodney Green)
Date: Mon Dec  4 16:26:23 2006
Subject: languages.conf file
Message-ID: <45744C09.2090003@trayerproducts.com>

/
/Hello,

I just upgraded to MailScanner 4.57.6 using the RPM distribution and 
install.sh.

As instructed, I ran "upgrade_languages_conf" at the end of the upgrade. 
I'm now getting the following message
in my mail log file.

"Looked up unknown string notcached in language translation file 
/etc/MailScanner/reports/en/languages.conf"

Now, when I ran "upgrade_languages_conf" I had copied and pasted the 
commands below from/to my shell session. In the process of doing this I 
messed up and the language files got zeroed out. I've copied the 
languages.conf file from the backup I did before upgrading to 
/etc/MailScanner/reports/en and started MailScanner. I'm now 
periodically getting that message in the log file.

1. Is this a real problem? Mail is being processed and all, it seems.
2. If it is a problem, how can I rebuild the languages.conf file to how 
it should be?

I did look for info on this and didn't find anything I thought was a 
definite solution.

Thanks,
Rod





-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dhawal at netmagicsolutions.com  Mon Dec  4 16:42:03 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Mon Dec  4 16:42:24 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <45743355.2040006@sendit.nodak.edu>
References: <4571B547.1090804@ecs.soton.ac.uk>	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie>	<20061203011931.d29a40c0.michel@mitch-it.nl>
	<45743355.2040006@sendit.nodak.edu>
Message-ID: <45744FDB.3030307@netmagicsolutions.com>

Richard Frovarp wrote:
> Michel van der Klei wrote:
>> On Sun, 3 Dec 2006 01:42:02 +0200 Nerijus Baliunas 
>> <nerijus@users.sourceforge.net> wrote:
>>  
>>> Hello,
>>>
>>> I still get message corruption which I reported a few days ago when
>>> using Postfix with milter-greylist 3.0.
>>>     
>>
>> What are the big advantages of milter-greylist? I use postgrey in 
>> combination
>> with mailscanner and i'm very statisfied with the results. AFAIK is 
>> postgrey
>> the tool to use with postfix.
>>  
>>   
> milter-greylist allows syncing of the greylists amongst several servers. 
> I did not see the other sendmail milters advertising that capability. I 
> don't know if postgrey can do this or not.

You could run postgrey as a TCP service say "inet:192.168.0.1:5678" and 
have a single instance servicing multiple servers. If you insist on 
local instances, see sqlgrey which can talk to a remote database (over 
TCP/IP). There are a variety of policy servers available to suit/fit 
most requirements but as the MILTER_README states.. why re-invent the 
wheel.. The postfix devels also state that policy servers are the 
*preferred* way of doing things and milters are the next best option.

Anyways, the compatibility of MailScanner with Postfix (with milters 
enabled) is important and needs be addressed (whenever Julian has time).

Nerijus, Glenn had mentioned that you send some raw samples (where 
privacy is not critical) of mails pre and post milters to Julian.. did 
you manage to do that?

- dhawal
From bob.jones at usg.edu  Mon Dec  4 17:53:04 2006
From: bob.jones at usg.edu (Bob Jones)
Date: Mon Dec  4 17:52:55 2006
Subject: syslog issue
Message-ID: <45746080.1070502@usg.edu>

Hey all.  I just upgraded to 4.57.6 (though this problem existed in the 
previous version as well) and am having an issue with logging.  Namely, 
I'm not getting any mailscanner log entries.  I've tested my syslog 
configuration and have successfully logged to mailscanner.conf with the 
logger command:

logger -plocal3.debug test

Here is the pertinent section of MailScanner.conf:

# Logging
# -------
#

# This is the syslog "facility" name that MailScanner uses. If you don't
# know what a syslog facility name is, then either don't change this value
# or else go and read "man syslog.conf". The default value of "mail" will
# cause the MailScanner logs to go into the same place as all your other
# mail logs.
Syslog Facility = local3

# Do you want to log the processing speed for each section of the code
# for a batch? This can be very useful for diagnosing speed problems,
# particularly in spam checking.
Log Speed = yes

# Do you want all spam to be logged? Useful if you want to gather
# spam statistics from your logs, but can increase the system load quite
# a bit if you get a lot of spam.
Log Spam = yes

# Do you want all non-spam to be logged? Useful if you want to see
# all the SpamAssassin reports of mail that was marked as non-spam.
# Note: It will generate a lot of log traffic.
Log Non Spam = yes

# Log all the filenames that are allowed by the Filename Rules, or just
# the filenames that are denied?
# This can also be the filename of a ruleset.
Log Permitted Filenames = no

# Log all the filenames that are allowed by the Filetype Rules, or just
# the filetypes that are denied?
# This can also be the filename of a ruleset.
Log Permitted Filetypes = no

# Log all occurrences of "Silent Viruses" as defined above?
# This can only be a simple yes/no value, not a ruleset.
Log Silent Viruses = yes

# Log all occurrences of HTML tags found in messages, that can be blocked.
# This will help you build up your whitelist of message sources for which
# particular HTML tags should be allowed, such as mail from newsletters
# and daily cartoon strips.
# This can also be the filename of a ruleset.
Log Dangerous HTML Tags = no

Any ideas?

-- 
Bob Jones
bob.jones@usg.edu
From r.berber at computer.org  Mon Dec  4 19:50:34 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Mon Dec  4 19:51:27 2006
Subject: syslog issue
In-Reply-To: <45746080.1070502@usg.edu>
References: <45746080.1070502@usg.edu>
Message-ID: <el1u69$igq$1@sea.gmane.org>

Bob Jones wrote:

> Hey all.  I just upgraded to 4.57.6 (though this problem existed in the
> previous version as well) and am having an issue with logging.  Namely,
> I'm not getting any mailscanner log entries.  I've tested my syslog
> configuration and have successfully logged to mailscanner.conf with the
> logger command:
> 
> logger -plocal3.debug test
> 
> Here is the pertinent section of MailScanner.conf:
> 
> Syslog Facility = local3
> Log Speed = yes
> Log Spam = yes
> Log Non Spam = yes
> Log Permitted Filenames = no
> Log Permitted Filetypes = no
> Log Silent Viruses = yes
> Log Dangerous HTML Tags = no
> 
> Any ideas?

If you are using Solaris, take a look at this message:

	http://permalink.gmane.org/gmane.mail.virus.mailscanner/44772

-- 
Ren? Berber

From bob.jones at usg.edu  Mon Dec  4 20:34:52 2006
From: bob.jones at usg.edu (Bob Jones)
Date: Mon Dec  4 20:34:45 2006
Subject: syslog issue
In-Reply-To: <el1u69$igq$1@sea.gmane.org>
References: <45746080.1070502@usg.edu> <el1u69$igq$1@sea.gmane.org>
Message-ID: <4574866C.4040602@usg.edu>

Ren? Berber wrote:
> Bob Jones wrote:
> 
>> Hey all.  I just upgraded to 4.57.6 (though this problem existed in the
>> previous version as well) and am having an issue with logging.  Namely,
>> I'm not getting any mailscanner log entries.  I've tested my syslog
>> configuration and have successfully logged to mailscanner.conf with the
>> logger command:
>>
>> logger -plocal3.debug test
>>
>> Here is the pertinent section of MailScanner.conf:
>>
>> Syslog Facility = local3
>> Log Speed = yes
>> Log Spam = yes
>> Log Non Spam = yes
>> Log Permitted Filenames = no
>> Log Permitted Filetypes = no
>> Log Silent Viruses = yes
>> Log Dangerous HTML Tags = no
>>
>> Any ideas?
> 
> If you are using Solaris, take a look at this message:
> 
> 	http://permalink.gmane.org/gmane.mail.virus.mailscanner/44772
> 

That was it.  Thanks!

-- 
Bob Jones
bob.jones@usg.edu
From nerijus at users.sourceforge.net  Mon Dec  4 20:42:36 2006
From: nerijus at users.sourceforge.net (Nerijus Baliunas)
Date: Mon Dec  4 20:50:14 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <45744FDB.3030307@netmagicsolutions.com>
References: <4571B547.1090804@ecs.soton.ac.uk>	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie>	<20061203011931.d29a40c0.michel@mitch-it.nl><45743355.2040006@sendit.nodak.edu>
	<45744FDB.3030307@netmagicsolutions.com>
Message-ID: <20061204205254.8300B11285@mx-a.vdnet.lt>

On Mon, 04 Dec 2006 22:12:03 +0530 Dhawal Doshy <dhawal@netmagicsolutions.com> wrote:

> Nerijus, Glenn had mentioned that you send some raw samples (where 
> privacy is not critical) of mails pre and post milters to Julian.. did 
> you manage to do that?

If you mean just raw messages - then yes, I sent them to Julian, but if you
mean queue files - then no (how/where should I take them from?).

Regards,
Nerijus
From Denis.Beauchemin at USherbrooke.ca  Mon Dec  4 21:03:52 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Dec  4 21:04:24 2006
Subject: Rules Mistake???
In-Reply-To: <120103F0F5EC264097BC0A06EC9D026A0111BF47@pardessus.aoc-uk.com>
References: <120103F0F5EC264097BC0A06EC9D026A0111BF47@pardessus.aoc-uk.com>
Message-ID: <45748D38.9020708@USherbrooke.ca>

Stef Morrell a ?crit :
> I have a client who receives encrypted zip files from her accountant.
> These end up marked as virus due to the inability of the scanning
> engines to unpack them. I'm trying to disable virus scanning for this
> (only) sender when sending to this specific user.
>
> In MailScanner.conf I have:
>
> Virus Scanning = %rules-dir%/antivirus.rules
>
> and in my anti-virus.rules
>
> To:	lotsofclients@clients.com 	yes
> ...
> To:	thisclient@heraddress.com	and From:
> accountant@heraccountant.co.uk   no
> To:	thisclient@heraddress.com 	yes
> ...
> FromOrTo: 	default		no
>
> However this doesn't seem to stop the scanning. 
>
> Where have I gone wrong?
>
>
>   
Stef,

I think you should rather use:
# Should archives which contain any password-protected files be allowed?
# Leaving this set to "no" is a good way of protecting against all the
# protected zip files used by viruses at the moment.
# This can also be the filename of a ruleset.
Allow Password-Protected Archives = %rules-dir%/pwd.archives.rules

and:
# cat pwd.archives.rules
FromOrTo:   user1@yourdomain  yes
FromOrTo:   Default no

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061204/1a69f782/smime.bin
From pete at enitech.com.au  Mon Dec  4 21:19:56 2006
From: pete at enitech.com.au (Peter Russell)
Date: Mon Dec  4 21:20:10 2006
Subject: languages.conf file
In-Reply-To: <45744C09.2090003@trayerproducts.com>
References: <45744C09.2090003@trayerproducts.com>
Message-ID: <457490FC.2080901@enitech.com.au>

The upgrade_languages.conf instructions at the end of the RPM 
mailscanner installation do not work for me either - though i cant 
remember what i do to fix, will upgrade to the newest version at the end 
of the week and let you know

Rodney Green wrote:
> /
> /Hello,
> 
> I just upgraded to MailScanner 4.57.6 using the RPM distribution and 
> install.sh.
> 
> As instructed, I ran "upgrade_languages_conf" at the end of the upgrade. 
> I'm now getting the following message
> in my mail log file.
> 
> "Looked up unknown string notcached in language translation file 
> /etc/MailScanner/reports/en/languages.conf"
> 
> Now, when I ran "upgrade_languages_conf" I had copied and pasted the 
> commands below from/to my shell session. In the process of doing this I 
> messed up and the language files got zeroed out. I've copied the 
> languages.conf file from the backup I did before upgrading to 
> /etc/MailScanner/reports/en and started MailScanner. I'm now 
> periodically getting that message in the log file.
> 
> 1. Is this a real problem? Mail is being processed and all, it seems.
> 2. If it is a problem, how can I rebuild the languages.conf file to how 
> it should be?
> 
> I did look for info on this and didn't find anything I thought was a 
> definite solution.
> 
> Thanks,
> Rod
> 
> 
> 
> 
> 
From Denis.Beauchemin at USherbrooke.ca  Mon Dec  4 21:22:04 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Dec  4 21:22:32 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <45743355.2040006@sendit.nodak.edu>
References: <4571B547.1090804@ecs.soton.ac.uk>	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie>	<20061203011931.d29a40c0.michel@mitch-it.nl>
	<45743355.2040006@sendit.nodak.edu>
Message-ID: <4574917C.8090404@USherbrooke.ca>

Richard Frovarp a ?crit :
> Michel van der Klei wrote:
>> On Sun, 3 Dec 2006 01:42:02 +0200 Nerijus Baliunas 
>> <nerijus@users.sourceforge.net> wrote:
>>  
>>> Hello,
>>>
>>> I still get message corruption which I reported a few days ago when
>>> using Postfix with milter-greylist 3.0.
>>>     
>>
>> What are the big advantages of milter-greylist? I use postgrey in 
>> combination
>> with mailscanner and i'm very statisfied with the results. AFAIK is 
>> postgrey
>> the tool to use with postfix.
>>  
>>   
> milter-greylist allows syncing of the greylists amongst several 
> servers. I did not see the other sendmail milters advertising that 
> capability. I don't know if postgrey can do this or not.
I too chose milter-greylist for this reason but I stopped using it last 
Friday because it caused swapping ;-)  Really, it was a memory and cpu 
hog.  And it had all sorts of problems replicating its triplets to my 
other servers... I would have had to recompile it with larger buffers 
and it would just have eaten more memory...

I also saw something strange that frustrated  upper management: a 
message came in with a given triplet and was greylisted for 5 minutes 
(good!). two hours later the same triplet came back (at least it looked 
identical in my maillog) but the message was greylisted again by the 
same server (bad!).  The message was accepted on its fourth try, almost 
8 hours after the initial one (really bad!).

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061204/ff683bb7/smime.bin
From ka at pacific.net  Mon Dec  4 21:37:24 2006
From: ka at pacific.net (Ken A)
Date: Mon Dec  4 21:34:48 2006
Subject: languages.conf file
In-Reply-To: <45744C09.2090003@trayerproducts.com>
References: <45744C09.2090003@trayerproducts.com>
Message-ID: <45749514.9050707@pacific.net>



Rodney Green wrote:
> /
> /Hello,
> 
> I just upgraded to MailScanner 4.57.6 using the RPM distribution and 
> install.sh.
> 
> As instructed, I ran "upgrade_languages_conf" at the end of the upgrade. 
> I'm now getting the following message
> in my mail log file.
> 
> "Looked up unknown string notcached in language translation file 
> /etc/MailScanner/reports/en/languages.conf"
> 
> Now, when I ran "upgrade_languages_conf" I had copied and pasted the 
> commands below from/to my shell session. In the process of doing this I 
> messed up and the language files got zeroed out. I've copied the 
> languages.conf file from the backup I did before upgrading to 
> /etc/MailScanner/reports/en and started MailScanner. I'm now 
> periodically getting that message in the log file.
> 
> 1. Is this a real problem? Mail is being processed and all, it seems.
> 2. If it is a problem, how can I rebuild the languages.conf file to how 
> it should be?

Just copy your languages.conf.old file back over the zero byte version.
This has bit me once or twice too.
Ken
Pacific.Net

> I did look for info on this and didn't find anything I thought was a 
> definite solution.
> 
> Thanks,
> Rod
> 
> 
> 
> 
> 
From jon.bates at summitmotors.com.au  Mon Dec  4 21:44:58 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Mon Dec  4 21:45:11 2006
Subject: Viruses being blocked by filename rules,
	not being picked up by Clamav
Message-ID: <200612042144.kB4Liwau008340@summitmotors.com.au>



Reni Berber Wrote:

> Have you tried changing this into "Virus Scanners = clamavmodule". This
change
> means something different of what you are using, option clamav uses the
> lib/clamav-wrapper, clamavmodule uses the perl module (which you may, or
may not
> have installed -- `cpan -D Mail::ClamAV` will show if it is installed).

> Or using the option as you have it, check virus.scanners.conf to see if
the
> corresponding line is correct. Also, if you changed the wrapper, see what
is
> being executed (clamscan or clamdscan) and what options are used (with
clamscan
> the options are passed as parameters, with clamdscan the options are in
> /etc/clamd.conf). If using clamdscan, see if clamd is running.
> -- 
> Reni Berber

 
 
Hmmm.. Well I definitely havent changed the Virus Scanners option. Its
always been 'clamav'. Clamavmodule isnt even installed, judging by the
response from the CPAN install (which I cancelled). I could probably change
it, but this doesn't make sense to me as it was working perfectly before.

I've also turned on the log for Clamav so I'll see if there is any leads in
there.
______________________

Virus.scanners.conf lists:

clamav          /usr/lib/MailScanner/clamav-wrapper     /usr
clamavmodule    /bin/false                              /tmp

______________________

The /usr/lib/MailScanner/clamav-wrapper file uses clamscan by the looks of
it. 

______________________

One setting that I found interesting was Keep Spam And MCP Archive Clean =
yes. Would this have any bearing on my problem? I don't allow user access to
archived spam so I might try turning this off.

Any thoughts?

From res at ausics.net  Mon Dec  4 21:46:11 2006
From: res at ausics.net (Res)
Date: Mon Dec  4 21:46:30 2006
Subject: languages.conf file
In-Reply-To: <457490FC.2080901@enitech.com.au>
References: <45744C09.2090003@trayerproducts.com>
	<457490FC.2080901@enitech.com.au>
Message-ID: <Pine.LNX.4.64.0612050744001.23438@ebfjryy.nhfvpf.arg>

On Tue, 5 Dec 2006, Peter Russell wrote:

> The upgrade_languages.conf instructions at the end of the RPM mailscanner 
> installation do not work for me either - though i cant remember what i do to 
> fix, will upgrade to the newest version at the end of the week and let you 
> know

Permissions? THere was a release recently where it was chmoded -x but 
Jules fixed it pretty quick, hmm come to think of it I think it was a few 
versions back and might not be the issue

>
> Rodney Green wrote:
>> /
>> /Hello,
>> 
>> I just upgraded to MailScanner 4.57.6 using the RPM distribution and 
>> install.sh.
>> 
>> As instructed, I ran "upgrade_languages_conf" at the end of the upgrade. 
>> I'm now getting the following message
>> in my mail log file.
>> 
>> "Looked up unknown string notcached in language translation file 
>> /etc/MailScanner/reports/en/languages.conf"
>> 
>> Now, when I ran "upgrade_languages_conf" I had copied and pasted the 
>> commands below from/to my shell session. In the process of doing this I 
>> messed up and the language files got zeroed out. I've copied the 
>> languages.conf file from the backup I did before upgrading to 
>> /etc/MailScanner/reports/en and started MailScanner. I'm now periodically 
>> getting that message in the log file.
>> 
>> 1. Is this a real problem? Mail is being processed and all, it seems.
>> 2. If it is a problem, how can I rebuild the languages.conf file to how it 
>> should be?
>> 
>> I did look for info on this and didn't find anything I thought was a 
>> definite solution.
>> 
>> Thanks,
>> Rod
>> 
>> 
>> 
>> 
>> 
>

-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From glenn.steen at gmail.com  Mon Dec  4 22:51:48 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec  4 22:51:54 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <20061204205254.8300B11285@mx-a.vdnet.lt>
References: <4571B547.1090804@ecs.soton.ac.uk>
	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie>
	<20061203011931.d29a40c0.michel@mitch-it.nl>
	<45743355.2040006@sendit.nodak.edu>
	<45744FDB.3030307@netmagicsolutions.com>
	<20061204205254.8300B11285@mx-a.vdnet.lt>
Message-ID: <223f97700612041451n39e66dedx28699a0d1e59a3eb@mail.gmail.com>

On 04/12/06, Nerijus Baliunas <nerijus@users.sourceforge.net> wrote:
> On Mon, 04 Dec 2006 22:12:03 +0530 Dhawal Doshy <dhawal@netmagicsolutions.com> wrote:
>
> > Nerijus, Glenn had mentioned that you send some raw samples (where
> > privacy is not critical) of mails pre and post milters to Julian.. did
> > you manage to do that?
>
> If you mean just raw messages - then yes, I sent them to Julian, but if you
> mean queue files - then no (how/where should I take them from?).
>
> Regards,
> Nerijus
That's easy Nerjus.... I'll try be a bit more eloquent than last time:-)....
Stop mailscanner, start postfix, send the testmessage, look in the log
what queue ID it got (or just trawl through "postqueue -p" (a.k.a.
mailq), copy that file (queue ID == filename) from the hold queue
(after all, it's just a file). Then stop Postfix and restart
MailScanner...

Disable the missbehaving milter, repeat the above... And voila, there
you have it, "the same" message in a working and a non-working queue
file. Makes it possible for Jules (or one of us other postfixers:-) to
try see what goes wrong... without having to implement the same exact
setup you have.

Another possibility would be to use the Archive Mail feature, but then
you'd have to make sure it archives to queue files and not decoded and
put in some other format (mbox).

The first method is guaranteed to get us what we want.

Be aware that the queue file might contain information that could be
construed as sensitive (depends on policy, as always:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Mon Dec  4 22:58:45 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec  4 22:58:54 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <223f97700612041451n39e66dedx28699a0d1e59a3eb@mail.gmail.com>
References: <4571B547.1090804@ecs.soton.ac.uk>
	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie>
	<20061203011931.d29a40c0.michel@mitch-it.nl>
	<45743355.2040006@sendit.nodak.edu>
	<45744FDB.3030307@netmagicsolutions.com>
	<20061204205254.8300B11285@mx-a.vdnet.lt>
	<223f97700612041451n39e66dedx28699a0d1e59a3eb@mail.gmail.com>
Message-ID: <223f97700612041458p55d41f40wde14ae6b7dd34b02@mail.gmail.com>

On 04/12/06, Glenn Steen <glenn.steen@gmail.com> wrote:
(snip)
> Disable the missbehaving milter, repeat the above... And voila, there
I don't mean to say that the milter is at fault, we don't have enough
evidence to draw that conclusion (yet:-) ... I just liked the
alliteration;-).
(snip)
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Mon Dec  4 23:07:59 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec  4 23:08:04 2006
Subject: languages.conf file
In-Reply-To: <45744C09.2090003@trayerproducts.com>
References: <45744C09.2090003@trayerproducts.com>
Message-ID: <223f97700612041507g5553febfrf1082f3304d0df36@mail.gmail.com>

On 04/12/06, Rodney Green <rgreen@trayerproducts.com> wrote:
> /
> /Hello,
>
> I just upgraded to MailScanner 4.57.6 using the RPM distribution and
> install.sh.
>
> As instructed, I ran "upgrade_languages_conf" at the end of the upgrade.
> I'm now getting the following message
> in my mail log file.
>
> "Looked up unknown string notcached in language translation file
> /etc/MailScanner/reports/en/languages.conf"
>
> Now, when I ran "upgrade_languages_conf" I had copied and pasted the
> commands below from/to my shell session. In the process of doing this I
> messed up and the language files got zeroed out. I've copied the
> languages.conf file from the backup I did before upgrading to
> /etc/MailScanner/reports/en and started MailScanner. I'm now
> periodically getting that message in the log file.
>
> 1. Is this a real problem? Mail is being processed and all, it seems.
> 2. If it is a problem, how can I rebuild the languages.conf file to how
> it should be?
>
> I did look for info on this and didn't find anything I thought was a
> definite solution.
>
> Thanks,
> Rod
(I'll have to confess that I haven't done the latest upgrade yet...
will do one tomorrow though:-)

Did the update create a languages.conf.rpmnew? If not, what are you
doing running the upgrade script then? As mentioned by others (Ken was
it?), if you just cut'n'paste the commands.... you have the old one as
a .old file... and can just move it back into place.

As said, will know more about this come morning.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ssilva at sgvwater.com  Mon Dec  4 23:10:36 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Dec  4 23:10:57 2006
Subject: Viruses being blocked by filename rules, not being picked up
 by Clamav
In-Reply-To: <200612042144.kB4Liwau008340@summitmotors.com.au>
References: <200612042144.kB4Liwau008340@summitmotors.com.au>
Message-ID: <el29td$3jj$1@sea.gmane.org>

Jon Bates spake the following on 12/4/2006 1:44 PM:
> 
> Reni Berber Wrote:
> 
>> Have you tried changing this into "Virus Scanners = clamavmodule". This
> change
>> means something different of what you are using, option clamav uses the
>> lib/clamav-wrapper, clamavmodule uses the perl module (which you may, or
> may not
>> have installed -- `cpan -D Mail::ClamAV` will show if it is installed).
> 
>> Or using the option as you have it, check virus.scanners.conf to see if
> the
>> corresponding line is correct. Also, if you changed the wrapper, see what
> is
>> being executed (clamscan or clamdscan) and what options are used (with
> clamscan
>> the options are passed as parameters, with clamdscan the options are in
>> /etc/clamd.conf). If using clamdscan, see if clamd is running.
>> -- 
>> Reni Berber
> 
>  
>  
> Hmmm.. Well I definitely havent changed the Virus Scanners option. Its
> always been 'clamav'. Clamavmodule isnt even installed, judging by the
> response from the CPAN install (which I cancelled). I could probably change
> it, but this doesn't make sense to me as it was working perfectly before.
> 
> I've also turned on the log for Clamav so I'll see if there is any leads in
> there.
> ______________________
> 
> Virus.scanners.conf lists:
> 
> clamav          /usr/lib/MailScanner/clamav-wrapper     /usr
> clamavmodule    /bin/false                              /tmp
> 
> ______________________
> 
> The /usr/lib/MailScanner/clamav-wrapper file uses clamscan by the looks of
> it. 
> 
> ______________________
> 
> One setting that I found interesting was Keep Spam And MCP Archive Clean =
> yes. Would this have any bearing on my problem? I don't allow user access to
> archived spam so I might try turning this off.
> 
> Any thoughts?
> 
I didn't see any mention of if the same file can be detected as a virus when
clam is run on the command line.
Does it block an eicar test file if sent through the Mailscanner?

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From nerijus at users.sourceforge.net  Mon Dec  4 23:28:48 2006
From: nerijus at users.sourceforge.net (Nerijus Baliunas)
Date: Mon Dec  4 23:30:11 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <223f97700612041451n39e66dedx28699a0d1e59a3eb@mail.gmail.com>
References: <4571B547.1090804@ecs.soton.ac.uk><200612022342.kB2NgCcf026083@bkserver.blacknight.ie><20061203011931.d29a40c0.michel@mitch-it.nl><45743355.2040006@sendit.nodak.edu><45744FDB.3030307@netmagicsolutions.com><20061204205254.8300B11285@mx-a.vdnet.lt>
	<223f97700612041451n39e66dedx28699a0d1e59a3eb@mail.gmail.com>
Message-ID: <20061204233255.DB881FF40@mx-a.vdnet.lt>

On Mon, 4 Dec 2006 23:51:48 +0100 Glenn Steen <glenn.steen@gmail.com> wrote:

> > > Nerijus, Glenn had mentioned that you send some raw samples (where
> > > privacy is not critical) of mails pre and post milters to Julian.. did
> > > you manage to do that?
> >
> > If you mean just raw messages - then yes, I sent them to Julian, but if you
> > mean queue files - then no (how/where should I take them from?).
>
> That's easy Nerjus.... I'll try be a bit more eloquent than last time:-)....
> Stop mailscanner, start postfix, send the testmessage, look in the log
> what queue ID it got (or just trawl through "postqueue -p" (a.k.a.
> mailq), copy that file (queue ID == filename) from the hold queue
> (after all, it's just a file). Then stop Postfix and restart
> MailScanner...
> 
> Disable the missbehaving milter, repeat the above... And voila, there
> you have it, "the same" message in a working and a non-working queue
> file. Makes it possible for Jules (or one of us other postfixers:-) to
> try see what goes wrong... without having to implement the same exact
> setup you have.

OK, here they are attached. message1 and queue1 are with milter-greylist,
message2 and queue2 - without.

Regards,
Nerijus

P.S. CCing Julian too, but as he is probably busy, I hope some of other postfixers
will take a look. Thanks.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: message1
Type: application/octet-stream
Size: 1156 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061205/e34febd0/message1.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: message2
Type: application/octet-stream
Size: 1111 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061205/e34febd0/message2.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: queue1
Type: application/octet-stream
Size: 1556 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061205/e34febd0/queue1.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: queue2
Type: application/octet-stream
Size: 1327 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061205/e34febd0/queue2.obj
From rob at robhq.com  Mon Dec  4 23:56:38 2006
From: rob at robhq.com (Rob Freeman)
Date: Mon Dec  4 23:56:59 2006
Subject: number spam
Message-ID: <000101c717ff$d953b6f0$8bfb24d0$@com>

Just starting getting some spam attacks with just numbers in the body.  The
subject is random along with the senders.  So far it is just a 5 or 6 digit
number like 54732 or 684324.  I guess someone is phishing for address's at
this point.  Any way to block these?

 

Thanks

 

Rob

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061204/433a72aa/attachment.html
From ssilva at sgvwater.com  Tue Dec  5 00:16:26 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec  5 00:17:07 2006
Subject: number spam
In-Reply-To: <000101c717ff$d953b6f0$8bfb24d0$@com>
References: <000101c717ff$d953b6f0$8bfb24d0$@com>
Message-ID: <el2dor$flo$1@sea.gmane.org>

Rob Freeman spake the following on 12/4/2006 3:56 PM:
> Just starting getting some spam attacks with just numbers in the body. 
> The subject is random along with the senders.  So far it is just a 5 or
> 6 digit number like 54732 or 684324.  I guess someone is phishing for
> address?s at this point.  Any way to block these?
> 
>  
> 
> Thanks
> 
>  
> 
> Rob
> 
All of mine have hit rfc.ignorant and bayes_99 if that helps you. You could up
the score of DNS_FROM_RFC_ABUSE. I haven't seen too many that weren't caught
by other means. But then I drop sbl-xbl at the mta, so maybe I am dodging the
bullet somewhat.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From john at katy.com  Tue Dec  5 03:28:34 2006
From: john at katy.com (John Schmerold)
Date: Tue Dec  5 03:28:41 2006
Subject: mail size delivery delay
In-Reply-To: <03a601c717ab$d5072450$0a02a8c0@Gordon>
References: <022601c71546$0733fc90$0b02a8c0@Gordon><02f601c7179e$26e916b0$0a02a8c0@Gordon>	<Pine.LNX.4.64.0612042306030.19058@ebfjryy.nhfvpf.arg>
	<03a601c717ab$d5072450$0a02a8c0@Gordon>
Message-ID: <4574E762.2030107@katy.com>

If anyone knows how to do this in Postfix, I'm all ears - this is a 
great idea and somewhat related to a concept I presented to Julian for a 
custom programming opportunity (I'm looking for a couple sponsors to 
help cover programming time). For the record, my concept is as follows:
"I'm interested in getting an option added to MailScanner (or Postfix). 
This extension would extract attachments in excess of some user 
definable size &/or exclude user defined file types - for example vcf, 
compute a MD5 of the file and store it somewhere, using the MD5 & 
original extension,for example /var/www/html/files/md5.pdf

MS, would then insert a note at top &/or bottom of email listing the 
name(s) & location of the detached file(s) - for example: 
http://mx1.schmerold.com/files/9e107d9d372bb6826bd81d3542a419d6.xls

I would want MS to do this for inbound & outbound messages. "


Gordon Colyn wrote:
> oops sorry sendmail 8.13
>
> ----- Original Message ----- 
> From: "Res" <res@ausics.net>
> To: "MailScanner discussion" <mailscanner@lists.mailscanner.info>
> Sent: Monday, December 04, 2006 3:06 PM
> Subject: Re: mail size delivery delay
>
>
> On Mon, 4 Dec 2006, Gordon Colyn wrote:
>
>   
>> Is there a way to force delayed deliveries on mail that is larger than a
>> certain size?
>>
>> i.e., if mail is bigger than 50mb's hold in queue until after 6pm and then
>> release.
>>     
>
> You best tell us what your MTA is
>
>
>   
From bks at cal.interrasystems.com  Tue Dec  5 05:58:59 2006
From: bks at cal.interrasystems.com (Bibhas Kumar Samanta)
Date: Tue Dec  5 05:59:26 2006
Subject: Storing spam mails to separate alias for each user
Message-ID: <029c01c71832$750769c0$a9a4c0c0@bkslaptop>

Hello,

I am using MS/SA with sendmail on a RHEL 4.0 box.

MS allows to deliver all spam ( or high scoring spams) to
be either delivered or stored to a common quarantine area.

Can I store the spam mails on per user basis on the mail server,
so that user can check the their spam mails from time to time.
(ie for user1 , all spams to be stored at user1_spam file.)

They will get the non-spam mails delivered to their mail
 boxes automatically.

Please suggest.

regards,
Bibhas



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061205/555353a7/attachment.html
From stef at aoc-uk.com  Tue Dec  5 09:55:07 2006
From: stef at aoc-uk.com (Stef Morrell)
Date: Tue Dec  5 09:55:11 2006
Subject: Rules Mistake???
Message-ID: <120103F0F5EC264097BC0A06EC9D026A010C058A@pardessus.aoc-uk.com>

Denis Beauchemin wrote:
> Stef Morrell a ?crit :
>> I have a client who receives encrypted zip files from her accountant.
<snip>
> 
> I think you should rather use:
> # Should archives which contain any password-protected files
> be allowed?
> # Leaving this set to "no" is a good way of protecting
> against all the # protected zip files used by viruses at the moment.
> # This can also be the filename of a ruleset.
> Allow Password-Protected Archives = %rules-dir%/pwd.archives.rules
> 
> and:
> # cat pwd.archives.rules
> FromOrTo:   user1@yourdomain  yes
> FromOrTo:   Default no

Merci Denis... aussi Res pour votre r?ponse.

I think this is probably the thing to do.

Stef
Stefan Morrell          | Operations Director
Tel: 0845 3452820       | Alpha Omega Computers Ltd
Fax: 0845 3452830       | Incorporating Level 5 Internet
stef@aoc-uk.com         | stef@l5net.net
From rgreen at trayerproducts.com  Tue Dec  5 13:29:14 2006
From: rgreen at trayerproducts.com (Rodney Green)
Date: Tue Dec  5 13:29:48 2006
Subject: languages.conf file
In-Reply-To: <223f97700612041507g5553febfrf1082f3304d0df36@mail.gmail.com>
References: <45744C09.2090003@trayerproducts.com>
	<223f97700612041507g5553febfrf1082f3304d0df36@mail.gmail.com>
Message-ID: <4575742A.7000601@trayerproducts.com>

I don't know if there was a .rpmnew file for the languages file. I 
copied the backup languages.conf file that I manually copied before even 
running install.sh into /etc/MailScanner/reports/en. That is the file 
I'm currently using and is the only languages.conf file I have to use. I 
don't have a languages.old or languages.new.

Glenn Steen wrote:
> On 04/12/06, Rodney Green <rgreen@trayerproducts.com> wrote:
>> /
>> /Hello,
>>
>> I just upgraded to MailScanner 4.57.6 using the RPM distribution and
>> install.sh.
>>
>> As instructed, I ran "upgrade_languages_conf" at the end of the upgrade.
>> I'm now getting the following message
>> in my mail log file.
>>
>> "Looked up unknown string notcached in language translation file
>> /etc/MailScanner/reports/en/languages.conf"
>>
>> Now, when I ran "upgrade_languages_conf" I had copied and pasted the
>> commands below from/to my shell session. In the process of doing this I
>> messed up and the language files got zeroed out. I've copied the
>> languages.conf file from the backup I did before upgrading to
>> /etc/MailScanner/reports/en and started MailScanner. I'm now
>> periodically getting that message in the log file.
>>
>> 1. Is this a real problem? Mail is being processed and all, it seems.
>> 2. If it is a problem, how can I rebuild the languages.conf file to how
>> it should be?
>>
>> I did look for info on this and didn't find anything I thought was a
>> definite solution.
>>
>> Thanks,
>> Rod
> (I'll have to confess that I haven't done the latest upgrade yet...
> will do one tomorrow though:-)
>
> Did the update create a languages.conf.rpmnew? If not, what are you
> doing running the upgrade script then? As mentioned by others (Ken was
> it?), if you just cut'n'paste the commands.... you have the old one as
> a .old file... and can just move it back into place.
>
> As said, will know more about this come morning.
>

-- 

Rodney Green
Network Administrator
Trayer Products, Inc.
/rgreen@trayerproducts.com /
/607-734-8124 Ext. 343
Security+ Certified
/



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com  Tue Dec  5 14:40:13 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec  5 14:40:17 2006
Subject: languages.conf file
In-Reply-To: <4575742A.7000601@trayerproducts.com>
References: <45744C09.2090003@trayerproducts.com>
	<223f97700612041507g5553febfrf1082f3304d0df36@mail.gmail.com>
	<4575742A.7000601@trayerproducts.com>
Message-ID: <223f97700612050640i39d0a4e0rb3e22bb3dd15b154@mail.gmail.com>

On 05/12/06, Rodney Green <rgreen@trayerproducts.com> wrote:
> I don't know if there was a .rpmnew file for the languages file. I
> copied the backup languages.conf file that I manually copied before even
> running install.sh into /etc/MailScanner/reports/en. That is the file
> I'm currently using and is the only languages.conf file I have to use. I
> don't have a languages.old or languages.new.
>
> Glenn Steen wrote:
(snip)
> > (I'll have to confess that I haven't done the latest upgrade yet...
> > will do one tomorrow though:-)
> >
> > Did the update create a languages.conf.rpmnew? If not, what are you
> > doing running the upgrade script then? As mentioned by others (Ken was
> > it?), if you just cut'n'paste the commands.... you have the old one as
> > a .old file... and can just move it back into place.
> >
> > As said, will know more about this come morning.

Ok.

If you have the old MailScanenr and the new package... and a spare
box... You could just make a mock install of the old one, then perform
a mock upgrade... If that creates a .rpmnew file, then you can run the
upgrade script on that and copy it into the real server... should work
nicely:-).
Or just make a mock install of the new one (if you haven't changed
anything in languages.conf, this is what I'd do:-)... should give you
a file with the "missing strings/variables" set.

If that seems onerous, you could alwayslook at/add any missing string
definitions...
Close to the end of the file you should have something like:
# Used in SpamAssassin cache results headers
cached = cached
notcached = not cached

HtH
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From martinh at solidstatelogic.com  Tue Dec  5 14:43:00 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Dec  5 14:43:26 2006
Subject: wiki update for postfix unknown users..
Message-ID: <45758574.3040104@solidstatelogic.com>

All

Down the bottom of this page...

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users

there's a link to Pete Russell's scripts for pulling info from AD and 
Lotus notes.

However the link is dead, can anyone provide a new link?

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From glenn.steen at gmail.com  Tue Dec  5 15:11:54 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec  5 15:11:59 2006
Subject: languages.conf file
In-Reply-To: <223f97700612050640i39d0a4e0rb3e22bb3dd15b154@mail.gmail.com>
References: <45744C09.2090003@trayerproducts.com>
	<223f97700612041507g5553febfrf1082f3304d0df36@mail.gmail.com>
	<4575742A.7000601@trayerproducts.com>
	<223f97700612050640i39d0a4e0rb3e22bb3dd15b154@mail.gmail.com>
Message-ID: <223f97700612050711q21a37e1fha664b7811545e962@mail.gmail.com>

On 05/12/06, Glenn Steen <glenn.steen@gmail.com> wrote:
> On 05/12/06, Rodney Green <rgreen@trayerproducts.com> wrote:
> > I don't know if there was a .rpmnew file for the languages file. I
> > copied the backup languages.conf file that I manually copied before even
> > running install.sh into /etc/MailScanner/reports/en. That is the file
> > I'm currently using and is the only languages.conf file I have to use. I
> > don't have a languages.old or languages.new.
> >
> > Glenn Steen wrote:
> (snip)
> > > (I'll have to confess that I haven't done the latest upgrade yet...
> > > will do one tomorrow though:-)
> > >
> > > Did the update create a languages.conf.rpmnew? If not, what are you
> > > doing running the upgrade script then? As mentioned by others (Ken was
> > > it?), if you just cut'n'paste the commands.... you have the old one as
> > > a .old file... and can just move it back into place.
> > >
> > > As said, will know more about this come morning.
>
> Ok.
>
> If you have the old MailScanenr and the new package... and a spare
> box... You could just make a mock install of the old one, then perform
> a mock upgrade... If that creates a .rpmnew file, then you can run the
> upgrade script on that and copy it into the real server... should work
> nicely:-).
> Or just make a mock install of the new one (if you haven't changed
> anything in languages.conf, this is what I'd do:-)... should give you
> a file with the "missing strings/variables" set.
>
> If that seems onerous, you could alwayslook at/add any missing string
> definitions...
> Close to the end of the file you should have something like:
> # Used in SpamAssassin cache results headers
> cached = cached
> notcached = not cached
>
> HtH

As I suspected (after doing an upgrade on a testbox from 4.56.8 ->
4.57.6) there was no new languages.conf.rpmnew ... so no need for
running the upgrade script on anything.

Give a holler if you need a "pristine copy" and can't get at it any other way:-)

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Tue Dec  5 15:17:19 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec  5 15:17:22 2006
Subject: wiki update for postfix unknown users..
In-Reply-To: <45758574.3040104@solidstatelogic.com>
References: <45758574.3040104@solidstatelogic.com>
Message-ID: <223f97700612050717s16664368u645a44b2b703e3a2@mail.gmail.com>

On 05/12/06, Martin Hepworth <martinh@solidstatelogic.com> wrote:
> All
>
> Down the bottom of this page...
>
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users
>
> there's a link to Pete Russell's scripts for pulling info from AD and
> Lotus notes.
>
> However the link is dead, can anyone provide a new link?
>
I've been "pestering" Pete about uploading the needed things to the
wiki... So far it's been only promises, promises... :-):-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From Kevin_Miller at ci.juneau.ak.us  Tue Dec  5 16:22:59 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Dec  5 16:23:07 2006
Subject: Storing spam mails to separate alias for each user
In-Reply-To: <029c01c71832$750769c0$a9a4c0c0@bkslaptop>
Message-ID: <D1587DCF6294524BAFA2C9944312FCC863B9E8@city-exch-w3e.cbj.local>

I don't know that you can send them to individual quarantine
directories, but if you install MailWatch
(http://mailwatch.sourceforge.net/doku.php) you can query it on a per
user basis (and much more) by using the filter option in the reports.
Works a treat...


...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500
  

 

________________________________

From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Bibhas
Kumar Samanta
Sent: Monday, December 04, 2006 8:59 PM
To: MailScanner discussion
Subject: Storing spam mails to separate alias for each user


Hello,
 
I am using MS/SA with sendmail on a RHEL 4.0 box.
 
MS allows to deliver all spam ( or high scoring spams) to
be either delivered or stored to a common quarantine area.
 
Can I store the spam mails on per user basis on the mail server,
so that user can check the their spam mails from time to time.
(ie for user1 , all spams to be stored at user1_spam file.)
 
They will get the non-spam mails delivered to their mail
 boxes automatically.
 
Please suggest.
 
regards,
Bibhas
 
From david at gnsa.us  Tue Dec  5 16:35:14 2006
From: david at gnsa.us (David Nalley)
Date: Tue Dec  5 16:37:40 2006
Subject: wiki update for postfix unknown users..
In-Reply-To: <45758574.3040104@solidstatelogic.com>
References: <45758574.3040104@solidstatelogic.com>
Message-ID: <45759FC2.3080708@gnsa.us>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Hepworth wrote:
> All
> 
> Down the bottom of this page...
> 
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users
> 
> 
> there's a link to Pete Russell's scripts for pulling info from AD and
> Lotus notes.
> 
> However the link is dead, can anyone provide a new link?
> 
I had to email Pete for a copy of the scripts. I have the zip file
containing the scripts if you have a place to host it. But we may want
to ask permission first.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFdZ/CkZOYj+cNI1cRApMxAJ9XAWbY82l8j31R0/PsPrB6O9rQBwCfYMD4
gdFt2W5CU5RgPs7uJa6NcAs=
=Xzi3
-----END PGP SIGNATURE-----
From ewallig at aerocontractors.com  Tue Dec  5 16:43:41 2006
From: ewallig at aerocontractors.com (Ed Wallig)
Date: Tue Dec  5 16:43:47 2006
Subject: Rules for filenames / file types
Message-ID: <FDF5AC25614CD644BA4E38E48CFCA08F1682D1@bodega.ACL.int>

Hi,
 
I am currently blocking .gif files using a deny statement in my
filename.rules.conf file to keep the image spam out. This is working
great but it is also blocking things that my users don't want blocked.
Is there a way to write a rule that allows gif files from certain email
domains (and/or addresses) to pass without getting stripped? It needs to
also allow outgoing email from my domain to pass w/o getting gif files
stripped out (girls in the admin office complaining about their
signatures and stationary).
 
 
Thanks,
 
 - Ed
 


 

 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061205/7d9038d8/attachment.html
From martinh at solidstatelogic.com  Tue Dec  5 16:51:39 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Dec  5 16:51:48 2006
Subject: Rules for filenames / file types
In-Reply-To: <FDF5AC25614CD644BA4E38E48CFCA08F1682D1@bodega.ACL.int>
References: <FDF5AC25614CD644BA4E38E48CFCA08F1682D1@bodega.ACL.int>
Message-ID: <4575A39B.3020407@solidstatelogic.com>

Ed Wallig wrote:
> Hi,
>  
> I am currently blocking .gif files using a deny statement in my 
> filename.rules.conf file to keep the image spam out. This is working 
> great but it is also blocking things that my users don't want blocked. 
> Is there a way to write a rule that allows gif files from certain email 
> domains (and/or addresses) to pass without getting stripped? It needs to 
> also allow outgoing email from my domain to pass w/o getting gif files 
> stripped out (girls in the admin office complaining about their 
> signatures and stationary).
>  
>  
> Thanks,
>  
>  - Ed
>  
> 
> //
>  
> 
>  
> 
I'd look at the SARE rules, URI-RBL's DCC etc for doing this. Works 
great for me, without touching all the heavy FuzzyOCR code at all.


-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From ewallig at aerocontractors.com  Tue Dec  5 17:25:32 2006
From: ewallig at aerocontractors.com (Ed Wallig)
Date: Tue Dec  5 17:25:43 2006
Subject: Rules for filenames / file types
In-Reply-To: <4575A39B.3020407@solidstatelogic.com>
Message-ID: <FDF5AC25614CD644BA4E38E48CFCA08F1682D6@bodega.ACL.int>

Hi,

Thanks for the reply - I'm not using SA in my config (separate anti-spam
system in place) so SARE and DCC are not options (I don't think).

In the filename.rules.conf file, can the "FromOrTo" directives be used?
This would solve the issue if I could simply put the domains that I want
to allow gifs from in here. I don't have any problem w/ blocking .gifs
from the majority of the world, just need a couple of domains to be able
to send them.

Thanks,

 - Ed 

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin
Hepworth
Sent: Tuesday, December 05, 2006 11:52 AM
To: MailScanner discussion
Subject: Re: Rules for filenames / file types

Ed Wallig wrote:
> Hi,
>  
> I am currently blocking .gif files using a deny statement in my 
> filename.rules.conf file to keep the image spam out. This is working 
> great but it is also blocking things that my users don't want blocked.
> Is there a way to write a rule that allows gif files from certain 
> email domains (and/or addresses) to pass without getting stripped? It 
> needs to also allow outgoing email from my domain to pass w/o getting 
> gif files stripped out (girls in the admin office complaining about 
> their signatures and stationary).
>  
>  
> Thanks,
>  
>  - Ed
>  
> 
> //
>  
> 
>  
> 
I'd look at the SARE rules, URI-RBL's DCC etc for doing this. Works
great for me, without touching all the heavy FuzzyOCR code at all.


-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
From mikes at hartwellcorp.com  Tue Dec  5 17:34:44 2006
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Tue Dec  5 17:36:47 2006
Subject: Some mail coming in without attachments
Message-ID: <3BF93070B3D1B047BA7ABF612958950DF78D0F@hcex.hartwellcorp.com>

And this did start around the time that I upgraded to the most recent
version of MailScanner... I'm running 4.57 now and still seeing the
problem.  The TNEF versions we're using are:

tnef-1.4.3-1
perl-Convert-TNEF-0.17-1

Are these too old perhaps?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
Neuman van der Hans
Sent: Friday, December 01, 2006 3:48 PM
To: MailScanner discussion
Subject: Re: Some mail coming in without attachments

It means the attachment is probably tnef encoded and the webmail program

was probably smart enough to deal with it.

I had a problem once with a braindead M-Sexchange admin who insisted on 
RTF'ing all outgoing mail. The latest MailScanner version does replace 
tnef-encoded mail with its own non-tnef-encoded version, so you might 
want to look into that.

Michael St. Laurent wrote:
> I thought the same thing at first but the attachment went through when
> it was sent to a web mail account.
> 
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott
> Silva
> Sent: Friday, December 01, 2006 11:11 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Some mail coming in without attachments
> 
> Michael St. Laurent spake the following on 12/1/2006 9:37 AM:
>> I've got two reports of emails being delivered without the Word
> document
>> attachments they were sent with.  Several attempts to send each of
> them
>> and each time the mail was delivered but there was no attachment.
>>  
>> Redhat Linux 9:
>> MailScanner-4.56.8-1 from the RPM install
>> ClamAV 0.88.6 & SpamAssassin 3.1.7 from the easy installation package
>>  
>> These packages were updated to the latest versions only a few weeks
>> ago.  So far the only other problem reported is a higher instance of
>> virus mails getting through to the secondary virus scanner (which is
>> running on the internal Exchange server).
>>
> Look for the obvious things like tnef encoded files being sent from an
> outlook
> user to an outlook express user. You really need to look at the
message
> source
> and see if the attachments really aren't there.
From dave.list at pixelhammer.com  Tue Dec  5 18:02:44 2006
From: dave.list at pixelhammer.com (DAve)
Date: Tue Dec  5 18:03:00 2006
Subject: Problems with split recipients
Message-ID: <4575B444.9020107@pixelhammer.com>

Using the following,

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient

Everything seemed to go well, everyone is happy with the increased 
capture rates. But my outbound queue is growing now where previously I 
had no problems.

I am seeing the following messages in my mail logs;

Dec  5 12:56:54 avhost2 sendmail[59093]: NOQUEUE: SYSERR(root): 
QueuePath /var/spool/mqueue.in not subpath of QueueDirectory 
/var/spool/mqueue/

Am I missing something here? I followed the instructions in the Wiki 
closely and followed the original thread from Steve on this subject.

Looking at Sendmail docs it would seem I need to define my queues 
differently. Has anyone else seen this issue?

Thanks,

DAve
-- 
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.
From chandler at chapman.edu  Tue Dec  5 18:05:07 2006
From: chandler at chapman.edu (Chandler, Jay)
Date: Tue Dec  5 18:05:14 2006
Subject: How do others do it?
Message-ID: <A50A29B70741ED42BE44230B1DF6118416127C53@ADAM.chapman.edu>

I'm three months into the mail management duties, and I've taken the
university from a kludged together implementation of SpamAssassin to
running on MailScanner for inbound.
 
Now I'm preparing to tackle the task of setting up Mailscanner outbound.
 
Obviously I want virus scanning enabled, but how do most of you handle
the spam scanning issue?  Do you tag and pass, do you not scan at all,
or some other option?
 

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: Unoptimized hard drive 


 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061205/d457711d/attachment.html
From ka at pacific.net  Tue Dec  5 18:40:51 2006
From: ka at pacific.net (Ken A)
Date: Tue Dec  5 18:38:18 2006
Subject: Problems with split recipients
In-Reply-To: <4575B444.9020107@pixelhammer.com>
References: <4575B444.9020107@pixelhammer.com>
Message-ID: <4575BD33.4050505@pacific.net>



DAve wrote:
> Using the following,
> 
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient 
> 
> 
> Everything seemed to go well, everyone is happy with the increased 
> capture rates. But my outbound queue is growing now where previously I 
> had no problems.
> 
> I am seeing the following messages in my mail logs;
> 
> Dec  5 12:56:54 avhost2 sendmail[59093]: NOQUEUE: SYSERR(root): 
> QueuePath /var/spool/mqueue.in not subpath of QueueDirectory 
> /var/spool/mqueue/

You should have 2 instances of sendmail running (incoming and outgoing)
The incoming queue should be using /var/spool/mqueue.in and the outgoing 
sendmail instance should be using /var/spool/mqueue/.

You should make the changes for split recipients in the .mc or .cf for 
the incoming sendmail ONLY. You'll need to create a separate .mc and .cf 
for this instance of sendmail if you are splitting recipients, and make 
changes to the MailScanner init script where needed, per the doc you 
referred to.

Note that in normal MailScanner installation, the incoming and outgoing 
sendmail's use the same sendmail.cf.

Ken A.
Pacific.Net


> Am I missing something here? I followed the instructions in the Wiki 
> closely and followed the original thread from Steve on this subject.
> 
> Looking at Sendmail docs it would seem I need to define my queues 
> differently. Has anyone else seen this issue?
> 
> Thanks,
> 
> DAve
From ssilva at sgvwater.com  Tue Dec  5 18:50:12 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec  5 18:50:40 2006
Subject: How do others do it?
In-Reply-To: <A50A29B70741ED42BE44230B1DF6118416127C53@ADAM.chapman.edu>
References: <A50A29B70741ED42BE44230B1DF6118416127C53@ADAM.chapman.edu>
Message-ID: <el4f15$olq$1@sea.gmane.org>

Chandler, Jay spake the following on 12/5/2006 10:05 AM:
> I'm three months into the mail management duties, and I've taken the
> university from a kludged together implementation of SpamAssassin to
> running on MailScanner for inbound.
>  
> Now I'm preparing to tackle the task of setting up Mailscanner outbound.
>  
> Obviously I want virus scanning enabled, but how do most of you handle
> the spam scanning issue?  Do you tag and pass, do you not scan at all,
> or some other option?
>  
If students will be accessing the mail system, then I would hold them to the
same standards that you apply to incoming mail. Students are notorious for
doing things "they aren't supposed to do". You can whitelist any
administration people that need to be.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From pravin.rane at gmail.com  Tue Dec  5 19:08:24 2006
From: pravin.rane at gmail.com (Pravin Rane)
Date: Tue Dec  5 19:08:27 2006
Subject: Rules for filenames / file types
In-Reply-To: <FDF5AC25614CD644BA4E38E48CFCA08F1682D6@bodega.ACL.int>
References: <4575A39B.3020407@solidstatelogic.com>
	<FDF5AC25614CD644BA4E38E48CFCA08F1682D6@bodega.ACL.int>
Message-ID: <13c021a90612051108ia46337of65ca031db93c9a4@mail.gmail.com>

In MailScanner.conf use following
Filename Rules = %etc-dir%/filename.rules



In %etc-dir%/filename.rules use following
FromOrTo: <tab>*@domain1.tld <tab>
%rules-dir%/domain1.tld.filename.rules.conf
FromOrTo: <tab>*@domain2.tld <tab>
%rules-dir%/domain2.tld.filename.rules.conf
FromOrTo: <tab> default <tab> %etc-dir%/filename.rules.conf # Default
filename ruleset


In %rules-dir%/domain1.tld.filename.rules.conf  use following
deny <tab>   \.gif$  <tab> <tab> Blocked as per policy
# and other extensions you want to deny/allow

In %rules-dir%/domain2.tld.filename.rules.conf  use following
allow <tab>   \.gif$  <tab> <tab> - <tab> -
# and other extensions you want to deny/allow

On 12/5/06, Ed Wallig <ewallig@aerocontractors.com> wrote:
>
> Hi,
>
> Thanks for the reply - I'm not using SA in my config (separate anti-spam
> system in place) so SARE and DCC are not options (I don't think).
>
> In the filename.rules.conf file, can the "FromOrTo" directives be used?
> This would solve the issue if I could simply put the domains that I want
> to allow gifs from in here. I don't have any problem w/ blocking .gifs
> from the majority of the world, just need a couple of domains to be able
> to send them.
>
> Thanks,
>
> - Ed
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin
> Hepworth
> Sent: Tuesday, December 05, 2006 11:52 AM
> To: MailScanner discussion
> Subject: Re: Rules for filenames / file types
>
> Ed Wallig wrote:
> > Hi,
> >
> > I am currently blocking .gif files using a deny statement in my
> > filename.rules.conf file to keep the image spam out. This is working
> > great but it is also blocking things that my users don't want blocked.
> > Is there a way to write a rule that allows gif files from certain
> > email domains (and/or addresses) to pass without getting stripped? It
> > needs to also allow outgoing email from my domain to pass w/o getting
> > gif files stripped out (girls in the admin office complaining about
> > their signatures and stationary).
> >
> >
> > Thanks,
> >
> >  - Ed
> >
> >
> > //
> >
> >
> >
> >
> I'd look at the SARE rules, URI-RBL's DCC etc for doing this. Works
> great for me, without touching all the heavy FuzzyOCR code at all.
>
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>



-- 
Regards

Pravin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061206/0827aca3/attachment.html
From chandler at chapman.edu  Tue Dec  5 19:17:20 2006
From: chandler at chapman.edu (Chandler, Jay)
Date: Tue Dec  5 19:17:24 2006
Subject: How do others do it?
Message-ID: <A50A29B70741ED42BE44230B1DF6118416128072@ADAM.chapman.edu>


Scott Silva wrote:
> Chandler, Jay spake the following on 12/5/2006 10:05 AM:
>> I'm three months into the mail management duties, and I've taken the
>> university from a kludged together implementation of SpamAssassin to
>> running on MailScanner for inbound.
>> 
>> Now I'm preparing to tackle the task of setting up Mailscanner
>> outbound. 
>> 
>> Obviously I want virus scanning enabled, but how do most of you
>> handle the spam scanning issue?  Do you tag and pass, do you not
>> scan at all, or some other option? 
>> 
> If students will be accessing the mail system, then I would hold them
> to the same standards that you apply to incoming mail. Students are
> notorious for doing things "they aren't supposed to do". You can
> whitelist any administration people that need to be.   

Unfortunately, we're in a position where there are close to 2000 staff
members who'll be using it-- two boxes handle the entire outbound load
for everything, be it our webmail, exchange server traffic, and (since
we disabled port 25 outbound a couple months back) any SMTP traffic
whatsoever that leaves our network.

I do realize that if I start flagging departmental messages as spam,
I'll catch hell, so how have others balanced the greater good of society
with the needs of their local institutions?


-- 
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: The rubber band broke
From ssilva at sgvwater.com  Tue Dec  5 19:35:03 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec  5 19:35:21 2006
Subject: How do others do it?
In-Reply-To: <A50A29B70741ED42BE44230B1DF6118416128072@ADAM.chapman.edu>
References: <A50A29B70741ED42BE44230B1DF6118416128072@ADAM.chapman.edu>
Message-ID: <el4hl8$2nu$1@sea.gmane.org>

Chandler, Jay spake the following on 12/5/2006 11:17 AM:
> Scott Silva wrote:
>> Chandler, Jay spake the following on 12/5/2006 10:05 AM:
>>> I'm three months into the mail management duties, and I've taken the
>>> university from a kludged together implementation of SpamAssassin to
>>> running on MailScanner for inbound.
>>>
>>> Now I'm preparing to tackle the task of setting up Mailscanner
>>> outbound. 
>>>
>>> Obviously I want virus scanning enabled, but how do most of you
>>> handle the spam scanning issue?  Do you tag and pass, do you not
>>> scan at all, or some other option? 
>>>
>> If students will be accessing the mail system, then I would hold them
>> to the same standards that you apply to incoming mail. Students are
>> notorious for doing things "they aren't supposed to do". You can
>> whitelist any administration people that need to be.   
> 
> Unfortunately, we're in a position where there are close to 2000 staff
> members who'll be using it-- two boxes handle the entire outbound load
> for everything, be it our webmail, exchange server traffic, and (since
> we disabled port 25 outbound a couple months back) any SMTP traffic
> whatsoever that leaves our network.
> 
> I do realize that if I start flagging departmental messages as spam,
> I'll catch hell, so how have others balanced the greater good of society
> with the needs of their local institutions?
> 
> 
That is a touchy situation. You will have to try and balance the needs and
desires of the staff with the possibility of your servers getting blacklisted
if someone gets infected with a spambot. The likelyhood of any spambots
actually going through your servers is less of a problem, so if you can block
any mail traffic that doesn't go through your servers, you will be way ahead.

One way is to limit access to outside mail accounts except through webmail or
VPN. That will let the occasional outsider on your network like guest speakers
or service personnel to get out. I scan internal mail, but whitelist the
"important" people, like my boss, and her boss, and anybody deemed to be in
the "executive" level. Everyone else needs to be held accountable for what
they send.
You can just tag it, or add a header and track it. You don't necessarily have
to alter the messages. With an addon like Mailwatch, you can whitelist
internal mail, but still add the spam scores so you can track if anybody is
abusing the e-mail, or just tends to send spammy looking mail like ALL CAPS or
lots of blue or red text. Then you can politely help them so other servers
don't see them as spam.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From dave.list at pixelhammer.com  Tue Dec  5 19:37:42 2006
From: dave.list at pixelhammer.com (DAve)
Date: Tue Dec  5 19:38:06 2006
Subject: Problems with split recipients
In-Reply-To: <4575BD33.4050505@pacific.net>
References: <4575B444.9020107@pixelhammer.com> <4575BD33.4050505@pacific.net>
Message-ID: <4575CA86.1010800@pixelhammer.com>

Ken A wrote:
> 
> 
> DAve wrote:
>> Using the following,
>>
>> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient 
>>
>>
>> Everything seemed to go well, everyone is happy with the increased 
>> capture rates. But my outbound queue is growing now where previously I 
>> had no problems.
>>
>> I am seeing the following messages in my mail logs;
>>
>> Dec  5 12:56:54 avhost2 sendmail[59093]: NOQUEUE: SYSERR(root): 
>> QueuePath /var/spool/mqueue.in not subpath of QueueDirectory 
>> /var/spool/mqueue/
> 
> You should have 2 instances of sendmail running (incoming and outgoing)
> The incoming queue should be using /var/spool/mqueue.in and the outgoing 
> sendmail instance should be using /var/spool/mqueue/.
> 
> You should make the changes for split recipients in the .mc or .cf for 
> the incoming sendmail ONLY. You'll need to create a separate .mc and .cf 
> for this instance of sendmail if you are splitting recipients, and make 
> changes to the MailScanner init script where needed, per the doc you 
> referred to.
> 
> Note that in normal MailScanner installation, the incoming and outgoing 
> sendmail's use the same sendmail.cf.

All that was done, we have always run a split queue on our MailScanner 
servers.

I have stopped the errors by making changes to my queues, as follows.

added a new queue dir of /var/spool/mailq
added incoming queue at /var/spool/mailq/mqueue.in
added outgoing queue at /var/spool/mailq/mqueue

adjusted my MailScanner.conf and start scripts accordingly.
added "define(`QUEUE_DIR','/var/spool/mailq')dnl to my incoming *.mc and 
rebuilt my incoming *.cf file. Restarted Sendmail.

Now the SYSERR messages are gone, watching my out queue now to see if it 
drops.

DAve
> 
> Ken A.
> Pacific.Net
> 
> 
>> Am I missing something here? I followed the instructions in the Wiki 
>> closely and followed the original thread from Steve on this subject.
>>
>> Looking at Sendmail docs it would seem I need to define my queues 
>> differently. Has anyone else seen this issue?
>>
>> Thanks,
>>
>> DAve


-- 
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.
From Richard.Frovarp at sendit.nodak.edu  Tue Dec  5 19:50:38 2006
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Tue Dec  5 19:50:44 2006
Subject: How do others do it?
In-Reply-To: <A50A29B70741ED42BE44230B1DF6118416128072@ADAM.chapman.edu>
References: <A50A29B70741ED42BE44230B1DF6118416128072@ADAM.chapman.edu>
Message-ID: <4575CD8E.4080400@sendit.nodak.edu>

Chandler, Jay wrote:
> Scott Silva wrote:
>   
>> Chandler, Jay spake the following on 12/5/2006 10:05 AM:
>>     
>>> I'm three months into the mail management duties, and I've taken the
>>> university from a kludged together implementation of SpamAssassin to
>>> running on MailScanner for inbound.
>>>
>>> Now I'm preparing to tackle the task of setting up Mailscanner
>>> outbound. 
>>>
>>> Obviously I want virus scanning enabled, but how do most of you
>>> handle the spam scanning issue?  Do you tag and pass, do you not
>>> scan at all, or some other option? 
>>>
>>>       
>> If students will be accessing the mail system, then I would hold them
>> to the same standards that you apply to incoming mail. Students are
>> notorious for doing things "they aren't supposed to do". You can
>> whitelist any administration people that need to be.   
>>     
>
> Unfortunately, we're in a position where there are close to 2000 staff
> members who'll be using it-- two boxes handle the entire outbound load
> for everything, be it our webmail, exchange server traffic, and (since
> we disabled port 25 outbound a couple months back) any SMTP traffic
> whatsoever that leaves our network.
>
> I do realize that if I start flagging departmental messages as spam,
> I'll catch hell, so how have others balanced the greater good of society
> with the needs of their local institutions?
>
>
>   

I can see scanning for viruses. I don't know if I would worry about 
anything else. The other people should be doing their own scanning. I am 
assuming that your outbound servers require authentication. Spam is 
usually sent by bots that wouldn't be going through your authenticated 
server. By blocking 25 you've probably done the best you can.
From ewallig at aerocontractors.com  Tue Dec  5 20:15:48 2006
From: ewallig at aerocontractors.com (Ed Wallig)
Date: Tue Dec  5 20:15:47 2006
Subject: Rules for filenames / file types
In-Reply-To: <13c021a90612051108ia46337of65ca031db93c9a4@mail.gmail.com>
Message-ID: <FDF5AC25614CD644BA4E38E48CFCA08F1682F0@bodega.ACL.int>

Sweet, thanks - I'll give it a try :)
 
 
 - Ed

________________________________

From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Pravin
Rane
Sent: Tuesday, December 05, 2006 2:08 PM
To: MailScanner discussion
Subject: Re: Rules for filenames / file types



In MailScanner.conf use following 
Filename Rules = %etc-dir%/filename.rules



In %etc-dir%/filename.rules use following 
FromOrTo: <tab>*@domain1.tld <tab>
%rules-dir%/domain1.tld.filename.rules.conf 
FromOrTo: <tab>*@domain2.tld <tab>
%rules-dir%/domain2.tld.filename.rules.conf 
FromOrTo: <tab> default <tab> %etc-dir%/filename.rules.conf # Default
filename ruleset 


In %rules-dir%/domain1.tld.filename.rules.conf  use following
deny <tab>   \.gif$  <tab> <tab> Blocked as per policy
# and other extensions you want to deny/allow

In %rules-dir%/domain2.tld.filename.rules.conf  use following
allow <tab>   \.gif$  <tab> <tab> - <tab> - 
# and other extensions you want to deny/allow


On 12/5/06, Ed Wallig < ewallig@aerocontractors.com
<mailto:ewallig@aerocontractors.com> > wrote: 

	Hi,
	
	Thanks for the reply - I'm not using SA in my config (separate
anti-spam 
	system in place) so SARE and DCC are not options (I don't
think).
	
	In the filename.rules.conf file, can the "FromOrTo" directives
be used?
	This would solve the issue if I could simply put the domains
that I want 
	to allow gifs from in here. I don't have any problem w/ blocking
.gifs
	from the majority of the world, just need a couple of domains to
be able
	to send them.
	
	Thanks,
	
	- Ed
	
	-----Original Message----- 
	From: mailscanner-bounces@lists.mailscanner.info
	[mailto:mailscanner-bounces@lists.mailscanner.info ] On Behalf
Of Martin
	Hepworth
	Sent: Tuesday, December 05, 2006 11:52 AM
	To: MailScanner discussion
	Subject: Re: Rules for filenames / file types
	
	Ed Wallig wrote:
	> Hi,
	>
	> I am currently blocking .gif files using a deny statement in
my 
	> filename.rules.conf file to keep the image spam out. This is
working
	> great but it is also blocking things that my users don't want
blocked.
	> Is there a way to write a rule that allows gif files from
certain 
	> email domains (and/or addresses) to pass without getting
stripped? It
	> needs to also allow outgoing email from my domain to pass w/o
getting
	> gif files stripped out (girls in the admin office complaining
about 
	> their signatures and stationary).
	>
	>
	> Thanks,
	>
	>  - Ed
	>
	>
	> //
	>
	>
	>
	>
	I'd look at the SARE rules, URI-RBL's DCC etc for doing this.
Works 
	great for me, without touching all the heavy FuzzyOCR code at
all.
	
	
	--
	Martin Hepworth
	Senior Systems Administrator
	Solid State Logic
	Tel: +44 (0)1865 842300
	
	
********************************************************************** 
	
	This email and any files transmitted with it are confidential
and
	intended solely for the use of the individual or entity to whom
they
	are addressed. If you have received this email in error please
notify
	the system manager.
	
	This footnote confirms that this email message has been swept
	for the presence of computer viruses and is believed to be
clean.
	
	
********************************************************************** 
	
	--
	MailScanner mailing list
	mailscanner@lists.mailscanner.info
	http://lists.mailscanner.info/mailman/listinfo/mailscanner 
	
	Before posting, read http://wiki.mailscanner.info/posting
	
	Support MailScanner development - buy the book off the website!
	--
	MailScanner mailing list 
	mailscanner@lists.mailscanner.info
	http://lists.mailscanner.info/mailman/listinfo/mailscanner 
	
	Before posting, read http://wiki.mailscanner.info/posting
	
	Support MailScanner development - buy the book off the website!
	




-- 
Regards

Pravin 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061205/c13a68a0/attachment.html
From leolists at seidkr.com  Tue Dec  5 20:47:06 2006
From: leolists at seidkr.com (=?ISO-8859-1?Q?Philip_Leonard_WV=D8T?=)
Date: Tue Dec  5 20:47:19 2006
Subject: archived mail format
Message-ID: <4575DACA.4010303@seidkr.com>

Can I output archived mail in maildir format?  If so how do I tell MS to 
do that?

I've tried searching the list archives for this and found a reference 
that someone was doing this but I could not find any config examples.

thanks, Philip

From ralloway at winbeam.com  Tue Dec  5 20:57:01 2006
From: ralloway at winbeam.com (Richard D Alloway)
Date: Tue Dec  5 20:57:12 2006
Subject: SpamAssassin dns timeouts... why?!
Message-ID: <Pine.LNX.4.62.0612051548580.22516@mail.winbeam.com>


Hi!  I have been having loads of problems with spamassassin timing out during 
DNS lookups...

If I use

/usr/bin/spamassassin -D < /tmp/spamemail.txt

I see the correct IP used for the nameserver:

[16018] dbg: dns: name server: 192.168.1.1, family: 2, ipv6: 0

Then, I see that the lookups took a LONG time:

[16018] dbg: uridnsbl: select found 1 socks ready
[16018] dbg: uridnsbl: queries completed: 1 started: 2
[16018] dbg: uridnsbl: queries active: DNSBL=10 NS=3 at Tue Dec 5 15:52:34 2006
[16018] dbg: uridnsbl: waiting 2 seconds for URIDNSBL lookups to complete
[16018] dbg: uridnsbl: select found 1 socks ready
[16018] dbg: uridnsbl: queries completed: 1 started: 0
[16018] dbg: uridnsbl: queries active: A=2 DNSBL=10 NS=2 at Tue Dec 5 15:52:34 
2006
[16018] dbg: uridnsbl: select found 1 socks ready
[16018] dbg: uridnsbl: query for winbeam.com took 50 seconds to look up 
(multi.surbl.org.:winbeam.com)
[16018] dbg: uridnsbl: queries completed: 1 started: 0
[16018] dbg: uridnsbl: queries active: A=2 DNSBL=9 NS=2 at Tue Dec 5 15:52:35 
2006
[16018] dbg: uridnsbl: select found 1 socks ready
[16018] dbg: uridnsbl: query for winbeam.com took 50 seconds to look up 
(multi.uribl.com.:winbeam.com)
[16018] dbg: uridnsbl: queries completed: 1 started: 0
...etc...
[16018] dbg: uridnsbl: done waiting for URIDNSBL lookups to complete
[16018] dbg: uridnsbl: aborting remaining lookups

I've tried using dnsmasq and bind9 as caching-only nameservers dedicated to 
resolving and caching queries for my mail servers, and the cache is growing, 
but multiple "/usr/bin/spamassassin -D < /tmp/spamemail.txt" attempts on the 
same file still result in 30-70 sec lookup times in the uridnsbl portion of 
spamassassin.

Manual queries of the hosts ('winbeam.com.multi.uribl.com' for example) resolve 
(or fail to) instantly from either the cache box or the mail server.

Any idea what could be wrong?  I'm rapidly running out of ways to try to 
increase performance here.

Thanks!

-Rich
From r.berber at computer.org  Tue Dec  5 21:42:07 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Tue Dec  5 21:42:32 2006
Subject: Disabling DCC, Pyzor on the cf file
Message-ID: <el4p3f$2aq$1@sea.gmane.org>

Hi,

Using MS 4.57.6 I'm trying to disable the above plugins.

Following the instructions in spam.assassin.prefs.conf (a.k.a. mailscanner.cf),

> # Uncomment the lines below to stop using the specific service
> # To stop Razor2 checks, uncomment the following line
> #use_razor2     0
> # To stop DCC checks, uncomment the following line
> #use_dcc                0
> # To stop Pyzor checks, uncomment the following line
> #use_pyzor      0

does not work, spamassassin --lint complains with:

> [28764] warn: config: failed to parse line, skipping: use_razor2 0
> [28764] warn: config: failed to parse line, skipping: use_dcc 0
> [28764] warn: config: failed to parse line, skipping: use_pyzor 0

Is there any other way to avoid loading those plugins?  (using is not really the
problem since I don't have the executables installed, just the SA plugin).
-- 
Ren? Berber

From pete at enitech.com.au  Tue Dec  5 21:46:00 2006
From: pete at enitech.com.au (Peter Russell)
Date: Tue Dec  5 21:46:12 2006
Subject: wiki update for postfix unknown users..
In-Reply-To: <45759FC2.3080708@gnsa.us>
References: <45758574.3040104@solidstatelogic.com> <45759FC2.3080708@gnsa.us>
Message-ID: <4575E898.2090808@enitech.com.au>

Rightio you lot :)

I have finally had my password reset for another domain so i can upload 
files. I have uploaded the scripts. When you open them you will see 
proof that i am no good at code, so if anyone feels like testing and 
perfecting the error handling and reposting it for everyone that would 
be great.

I use the Domino one to read the Domino directory to build a Virtual 
Alias map, so you can have valid Domino users and forward them without 
having to use Domino for mail routing. (we have a redundant Domino mail, 
active Domino Application system).

I use the AD one to read the MS 2003 AD and build a recipient access map 
- kinda like a sendmail-milter, but better :)

Additionally i have added the sa-learn scripts that a kind gent from 
this list gave me. They read MS Exchange Public Folders and learn the 
contents into bayes. All you need an MS Exchange (i use 2003) public 
folder, set the default and anon permission to contribute without read 
access, yourself owner access and let you users drag spam into the 
public folder, cron your sa-learn script and Bob's your Mothers brother.

Again it would great if some one could have a look at these python 
scripts, because when i run them the script always finishes before the 
public folder is empty and i have to run it several times.

I have them hosted at
http://www.enitech.com.au/maps/recipient_maps.zip

http://www.enitech.com.au/maps/sa-learn.zip

Have fun
Pete



David Nalley wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Martin Hepworth wrote:
>> All
>>
>> Down the bottom of this page...
>>
>> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users
>>
>>
>> there's a link to Pete Russell's scripts for pulling info from AD and
>> Lotus notes.
>>
>> However the link is dead, can anyone provide a new link?
>>
> I had to email Pete for a copy of the scripts. I have the zip file
> containing the scripts if you have a place to host it. But we may want
> to ask permission first.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> 
> iD8DBQFFdZ/CkZOYj+cNI1cRApMxAJ9XAWbY82l8j31R0/PsPrB6O9rQBwCfYMD4
> gdFt2W5CU5RgPs7uJa6NcAs=
> =Xzi3
> -----END PGP SIGNATURE-----
From Denis.Beauchemin at USherbrooke.ca  Tue Dec  5 21:46:19 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Dec  5 21:46:46 2006
Subject: How do others do it?
In-Reply-To: <A50A29B70741ED42BE44230B1DF6118416128072@ADAM.chapman.edu>
References: <A50A29B70741ED42BE44230B1DF6118416128072@ADAM.chapman.edu>
Message-ID: <4575E8AB.6050104@USherbrooke.ca>

Chandler, Jay a ?crit :
> Scott Silva wrote:
>   
>> Chandler, Jay spake the following on 12/5/2006 10:05 AM:
>>     
>>> I'm three months into the mail management duties, and I've taken the
>>> university from a kludged together implementation of SpamAssassin to
>>> running on MailScanner for inbound.
>>>
>>> Now I'm preparing to tackle the task of setting up Mailscanner
>>> outbound. 
>>>
>>> Obviously I want virus scanning enabled, but how do most of you
>>> handle the spam scanning issue?  Do you tag and pass, do you not
>>> scan at all, or some other option? 
>>>
>>>       
>> If students will be accessing the mail system, then I would hold them
>> to the same standards that you apply to incoming mail. Students are
>> notorious for doing things "they aren't supposed to do". You can
>> whitelist any administration people that need to be.   
>>     
>
> Unfortunately, we're in a position where there are close to 2000 staff
> members who'll be using it-- two boxes handle the entire outbound load
> for everything, be it our webmail, exchange server traffic, and (since
> we disabled port 25 outbound a couple months back) any SMTP traffic
> whatsoever that leaves our network.
>
> I do realize that if I start flagging departmental messages as spam,
> I'll catch hell, so how have others balanced the greater good of society
> with the needs of their local institutions?
>
>
>   
Our internal smtp servers bounce (yes, bounce!) spam messages back to 
the sender.  I don't want any obvious spam originating from my network.  
My internal rules are quite light compared to the ones on my MX 
servers.  I've been running this way for over a year and we don't have 
that many angry staff/students.  We have about 2000 staff members and 
10000 students but the students don't use the system as much as the staff.

The bounce message explains that we block spam because we want to 
preserve the good reputation of our University.

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061205/8678d58e/smime.bin
From ccampbell at brueggers.com  Tue Dec  5 22:00:01 2006
From: ccampbell at brueggers.com (Christian Campbell)
Date: Tue Dec  5 22:00:26 2006
Subject: Disabling DCC, Pyzor on the cf file
In-Reply-To: <el4p3f$2aq$1@sea.gmane.org>
Message-ID: <BBF8D28805D77C4899790ADA8F22FEAF016F2E8E@neptune.brueggers.net>

> Using MS 4.57.6 I'm trying to disable the above plugins.
> 
> > [28764] warn: config: failed to parse line, skipping: use_razor2 0 
> > [28764] warn: config: failed to parse line, skipping: use_dcc 0 
> > [28764] warn: config: failed to parse line, skipping: use_pyzor 0
> 
> Is there any other way to avoid loading those plugins?  
> (using is not really the problem since I don't have the 
> executables installed, just the SA plugin).

I recently had the same problem.  Matt Kettler recently pointed out to me
(on 12/2 on this list):  

"If you're getting those messages, it's because you're using SA 3.1.x and
you don't have the AWL or DCC plugins loaded in your *.pre files.

At that point, the feature set is *completely* disabled, to the point that
it doesn't even understand those configuration options.

You can safely remove those options from your file, and as long as you don't
uncomment the plugins in your *.pre files, they won't run."

I just left them commented out and it didn't complain any more.

Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3090 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061205/4d32d60a/smime.bin
From ssilva at sgvwater.com  Tue Dec  5 22:11:36 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec  5 22:12:03 2006
Subject: Disabling DCC, Pyzor on the cf file
In-Reply-To: <el4p3f$2aq$1@sea.gmane.org>
References: <el4p3f$2aq$1@sea.gmane.org>
Message-ID: <el4qqo$8cu$1@sea.gmane.org>

Ren? Berber spake the following on 12/5/2006 1:42 PM:
> Hi,
> 
> Using MS 4.57.6 I'm trying to disable the above plugins.
> 
> Following the instructions in spam.assassin.prefs.conf (a.k.a. mailscanner.cf),
> 
>> # Uncomment the lines below to stop using the specific service
>> # To stop Razor2 checks, uncomment the following line
>> #use_razor2     0
>> # To stop DCC checks, uncomment the following line
>> #use_dcc                0
>> # To stop Pyzor checks, uncomment the following line
>> #use_pyzor      0
> 
> does not work, spamassassin --lint complains with:
> 
>> [28764] warn: config: failed to parse line, skipping: use_razor2 0
>> [28764] warn: config: failed to parse line, skipping: use_dcc 0
>> [28764] warn: config: failed to parse line, skipping: use_pyzor 0
> 
> Is there any other way to avoid loading those plugins?  (using is not really the
> problem since I don't have the executables installed, just the SA plugin).
Look in the .pre config files (init.pre and others if you have them) for the
loadplugin lines for those services and comment them out.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mailscanner at yeticomputers.com  Tue Dec  5 22:14:11 2006
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Tue Dec  5 22:14:21 2006
Subject: How do others do it?
In-Reply-To: <4575E8AB.6050104@USherbrooke.ca>
References: <A50A29B70741ED42BE44230B1DF6118416128072@ADAM.chapman.edu>
	<4575E8AB.6050104@USherbrooke.ca>
Message-ID: <4575EF33.70007@yeticomputers.com>

Denis Beauchemin wrote:
> The bounce message explains that we block spam because we want to
> preserve the good reputation of our University.
Unfortunately, since nearly all spam comes from forged addresses, your
bounce message is explaining it to the wrong people.  Assuming you mean
"bounce" the same way I do.  I get a ton of "bounce message" spam
because of forged messages, even though I use SPF.  Annoying.  I hope
I'm just misunderstanding you, because if not, you're a spammer, even if
you aren't aware of it.

Rick
From r.berber at computer.org  Tue Dec  5 22:17:25 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Tue Dec  5 22:17:36 2006
Subject: Disabling DCC, Pyzor on the cf file
In-Reply-To: <el4p3f$2aq$1@sea.gmane.org>
References: <el4p3f$2aq$1@sea.gmane.org>
Message-ID: <el4r5k$8jl$1@sea.gmane.org>

Thanks for the replies.

I already had commented out the plugins in the .pre files, so that was the cause
for the warnings.
-- 
Ren? Berber

From gerard at seibercom.net  Tue Dec  5 22:44:54 2006
From: gerard at seibercom.net (Gerard Seibert)
Date: Tue Dec  5 22:44:47 2006
Subject: How do others do it?
In-Reply-To: <4575EF33.70007@yeticomputers.com>
References: <4575E8AB.6050104@USherbrooke.ca>
	<4575EF33.70007@yeticomputers.com>
Message-ID: <20061205174305.D990.GERARD@seibercom.net>

On Tuesday December 05, 2006 at 05:14:11 (PM) Rick Chadderdon wrote:

> Denis Beauchemin wrote:
> > The bounce message explains that we block spam because we want to
> > preserve the good reputation of our University.
> Unfortunately, since nearly all spam comes from forged addresses, your
> bounce message is explaining it to the wrong people.  Assuming you mean
> "bounce" the same way I do.  I get a ton of "bounce message" spam
> because of forged messages, even though I use SPF.  Annoying.  I hope
> I'm just misunderstanding you, because if not, you're a spammer, even if
> you aren't aware of it.

Worse, continuing this 'backscatter' might very well get his University
black-listed. SPAM and virus infected mail should be silently discarded.


-- 
Gerard
From alex at nkpanama.com  Tue Dec  5 23:04:38 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Tue Dec  5 23:14:01 2006
Subject: How do others do it?
In-Reply-To: <20061205174305.D990.GERARD@seibercom.net>
References: <4575E8AB.6050104@USherbrooke.ca>	<4575EF33.70007@yeticomputers.com>
	<20061205174305.D990.GERARD@seibercom.net>
Message-ID: <4575FB06.6010607@nkpanama.com>

He may be in fact being more of a hindrance than a help, since his 
University is now *more* likely to be blacklisted as a spammer.

Gerard Seibert wrote:
> On Tuesday December 05, 2006 at 05:14:11 (PM) Rick Chadderdon wrote:
> 
>> Denis Beauchemin wrote:
>>> The bounce message explains that we block spam because we want to
>>> preserve the good reputation of our University.
>> Unfortunately, since nearly all spam comes from forged addresses, your
>> bounce message is explaining it to the wrong people.  Assuming you mean
>> "bounce" the same way I do.  I get a ton of "bounce message" spam
>> because of forged messages, even though I use SPF.  Annoying.  I hope
>> I'm just misunderstanding you, because if not, you're a spammer, even if
>> you aren't aware of it.
> 
> Worse, continuing this 'backscatter' might very well get his University
> black-listed. SPAM and virus infected mail should be silently discarded.
> 
> 
From brent.addis at pronet.co.nz  Tue Dec  5 23:21:54 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Tue Dec  5 23:22:33 2006
Subject: How do others do it?
In-Reply-To: <20061205174305.D990.GERARD@seibercom.net>
References: <4575E8AB.6050104@USherbrooke.ca>	<4575EF33.70007@yeticomputers.com>
	<20061205174305.D990.GERARD@seibercom.net>
Message-ID: <4575FF12.1000904@pronet.co.nz>

I think you may have misread it.

I believe he is bouncing back to *internal* hosts, hence the "Our 
internal smtp servers bounce (yes, bounce!) spam messages back to the 
sender.  I don't want any obvious spam originating from my network."

Note the " I don't want any obvious spam originating from my network." 
part. It probably doesn't affect spam coming in from the internet at large.



Gerard Seibert wrote:
> On Tuesday December 05, 2006 at 05:14:11 (PM) Rick Chadderdon wrote:
>
>   
>> Denis Beauchemin wrote:
>>     
>>> The bounce message explains that we block spam because we want to
>>> preserve the good reputation of our University.
>>>       
>> Unfortunately, since nearly all spam comes from forged addresses, your
>> bounce message is explaining it to the wrong people.  Assuming you mean
>> "bounce" the same way I do.  I get a ton of "bounce message" spam
>> because of forged messages, even though I use SPF.  Annoying.  I hope
>> I'm just misunderstanding you, because if not, you're a spammer, even if
>> you aren't aware of it.
>>     
>
> Worse, continuing this 'backscatter' might very well get his University
> black-listed. SPAM and virus infected mail should be silently discarded.
>
>
>   

 

 

From brent.addis at pronet.co.nz  Tue Dec  5 23:28:31 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Tue Dec  5 23:29:09 2006
Subject: How do others do it?
In-Reply-To: <4575FF12.1000904@pronet.co.nz>
References: <4575E8AB.6050104@USherbrooke.ca>	<4575EF33.70007@yeticomputers.com>	<20061205174305.D990.GERARD@seibercom.net>
	<4575FF12.1000904@pronet.co.nz>
Message-ID: <4576009F.3070802@pronet.co.nz>

Although, upon rethinking, the way spam uses random from addresses, 
could indeed spell trouble on the internet at large. Unless he has that 
sort of thing blocked elsewhere.

Brent Addis wrote:
> I think you may have misread it.
>
> I believe he is bouncing back to *internal* hosts, hence the "Our 
> internal smtp servers bounce (yes, bounce!) spam messages back to the 
> sender.  I don't want any obvious spam originating from my network."
>
> Note the " I don't want any obvious spam originating from my network." 
> part. It probably doesn't affect spam coming in from the internet at 
> large.
>
>
>
> Gerard Seibert wrote:
>> On Tuesday December 05, 2006 at 05:14:11 (PM) Rick Chadderdon wrote:
>>
>>  
>>> Denis Beauchemin wrote:
>>>    
>>>> The bounce message explains that we block spam because we want to
>>>> preserve the good reputation of our University.
>>>>       
>>> Unfortunately, since nearly all spam comes from forged addresses, your
>>> bounce message is explaining it to the wrong people.  Assuming you mean
>>> "bounce" the same way I do.  I get a ton of "bounce message" spam
>>> because of forged messages, even though I use SPF.  Annoying.  I hope
>>> I'm just misunderstanding you, because if not, you're a spammer, 
>>> even if
>>> you aren't aware of it.
>>>     
>>
>> Worse, continuing this 'backscatter' might very well get his University
>> black-listed. SPAM and virus infected mail should be silently discarded.
>>
>>
>>   
>
>
>
>
>

 

From drew at technologytiger.net  Tue Dec  5 23:36:10 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Tue Dec  5 23:36:17 2006
Subject: How do others do it?
In-Reply-To: <4575FB06.6010607@nkpanama.com>
References: <4575E8AB.6050104@USherbrooke.ca>	<4575EF33.70007@yeticomputers.com>
	<20061205174305.D990.GERARD@seibercom.net>
	<4575FB06.6010607@nkpanama.com>
Message-ID: <D40AC89E-4475-4575-A92D-3ED4F796F870@technologytiger.net>

On 5 Dec 2006, at 23:04, Alex Neuman van der Hans wrote:

> He may be in fact being more of a hindrance than a help, since his  
> University is now *more* likely to be blacklisted as a spammer.
>
> Gerard Seibert wrote:
>> On Tuesday December 05, 2006 at 05:14:11 (PM) Rick Chadderdon wrote:
>>> Denis Beauchemin wrote:
>>>> The bounce message explains that we block spam because we want to
>>>> preserve the good reputation of our University.
>>> Unfortunately, since nearly all spam comes from forged addresses,  
>>> your
>>> bounce message is explaining it to the wrong people.  Assuming  
>>> you mean
>>> "bounce" the same way I do.  I get a ton of "bounce message" spam
>>> because of forged messages, even though I use SPF.  Annoying.  I  
>>> hope
>>> I'm just misunderstanding you, because if not, you're a spammer,  
>>> even if
>>> you aren't aware of it.
>> Worse, continuing this 'backscatter' might very well get his  
>> University
>> black-listed. SPAM and virus infected mail should be silently  
>> discarded.

I think you have misunderstood what Denis meant. It sounds to me like  
he bounces what looks like Spam back to his students. I would guess  
(Hope?) he is using smtpauth or some other check that prevents the  
students from relaying with a faked from address, so he knows who  
they are. By bouncing the mail back to them, it stops their mail  
being silently dropped or otherwise undelivered (Or worse still  
putting the University on a RBL). I don't believe that Denis is  
suggesting he bounces Spam to any one other than the local users. You  
don't do you Denis?? :-)

Drew


From gavin at netergy.com  Wed Dec  6 00:08:56 2006
From: gavin at netergy.com (Gavin Nelmes-Crocker)
Date: Wed Dec  6 00:09:14 2006
Subject: Weird /tmp problem
Message-ID: <45760A18.4070909@netergy.com>

I'm suddenly seeing a really strange problem which has bugged me now for 
a couple of days with no resolution

Box Bluequartz (cobalt type OS)

df -h gives below

Filesystem            Size  Used Avail Use% Mounted on
/dev/md1              6.0G  1.4G  4.3G  24% /
/dev/md0               99M   38M   56M  41% /boot
none                 1014M     0 1014M   0% /dev/shm
/dev/md4               62G  8.6G   50G  15% /home
/dev/md2             1012M   34M  927M   4% /tmp
/dev/md3              4.0G  1.7G  2.1G  45% /var

I have Mailscanner-4.57.6-1 installed (upgraded tonight from slightly 
earlier version to see if the problem got resolved.

Problem - When i turn MailScanner on suddenly /tmp starts to fill 
rapidly and i then see an error in the logs

  MailScanner[21007]: ERROR: Unable to create temporary directory

If i do du -h i see below clearly showing there is a problem with /tmp

Filesystem            Size  Used Avail Use% Mounted on
/dev/md1              6.0G  1.4G  4.3G  24% /
/dev/md0               99M   38M   56M  41% /boot
none                 1014M     0 1014M   0% /dev/shm
/dev/md4               62G  8.6G   50G  15% /home
/dev/md2             1012M 1012M     0 100% /tmp
/dev/md3              4.0G  1.7G  2.1G  45% /var

but if i look at a listing with ls -al i see nothing different and more 
importantly nothing taking up massive disk space.

The result is that the users mail gets processed but they get no message 
and no subject the email is blank apart from the Mailscanner headers

As soon as i stop mailscanner and restart sendmail on its own everything 
returns to normal.

Where should i be looking? this was all working until Monday morning 
when it suddenly stopped, as far as i know no reboot or software update 
to cause it - weird

Thanks

Regards

Gavin
From ka at pacific.net  Wed Dec  6 00:34:48 2006
From: ka at pacific.net (Ken A)
Date: Wed Dec  6 00:32:11 2006
Subject: Weird /tmp problem
In-Reply-To: <45760A18.4070909@netergy.com>
References: <45760A18.4070909@netergy.com>
Message-ID: <45761028.70606@pacific.net>

You are running ls and df as root, right? Are you running any IDS? It's 
good to rule out the worst case scenarios first, even if that might seem 
paranoid. /tmp is an obvious target. ls output shouldn't conflict with 
df output. check ls -la carefully for anything funny looking (a dir 
beginning with a space, etc).
Ken A.
Pacific.Net

Gavin Nelmes-Crocker wrote:
> I'm suddenly seeing a really strange problem which has bugged me now for 
> a couple of days with no resolution
> 
> Box Bluequartz (cobalt type OS)
> 
> df -h gives below
> 
> Filesystem            Size  Used Avail Use% Mounted on
> /dev/md1              6.0G  1.4G  4.3G  24% /
> /dev/md0               99M   38M   56M  41% /boot
> none                 1014M     0 1014M   0% /dev/shm
> /dev/md4               62G  8.6G   50G  15% /home
> /dev/md2             1012M   34M  927M   4% /tmp
> /dev/md3              4.0G  1.7G  2.1G  45% /var
> 
> I have Mailscanner-4.57.6-1 installed (upgraded tonight from slightly 
> earlier version to see if the problem got resolved.
> 
> Problem - When i turn MailScanner on suddenly /tmp starts to fill 
> rapidly and i then see an error in the logs
> 
>  MailScanner[21007]: ERROR: Unable to create temporary directory
> 
> If i do du -h i see below clearly showing there is a problem with /tmp
> 
> Filesystem            Size  Used Avail Use% Mounted on
> /dev/md1              6.0G  1.4G  4.3G  24% /
> /dev/md0               99M   38M   56M  41% /boot
> none                 1014M     0 1014M   0% /dev/shm
> /dev/md4               62G  8.6G   50G  15% /home
> /dev/md2             1012M 1012M     0 100% /tmp
> /dev/md3              4.0G  1.7G  2.1G  45% /var
> 
> but if i look at a listing with ls -al i see nothing different and more 
> importantly nothing taking up massive disk space.
> 
> The result is that the users mail gets processed but they get no message 
> and no subject the email is blank apart from the Mailscanner headers
> 
> As soon as i stop mailscanner and restart sendmail on its own everything 
> returns to normal.
> 
> Where should i be looking? this was all working until Monday morning 
> when it suddenly stopped, as far as i know no reboot or software update 
> to cause it - weird
> 
> Thanks
> 
> Regards
> 
> Gavin
From glenn.steen at gmail.com  Wed Dec  6 08:14:15 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec  6 08:14:19 2006
Subject: Greylisting (WAS: Re: MailScanner ANNOUNCE: 4.57 released)
In-Reply-To: <20061204233255.DB881FF40@mx-a.vdnet.lt>
References: <4571B547.1090804@ecs.soton.ac.uk>
	<200612022342.kB2NgCcf026083@bkserver.blacknight.ie>
	<20061203011931.d29a40c0.michel@mitch-it.nl>
	<45743355.2040006@sendit.nodak.edu>
	<45744FDB.3030307@netmagicsolutions.com>
	<20061204205254.8300B11285@mx-a.vdnet.lt>
	<223f97700612041451n39e66dedx28699a0d1e59a3eb@mail.gmail.com>
	<20061204233255.DB881FF40@mx-a.vdnet.lt>
Message-ID: <223f97700612060014o6a8b46b1k87e48195c1d93afc@mail.gmail.com>

On 05/12/06, Nerijus Baliunas <nerijus@users.sourceforge.net> wrote:
> On Mon, 4 Dec 2006 23:51:48 +0100 Glenn Steen <glenn.steen@gmail.com> wrote:
>
> > > > Nerijus, Glenn had mentioned that you send some raw samples (where
> > > > privacy is not critical) of mails pre and post milters to Julian.. did
> > > > you manage to do that?
> > >
> > > If you mean just raw messages - then yes, I sent them to Julian, but if you
> > > mean queue files - then no (how/where should I take them from?).
> >
> > That's easy Nerjus.... I'll try be a bit more eloquent than last time:-)....
> > Stop mailscanner, start postfix, send the testmessage, look in the log
> > what queue ID it got (or just trawl through "postqueue -p" (a.k.a.
> > mailq), copy that file (queue ID == filename) from the hold queue
> > (after all, it's just a file). Then stop Postfix and restart
> > MailScanner...
> >
> > Disable the missbehaving milter, repeat the above... And voila, there
> > you have it, "the same" message in a working and a non-working queue
> > file. Makes it possible for Jules (or one of us other postfixers:-) to
> > try see what goes wrong... without having to implement the same exact
> > setup you have.
>
> OK, here they are attached. message1 and queue1 are with milter-greylist,
> message2 and queue2 - without.
>
> Regards,
> Nerijus
>
> P.S. CCing Julian too, but as he is probably busy, I hope some of other postfixers
> will take a look. Thanks.
>
I typed a longish reply to this one yesterday, which gmail then
promptly swallowed:-).
Oh well.

The gist of it was "If I get time, I'll look at the code"... and
"interresting that postcat demangles it correctly (so that the postcat
of each queue file is ... well, as close to identical as possible)
...".

Don't have much spare time ATM though, so don't hold your breath:-).
Who knows, Jules might find the time to look at it before the weekend
(when I'll be likely having an hour to spend:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Wed Dec  6 08:44:41 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec  6 08:44:44 2006
Subject: Problems with split recipients
In-Reply-To: <4575CA86.1010800@pixelhammer.com>
References: <4575B444.9020107@pixelhammer.com> <4575BD33.4050505@pacific.net>
	<4575CA86.1010800@pixelhammer.com>
Message-ID: <223f97700612060044u38e40da9gbd46f230c5d2ba5d@mail.gmail.com>

On 05/12/06, DAve <dave.list@pixelhammer.com> wrote:
(snip)
>
> All that was done, we have always run a split queue on our MailScanner
> servers.
>
> I have stopped the errors by making changes to my queues, as follows.
>
> added a new queue dir of /var/spool/mailq
> added incoming queue at /var/spool/mailq/mqueue.in
> added outgoing queue at /var/spool/mailq/mqueue
>
> adjusted my MailScanner.conf and start scripts accordingly.
> added "define(`QUEUE_DIR','/var/spool/mailq')dnl to my incoming *.mc and
> rebuilt my incoming *.cf file. Restarted Sendmail.

Stupid question from a non-sendmail user... Couldn't you have reached
the same effect by "define(`QUEUE_DIR','/var/spool')dnl" ... ?
Wouldn't that have saved you a whole lot of checking/typing? Or is
there some other magic involved that I'm not thinking of?

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From martinh at solidstatelogic.com  Wed Dec  6 09:07:38 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Dec  6 09:08:14 2006
Subject: How do others do it?
In-Reply-To: <A50A29B70741ED42BE44230B1DF6118416127C53@ADAM.chapman.edu>
References: <A50A29B70741ED42BE44230B1DF6118416127C53@ADAM.chapman.edu>
Message-ID: <4576885A.5040903@solidstatelogic.com>

Chandler, Jay wrote:
> I'm three months into the mail management duties, and I've taken the 
> university from a kludged together implementation of SpamAssassin to 
> running on MailScanner for inbound.
>  
> Now I'm preparing to tackle the task of setting up Mailscanner outbound.
>  
> Obviously I want virus scanning enabled, but how do most of you handle 
> the spam scanning issue?  Do you tag and pass, do you not scan at all, 
> or some other option?
>  
> 
> --
> Jay Chandler
> Network Administrator, Chapman University
> 714.628.7249 / chandler@chapman.edu
> Today's Excuse: Unoptimized hard drive
> 
>  
> 
Jay

we just virus scan outbound and sign the things. NO spam scanning done 
at all..

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From res at ausics.net  Wed Dec  6 09:50:45 2006
From: res at ausics.net (Res)
Date: Wed Dec  6 09:51:02 2006
Subject: How do others do it?
In-Reply-To: <4576885A.5040903@solidstatelogic.com>
References: <A50A29B70741ED42BE44230B1DF6118416127C53@ADAM.chapman.edu>
	<4576885A.5040903@solidstatelogic.com>
Message-ID: <Pine.LNX.4.64.0612061944130.680@ebfjryy.nhfvpf.arg>

Hi Jay,

Chandler, Jay wrote:

>  Now I'm preparing to tackle the task of setting up Mailscanner outbound.
>  Obviously I want virus scanning enabled, but how do most of you handle the 
> spam scanning issue?  Do you tag and pass, do you not scan at all, or some 
> other option?

Treat your users like all others, the more that did this the better things 
would be for all, too many people sit back and say " it'll never be our 
users spamming " and they end up being, at some stage the ones that ARE :)

It only takes one moron with a worm infected winblows pc an hour to have 
your mail server sending out 80K spams, but by then it's too late, the 
damage has already been done.



-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From glenn.steen at gmail.com  Wed Dec  6 10:01:09 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec  6 10:01:12 2006
Subject: Weird /tmp problem
In-Reply-To: <45761028.70606@pacific.net>
References: <45760A18.4070909@netergy.com> <45761028.70606@pacific.net>
Message-ID: <223f97700612060201v3136e501jc59472d4cd78147a@mail.gmail.com>

On 06/12/06, Ken A <ka@pacific.net> wrote:
> You are running ls and df as root, right? Are you running any IDS? It's
> good to rule out the worst case scenarios first, even if that might seem
> paranoid. /tmp is an obvious target. ls output shouldn't conflict with
> df output. check ls -la carefully for anything funny looking (a dir
> beginning with a space, etc).
> Ken A.
> Pacific.Net
>
> Gavin Nelmes-Crocker wrote:
> > I'm suddenly seeing a really strange problem which has bugged me now for
> > a couple of days with no resolution
> >
> > Box Bluequartz (cobalt type OS)
> >
> > df -h gives below
> >
> > Filesystem            Size  Used Avail Use% Mounted on
> > /dev/md1              6.0G  1.4G  4.3G  24% /
> > /dev/md0               99M   38M   56M  41% /boot
> > none                 1014M     0 1014M   0% /dev/shm
> > /dev/md4               62G  8.6G   50G  15% /home
> > /dev/md2             1012M   34M  927M   4% /tmp
> > /dev/md3              4.0G  1.7G  2.1G  45% /var
> >
> > I have Mailscanner-4.57.6-1 installed (upgraded tonight from slightly
> > earlier version to see if the problem got resolved.
> >
> > Problem - When i turn MailScanner on suddenly /tmp starts to fill
> > rapidly and i then see an error in the logs
> >
> >  MailScanner[21007]: ERROR: Unable to create temporary directory
> >
> > If i do du -h i see below clearly showing there is a problem with /tmp
> >
> > Filesystem            Size  Used Avail Use% Mounted on
> > /dev/md1              6.0G  1.4G  4.3G  24% /
> > /dev/md0               99M   38M   56M  41% /boot
> > none                 1014M     0 1014M   0% /dev/shm
> > /dev/md4               62G  8.6G   50G  15% /home
> > /dev/md2             1012M 1012M     0 100% /tmp
> > /dev/md3              4.0G  1.7G  2.1G  45% /var
> >
> > but if i look at a listing with ls -al i see nothing different and more
> > importantly nothing taking up massive disk space.
> >
> > The result is that the users mail gets processed but they get no message
> > and no subject the email is blank apart from the Mailscanner headers
> >
> > As soon as i stop mailscanner and restart sendmail on its own everything
> > returns to normal.
> >
> > Where should i be looking? this was all working until Monday morning
> > when it suddenly stopped, as far as i know no reboot or software update
> > to cause it - weird
> >
Good sugegstions... Also... When you stop MailScanner, is the "lost
space" suddenly available again?

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From gerard at seibercom.net  Wed Dec  6 11:46:31 2006
From: gerard at seibercom.net (Gerard Seibert)
Date: Wed Dec  6 11:46:21 2006
Subject: How do others do it?
In-Reply-To: <D40AC89E-4475-4575-A92D-3ED4F796F870@technologytiger.net>
References: <4575FB06.6010607@nkpanama.com>
	<D40AC89E-4475-4575-A92D-3ED4F796F870@technologytiger.net>
Message-ID: <20061206064624.F8FA.GERARD@seibercom.net>

On Tuesday December 05, 2006 at 06:36:10 (PM) Drew Marshall wrote:

> On 5 Dec 2006, at 23:04, Alex Neuman van der Hans wrote:
> 
> > He may be in fact being more of a hindrance than a help, since his  
> > University is now *more* likely to be blacklisted as a spammer.
> >
> > Gerard Seibert wrote:
> >> On Tuesday December 05, 2006 at 05:14:11 (PM) Rick Chadderdon wrote:
> >>> Denis Beauchemin wrote:
> >>>> The bounce message explains that we block spam because we want to
> >>>> preserve the good reputation of our University.
> >>> Unfortunately, since nearly all spam comes from forged addresses,  
> >>> your
> >>> bounce message is explaining it to the wrong people.  Assuming  
> >>> you mean
> >>> "bounce" the same way I do.  I get a ton of "bounce message" spam
> >>> because of forged messages, even though I use SPF.  Annoying.  I  
> >>> hope
> >>> I'm just misunderstanding you, because if not, you're a spammer,  
> >>> even if
> >>> you aren't aware of it.
> >> Worse, continuing this 'backscatter' might very well get his  
> >> University
> >> black-listed. SPAM and virus infected mail should be silently  
> >> discarded.
> 
> I think you have misunderstood what Denis meant. It sounds to me like  
> he bounces what looks like Spam back to his students. I would guess  
> (Hope?) he is using smtpauth or some other check that prevents the  
> students from relaying with a faked from address, so he knows who  
> they are. By bouncing the mail back to them, it stops their mail  
> being silently dropped or otherwise undelivered (Or worse still  
> putting the University on a RBL). I don't believe that Denis is  
> suggesting he bounces Spam to any one other than the local users. You  
> don't do you Denis?? :-)

I think the OP should supply a more complete picture of both what he is
doing and what he hopes to accomplish.  The OP's original post does seem
to be somewhat vague on those points which is clearly evident by the
wide range of responses he has received.

BTW, thanks Drew for not 'Top Posting'. It makes a thread so difficult
to follow.

-- 
Gerard

	"Vegetarian: Indian word for lousy hunter."
From dave.list at pixelhammer.com  Wed Dec  6 14:21:49 2006
From: dave.list at pixelhammer.com (DAve)
Date: Wed Dec  6 14:22:11 2006
Subject: Problems with split recipients
In-Reply-To: <223f97700612060044u38e40da9gbd46f230c5d2ba5d@mail.gmail.com>
References: <4575B444.9020107@pixelhammer.com>
	<4575BD33.4050505@pacific.net>	<4575CA86.1010800@pixelhammer.com>
	<223f97700612060044u38e40da9gbd46f230c5d2ba5d@mail.gmail.com>
Message-ID: <4576D1FD.2090103@pixelhammer.com>

Glenn Steen wrote:
> On 05/12/06, DAve <dave.list@pixelhammer.com> wrote:
> (snip)
>>
>> All that was done, we have always run a split queue on our MailScanner
>> servers.
>>
>> I have stopped the errors by making changes to my queues, as follows.
>>
>> added a new queue dir of /var/spool/mailq
>> added incoming queue at /var/spool/mailq/mqueue.in
>> added outgoing queue at /var/spool/mailq/mqueue
>>
>> adjusted my MailScanner.conf and start scripts accordingly.
>> added "define(`QUEUE_DIR','/var/spool/mailq')dnl to my incoming *.mc and
>> rebuilt my incoming *.cf file. Restarted Sendmail.
> 
> Stupid question from a non-sendmail user... Couldn't you have reached
> the same effect by "define(`QUEUE_DIR','/var/spool')dnl" ... ?
> Wouldn't that have saved you a whole lot of checking/typing? Or is
> there some other magic involved that I'm not thinking of?
> 

Quite possibly that would have worked. But since I found so little 
information on the error, and even less information on how queue groups 
actually work, I chose to play it safe and stuff everything into a new 
set of queue directories. It just took a few seconds per server.

It seems to have fixed my problem, if I could find an explanation as to 
why, I could write this up and add it to the Wiki.

Right now I'm dealing with an outbound slow queue after an upgrade to 
8.13.x, it never ends does it?

DAve

-- 
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.
From glenn.steen at gmail.com  Wed Dec  6 15:47:30 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec  6 15:47:33 2006
Subject: Problems with split recipients
In-Reply-To: <4576D1FD.2090103@pixelhammer.com>
References: <4575B444.9020107@pixelhammer.com> <4575BD33.4050505@pacific.net>
	<4575CA86.1010800@pixelhammer.com>
	<223f97700612060044u38e40da9gbd46f230c5d2ba5d@mail.gmail.com>
	<4576D1FD.2090103@pixelhammer.com>
Message-ID: <223f97700612060747g4be2e02agc10b785fbe45dced@mail.gmail.com>

On 06/12/06, DAve <dave.list@pixelhammer.com> wrote:
> Glenn Steen wrote:
> > On 05/12/06, DAve <dave.list@pixelhammer.com> wrote:
> > (snip)
> >>
> >> All that was done, we have always run a split queue on our MailScanner
> >> servers.
> >>
> >> I have stopped the errors by making changes to my queues, as follows.
> >>
> >> added a new queue dir of /var/spool/mailq
> >> added incoming queue at /var/spool/mailq/mqueue.in
> >> added outgoing queue at /var/spool/mailq/mqueue
> >>
> >> adjusted my MailScanner.conf and start scripts accordingly.
> >> added "define(`QUEUE_DIR','/var/spool/mailq')dnl to my incoming *.mc and
> >> rebuilt my incoming *.cf file. Restarted Sendmail.
> >
> > Stupid question from a non-sendmail user... Couldn't you have reached
> > the same effect by "define(`QUEUE_DIR','/var/spool')dnl" ... ?
> > Wouldn't that have saved you a whole lot of checking/typing? Or is
> > there some other magic involved that I'm not thinking of?
> >
>
> Quite possibly that would have worked. But since I found so little
> information on the error, and even less information on how queue groups
> actually work, I chose to play it safe and stuff everything into a new
> set of queue directories. It just took a few seconds per server.
>
> It seems to have fixed my problem, if I could find an explanation as to
> why, I could write this up and add it to the Wiki.

Ok. Someone who is current with sendmail will have to help you there:-).

> Right now I'm dealing with an outbound slow queue after an upgrade to
> 8.13.x, it never ends does it?
No it doesn't... Which is fortunate, considering one is kind of in
need of that monthly paycheck:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From gavin at netergy.com  Wed Dec  6 15:56:21 2006
From: gavin at netergy.com (Gavin Nelmes-Crocker)
Date: Wed Dec  6 15:56:25 2006
Subject: Weird /tmp problem
In-Reply-To: <223f97700612060201v3136e501jc59472d4cd78147a@mail.gmail.com>
References: <45760A18.4070909@netergy.com> <45761028.70606@pacific.net>
	<223f97700612060201v3136e501jc59472d4cd78147a@mail.gmail.com>
Message-ID: <4576E825.6000909@netergy.com>

> On 06/12/06, Ken A <ka@pacific.net> wrote:
>> You are running ls and df as root, right? Are you running any IDS? It's
>> good to rule out the worst case scenarios first, even if that might seem
>> paranoid. /tmp is an obvious target. ls output shouldn't conflict with
>> df output. check ls -la carefully for anything funny looking (a dir
>> beginning with a space, etc).

Correct i am logged in as root when doing all tests/checks.  We're not 
running any IDS on the server but have run chkrootkit and can see 
nothing bad

> Good sugegstions... Also... When you stop MailScanner, is the "lost
> space" suddenly available again?

Yes - stop mailscanner and /tmp goes back to normal

The difficulty is that i can only run tests that involve turning 
Mailscanner back on late at night and for short periods of time due to 
the email breaking.

Here are the outputs I'm seeing now with everything working and looking 
normal.

df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/md1               6190592   1378676   4497452  24% /
/dev/md0                101018     38557     57245  41% /boot
none                   1037728         0   1037728   0% /dev/shm
/dev/md4              64428444   9027064  52128548  15% /home
/dev/md2               1035596     34140    948848   4% /tmp
/dev/md3               4127040   1705624   2211772  44% /var
# cd /tmp/
# ls -al
total 48
drwxrwxrwt   6 root root   4096 Dec  6 15:48 .
drwxr-xr-x  24 root root   4096 Dec  4 13:51 ..
-rw-------   1 root root     50 Dec  5 23:45 ClamAVBusy.lock
drwxrwxrwt   2 root root   4096 Dec  4 13:51 .ICE-unix
drwx------   2 root root   4096 Apr  3  2006 lost+found
-rw-rw----   1 mail daemon  248 Dec  4 14:41 majordomo.debug
drwxr-xr-x   2 root root   4096 Dec  4 13:45 paletteStatus
-rw-rw----   1 mail daemon 6844 Dec  6 15:43 resend.debug
drwx------   2 root root   4096 Dec  6 15:48 ssh-uJlNFn3025
-r--r--r--   1 root root     24 Oct 23 20:42 yum.check-update

I'll do the same later tonight with Mailscanner turned on - any other 
ideas to try in preparation for testing?

Thanks

Regards

Gavin
From tjones at isthmus.com  Wed Dec  6 16:12:10 2006
From: tjones at isthmus.com (Thom Jones)
Date: Wed Dec  6 16:15:04 2006
Subject: using Vispan with MailScanner
Message-ID: <200612061012.10449.tjones@isthmus.com>

Just a quick question for anyone using Vispan - 
Which is preferable?  Blocking at the sendmail access level or blocking with 
IPTables?  
thanks for any input.

-- 
Thom Jones
Isthmus Publishing Co., Inc.
http://www.thedailypage.com
If ignorance is bliss, why aren't more people happy?
From ka at pacific.net  Wed Dec  6 16:22:11 2006
From: ka at pacific.net (Ken A)
Date: Wed Dec  6 16:19:33 2006
Subject: Problems with split recipients
In-Reply-To: <4575CA86.1010800@pixelhammer.com>
References: <4575B444.9020107@pixelhammer.com> <4575BD33.4050505@pacific.net>
	<4575CA86.1010800@pixelhammer.com>
Message-ID: <4576EE33.5090502@pacific.net>



DAve wrote:
> Ken A wrote:
>>
>>
>> DAve wrote:
>>> Using the following,
>>>
>>> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient 
>>>
>>>
>>> Everything seemed to go well, everyone is happy with the increased 
>>> capture rates. But my outbound queue is growing now where previously 
>>> I had no problems.
>>>
>>> I am seeing the following messages in my mail logs;
>>>
>>> Dec  5 12:56:54 avhost2 sendmail[59093]: NOQUEUE: SYSERR(root): 
>>> QueuePath /var/spool/mqueue.in not subpath of QueueDirectory 
>>> /var/spool/mqueue/
>>
>> You should have 2 instances of sendmail running (incoming and outgoing)
>> The incoming queue should be using /var/spool/mqueue.in and the 
>> outgoing sendmail instance should be using /var/spool/mqueue/.
>>
>> You should make the changes for split recipients in the .mc or .cf for 
>> the incoming sendmail ONLY. You'll need to create a separate .mc and 
>> .cf for this instance of sendmail if you are splitting recipients, and 
>> make changes to the MailScanner init script where needed, per the doc 
>> you referred to.
>>
>> Note that in normal MailScanner installation, the incoming and 
>> outgoing sendmail's use the same sendmail.cf.
> 
> All that was done, we have always run a split queue on our MailScanner 
> servers.

I may just be being dense(regular occurrance) but if you have had split 
queues all along, there's no reason for this issue to pop up now that 
you have enabled queue groups. Queue groups enabled to split recipients 
don't add additional queue directories. In any case, I'm glad it's 
flowing now!
Ken A.
Pacific.Net

> I have stopped the errors by making changes to my queues, as follows.
> 
> added a new queue dir of /var/spool/mailq
> added incoming queue at /var/spool/mailq/mqueue.in
> added outgoing queue at /var/spool/mailq/mqueue
> 
> adjusted my MailScanner.conf and start scripts accordingly.
> added "define(`QUEUE_DIR','/var/spool/mailq')dnl to my incoming *.mc and 
> rebuilt my incoming *.cf file. Restarted Sendmail.
> 
> Now the SYSERR messages are gone, watching my out queue now to see if it 
> drops.
> 
> DAve
>>
>> Ken A.
>> Pacific.Net
>>
>>
>>> Am I missing something here? I followed the instructions in the Wiki 
>>> closely and followed the original thread from Steve on this subject.
>>>
>>> Looking at Sendmail docs it would seem I need to define my queues 
>>> differently. Has anyone else seen this issue?
>>>
>>> Thanks,
>>>
>>> DAve
> 
> 
From ka at pacific.net  Wed Dec  6 16:43:20 2006
From: ka at pacific.net (Ken A)
Date: Wed Dec  6 16:40:42 2006
Subject: How do others do it?
In-Reply-To: <Pine.LNX.4.64.0612061944130.680@ebfjryy.nhfvpf.arg>
References: <A50A29B70741ED42BE44230B1DF6118416127C53@ADAM.chapman.edu>	<4576885A.5040903@solidstatelogic.com>
	<Pine.LNX.4.64.0612061944130.680@ebfjryy.nhfvpf.arg>
Message-ID: <4576F328.6060204@pacific.net>



Res wrote:
> Hi Jay,
> 
> Chandler, Jay wrote:
> 
>>  Now I'm preparing to tackle the task of setting up Mailscanner outbound.
>>  Obviously I want virus scanning enabled, but how do most of you 
>> handle the spam scanning issue?  Do you tag and pass, do you not scan 
>> at all, or some other option?
> 
> Treat your users like all others, the more that did this the better 
> things would be for all, too many people sit back and say " it'll never 
> be our users spamming " and they end up being, at some stage the ones 
> that ARE :)

It depends who your users are. I assume they are not spammers or you 
wouldn't be asking. So, I think you can be a bit less aggressive with 
your own users. You don't need to run rbl tests against your own IP 
space in SA or MailScanner, you probably don't need to have ANY 
whitelists, and you probably can turn off a lot of tests that would 
normally FP on your users 'marketing' (double-opt-in of course) email.

Run it with very high triggers at first and see how it goes, then 
gradually move triggers down until you are comfortable with the results. 
The goal should be to not tag anything, but catch any real spam 
outbreaks, maybe from a clueless marketing drone, or an exploited 
website. Run anti-virus on any mailserver too, of course.

> It only takes one moron with a worm infected winblows pc an hour to have 
> your mail server sending out 80K spams, but by then it's too late, the 
> damage has already been done.

Blocking port 25 outbound will block 99% of bot activity. I don't think 
I've heard of any that actually use the client's configured mailserver. 
Scanning for viruses (clamav-milter) with catch email that is infected 
with mass email worms.

Ken A.
Pacific.Net


> 
> 
From Denis.Beauchemin at USherbrooke.ca  Wed Dec  6 16:43:40 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Dec  6 16:44:36 2006
Subject: How do others do it?
In-Reply-To: <D40AC89E-4475-4575-A92D-3ED4F796F870@technologytiger.net>
References: <4575E8AB.6050104@USherbrooke.ca>	<4575EF33.70007@yeticomputers.com>	<20061205174305.D990.GERARD@seibercom.net>	<4575FB06.6010607@nkpanama.com>
	<D40AC89E-4475-4575-A92D-3ED4F796F870@technologytiger.net>
Message-ID: <4576F33C.7090406@USherbrooke.ca>

Drew Marshall a ?crit :
> On 5 Dec 2006, at 23:04, Alex Neuman van der Hans wrote:
>
>> He may be in fact being more of a hindrance than a help, since his 
>> University is now *more* likely to be blacklisted as a spammer.
>>
>> Gerard Seibert wrote:
>>> On Tuesday December 05, 2006 at 05:14:11 (PM) Rick Chadderdon wrote:
>>>> Denis Beauchemin wrote:
>>>>> The bounce message explains that we block spam because we want to
>>>>> preserve the good reputation of our University.
>>>> Unfortunately, since nearly all spam comes from forged addresses, your
>>>> bounce message is explaining it to the wrong people.  Assuming you 
>>>> mean
>>>> "bounce" the same way I do.  I get a ton of "bounce message" spam
>>>> because of forged messages, even though I use SPF.  Annoying.  I hope
>>>> I'm just misunderstanding you, because if not, you're a spammer, 
>>>> even if
>>>> you aren't aware of it.
>>> Worse, continuing this 'backscatter' might very well get his University
>>> black-listed. SPAM and virus infected mail should be silently 
>>> discarded.
>
> I think you have misunderstood what Denis meant. It sounds to me like 
> he bounces what looks like Spam back to his students. I would guess 
> (Hope?) he is using smtpauth or some other check that prevents the 
> students from relaying with a faked from address, so he knows who they 
> are. By bouncing the mail back to them, it stops their mail being 
> silently dropped or otherwise undelivered (Or worse still putting the 
> University on a RBL). I don't believe that Denis is suggesting he 
> bounces Spam to any one other than the local users. You don't do you 
> Denis?? :-)
>

Whoa!!!  I leave the list alone for a couple of hours and people are 
ready to flame me!!!  You guys are quick on the trigger ;)

I really said that only my internal smtp servers (not my MX servers) do 
bounce spam messages back to the sender.  It really does not happen 
really often anyways because most computers on the campus are protected 
by AV (we have a site-wide licence for McAfee that covers home use).

What I wanted to address by this measure was to not send an email to 
some external site that my MS would have tagged as spam on its way out.  
That would have looked pretty bad: we send you this email even though 
our content analyzer thinks it is junk...

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061206/769159ff/smime.bin
From ssilva at sgvwater.com  Wed Dec  6 17:10:22 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Dec  6 17:10:43 2006
Subject: Weird /tmp problem
In-Reply-To: <4576E825.6000909@netergy.com>
References: <45760A18.4070909@netergy.com>
	<45761028.70606@pacific.net>	<223f97700612060201v3136e501jc59472d4cd78147a@mail.gmail.com>
	<4576E825.6000909@netergy.com>
Message-ID: <el6thv$k3$1@sea.gmane.org>

Gavin Nelmes-Crocker spake the following on 12/6/2006 7:56 AM:
>> On 06/12/06, Ken A <ka@pacific.net> wrote:
>>> You are running ls and df as root, right? Are you running any IDS? It's
>>> good to rule out the worst case scenarios first, even if that might seem
>>> paranoid. /tmp is an obvious target. ls output shouldn't conflict with
>>> df output. check ls -la carefully for anything funny looking (a dir
>>> beginning with a space, etc).
> 
> Correct i am logged in as root when doing all tests/checks.  We're not
> running any IDS on the server but have run chkrootkit and can see
> nothing bad
> 
>> Good sugegstions... Also... When you stop MailScanner, is the "lost
>> space" suddenly available again?
> 
> Yes - stop mailscanner and /tmp goes back to normal
> 
> The difficulty is that i can only run tests that involve turning
> Mailscanner back on late at night and for short periods of time due to
> the email breaking.
> 
> Here are the outputs I'm seeing now with everything working and looking
> normal.
> 
> df
> Filesystem           1K-blocks      Used Available Use% Mounted on
> /dev/md1               6190592   1378676   4497452  24% /
> /dev/md0                101018     38557     57245  41% /boot
> none                   1037728         0   1037728   0% /dev/shm
> /dev/md4              64428444   9027064  52128548  15% /home
> /dev/md2               1035596     34140    948848   4% /tmp
> /dev/md3               4127040   1705624   2211772  44% /var
> # cd /tmp/
> # ls -al
> total 48
> drwxrwxrwt   6 root root   4096 Dec  6 15:48 .
> drwxr-xr-x  24 root root   4096 Dec  4 13:51 ..
> -rw-------   1 root root     50 Dec  5 23:45 ClamAVBusy.lock
> drwxrwxrwt   2 root root   4096 Dec  4 13:51 .ICE-unix
> drwx------   2 root root   4096 Apr  3  2006 lost+found
> -rw-rw----   1 mail daemon  248 Dec  4 14:41 majordomo.debug
> drwxr-xr-x   2 root root   4096 Dec  4 13:45 paletteStatus
> -rw-rw----   1 mail daemon 6844 Dec  6 15:43 resend.debug
> drwx------   2 root root   4096 Dec  6 15:48 ssh-uJlNFn3025
> -r--r--r--   1 root root     24 Oct 23 20:42 yum.check-update
> 
> I'll do the same later tonight with Mailscanner turned on - any other
> ideas to try in preparation for testing?
> 
> Thanks
> 
> Regards
> 
> Gavin
Have you used du -f /tmp when the error occurs?
That might give you a clue if a directory is filling up.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com  Wed Dec  6 17:13:20 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Dec  6 17:15:06 2006
Subject: using Vispan with MailScanner
In-Reply-To: <200612061012.10449.tjones@isthmus.com>
References: <200612061012.10449.tjones@isthmus.com>
Message-ID: <el6tnh$k3$2@sea.gmane.org>

Thom Jones spake the following on 12/6/2006 8:12 AM:
> Just a quick question for anyone using Vispan - 
> Which is preferable?  Blocking at the sendmail access level or blocking with 
> IPTables?  
> thanks for any input.
> 
If you are already running iptables you can block there. But I am not sure if
mail dropped at the firewall shows in the graphs like mail dropped at the MTA.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From dave.list at pixelhammer.com  Wed Dec  6 17:16:55 2006
From: dave.list at pixelhammer.com (DAve)
Date: Wed Dec  6 17:17:08 2006
Subject: Problems with split recipients
In-Reply-To: <4576EE33.5090502@pacific.net>
References: <4575B444.9020107@pixelhammer.com>
	<4575BD33.4050505@pacific.net>	<4575CA86.1010800@pixelhammer.com>
	<4576EE33.5090502@pacific.net>
Message-ID: <4576FB07.5010609@pixelhammer.com>

Ken A wrote:
> 
> 
> DAve wrote:
>> Ken A wrote:
>>>
>>>
>>> DAve wrote:
>>>> Using the following,
>>>>
>>>> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient 
>>>>
>>>>
>>>> Everything seemed to go well, everyone is happy with the increased 
>>>> capture rates. But my outbound queue is growing now where previously 
>>>> I had no problems.
>>>>
>>>> I am seeing the following messages in my mail logs;
>>>>
>>>> Dec  5 12:56:54 avhost2 sendmail[59093]: NOQUEUE: SYSERR(root): 
>>>> QueuePath /var/spool/mqueue.in not subpath of QueueDirectory 
>>>> /var/spool/mqueue/
>>>
>>> You should have 2 instances of sendmail running (incoming and outgoing)
>>> The incoming queue should be using /var/spool/mqueue.in and the 
>>> outgoing sendmail instance should be using /var/spool/mqueue/.
>>>
>>> You should make the changes for split recipients in the .mc or .cf 
>>> for the incoming sendmail ONLY. You'll need to create a separate .mc 
>>> and .cf for this instance of sendmail if you are splitting 
>>> recipients, and make changes to the MailScanner init script where 
>>> needed, per the doc you referred to.
>>>
>>> Note that in normal MailScanner installation, the incoming and 
>>> outgoing sendmail's use the same sendmail.cf.
>>
>> All that was done, we have always run a split queue on our MailScanner 
>> servers.
> 
> I may just be being dense(regular occurrance) but if you have had split 
> queues all along, there's no reason for this issue to pop up now that 
> you have enabled queue groups. Queue groups enabled to split recipients 
> don't add additional queue directories. In any case, I'm glad it's 
> flowing now!

Therein lies my confusion! I would not have thought that would be an 
issue either. Apparently, Sendmail requires a "parent" directory, or the 
default group directory to be defined. All created queues must be within 
that directory.

I found this based on a search of the error. Unfortunately my BatBook is 
too old for the new features of 8.13.8. The entire problem might be have 
been related to using two milters.

DAve

> Ken A.
> Pacific.Net
> 
>> I have stopped the errors by making changes to my queues, as follows.
>>
>> added a new queue dir of /var/spool/mailq
>> added incoming queue at /var/spool/mailq/mqueue.in
>> added outgoing queue at /var/spool/mailq/mqueue
>>
>> adjusted my MailScanner.conf and start scripts accordingly.
>> added "define(`QUEUE_DIR','/var/spool/mailq')dnl to my incoming *.mc 
>> and rebuilt my incoming *.cf file. Restarted Sendmail.
>>
>> Now the SYSERR messages are gone, watching my out queue now to see if 
>> it drops.
>>
>> DAve
>>>
>>> Ken A.
>>> Pacific.Net
>>>
>>>
>>>> Am I missing something here? I followed the instructions in the Wiki 
>>>> closely and followed the original thread from Steve on this subject.
>>>>
>>>> Looking at Sendmail docs it would seem I need to define my queues 
>>>> differently. Has anyone else seen this issue?
>>>>
>>>> Thanks,
>>>>
>>>> DAve
>>
>>


-- 
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.
From tjones at isthmus.com  Wed Dec  6 17:25:43 2006
From: tjones at isthmus.com (Thom Jones)
Date: Wed Dec  6 17:28:03 2006
Subject: using Vispan with MailScanner
In-Reply-To: <el6tnh$k3$2@sea.gmane.org>
References: <200612061012.10449.tjones@isthmus.com> <el6tnh$k3$2@sea.gmane.org>
Message-ID: <200612061125.43809.tjones@isthmus.com>

On Wednesday 06 December 2006 11:13, Scott Silva wrote:
> Thom Jones spake the following on 12/6/2006 8:12 AM:
> > Just a quick question for anyone using Vispan -
> > Which is preferable?  Blocking at the sendmail access level or blocking
> > with IPTables?
> > thanks for any input.
>
> If you are already running iptables you can block there. But I am not sure
> if mail dropped at the firewall shows in the graphs like mail dropped at
> the MTA.
>
Actually, it does.  I changed the config to iptables earlier today and the 
blocked addresses are counting up just fine.
I was thinking that blocking at the firewall level would be more efficient 
which is what precipitated the question. 
Thanks!
-- 
Thom Jones
Isthmus Publishing Co., Inc.
http://www.thedailypage.com

If ignorance is bliss, why aren't more people happy?
From Kevin_Miller at ci.juneau.ak.us  Wed Dec  6 19:00:01 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Dec  6 19:00:05 2006
Subject: SA-clamAV integrated package
Message-ID: <D1587DCF6294524BAFA2C9944312FCC863B9F5@city-exch-w3e.cbj.local>

I just installed the SA-clamAV package on one of my boxes and noticed a
couple of conflicting lines at the end of the process:
=============
snip
Now go and edit the file /etc/mail/spamassassin/v310.pre
You need to uncomment (remove the #) the loadplugin lines for
DCC.
snip...
Now go and edit the file /etc/mail/spamassassin/init.pre
You need to uncomment (remove the #) the loadplugin lines for
DCC.
...
=============

I was installing over the top of a previous install, so already had the
DCC line uncommented in the v310.pre file.  No biggie there.  But was
surprised to see the instruction to uncomment it in the init.pre file.
Should it be in both places or just one?  If just one, which one?

I also noticed that the line:
  loadplugin Mail::SpamaAsassin:Plugin:Razor2
exists in both init.pre and v310.pre.  Is that correct or is that
probably some cruft left over from an older install?  Which should it be
in if it shouldn't be in both?

Thanks...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500
 
From jscott at infoconex.com  Wed Dec  6 19:11:44 2006
From: jscott at infoconex.com (Jim Scott)
Date: Wed Dec  6 19:08:38 2006
Subject: Emails getting tagged as Disarmed
Message-ID: <010c01c7196a$5ea26fc0$9c15a8c0@concord.corp>

I have installed the latest version on your site today and all of the sudden 
we are getting emails tagged as Disarmed. I checked my MailScanner.conf file 
and it is setup to not change the subject for Disarmed messages.

These are servers that have been in production for a long time and just 
started to do this after the upgrade.

Anyone else seeing this? Anything I can do to provide more details to help 
with understanding what the issue is?

Jim

From ssilva at sgvwater.com  Wed Dec  6 19:46:32 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Dec  6 19:47:00 2006
Subject: Emails getting tagged as Disarmed
In-Reply-To: <010c01c7196a$5ea26fc0$9c15a8c0@concord.corp>
References: <010c01c7196a$5ea26fc0$9c15a8c0@concord.corp>
Message-ID: <el76mo$6lq$1@sea.gmane.org>

Jim Scott spake the following on 12/6/2006 11:11 AM:
> I have installed the latest version on your site today and all of the
> sudden we are getting emails tagged as Disarmed. I checked my
> MailScanner.conf file and it is setup to not change the subject for
> Disarmed messages.
> 
> These are servers that have been in production for a long time and just
> started to do this after the upgrade.
> 
> Anyone else seeing this? Anything I can do to provide more details to
> help with understanding what the issue is?
> 
> Jim
> 
Did you run "upgrade_MailScanner_conf " to see any new options and add to the
conf file?
Run "MailScanner --changed" to see anything you have changed from the defaults.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From res at ausics.net  Wed Dec  6 22:27:03 2006
From: res at ausics.net (Res)
Date: Wed Dec  6 22:27:11 2006
Subject: Problems with split recipients
In-Reply-To: <4576D1FD.2090103@pixelhammer.com>
References: <4575B444.9020107@pixelhammer.com> <4575BD33.4050505@pacific.net>
	<4575CA86.1010800@pixelhammer.com>
	<223f97700612060044u38e40da9gbd46f230c5d2ba5d@mail.gmail.com>
	<4576D1FD.2090103@pixelhammer.com>
Message-ID: <Pine.LNX.4.64.0612070819010.4863@ebfjryy.nhfvpf.arg>

On Wed, 6 Dec 2006, DAve wrote:

> Right now I'm dealing with an outbound slow queue after an upgrade to 8.13.x, 
> it never ends does it?


define(`confSEPARATE_PROC',`True')dnl
define(`confQUEUE_SORT_ORDER', `modification')dnl


Depending on your hardware you might want to alter these values
(works without effort on hp dl380 dual 2.8G, on dl 580's I use 1400/2000)

define(`confMAX_DAEMON_CHILDREN',`800')dnl
define(`confMAX_QUEUE_CHILDREN',`1200')dnl


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From res at ausics.net  Wed Dec  6 22:37:44 2006
From: res at ausics.net (Res)
Date: Wed Dec  6 22:37:51 2006
Subject: How do others do it?
In-Reply-To: <4576F328.6060204@pacific.net>
References: <A50A29B70741ED42BE44230B1DF6118416127C53@ADAM.chapman.edu>
	<4576885A.5040903@solidstatelogic.com>
	<Pine.LNX.4.64.0612061944130.680@ebfjryy.nhfvpf.arg>
	<4576F328.6060204@pacific.net>
Message-ID: <Pine.LNX.4.64.0612070830000.4863@ebfjryy.nhfvpf.arg>

On Wed, 6 Dec 2006, Ken A wrote:

>> It only takes one moron with a worm infected winblows pc an hour to have 
>> your mail server sending out 80K spams, but by then it's too late, the 
>> damage has already been done.
>
> Blocking port 25 outbound will block 99% of bot activity. I don't think I've 
> heard of any that actually use the client's configured mailserver. Scanning 
> for viruses (clamav-milter) with catch email that is infected with mass email 
> worms.

Business clients that insist on using micro$oft openrelay (u might know it 
better as "exchange") setup to use the mail servers.



-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From bbecken at aafp.org  Wed Dec  6 22:55:25 2006
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Wed Dec  6 22:56:24 2006
Subject: using Vispan with MailScanner
In-Reply-To: <el6tnh$k3$2@sea.gmane.org>
References: <200612061012.10449.tjones@isthmus.com> <el6tnh$k3$2@sea.gmane.org>
Message-ID: <4576F5F5.D87E.0068.3@aafp.org>

Using Postfix and Vispan.
I block it at the firewall.  Keeps the log file size down and iptable
dropped connections to not get reflected in the in the graphs.

The "Spam" Tab will show you the Level of blocking, how long the
Address will be blocked, The blocked IP address and the reverse DNS
entry if it could be determined.


>>> Scott Silva <ssilva@sgvwater.com> 12/6/2006 11:13 AM >>>
Thom Jones spake the following on 12/6/2006 8:12 AM:
> Just a quick question for anyone using Vispan - 
> Which is preferable?  Blocking at the sendmail access level or
blocking with 
> IPTables?  
> thanks for any input.
> 
If you are already running iptables you can block there. But I am not
sure if
mail dropped at the firewall shows in the graphs like mail dropped at
the MTA.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info 
http://lists.mailscanner.info/mailman/listinfo/mailscanner 

Before posting, read http://wiki.mailscanner.info/posting 

Support MailScanner development - buy the book off the website! 
From michele at blacknight.ie  Wed Dec  6 23:07:01 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Wed Dec  6 23:07:05 2006
Subject: using Vispan with MailScanner
In-Reply-To: <4576F5F5.D87E.0068.3@aafp.org>
References: <200612061012.10449.tjones@isthmus.com>
	<el6tnh$k3$2@sea.gmane.org> <4576F5F5.D87E.0068.3@aafp.org>
Message-ID: <45774D15.4010101@blacknight.ie>

Brad Beckenhauer wrote:
> Using Postfix and Vispan.
> I block it at the firewall.  Keeps the log file size down and iptable
> dropped connections to not get reflected in the in the graphs.

Surely that's a bit dangerous?

What if a major ISP's SMTP is being abused?




-- 
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Fax. +353 (0) 59  9164239
From alex at nkpanama.com  Thu Dec  7 00:24:34 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Dec  7 00:28:12 2006
Subject: using Vispan with MailScanner
In-Reply-To: <45774D15.4010101@blacknight.ie>
References: <200612061012.10449.tjones@isthmus.com>	<el6tnh$k3$2@sea.gmane.org>
	<4576F5F5.D87E.0068.3@aafp.org> <45774D15.4010101@blacknight.ie>
Message-ID: <45775F42.3050208@nkpanama.com>

YMMV. Check your logs for a few months/weeks back, grep for IP 
addresses, then "sort -u" the list, and look for major ISP IPs. 
Whitelist those.

You can also use mailwatch to see who your biggest senders/receivers 
are, then find out what their MX's are and whitelist them as well.

As long as the iptables command is -A DROP or -A REJECT and you've -I 
ACCEPT'ed (meaning they'll go to the top of the table and override), you 
should be all set.

.. that's what I think I'd do in that situation.

Michele Neylon :: Blacknight wrote:
> Brad Beckenhauer wrote:
>> Using Postfix and Vispan.
>> I block it at the firewall.  Keeps the log file size down and iptable
>> dropped connections to not get reflected in the in the graphs.
> 
> Surely that's a bit dangerous?
> 
> What if a major ISP's SMTP is being abused?
> 
> 
> 
> 
From jscott at infoconex.com  Thu Dec  7 07:30:50 2006
From: jscott at infoconex.com (Jim Scott)
Date: Thu Dec  7 07:35:16 2006
Subject: Emails getting tagged as Disarmed
References: <010c01c7196a$5ea26fc0$9c15a8c0@concord.corp>
	<el76mo$6lq$1@sea.gmane.org>
Message-ID: <002e01c719d2$370f61d0$0569a8c0@JIMLAPTOP>

>>
> Did you run "upgrade_MailScanner_conf " to see any new options and add to 
> the
> conf file?
> Run "MailScanner --changed" to see anything you have changed from the 
> defaults.
>
> -- 

Here is what it shows for disarmed when I ran the check. Notice I have my 
settings set to NO for disarmedmodifysubject.

contentmodifysubject               start          yes
disarmedmodifysubject              start          no 

From glenn.steen at gmail.com  Thu Dec  7 10:19:32 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec  7 10:19:35 2006
Subject: Weird /tmp problem
In-Reply-To: <el6thv$k3$1@sea.gmane.org>
References: <45760A18.4070909@netergy.com> <45761028.70606@pacific.net>
	<223f97700612060201v3136e501jc59472d4cd78147a@mail.gmail.com>
	<4576E825.6000909@netergy.com> <el6thv$k3$1@sea.gmane.org>
Message-ID: <223f97700612070219g3d4a6559lbfcf6bc9a99bd962@mail.gmail.com>

On 06/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> Gavin Nelmes-Crocker spake the following on 12/6/2006 7:56 AM:
> >> On 06/12/06, Ken A <ka@pacific.net> wrote:
> >>> You are running ls and df as root, right? Are you running any IDS? It's
> >>> good to rule out the worst case scenarios first, even if that might seem
> >>> paranoid. /tmp is an obvious target. ls output shouldn't conflict with
> >>> df output. check ls -la carefully for anything funny looking (a dir
> >>> beginning with a space, etc).
> >
> > Correct i am logged in as root when doing all tests/checks.  We're not
> > running any IDS on the server but have run chkrootkit and can see
> > nothing bad
> >
> >> Good sugegstions... Also... When you stop MailScanner, is the "lost
> >> space" suddenly available again?
> >
> > Yes - stop mailscanner and /tmp goes back to normal
> >
> > The difficulty is that i can only run tests that involve turning
> > Mailscanner back on late at night and for short periods of time due to
> > the email breaking.
> >
> > Here are the outputs I'm seeing now with everything working and looking
> > normal.
> >
> > df
> > Filesystem           1K-blocks      Used Available Use% Mounted on
> > /dev/md1               6190592   1378676   4497452  24% /
> > /dev/md0                101018     38557     57245  41% /boot
> > none                   1037728         0   1037728   0% /dev/shm
> > /dev/md4              64428444   9027064  52128548  15% /home
> > /dev/md2               1035596     34140    948848   4% /tmp
> > /dev/md3               4127040   1705624   2211772  44% /var
> > # cd /tmp/
> > # ls -al
> > total 48
> > drwxrwxrwt   6 root root   4096 Dec  6 15:48 .
> > drwxr-xr-x  24 root root   4096 Dec  4 13:51 ..
> > -rw-------   1 root root     50 Dec  5 23:45 ClamAVBusy.lock
> > drwxrwxrwt   2 root root   4096 Dec  4 13:51 .ICE-unix
> > drwx------   2 root root   4096 Apr  3  2006 lost+found
> > -rw-rw----   1 mail daemon  248 Dec  4 14:41 majordomo.debug
> > drwxr-xr-x   2 root root   4096 Dec  4 13:45 paletteStatus
> > -rw-rw----   1 mail daemon 6844 Dec  6 15:43 resend.debug
> > drwx------   2 root root   4096 Dec  6 15:48 ssh-uJlNFn3025
> > -r--r--r--   1 root root     24 Oct 23 20:42 yum.check-update
> >
> > I'll do the same later tonight with Mailscanner turned on - any other
> > ideas to try in preparation for testing?
> >
> > Thanks
> >
> > Regards
> >
> > Gavin
> Have you used du -f /tmp when the error occurs?
> That might give you a clue if a directory is filling up.
>
Another thing.... is that a "memory backed filesystem", like tmpfs or somesuch?
If so, does reveringt it to a normal filesystem, temporarily, just to
see if that fixes your problem... help (in the short term)?
What kind of size limits do you enforce (MTA, MS etc)?

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Thu Dec  7 10:21:25 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec  7 10:21:30 2006
Subject: SA-clamAV integrated package
In-Reply-To: <D1587DCF6294524BAFA2C9944312FCC863B9F5@city-exch-w3e.cbj.local>
References: <D1587DCF6294524BAFA2C9944312FCC863B9F5@city-exch-w3e.cbj.local>
Message-ID: <223f97700612070221p655eabap9de220f84678ed77@mail.gmail.com>

On 06/12/06, Kevin Miller <Kevin_Miller@ci.juneau.ak.us> wrote:
> I just installed the SA-clamAV package on one of my boxes and noticed a
> couple of conflicting lines at the end of the process:
> =============
> snip
> Now go and edit the file /etc/mail/spamassassin/v310.pre
> You need to uncomment (remove the #) the loadplugin lines for
> DCC.
> snip...
> Now go and edit the file /etc/mail/spamassassin/init.pre
> You need to uncomment (remove the #) the loadplugin lines for
> DCC.
> ...
> =============
>
> I was installing over the top of a previous install, so already had the
> DCC line uncommented in the v310.pre file.  No biggie there.  But was
> surprised to see the instruction to uncomment it in the init.pre file.
> Should it be in both places or just one?  If just one, which one?
>
> I also noticed that the line:
>   loadplugin Mail::SpamaAsassin:Plugin:Razor2
> exists in both init.pre and v310.pre.  Is that correct or is that
> probably some cruft left over from an older install?  Which should it be
> in if it shouldn't be in both?
>
> Thanks...
>
Just one is enough. If it is in more than one, the second load will
fail, without much harm, but why do that?:-)

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From Denis.Beauchemin at USherbrooke.ca  Thu Dec  7 13:33:28 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Dec  7 13:33:49 2006
Subject: Great MS publicity!
Message-ID: <45781828.30909@USherbrooke.ca>

Hello All,

I was reading the latest Red Hat Magazine 
http://www.redhat.com/magazine/ and the article on "How to set up a home 
email server
(without being spammed to death)" (at 
http://www.redhat.com/magazine/025nov06/features/email/index.html) has a 
section on MS:
>
>
>     Obtaining and installing MailScanner, SpamAssassin, and ClamAV
>
> Out of the box, sendmail works to deliver mail only. As such, you are 
> quite vulnerable to spam and virus threats that will very quickly 
> become a problem if you do not take action early. These three 
> applications will process received mail and scan it for viruses and 
> spam before it is delivered. You can download the latest versions of 
> these applications from mailscanner.info 
> <http://www.mailscanner.info/downloads.html>.
>
I think there might be many new MS users very soon.

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061207/c128d0d2/smime.bin
From admin at homemachine.net  Thu Dec  7 13:42:52 2006
From: admin at homemachine.net (Tom)
Date: Thu Dec  7 13:41:59 2006
Subject: Great MS publicity!
In-Reply-To: <45781828.30909@USherbrooke.ca>
References: <45781828.30909@USherbrooke.ca>
Message-ID: <45781A5C.1040302@homemachine.net>

this has already been mentioned, yet we are still being spammed to death....

Denis Beauchemin wrote:
> Hello All,
> 
> I was reading the latest Red Hat Magazine 
> http://www.redhat.com/magazine/ and the article on "How to set up a home 
> email server
> (without being spammed to death)" (at 
> http://www.redhat.com/magazine/025nov06/features/email/index.html) has a 
> section on MS:
> 
>>
>>
>>     Obtaining and installing MailScanner, SpamAssassin, and ClamAV
>>
>> Out of the box, sendmail works to deliver mail only. As such, you are 
>> quite vulnerable to spam and virus threats that will very quickly 
>> become a problem if you do not take action early. These three 
>> applications will process received mail and scan it for viruses and 
>> spam before it is delivered. You can download the latest versions of 
>> these applications from mailscanner.info 
>> <http://www.mailscanner.info/downloads.html>.
>>
> I think there might be many new MS users very soon.
> 
> Denis
> 
From ralloway at winbeam.com  Thu Dec  7 15:11:09 2006
From: ralloway at winbeam.com (Richard D Alloway)
Date: Thu Dec  7 15:11:40 2006
Subject: using Vispan with MailScanner
In-Reply-To: <200612061012.10449.tjones@isthmus.com>
References: <200612061012.10449.tjones@isthmus.com>
Message-ID: <Pine.LNX.4.62.0612071003350.29564@mail.winbeam.com>


On Wed, 6 Dec 2006, Thom Jones wrote:

> Just a quick question for anyone using Vispan -
> Which is preferable?  Blocking at the sendmail access level or blocking with
> IPTables?
> thanks for any input.

Hi Thom!

I've been using vispan for a few weeks now and have modified it to support 
RBLs via rbldnsd (or compatible).

I like this approach since blocking via IPTables does tell legitimate email 
senders (using a blocked server) simply fails without any information about who 
to contact about removing the ban, etc.

The good points for using the IPTables method is that the connection is never 
established to the MTA, reducing the overall load on your system, and you can 
block regardless of the MTA used.

Another reason I like this method is that you can use the RBL to block at the 
MTA level (any that support RBLs) or within MailScanner or within 
SpamAssassin... there are many options! :)

I've attempted to contact the author of Vispan regarding my patches to 2.1.0, 
but haven't heard back from the author or the Vispan site's webmaster (may be 
the same person).

I'd be happy to share my patch(s) with you and/or the rest of the group if 
you or anyone else is interested.

-Richard D Alloway
  Chief Technical Officer
  Winbeam Inc, A ClearWire Company
From ralloway at winbeam.com  Thu Dec  7 15:13:09 2006
From: ralloway at winbeam.com (Richard D Alloway)
Date: Thu Dec  7 15:13:58 2006
Subject: using Vispan with MailScanner
In-Reply-To: <el6tnh$k3$2@sea.gmane.org>
References: <200612061012.10449.tjones@isthmus.com> <el6tnh$k3$2@sea.gmane.org>
Message-ID: <Pine.LNX.4.62.0612071011320.29564@mail.winbeam.com>

On Wed, 6 Dec 2006, Scott Silva wrote:

> Thom Jones spake the following on 12/6/2006 8:12 AM:
>> Just a quick question for anyone using Vispan -
>> Which is preferable?  Blocking at the sendmail access level or blocking with
>> IPTables?
>> thanks for any input.
>>
> If you are already running iptables you can block there. But I am not sure if
> mail dropped at the firewall shows in the graphs like mail dropped at the MTA.

Mail dropped via iptables is NOT reported anywhere in Vispan since the mail 
logs don't include any information about connections blocked in this manner.

-Richard D Alloway
  Chief Technical Officer
  Winbeam Inc, A ClearWire Company
From ralloway at winbeam.com  Thu Dec  7 15:15:05 2006
From: ralloway at winbeam.com (Richard D Alloway)
Date: Thu Dec  7 15:16:08 2006
Subject: using Vispan with MailScanner
In-Reply-To: <200612061125.43809.tjones@isthmus.com>
References: <200612061012.10449.tjones@isthmus.com> <el6tnh$k3$2@sea.gmane.org>
	<200612061125.43809.tjones@isthmus.com>
Message-ID: <Pine.LNX.4.62.0612071013350.29564@mail.winbeam.com>

On Wed, 6 Dec 2006, Thom Jones wrote:

> On Wednesday 06 December 2006 11:13, Scott Silva wrote:
>> Thom Jones spake the following on 12/6/2006 8:12 AM:
>>> Just a quick question for anyone using Vispan -
>>> Which is preferable?  Blocking at the sendmail access level or blocking
>>> with IPTables?
>>> thanks for any input.
>>
>> If you are already running iptables you can block there. But I am not sure
>> if mail dropped at the firewall shows in the graphs like mail dropped at
>> the MTA.
>>
> Actually, it does.  I changed the config to iptables earlier today and the
> blocked addresses are counting up just fine.
> I was thinking that blocking at the firewall level would be more efficient
> which is what precipitated the question.
> Thanks!

The blocked addresses are added to the list of blocked addresses, yes, but 
the connections rejected at the iptables level are not reflected in the 
"Messages Rejected" graphs or data points.

-Richard D Alloway
  Chief Technical Officer
  Winbeam Inc, A ClearWire Company
From Howard at harper-adams.ac.uk  Thu Dec  7 16:51:26 2006
From: Howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Dec  7 16:52:19 2006
Subject: MailScanner on Virtual server
Message-ID: <s57846a3.056@gw.harper-adams.ac.uk>

Dear list,
Long term we are looking at consolidating our physical server requirement whilst at the same time increasing availability.  We are looking at VMware with several physical servers in a cluster sharing a mirrored disk array with a more sensible/secure/easy to use backup procedure that we have at present. Currently we have multiple tapes that need changing every day.

Still not clear that we will go down that route but if we do are there any problems running MailScanner box within a VMWare environment?  Currently we use Red Hat Enterprise 3, sendmail, almost latest mailscanner plus the usual add-ons. Given the minimum power of the latest servers our MailScanner system is rarely stressed so could be one candidate for virtualisation. If it is stressed it's more a sign of something wrong than a real increase in mail.

I can see an opportunity to be able to test revised setups with out the hassle of reinstallation if it fails.
I have had a quick look at the archives back to early this year and saw nothing that seemed relevant.
If you wish to reply directly please do so.


 


Regards

Howard Robinson,
(Senior Technical Development Officer),
Harper Adams University College,
Edgmond,
Newport,
Shropshire ,
TF10 8NB.

Tel. Direct 01952 815253
Tel. Switch Board 01952 820280
Fax 01952 814783
Email hrobinson@harper-adams.ac.uk
Web www.harper-adams.ac.uk
 

From martinh at solidstatelogic.com  Thu Dec  7 17:11:59 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Thu Dec  7 17:12:25 2006
Subject: MailScanner on Virtual server
In-Reply-To: <s57846a3.056@gw.harper-adams.ac.uk>
References: <s57846a3.056@gw.harper-adams.ac.uk>
Message-ID: <45784B5F.6020800@solidstatelogic.com>

Howard Robinson wrote:
> Dear list,
> Long term we are looking at consolidating our physical server requirement whilst at the same time increasing availability.  We are looking at VMware with several physical servers in a cluster sharing a mirrored disk array with a more sensible/secure/easy to use backup procedure that we have at present. Currently we have multiple tapes that need changing every day.

get a backup server based on amanda.....nice and easy

mirrored/clustered won't help when the building burns or you have no 
access to site to get at disks. you still need off site tapes!

> 
> Still not clear that we will go down that route but if we do are there any problems running MailScanner box within a VMWare environment?  Currently we use Red Hat Enterprise 3, sendmail, almost latest mailscanner plus the usual add-ons. Given the minimum power of the latest servers our MailScanner system is rarely stressed so could be one candidate for virtualisation. If it is stressed it's more a sign of something wrong than a real increase in mail.
> 
> I can see an opportunity to be able to test revised setups with out the hassle of reinstallation if it fails.
> I have had a quick look at the archives back to early this year and saw nothing that seemed relevant.
> If you wish to reply directly please do so.
> 

works well from I hear. Julian has MS running this way.

> 
>  
> 
> 
> Regards
> 
> Howard Robinson,



-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From campbell at cnpapers.com  Thu Dec  7 17:16:12 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Dec  7 17:16:55 2006
Subject: OT - lost input channel after rcpt
Message-ID: <003f01c71a23$6502d350$0705000a@ddf5dw71>

I'd like to get some opinions on a question I have on the "lost input 
channel" message I get in my sendmail logs.

For the most part, these seem like bad maillings, but I realize this could 
be real mail that just happens to lose the connection. I run MIMEdeFang on 
this machine, and expect it could also be from that also in a roundabout 
way.

How many people use these messages to determine what IPs might go into their 
sendmail access file? Know of any gotchas? It seems like a great place to 
compile a list of IPs to verify before adding to my access file. What might 
cause this message on my server that I should be aware of?

Thanks for any thoughts.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers 


From amoore at dekalbmemorial.com  Thu Dec  7 17:43:59 2006
From: amoore at dekalbmemorial.com (Aaron K. Moore)
Date: Thu Dec  7 17:44:17 2006
Subject: using Vispan with MailScanner
In-Reply-To: <EXCH1ldW8u5RHHSAMfJ0000c219@mail.dekalbmemorial.com>
Message-ID: <60D398EB2DB948409CA1F50D8AF1225701BC9431@exch1.dekalbmemorial.local>

Richard D Alloway wrote:
> 
> I've been using vispan for a few weeks now and have modified it to
> support RBLs via rbldnsd (or compatible).
> 
> I like this approach since blocking via IPTables does tell legitimate
> email senders (using a blocked server) simply fails without any
> information about who to contact about removing the ban, etc.
> 
> The good points for using the IPTables method is that the connection
> is never established to the MTA, reducing the overall load on your
> system, and you can block regardless of the MTA used.
> 
> Another reason I like this method is that you can use the RBL to
> block at the MTA level (any that support RBLs) or within MailScanner
> or within SpamAssassin... there are many options! :)
> 
> I've attempted to contact the author of Vispan regarding my patches
> to 2.1.0, but haven't heard back from the author or the Vispan site's
> webmaster (may be the same person).
> 
> I'd be happy to share my patch(s) with you and/or the rest of the
> group if 
> you or anyone else is interested.
 
Using an RBL is definitely the way to go.  I only use Vispan for the
graphing as I found it making our access file huge and using way too
much CPU time inserting and deleting entries in the access file.  

I ended up writing a custom function for MailScanner to log spam
messages into a database and then generate files for rbldnsd using that
information.

-- 
Aaron Kent Moore
Information Technology Services
DeKalb Memorial Hospital, Inc.
Auburn, IN
Phone:  260.920.2808
E-mail:  amoore@dekalbmemorial.com
From TGFurnish at herffjones.com  Thu Dec  7 18:03:25 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Thu Dec  7 18:03:35 2006
Subject: Blocking e-mail with special characters in username
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC505@inex3.herffjones.hj-int>

Much to my chagrin, I put this header rule in place and was very happy
with the amount of spam it was catching...without realizing for a few
days that it actually matches "<abc@foo.com>" just as well as it matches
"<a'bc@foo.com>". :-(  Lots and lots of false positives.

       From =~ /\<\w[\w']{1,30}\@/

That reads "the character <, followed by a word character, followed by
between 1 and 30 word characters or apostrophes, followed by an
at-sign".  In other words it doesn't need the apostrophe in order to
match.

So thinking myself reasonably proficient in Perl I put in the following
instead:

       From =~ /\<[^'\@]*'[^\@]*\@/

...which my own checking with Perl and with "Regex Coach" (after
removing the perl-specific \ before the @'s) seem to confirm works
correctly.

But that doesn't work in MailScanner+SA3.0. :-(  Still lots and lots of
false positives.

Given the following From header in the message, can someone tell me what
I'm missing?  Anyone see any reason this header should match the second
pattern listed above?

   From: "Aubrey Rosario" <socialismexhalation@aakb.bib.dk>

--
Trever




> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info 
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf 
> Of John Wilcock
> Sent: Friday, December 01, 2006 6:37 AM
> To: MailScanner discussion
> Subject: Re: Blocking e-mail with special characters in username
> 
> emm1 wrote:
> > I have been having alot of e-mails like this one 
> > from=<biographicalparallelism's@acbm.com>. How can I block 
> e-mail that 
> > contain characters like ' in the username/domain field?
> > 
> > Thanks!
> 
> I've been seeing a few of these, but all have scored well 
> over 10 points largely thanks to SARE stocks rules.
> 
> If you want a specific rule, this should catch them:
> 
> header		local_FROM_APOSTROPHE	From =~ 
> /\<\w[\w']{1,30}\@/
> 
> 
> John.
> 
> --
> -- Over 3000 webcams from ski resorts around the world - 
> www.snoweye.com
> -- Translate your technical documents and web pages    - www.tradoc.fr
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 
> 
From jrudd at ucsc.edu  Thu Dec  7 18:33:47 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Thu Dec  7 18:34:27 2006
Subject: Botnet 0.6 plugin for Spam Assassin availabile
Message-ID: <45785E8B.5080903@ucsc.edu>


(I had a bout of insomnia last night, and got more done than I had 
pre-announced yesterday...)


The next version of the Botnet plugin for Spam Assassin is ready.  The 
install instructions are in the Botnet.txt file, and in the INSTALL file.

For those who don't know what Botnet is, it's a plugin which tries to 
identify whether or not the message has been submitted by a 
botnet/spam-zombie type host by looking at its DNS characteristics (no 
reverse DNS, reverse DNS that doesn't resolve, or doesn't resolve back 
to the relay's IP, or reverse DNS that contains things that look like an 
ISP's client address).  The places I've been using it, and the people I 
hear about who are using it, have seen a high degree of success.

It can be downloaded from:

  http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar


As usual, feedback, statistics, bug reports, feature suggestions, are 
all welcome.

NOTE: This will be the last version I announce outside of the SA users 
mailing list.  I don't want to wear out the patience of the other list 
owners.  users@spamassassin.apache.org is where I'll make all further 
release announcements.


What's new in 0.6:


1) IP in Hostname bug fix (the same IP address octet could be matched 
twice.. which was a problem if the octet was "1", and the hostname had a 
sub-string like "101" in it)

2) pass_domains, clientwords, and serverwords weren't insensitive checks

3) typo fixed in botnet.txt

4) moved to Net::DNS (finally; and it's going to be needed for To Do 
item #3)

5) perl package is now named Mail::SpamAssassin::Plugin::Botnet

6) because clientwords and serverwords are meant to be _words_, they are 
now wrapped by (\b|\d) (both before and after the word/expression). 
This is to help avoid false positives where a clientword might have been 
a substring of a larger word that shouldn't have triggered the check 
(similarly for serverwords).

7) similarly, pass_domains now have a leading (\.|\A) added to them IF 
they don't already have \. or \A in front (but it will be added if the 
expression starts with "." -- since this is a regular expression, that 
is assumed to mean any single character, so be careful).

8) added debug output for parse_config

9) added "mta" and "relay" to serverwords (used by classmates.com and/or 
reunion.com)

10) changed dsl to (a|s|d(yn)?)?dsl in clientwords (so, covers adsl, 
sdsl, ddsl, and dyndsl ... I've seen all of those except ddsl)

11) added res(net|ident(ial)?)? to clientwords (rr.com supposedly uses 
".res." in residential/customer IP hostnames, and ".resnet." is common 
at universities for dorm IP addresses)

12) contemplating adding cpe and cust(omer)? to the controversial 
clientwords (I think cpe = customer (presence/provided/?) equipment)



----


To Do before 1.0:

1) prepend __ to sub-rules, only BOTNET proper should not have that

2) separate the SA routines from the core algorithms, so that the botnet 
checks can be used in other perl programs.  Include a script that takes 
an IP addr and answers where/how it passed/failed.

3) try to do a lookup on the sender's email address domain; if it points 
back to the relay's IP address (A record, or one of the MX records), 
then that's less likely to be a botnet.  Use this like 
BOTNET_SERVERWORDS -- just a counter to BOTNET_CLIENT.  What about SPF, 
too? (I think that was a suggestion in one of the alternate meta rules)

4) credits for help I've gotten from other people

5) get listed in the wiki


From taz at taz-mania.com  Thu Dec  7 18:55:03 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Thu Dec  7 18:55:07 2006
Subject: MailScanner on Virtual server
In-Reply-To: <s57846a3.056@gw.harper-adams.ac.uk>
Message-ID: <web-8878540@namesystems.net>


I'm currently consulting at VMWare. 

At VMWare all infrastructure servers (mail, dns, dhcp, nis, etc...) 
must all run withing VMs. No dedicated servers allowed! They believe 
in using their own product. 

Running MailScanner within a VM is not an issue, it runs fine. Just be 
sure each VM has it's own dedicated RAID set and don't have multiple 
VMs sharing the same hard disk. 




On Thu, 07 Dec 2006 16:51:26 +0000
  "Howard Robinson" <Howard@harper-adams.ac.uk> wrote:
>Dear list,
>Long term we are looking at consolidating our physical server 
>requirement whilst at the same time increasing availability.  We are 
>looking at VMware with several physical servers in a cluster sharing 
>a mirrored disk array with a more sensible/secure/easy to use backup 
>procedure that we have at present. Currently we have multiple tapes 
>that need changing every day.
>
>Still not clear that we will go down that route but if we do are 
>there any problems running MailScanner box within a VMWare 
>environment?  Currently we use Red Hat Enterprise 3, sendmail, almost 
>latest mailscanner plus the usual add-ons. Given the minimum power of 
>the latest servers our MailScanner system is rarely stressed so could 
>be one candidate for virtualisation. If it is stressed it's more a 
>sign of something wrong than a real increase in mail.
>
>I can see an opportunity to be able to test revised setups with out 
>the hassle of reinstallation if it fails.
>I have had a quick look at the archives back to early this year and 
>saw nothing that seemed relevant.
>If you wish to reply directly please do so.
>
>
>  
>
>
>Regards
>
>Howard Robinson,
>(Senior Technical Development Officer),
>Harper Adams University College,
>Edgmond,
>Newport,
>Shropshire ,
>TF10 8NB.
>
>Tel. Direct 01952 815253
>Tel. Switch Board 01952 820280
>Fax 01952 814783
>Email hrobinson@harper-adams.ac.uk
>Web www.harper-adams.ac.uk
>  
>
>-- 
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website! 


--------------------------------------------------
Dennis Willson

taz@taz-mania.com
http://www.taz-mania.com

Ham (Extra Class): ka6lsw
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, 
Gas Blender

Owner: Kepnet Internet Services

Life should not be a journey to the grave with the intention of 
arriving safely in a nice looking and well preserved body, but rather 
to skid in broadside, thoroughly used up, totally worn out, and loudly 
proclaiming, "WOW! WHAT A RIDE!"
From jscott at infoconex.com  Thu Dec  7 19:07:31 2006
From: jscott at infoconex.com (Jim Scott)
Date: Thu Dec  7 19:06:23 2006
Subject: Emails getting tagged as Disarmed
In-Reply-To: <002e01c719d2$370f61d0$0569a8c0@JIMLAPTOP>
References: <010c01c7196a$5ea26fc0$9c15a8c0@concord.corp>	<el76mo$6lq$1@sea.gmane.org>
	<002e01c719d2$370f61d0$0569a8c0@JIMLAPTOP>
Message-ID: <45786673.1020506@infoconex.com>

Jim Scott wrote:
>>>
>> Did you run "upgrade_MailScanner_conf " to see any new options and 
>> add to the
>> conf file?
>> Run "MailScanner --changed" to see anything you have changed from the 
>> defaults.
>>
>> -- 
>
> Here is what it shows for disarmed when I ran the check. Notice I have 
> my settings set to NO for disarmedmodifysubject.
>
> contentmodifysubject               start          yes
> disarmedmodifysubject              start          no
Anyone have any input on my issue? We have been running these servers 
for a very long time and this only started after the recent upgrade. My 
settings seem to clearly show that I am not modifying the subject for 
messages that are disarmed yet I am getting emails tagged with Disarmed 
in the subject.


-- 
Jim Scott
Infoconex Online Services
http://www.infoconex.com

From chandler at chapman.edu  Thu Dec  7 19:30:07 2006
From: chandler at chapman.edu (Chandler, Jay)
Date: Thu Dec  7 19:30:11 2006
Subject: Virus Scanning Only-- how to?
Message-ID: <A50A29B70741ED42BE44230B1DF61184162A670D@ADAM.chapman.edu>

If I want MailScanner to just scan for viruses (this is in an outbound
only box), what needs to be changed past setting 'Use SpamAssassin = no'
and 'Dangerous Content Scanning = no'?
 
 
 

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: ether leak 


 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061207/d1fb6c72/attachment.html
From ugob at camo-route.com  Thu Dec  7 19:53:40 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Thu Dec  7 19:55:08 2006
Subject: ordb.org slow
Message-ID: <el9rg5$pn2$2@sea.gmane.org>

Hi,

	Am I the only one experiencing slow response from the ordb DNSBL?

Regards,

Ugo

From michele at blacknight.ie  Thu Dec  7 19:58:18 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Thu Dec  7 19:58:23 2006
Subject: Header Options
Message-ID: <4578725A.6070303@blacknight.ie>

Hi all

One of my random queries that some of you may be able to assist with.. 
Hopefully it will make sense :)



A number of our users are looking for options to filter "borderline" 
mails ie. possible spams and / or phishing fraud using the headers 
(subject line would be easier, but I honestly don't want to get into 
managing huge rulesets on a per domain basis)


I've been reading over the options in MailScanner.conf for the header 
options, but unless I am mistaken there doesn't seem to be anyway to add 
the "sss" type header (or similar) to non-spam emails
The one option I have considered is to drop the threshold on spam and 
set the option to deliver while dropping the threshold on "high spam" 
and setting it to store, but that may break something else :)

Any thoughts??

Michele
-- 
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Fax. +353 (0) 59  9164239
From ssilva at sgvwater.com  Thu Dec  7 20:26:27 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Dec  7 20:26:50 2006
Subject: Emails getting tagged as Disarmed
In-Reply-To: <45786673.1020506@infoconex.com>
References: <010c01c7196a$5ea26fc0$9c15a8c0@concord.corp>	<el76mo$6lq$1@sea.gmane.org>	<002e01c719d2$370f61d0$0569a8c0@JIMLAPTOP>
	<45786673.1020506@infoconex.com>
Message-ID: <el9tdk$1k7$1@sea.gmane.org>

Jim Scott spake the following on 12/7/2006 11:07 AM:
> Jim Scott wrote:
>>>>
>>> Did you run "upgrade_MailScanner_conf " to see any new options and
>>> add to the
>>> conf file?
>>> Run "MailScanner --changed" to see anything you have changed from the
>>> defaults.
>>>
>>> -- 
>>
>> Here is what it shows for disarmed when I ran the check. Notice I have
>> my settings set to NO for disarmedmodifysubject.
>>
>> contentmodifysubject               start          yes
>> disarmedmodifysubject              start          no
> Anyone have any input on my issue? We have been running these servers
> for a very long time and this only started after the recent upgrade. My
> settings seem to clearly show that I am not modifying the subject for
> messages that are disarmed yet I am getting emails tagged with Disarmed
> in the subject.
> 
> 
Maybe you should look at the possibility of 2 copies of a MailScanner part
somewhere. Or if you did an rpm install, is there an rpmnew file where
something didn't get replaced? Have all the upgrades been done the same way (
IE.. rpm or tarball)?
Did you personally do the upgrades or are you depending on some one else's
 "I did it this way"?
I have the same settings on those two options, and it isn't tagging for me.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com  Thu Dec  7 20:34:51 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Dec  7 20:35:16 2006
Subject: ordb.org slow
In-Reply-To: <el9rg5$pn2$2@sea.gmane.org>
References: <el9rg5$pn2$2@sea.gmane.org>
Message-ID: <el9ttb$3is$1@sea.gmane.org>

Ugo Bellavance spake the following on 12/7/2006 11:53 AM:
> Hi,
> 
>     Am I the only one experiencing slow response from the ordb DNSBL?
> 
> Regards,
> 
> Ugo
> 
Their latency seems a little high today. Not just their server, but a few hops
before it also.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From pete at enitech.com.au  Thu Dec  7 20:44:52 2006
From: pete at enitech.com.au (Pete Russell)
Date: Thu Dec  7 20:45:06 2006
Subject: Virus Scanning Only-- how to?
In-Reply-To: <A50A29B70741ED42BE44230B1DF61184162A670D@ADAM.chapman.edu>
References: <A50A29B70741ED42BE44230B1DF61184162A670D@ADAM.chapman.edu>
Message-ID: <45787D44.7050709@enitech.com.au>

I guess you could turn off filetype and filename scanning too...?

Chandler, Jay wrote:
> If I want MailScanner to just scan for viruses (this is in an outbound 
> only box), what needs to be changed past setting 'Use SpamAssassin = no' 
> and 'Dangerous Content Scanning = no'?
>  
>  
>  
> 
> --
> Jay Chandler
> Network Administrator, Chapman University
> 714.628.7249 / chandler@chapman.edu
> Today's Excuse: ether leak
> 
>  
> 
From ssilva at sgvwater.com  Thu Dec  7 20:51:00 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Dec  7 20:52:42 2006
Subject: Header Options
In-Reply-To: <4578725A.6070303@blacknight.ie>
References: <4578725A.6070303@blacknight.ie>
Message-ID: <el9urk$6ut$1@sea.gmane.org>

Michele Neylon :: Blacknight spake the following on 12/7/2006 11:58 AM:
> Hi all
> 
> One of my random queries that some of you may be able to assist with..
> Hopefully it will make sense :)
> 
> 
> 
> A number of our users are looking for options to filter "borderline"
> mails ie. possible spams and / or phishing fraud using the headers
> (subject line would be easier, but I honestly don't want to get into
> managing huge rulesets on a per domain basis)
> 
> 
> I've been reading over the options in MailScanner.conf for the header
> options, but unless I am mistaken there doesn't seem to be anyway to add
> the "sss" type header (or similar) to non-spam emails
> The one option I have considered is to drop the threshold on spam and
> set the option to deliver while dropping the threshold on "high spam"
> and setting it to store, but that may break something else :)
> 
> Any thoughts??
> 
> Michele
How about;
SpamScore Number Instead Of Stars = no
and
Always Include SpamAssassin Report = yes






-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com  Thu Dec  7 21:03:07 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Dec  7 21:03:59 2006
Subject: Header Options
In-Reply-To: <el9urk$6ut$1@sea.gmane.org>
References: <4578725A.6070303@blacknight.ie> <el9urk$6ut$1@sea.gmane.org>
Message-ID: <el9vib$9kb$1@sea.gmane.org>

Scott Silva spake the following on 12/7/2006 12:51 PM:
> Michele Neylon :: Blacknight spake the following on 12/7/2006 11:58 AM:
>> Hi all
>>
>> One of my random queries that some of you may be able to assist with..
>> Hopefully it will make sense :)
>>
>>
>>
>> A number of our users are looking for options to filter "borderline"
>> mails ie. possible spams and / or phishing fraud using the headers
>> (subject line would be easier, but I honestly don't want to get into
>> managing huge rulesets on a per domain basis)
>>
>>
>> I've been reading over the options in MailScanner.conf for the header
>> options, but unless I am mistaken there doesn't seem to be anyway to add
>> the "sss" type header (or similar) to non-spam emails
>> The one option I have considered is to drop the threshold on spam and
>> set the option to deliver while dropping the threshold on "high spam"
>> and setting it to store, but that may break something else :)
>>
>> Any thoughts??
>>
>> Michele
> How about;
> SpamScore Number Instead Of Stars = no
> and
> Always Include SpamAssassin Report = yes
> 
Also look at
# Do you want to include the "Spam Score" header. This shows 1 character
# (Spam Score Character) for every point of the SpamAssassin score. This
# makes it very easy for users to be able to filter their mail using
# whatever SpamAssassin threshold they want. For example, they just look
# for "sssss" for every message whose score is > 5, for example.
# This can also be the filename of a ruleset.
Spam Score = yes




-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From bob.jones at usg.edu  Thu Dec  7 21:23:36 2006
From: bob.jones at usg.edu (Bob Jones)
Date: Thu Dec  7 21:23:26 2006
Subject: MailScanner/Sendmail/Solaris Lock Type
Message-ID: <45788658.1010702@usg.edu>

Hey all, I know this is a dead horse but I couldn't find anything that 
answered this as completely as I liked.  So, I know in general, with 
MailScanner if you are using Sendmail 8.13 you should use a Lock Type of 
posix, and I've found many a post which mentions this.  However, I have 
a tickle in the back of my head that on Solaris systems (9 in this 
case), the lock type should still be flock.  Is my memory correct or do 
I need to change it to posix?

-- 
Thanks,
Bob Jones
bob.jones@usg.edu
From res at ausics.net  Thu Dec  7 22:31:53 2006
From: res at ausics.net (Res)
Date: Thu Dec  7 22:32:01 2006
Subject: OT - lost input channel after rcpt
In-Reply-To: <003f01c71a23$6502d350$0705000a@ddf5dw71>
References: <003f01c71a23$6502d350$0705000a@ddf5dw71>
Message-ID: <Pine.LNX.4.64.0612080816240.19547@ebfjryy.nhfvpf.arg>

On Thu, 7 Dec 2006, Steve Campbell wrote:

> How many people use these messages to determine what IPs might go into their 
> sendmail access file? Know of any gotchas? It seems like a great place to


I wouldn't use this as a guide on who to add into access, you can get 
these from legitimate sites that have connection issues, even your own
local network issues.

Although I agree 95% are from scum buckets, the other 5% is an unacceptably
high figure, for me to use it, it would need to be less than 0.001% risk of
real mail loss, sounds real low doesn't it, but if you do a few million
messages a day, thats a few thousand msgs that might be real that you are 
outright denying, I'd rather them retry and get in later :)



-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From jon.bates at summitmotors.com.au  Thu Dec  7 22:36:53 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Thu Dec  7 22:37:02 2006
Subject: Viruses being blocked by filename rules,
	not being picked up by Clamav
Message-ID: <200612072236.kB7Maq3D004008@summitmotors.com.au>


Scott Silva Wrote:

> I didn't see any mention of if the same file can be detected as a virus
when clam is run on the command line.
> Does it block an eicar test file if sent through the Mailscanner?

Ahh! I didn't think the even check this.

Subsequently I've found that ClamAV wasn't detecting ANY viruses, so I've
installed clamavmodule, and run with that instead. Everything seems to be
working fine now!

Thanks for your help Scott and Reni.

- Jon

From vaibhav at ozdocs.net.au  Thu Dec  7 22:48:38 2006
From: vaibhav at ozdocs.net.au (Vaibhav Pandey)
Date: Thu Dec  7 22:48:45 2006
Subject: Quarantine Dir on Web Server
Message-ID: <200612080948.AA555483710@mail.ozdocs.net.au>

Dear All, 

I wanted to put the Quarantine directory on a browsable directory of the Apache. 

I have set the "Quarantine Directory" as /var/www/html/quarantine 

And when I go at http://MailScanner/quarantine I don't see nothing. On the other hand if I create a directory on my own mkdir /var/www/html/quarantine/test, I can see the directory but can't see 20061207 etc directories. I am pretty sure that they are there.. 

Please help. 

With best regards, 

Webb. 



-- 
This message has been scanned for viruses and
dangerous content by Ozdocs MailScanner, and is
believed to be clean.

From jscott at infoconex.com  Thu Dec  7 23:00:47 2006
From: jscott at infoconex.com (Jim Scott)
Date: Thu Dec  7 22:59:37 2006
Subject: Emails getting tagged as Disarmed
In-Reply-To: <el9tdk$1k7$1@sea.gmane.org>
References: <010c01c7196a$5ea26fc0$9c15a8c0@concord.corp>	<el76mo$6lq$1@sea.gmane.org>	<002e01c719d2$370f61d0$0569a8c0@JIMLAPTOP>	<45786673.1020506@infoconex.com>
	<el9tdk$1k7$1@sea.gmane.org>
Message-ID: <45789D1F.6070809@infoconex.com>

Scott Silva wrote:

> Maybe you should look at the possibility of 2 copies of a MailScanner part
> somewhere. Or if you did an rpm install, is there an rpmnew file where
> something didn't get replaced? Have all the upgrades been done the same way (
> IE.. rpm or tarball)?
> Did you personally do the upgrades or are you depending on some one else's
>  "I did it this way"?
> I have the same settings on those two options, and it isn't tagging for me.
> 

I installed and have always installed from RPM and all past installs and 
upgrades have used this method.

We also have 2 SMTP servers for redundancy and it seems that both are 
producing the same results. So whatever is happening it is the same on 2 
servers that had the same process applied.

I personally performed these upgrades and have always been the person 
performing them.

Maybe it is only specific emails in certain conditions. I am not getting 
all email tagged as spam. Seems to be mostly
html content that it is happening to.

Also my upgrade process was as follows.

Extracted tar
ran ./install.sh
performed upgrade_MailScanner



-- 
Jim Scott
Infoconex Online Services
http://www.infoconex.com
From ssilva at sgvwater.com  Thu Dec  7 23:42:16 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Dec  7 23:42:44 2006
Subject: Emails getting tagged as Disarmed
In-Reply-To: <45789D1F.6070809@infoconex.com>
References: <010c01c7196a$5ea26fc0$9c15a8c0@concord.corp>	<el76mo$6lq$1@sea.gmane.org>	<002e01c719d2$370f61d0$0569a8c0@JIMLAPTOP>	<45786673.1020506@infoconex.com>	<el9tdk$1k7$1@sea.gmane.org>
	<45789D1F.6070809@infoconex.com>
Message-ID: <ela8sp$f5l$1@sea.gmane.org>

Jim Scott spake the following on 12/7/2006 3:00 PM:
> Scott Silva wrote:
> 
>> Maybe you should look at the possibility of 2 copies of a MailScanner
>> part
>> somewhere. Or if you did an rpm install, is there an rpmnew file where
>> something didn't get replaced? Have all the upgrades been done the
>> same way (
>> IE.. rpm or tarball)?
>> Did you personally do the upgrades or are you depending on some one
>> else's
>>  "I did it this way"?
>> I have the same settings on those two options, and it isn't tagging
>> for me.
>>
> 
> I installed and have always installed from RPM and all past installs and
> upgrades have used this method.
> 
> We also have 2 SMTP servers for redundancy and it seems that both are
> producing the same results. So whatever is happening it is the same on 2
> servers that had the same process applied.
> 
> I personally performed these upgrades and have always been the person
> performing them.
> 
> Maybe it is only specific emails in certain conditions. I am not getting
> all email tagged as spam. Seems to be mostly
> html content that it is happening to.
> 
> Also my upgrade process was as follows.
> 
> Extracted tar
> ran ./install.sh
> performed upgrade_MailScanner
> 
> 
> 
You must have some magic combination of settings that triggers this then.
Maybe you could get in contact with Julian off-list, as he has been real busy
lately and not watching the list very closely.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From res at ausics.net  Thu Dec  7 23:58:04 2006
From: res at ausics.net (Res)
Date: Thu Dec  7 23:58:14 2006
Subject: Quarantine Dir on Web Server
In-Reply-To: <200612080948.AA555483710@mail.ozdocs.net.au>
References: <200612080948.AA555483710@mail.ozdocs.net.au>
Message-ID: <Pine.LNX.4.64.0612080954210.20159@ebfjryy.nhfvpf.arg>

Hi,

On Fri, 8 Dec 2006, Vaibhav Pandey wrote:

> Dear All,
>
> I wanted to put the Quarantine directory on a browsable directory of the Apache.
>
> I have set the "Quarantine Directory" as /var/www/html/quarantine
>
> And when I go at http://MailScanner/quarantine I don't see nothing. On the other hand if I create a directory on my own mkdir /var/www/html/quarantine/test, I can see the directory but can't see 20061207 etc directories. I am pretty sure that they are there..


This will be Apache, by default if there is no index.* files it wont show 
anything.

Add in:
<Directory /var/www/html/quarantine>
         Options +Indexes
</Directory>
then restart apache and it should be good, however doing it your way 
creates privacy issues, I think some use MailWatch to do what you are 
after, I don't use it so I'll leave it to someone else to clarify that area.


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From jfagan at firstlightnetworks.com  Fri Dec  8 00:00:04 2006
From: jfagan at firstlightnetworks.com (James Fagan)
Date: Thu Dec  7 23:58:50 2006
Subject: ordb.org slow
In-Reply-To: <el9rg5$pn2$2@sea.gmane.org>
Message-ID: <59E4A3A1069C2640959AD0F7518C48122F0771@FLN1.fln.local>

> 
> Hi,
> 
> 	Am I the only one experiencing slow response from the 
> ordb DNSBL?
> 
> Regards,
> 
> Ugo


No, I have seen it time out alot actualy lately in my logs. I still use
it, but it seems maybe there is too much traffic?
I posted on their mailling list and recieved one reply of someone else
expeirencing the problem, but no definate answer. Maybe they are closed
but still alive? Their webpage hasnt been updated in while from what I
saw last I checked.
From michele at blacknight.ie  Fri Dec  8 00:00:26 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Fri Dec  8 00:00:36 2006
Subject: Header Options
In-Reply-To: <el9urk$6ut$1@sea.gmane.org>
References: <4578725A.6070303@blacknight.ie> <el9urk$6ut$1@sea.gmane.org>
Message-ID: <4578AB1A.1080802@blacknight.ie>

Scott Silva wrote:
> How about;
> SpamScore Number Instead Of Stars = no
> and
> Always Include SpamAssassin Report = yes

Scott

I have that option already set :(

Your email gave me:

X-blackknightscan-MailScanner-Information: Please contact the ISP for 
more information
X-blackknightscan-MailScanner: Found to be clean
X-blackknightscan-MailScanner-SpamCheck: not spam, SpamAssassin (cached,
	score=-2.326, required 6, autolearn=not spam, BAYES_00 -2.60,
	INFO_TLD 1.27, RCVD_IN_NERDS_IE -2.00, RCVD_IN_NERDS_US 1.00)
X-blackknightscan-MailScanner-From: 
mailscanner-bounces@lists.mailscanner.info
X-Spam-Status: No

There's no sign of anything else ....



-- 
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Fax. +353 (0) 59  9164239
From ssilva at sgvwater.com  Fri Dec  8 00:00:27 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec  8 00:01:02 2006
Subject: Emails getting tagged as Disarmed
In-Reply-To: <ela8sp$f5l$1@sea.gmane.org>
References: <010c01c7196a$5ea26fc0$9c15a8c0@concord.corp>	<el76mo$6lq$1@sea.gmane.org>	<002e01c719d2$370f61d0$0569a8c0@JIMLAPTOP>	<45786673.1020506@infoconex.com>	<el9tdk$1k7$1@sea.gmane.org>	<45789D1F.6070809@infoconex.com>
	<ela8sp$f5l$1@sea.gmane.org>
Message-ID: <ela9us$id5$1@sea.gmane.org>

Scott Silva spake the following on 12/7/2006 3:42 PM:
> Jim Scott spake the following on 12/7/2006 3:00 PM:
>> Scott Silva wrote:
>>
>>> Maybe you should look at the possibility of 2 copies of a MailScanner
>>> part
>>> somewhere. Or if you did an rpm install, is there an rpmnew file where
>>> something didn't get replaced? Have all the upgrades been done the
>>> same way (
>>> IE.. rpm or tarball)?
>>> Did you personally do the upgrades or are you depending on some one
>>> else's
>>>  "I did it this way"?
>>> I have the same settings on those two options, and it isn't tagging
>>> for me.
>>>
>> I installed and have always installed from RPM and all past installs and
>> upgrades have used this method.
>>
>> We also have 2 SMTP servers for redundancy and it seems that both are
>> producing the same results. So whatever is happening it is the same on 2
>> servers that had the same process applied.
>>
>> I personally performed these upgrades and have always been the person
>> performing them.
>>
>> Maybe it is only specific emails in certain conditions. I am not getting
>> all email tagged as spam. Seems to be mostly
>> html content that it is happening to.
>>
>> Also my upgrade process was as follows.
>>
>> Extracted tar
>> ran ./install.sh
>> performed upgrade_MailScanner
>>
>>
>>
> You must have some magic combination of settings that triggers this then.
> Maybe you could get in contact with Julian off-list, as he has been real busy
> lately and not watching the list very closely.
> 
You could change "Disarmed Subject Text = " oto something fairly easy to
ignore for now until you get this resolved like a single - or a dot.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From micoots at yahoo.com  Fri Dec  8 04:54:35 2006
From: micoots at yahoo.com (Michael Mansour)
Date: Fri Dec  8 04:54:39 2006
Subject: Allowing .pr3 files through
Message-ID: <20061208045435.23228.qmail@web33310.mail.mud.yahoo.com>

Hi,

I have a person who receives these various .pr3 files. These files are patches for the software they run. They receive them as zip files but the pr3's are contained in the zip.

Mailscanner quarantines these files with "No programs allowed" but I would like to allow them in for this particular domain.

I have their setup as:

/etc/MailScanner/example.com.filename.rules.conf
allow   \.pr3$          -       -

at the end of the file, but that does not seem to work.

My guess is that it's matching it from these two rules:

example.com.filetype.rules.conf:deny  ELF             No executables          No programs allowed
example.com.filetype.rules.conf:deny  executable      No executables          No programs allowed

since they're the only files I can grep through with the "No programs allowed" statements.

Any ideas what I can edit/do to allow these types of files through?

Thanks.

Michael.




Send instant messages to your online friends http://au.messenger.yahoo.com 
From vaibhav at ozdocs.net.au  Fri Dec  8 05:12:37 2006
From: vaibhav at ozdocs.net.au (Vaibhav Pandey)
Date: Fri Dec  8 05:12:46 2006
Subject: why can't I post?
Message-ID: <200612081612.AA678822428@mail.ozdocs.net.au>



-- 
This message has been scanned for viruses and
dangerous content by Ozdocs MailScanner, and is
believed to be clean.

From ugob at camo-route.com  Fri Dec  8 05:40:31 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Dec  8 05:40:50 2006
Subject: why can't I post?
In-Reply-To: <200612081612.AA678822428@mail.ozdocs.net.au>
References: <200612081612.AA678822428@mail.ozdocs.net.au>
Message-ID: <elatsg$v01$1@sea.gmane.org>

Vaibhav Pandey wrote:
> 

Well, you just posted....

From ugob at camo-route.com  Fri Dec  8 05:41:39 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Dec  8 05:45:16 2006
Subject: ordb.org slow
In-Reply-To: <el9ttb$3is$1@sea.gmane.org>
References: <el9rg5$pn2$2@sea.gmane.org> <el9ttb$3is$1@sea.gmane.org>
Message-ID: <elatuk$v01$2@sea.gmane.org>

Scott Silva wrote:
> Ugo Bellavance spake the following on 12/7/2006 11:53 AM:
>> Hi,
>>
>>     Am I the only one experiencing slow response from the ordb DNSBL?
>>
>> Regards,
>>
>> Ugo
>>
> Their latency seems a little high today. Not just their server, but a few hops
> before it also.
> 

I had to disable the lookups in sendmail, and SA timed out quite a few 
times... INQ went up...

Even the website was very slow to load.  It seems to be ok now.

Ugo

From ugob at camo-route.com  Fri Dec  8 05:42:04 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Dec  8 05:50:10 2006
Subject: Virus Scanning Only-- how to?
In-Reply-To: <45787D44.7050709@enitech.com.au>
References: <A50A29B70741ED42BE44230B1DF61184162A670D@ADAM.chapman.edu>
	<45787D44.7050709@enitech.com.au>
Message-ID: <elatvd$v01$3@sea.gmane.org>

Pete Russell wrote:
> I guess you could turn off filetype and filename scanning too...?
> 
> Chandler, Jay wrote:
>> If I want MailScanner to just scan for viruses (this is in an outbound 
>> only box), what needs to be changed past setting 'Use SpamAssassin = 
>> no' and 'Dangerous Content Scanning = no'?

And phishing

>>  
>>  
>>  
>>
>> -- 
>> Jay Chandler
>> Network Administrator, Chapman University
>> 714.628.7249 / chandler@chapman.edu
>> Today's Excuse: ether leak
>>
>>  
>>

From gordon at itnt.co.za  Fri Dec  8 07:36:33 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Fri Dec  8 07:37:07 2006
Subject: Bayes db running in SQL with Mailscanner
Message-ID: <006401c71a9b$98eefa40$0a02a8c0@Gordon>

ITNT Banner Campaign
Hi,

Can anyone tell me how to setup a bayes database to run in mysql and 
mailscanner?

Or give me an idea where I can find info to do this?

Regards
Gordon Colyn
InTheNet Technologies
www.itnt.co.za
MSN: gordoncolyn@hotmail.com
SKYPE: gordoncolyn
086 123 ITNT (4868)
086 682 5204 (Fax)
+27 (0)83 296 7534
Confidentiality: This e-mail including any attachments is intended for the 
above named addressee(s) only and contains confidential information. If you 
have received this email in error you must take no action based on its 
contents, nor must you reproduce or show the e-mail or any attachments or 
any part thereof or communicate the contents to anyone; please reply to the 
sender of this e-mail informing them of the error.
Viruses: We recommend that in keeping with good computing practice the 
recipient should ensure that e-mails received are virus free before opening. 

From jscott at infoconex.com  Fri Dec  8 07:56:29 2006
From: jscott at infoconex.com (Jim Scott)
Date: Fri Dec  8 07:55:40 2006
Subject: Emails getting tagged as Disarmed
In-Reply-To: <ela9us$id5$1@sea.gmane.org>
References: <010c01c7196a$5ea26fc0$9c15a8c0@concord.corp>	<el76mo$6lq$1@sea.gmane.org>	<002e01c719d2$370f61d0$0569a8c0@JIMLAPTOP>	<45786673.1020506@infoconex.com>	<el9tdk$1k7$1@sea.gmane.org>	<45789D1F.6070809@infoconex.com>	<ela8sp$f5l$1@sea.gmane.org>
	<ela9us$id5$1@sea.gmane.org>
Message-ID: <45791AAD.9040108@infoconex.com>

Scott Silva wrote:
> Scott Silva spake the following on 12/7/2006 3:42 PM:
>> Jim Scott spake the following on 12/7/2006 3:00 PM:
>>> Scott Silva wrote:
>>>
>>>> Maybe you should look at the possibility of 2 copies of a MailScanner
>>>> part
>>>> somewhere. Or if you did an rpm install, is there an rpmnew file where
>>>> something didn't get replaced? Have all the upgrades been done the
>>>> same way (
>>>> IE.. rpm or tarball)?
>>>> Did you personally do the upgrades or are you depending on some one
>>>> else's
>>>>  "I did it this way"?
>>>> I have the same settings on those two options, and it isn't tagging
>>>> for me.
>>>>
>>> I installed and have always installed from RPM and all past installs and
>>> upgrades have used this method.
>>>
>>> We also have 2 SMTP servers for redundancy and it seems that both are
>>> producing the same results. So whatever is happening it is the same on 2
>>> servers that had the same process applied.
>>>
>>> I personally performed these upgrades and have always been the person
>>> performing them.
>>>
>>> Maybe it is only specific emails in certain conditions. I am not getting
>>> all email tagged as spam. Seems to be mostly
>>> html content that it is happening to.
>>>
>>> Also my upgrade process was as follows.
>>>
>>> Extracted tar
>>> ran ./install.sh
>>> performed upgrade_MailScanner
>>>
>>>
>>>
>> You must have some magic combination of settings that triggers this then.
>> Maybe you could get in contact with Julian off-list, as he has been real busy
>> lately and not watching the list very closely.
>>
> You could change "Disarmed Subject Text = " oto something fairly easy to
> ignore for now until you get this resolved like a single - or a dot.
> 

Thanks for your input, tomorrow I am going to replace my current 
MailScanner.conf with the .rpmnew and then go back and make my changes I 
need to be sure that I dont have some issue with this being related to 
an upgrade maybe not properly parsing my .conf file. If it is still 
happening after that then I think this is likely a bug.

-- 
Jim Scott
Infoconex Online Services
http://www.infoconex.com
From glenn.steen at gmail.com  Fri Dec  8 08:49:47 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Dec  8 08:49:53 2006
Subject: Emails getting tagged as Disarmed
In-Reply-To: <45791AAD.9040108@infoconex.com>
References: <010c01c7196a$5ea26fc0$9c15a8c0@concord.corp>
	<el76mo$6lq$1@sea.gmane.org>
	<002e01c719d2$370f61d0$0569a8c0@JIMLAPTOP>
	<45786673.1020506@infoconex.com> <el9tdk$1k7$1@sea.gmane.org>
	<45789D1F.6070809@infoconex.com> <ela8sp$f5l$1@sea.gmane.org>
	<ela9us$id5$1@sea.gmane.org> <45791AAD.9040108@infoconex.com>
Message-ID: <223f97700612080049m1e94e31bs45186c6fde268128@mail.gmail.com>

On 08/12/06, Jim Scott <jscott@infoconex.com> wrote:
> Scott Silva wrote:
> > Scott Silva spake the following on 12/7/2006 3:42 PM:
> >> Jim Scott spake the following on 12/7/2006 3:00 PM:
> >>> Scott Silva wrote:
> >>>
> >>>> Maybe you should look at the possibility of 2 copies of a MailScanner
> >>>> part
> >>>> somewhere. Or if you did an rpm install, is there an rpmnew file where
> >>>> something didn't get replaced? Have all the upgrades been done the
> >>>> same way (
> >>>> IE.. rpm or tarball)?
> >>>> Did you personally do the upgrades or are you depending on some one
> >>>> else's
> >>>>  "I did it this way"?
> >>>> I have the same settings on those two options, and it isn't tagging
> >>>> for me.
> >>>>
> >>> I installed and have always installed from RPM and all past installs and
> >>> upgrades have used this method.
> >>>
> >>> We also have 2 SMTP servers for redundancy and it seems that both are
> >>> producing the same results. So whatever is happening it is the same on 2
> >>> servers that had the same process applied.
> >>>
> >>> I personally performed these upgrades and have always been the person
> >>> performing them.
> >>>
> >>> Maybe it is only specific emails in certain conditions. I am not getting
> >>> all email tagged as spam. Seems to be mostly
> >>> html content that it is happening to.
> >>>
> >>> Also my upgrade process was as follows.
> >>>
> >>> Extracted tar
> >>> ran ./install.sh
> >>> performed upgrade_MailScanner
> >>>
> >>>
> >>>
> >> You must have some magic combination of settings that triggers this then.
> >> Maybe you could get in contact with Julian off-list, as he has been real busy
> >> lately and not watching the list very closely.
> >>
> > You could change "Disarmed Subject Text = " oto something fairly easy to
> > ignore for now until you get this resolved like a single - or a dot.
> >
>
> Thanks for your input, tomorrow I am going to replace my current
> MailScanner.conf with the .rpmnew and then go back and make my changes I
> need to be sure that I dont have some issue with this being related to
> an upgrade maybe not properly parsing my .conf file. If it is still
> happening after that then I think this is likely a bug.
>
I'm sure you did already, but ... running "MailScanner --lint" should
reveal any typos ....:-).
Fat-fingering can happen to the best.... And that might justr explain
why something you see as correct... really isn't;-).
Oh, just one more ... You've never edited the config witha windoze
editor, have you? No extra ^M characters lurking on some line or
other....?

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From a.peacock at chime.ucl.ac.uk  Fri Dec  8 08:50:26 2006
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Fri Dec  8 08:50:48 2006
Subject: Bayes db running in SQL with Mailscanner
In-Reply-To: <006401c71a9b$98eefa40$0a02a8c0@Gordon>
References: <006401c71a9b$98eefa40$0a02a8c0@Gordon>
Message-ID: <45792752.1080302@chime.ucl.ac.uk>

Hi Gordon,

Gordon Colyn wrote:
> ITNT Banner Campaign
> Hi,
> 
> Can anyone tell me how to setup a bayes database to run in mysql and 
> mailscanner?

Setting up a mysql bayes database is done in SpamAssassin and is 
basically the same whether using MailScanner or not.

> Or give me an idea where I can find info to do this?

The SpamAssassin docs and Wiki have some good information for this:

http://wiki.apache.org/spamassassin/BetterDocumentation/SqlReadmeBayes

> 
> Regards
> Gordon Colyn
> InTheNet Technologies
> www.itnt.co.za
> MSN: gordoncolyn@hotmail.com
> SKYPE: gordoncolyn
> 086 123 ITNT (4868)
> 086 682 5204 (Fax)
> +27 (0)83 296 7534
> Confidentiality: This e-mail including any attachments is intended for the 
> above named addressee(s) only and contains confidential information. If you 
> have received this email in error you must take no action based on its 
> contents, nor must you reproduce or show the e-mail or any attachments or 
> any part thereof or communicate the contents to anyone; please reply to the 
> sender of this e-mail informing them of the error.
> Viruses: We recommend that in keeping with good computing practice the 
> recipient should ensure that e-mails received are virus free before opening. 
> 


-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw
From a.peacock at chime.ucl.ac.uk  Fri Dec  8 08:59:30 2006
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Fri Dec  8 08:59:48 2006
Subject: MailScanner/Sendmail/Solaris Lock Type
In-Reply-To: <45788658.1010702@usg.edu>
References: <45788658.1010702@usg.edu>
Message-ID: <45792972.3020607@chime.ucl.ac.uk>

Hi,

Bob Jones wrote:
> Hey all, I know this is a dead horse but I couldn't find anything that 
> answered this as completely as I liked.  So, I know in general, with 
> MailScanner if you are using Sendmail 8.13 you should use a Lock Type of 
> posix, and I've found many a post which mentions this.  However, I have 
> a tickle in the back of my head that on Solaris systems (9 in this 
> case), the lock type should still be flock.  Is my memory correct or do 
> I need to change it to posix?
> 

No I believe you are correct.

I run on Solaris 8 with Sendmail 8.13 and have my lock type set to flock.


A while ago I had a go at trying to stop people on this list declaring 
that you had to use lock type = posix on any system using Sendmail 8.13, 
without reference to the OS.  I gave up in the end as we continue to get 
people stating as fact that you MUST use lock type = posix for Sendmail 
8.13 without considering the OS.  The facts are that on Linux with 
Sendmail 8.13 you _MUST_ use lock type = posix, but this is not true for 
all OSs.


-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw
From gordon at itnt.co.za  Fri Dec  8 09:23:47 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Fri Dec  8 09:24:20 2006
Subject: Bayes db running in SQL with Mailscanner
References: <006401c71a9b$98eefa40$0a02a8c0@Gordon>
	<45792752.1080302@chime.ucl.ac.uk>
Message-ID: <021f01c71aaa$994077d0$0a02a8c0@Gordon>

Thanks

----- Original Message ----- 
From: "Anthony Peacock" <a.peacock@chime.ucl.ac.uk>
To: "MailScanner discussion" <mailscanner@lists.mailscanner.info>
Sent: Friday, December 08, 2006 10:50 AM
Subject: Re: Bayes db running in SQL with Mailscanner


Hi Gordon,

Gordon Colyn wrote:
> ITNT Banner Campaign
> Hi,
>
> Can anyone tell me how to setup a bayes database to run in mysql and
> mailscanner?

Setting up a mysql bayes database is done in SpamAssassin and is
basically the same whether using MailScanner or not.

> Or give me an idea where I can find info to do this?

The SpamAssassin docs and Wiki have some good information for this:

http://wiki.apache.org/spamassassin/BetterDocumentation/SqlReadmeBayes

>
> Regards
> Gordon Colyn
> InTheNet Technologies
> www.itnt.co.za
> MSN: gordoncolyn@hotmail.com
> SKYPE: gordoncolyn
> 086 123 ITNT (4868)
> 086 682 5204 (Fax)
> +27 (0)83 296 7534
> Confidentiality: This e-mail including any attachments is intended for the
> above named addressee(s) only and contains confidential information. If 
> you
> have received this email in error you must take no action based on its
> contents, nor must you reproduce or show the e-mail or any attachments or
> any part thereof or communicate the contents to anyone; please reply to 
> the
> sender of this e-mail informing them of the error.
> Viruses: We recommend that in keeping with good computing practice the
> recipient should ensure that e-mails received are virus free before 
> opening.
>


-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw
-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From martinh at solidstatelogic.com  Fri Dec  8 09:31:33 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Dec  8 09:31:45 2006
Subject: Virus Scanning Only-- how to?
In-Reply-To: <A50A29B70741ED42BE44230B1DF61184162A670D@ADAM.chapman.edu>
References: <A50A29B70741ED42BE44230B1DF61184162A670D@ADAM.chapman.edu>
Message-ID: <457930F5.5020809@solidstatelogic.com>

Chandler, Jay wrote:
> If I want MailScanner to just scan for viruses (this is in an outbound 
> only box), what needs to be changed past setting 'Use SpamAssassin = no' 
> and 'Dangerous Content Scanning = no'?
>  
>  
>  
> 
> --
> Jay Chandler
> Network Administrator, Chapman University
> 714.628.7249 / chandler@chapman.edu
> Today's Excuse: ether leak
> 
>  
> 
Jay

you need to attach a ruleset to anothter option so internal ip-addresses 
don't get scanned.. eg..

Spam Checks = %rules-dir%/internal.whitelist.rules

in internal.whitelist.rules

put

From:  192.168.1.	Yes
FromOrTo: default 	no



-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From support-lists at petdoctors.co.uk  Fri Dec  8 10:25:29 2006
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Fri Dec  8 10:25:46 2006
Subject: Getting a summary of how many emails received by each account
Message-ID: <02c501c71ab3$2f101600$3c65a8c0@support01>

Hi guys, 

Before I start googling or scripting, can anyone point me towards a command
line utility that will list the amount of mail delivered to every account
(MailScanner + PostFix), say in the last hour, day etc.?

Thanks

Nigel Kendrick

From dhawal at netmagicsolutions.com  Fri Dec  8 10:42:18 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Dec  8 10:42:34 2006
Subject: Bayes db running in SQL with Mailscanner
In-Reply-To: <021f01c71aaa$994077d0$0a02a8c0@Gordon>
References: <006401c71a9b$98eefa40$0a02a8c0@Gordon>	<45792752.1080302@chime.ucl.ac.uk>
	<021f01c71aaa$994077d0$0a02a8c0@Gordon>
Message-ID: <4579418A.50807@netmagicsolutions.com>

Gordon Colyn wrote:
>> ITNT Banner Campaign
>> Hi,
>>
>> Can anyone tell me how to setup a bayes database to run in mysql and
>> mailscanner?
> 
> Setting up a mysql bayes database is done in SpamAssassin and is
> basically the same whether using MailScanner or not.
> 
>> Or give me an idea where I can find info to do this?
> 
> The SpamAssassin docs and Wiki have some good information for this:
> 
> http://wiki.apache.org/spamassassin/BetterDocumentation/SqlReadmeBayes

One more:
http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:bayes:sql
From ja at conviator.com  Fri Dec  8 12:08:54 2006
From: ja at conviator.com (Jan Agermose)
Date: Fri Dec  8 12:09:21 2006
Subject: OT: word files
Message-ID: <6B59FCF2EFD0334A8147A1BB463F111E01E04A8F@mail-17ps.atlarge.net>

Skipped content of type multipart/alternative-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 534 bytes
Desc: image001.gif
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061208/874b79fc/attachment.gif
From admin at homemachine.net  Fri Dec  8 12:15:18 2006
From: admin at homemachine.net (Tom)
Date: Fri Dec  8 12:14:22 2006
Subject: Botnet 0.6 plugin for Spam Assassin availabile
In-Reply-To: <45785E8B.5080903@ucsc.edu>
References: <45785E8B.5080903@ucsc.edu>
Message-ID: <45795756.6060106@homemachine.net>

what does tis mean??

Lint output: [18529] warn: plugin: failed to parse plugin (from @INC): 
Can't locate Mail/SpamAssassin/Plugin/botnet.pm in @INC (@INC contains: 
lib /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.0 
/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl 
/usr/lib/perl5/vendor_perl) at (eval 61) line 1.
[18529] warn: plugin: failed to create instance of plugin 
Mail::SpamAssassin::Plugin::botnet: Can't locate object method "new" via 
package "Mail::SpamAssassin::Plugin::botnet" at (eval 62) line 1.
[18529] warn: plugin: failed to load plugin 
/etc/mail/spamassassin/Botnet.pm: No such file or directory
[18529] warn: plugin: failed to create instance of plugin 
Mail::SpamAssassin::Plugin::Botnet: Can't locate object method "new" via 
package "Mail::SpamAssassin::Plugin::Botnet" (perhaps you forgot to load 
"Mail::SpamAssassin::Plugin::Botnet"?) at (eval 700) line 1.
[18529] warn: config: failed to parse line, skipping: botnet_pass_auth 0
[18529] warn: config: failed to parse line, skipping: botnet_skip_ip 
^127\.0\.0\.1$
[18529] warn: config: failed to parse line, skipping: botnet_skip_ip 
^10\..*$
[18529] warn: config: failed to parse line, skipping: botnet_skip_ip 
^172\.1[6789]\..*$
[18529] warn: config: failed to parse line, skipping: botnet_skip_ip 
^172\.2[0-9]\..*$
[18529] warn: config: failed to parse line, skipping: botnet_skip_ip 
^172\.3[01]\..*$
[18529] warn: config: failed to parse line, skipping: botnet_skip_ip 
^192\.168\..*$
[18529] warn: config: failed to parse line, skipping: 
botnet_pass_domains amazon\.com
[18529] warn: config: failed to parse line, skipping: 
botnet_pass_domains apple\.com
[18529] warn: config: failed to parse line, skipping: 
botnet_pass_domains ebay\.com
[18529] warn: config: failed to parse line, skipping: botnet_clientwords 
= cable catv ddns dhcp dial-?up dip (a|s|d(yn)?)?dsl
[18529] warn: config: failed to parse line, skipping: botnet_clientwords 
= dynamic modem ppp res(net|ident(ial)?)?
[18529] warn: config: failed to parse line, skipping: botnet_clientwords 
= client fixed pool static user
[18529] warn: config: failed to parse line, skipping: botnet_serverwords 
= mail mta mx relay smtp
[18529] warn: rules: failed to run BOTNET_CLIENTWORDS test, skipping:
[18529] warn:  (Can't locate object method "botnet_clientwords" via 
package "Mail::SpamAssassin::PerMsgStatus" at 
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line 
2638.
[18529] warn: )
[18529] warn: rules: failed to run BOTNET_SERVERWORDS test, skipping:
[18529] warn:  (Can't locate object method "botnet_serverwords" via 
package "Mail::SpamAssassin::PerMsgStatus" at 
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line 
2638.
[18529] warn: )
[18529] warn: rules: failed to run BOTNET_IPINHOSTNAME test, skipping:
[18529] warn:  (Can't locate object method "botnet_ipinhostname" via 
package "Mail::SpamAssassin::PerMsgStatus" at 
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line 
2638.
[18529] warn: )
[18529] warn: rules: failed to run BOTNET_NORDNS test, skipping:
[18529] warn:  (Can't locate object method "botnet_nordns" via package 
"Mail::SpamAssassin::PerMsgStatus" at 
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/PerMsgStatus.pm line 
2638.
[18529] warn: )
[18529] warn: lint: 18 issues detected, please rerun with debug enabled 
for more information



John Rudd wrote:
> 
> (I had a bout of insomnia last night, and got more done than I had 
> pre-announced yesterday...)
> 
> 
> The next version of the Botnet plugin for Spam Assassin is ready.  The 
> install instructions are in the Botnet.txt file, and in the INSTALL file.
> 
> For those who don't know what Botnet is, it's a plugin which tries to 
> identify whether or not the message has been submitted by a 
> botnet/spam-zombie type host by looking at its DNS characteristics (no 
> reverse DNS, reverse DNS that doesn't resolve, or doesn't resolve back 
> to the relay's IP, or reverse DNS that contains things that look like an 
> ISP's client address).  The places I've been using it, and the people I 
> hear about who are using it, have seen a high degree of success.
> 
> It can be downloaded from:
> 
>  http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
> 
> 
> As usual, feedback, statistics, bug reports, feature suggestions, are 
> all welcome.
> 
> NOTE: This will be the last version I announce outside of the SA users 
> mailing list.  I don't want to wear out the patience of the other list 
> owners.  users@spamassassin.apache.org is where I'll make all further 
> release announcements.
> 
> 
> What's new in 0.6:
> 
> 
> 1) IP in Hostname bug fix (the same IP address octet could be matched 
> twice.. which was a problem if the octet was "1", and the hostname had a 
> sub-string like "101" in it)
> 
> 2) pass_domains, clientwords, and serverwords weren't insensitive checks
> 
> 3) typo fixed in botnet.txt
> 
> 4) moved to Net::DNS (finally; and it's going to be needed for To Do 
> item #3)
> 
> 5) perl package is now named Mail::SpamAssassin::Plugin::Botnet
> 
> 6) because clientwords and serverwords are meant to be _words_, they are 
> now wrapped by (\b|\d) (both before and after the word/expression). This 
> is to help avoid false positives where a clientword might have been a 
> substring of a larger word that shouldn't have triggered the check 
> (similarly for serverwords).
> 
> 7) similarly, pass_domains now have a leading (\.|\A) added to them IF 
> they don't already have \. or \A in front (but it will be added if the 
> expression starts with "." -- since this is a regular expression, that 
> is assumed to mean any single character, so be careful).
> 
> 8) added debug output for parse_config
> 
> 9) added "mta" and "relay" to serverwords (used by classmates.com and/or 
> reunion.com)
> 
> 10) changed dsl to (a|s|d(yn)?)?dsl in clientwords (so, covers adsl, 
> sdsl, ddsl, and dyndsl ... I've seen all of those except ddsl)
> 
> 11) added res(net|ident(ial)?)? to clientwords (rr.com supposedly uses 
> ".res." in residential/customer IP hostnames, and ".resnet." is common 
> at universities for dorm IP addresses)
> 
> 12) contemplating adding cpe and cust(omer)? to the controversial 
> clientwords (I think cpe = customer (presence/provided/?) equipment)
> 
> 
> 
> ----
> 
> 
> To Do before 1.0:
> 
> 1) prepend __ to sub-rules, only BOTNET proper should not have that
> 
> 2) separate the SA routines from the core algorithms, so that the botnet 
> checks can be used in other perl programs.  Include a script that takes 
> an IP addr and answers where/how it passed/failed.
> 
> 3) try to do a lookup on the sender's email address domain; if it points 
> back to the relay's IP address (A record, or one of the MX records), 
> then that's less likely to be a botnet.  Use this like 
> BOTNET_SERVERWORDS -- just a counter to BOTNET_CLIENT.  What about SPF, 
> too? (I think that was a suggestion in one of the alternate meta rules)
> 
> 4) credits for help I've gotten from other people
> 
> 5) get listed in the wiki
> 
> 
From jrudd at ucsc.edu  Fri Dec  8 12:37:48 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Fri Dec  8 12:38:11 2006
Subject: Botnet 0.6 plugin for Spam Assassin availabile
In-Reply-To: <45795756.6060106@homemachine.net>
References: <45785E8B.5080903@ucsc.edu> <45795756.6060106@homemachine.net>
Message-ID: <45795C9C.2040008@ucsc.edu>



Tom wrote:
> what does tis mean??
> 
> Lint output: [18529] warn: plugin: failed to parse plugin (from @INC): 
> Can't locate Mail/SpamAssassin/Plugin/botnet.pm 

This looks like you changed something so it had lower case botnet.pm 
instead of upper case Botnet.pm ... yes?  Perhaps your loadplugin line 
that you put into some cf or pre file?


What directory did you put Botnet.pm into?
What file did you put the loadplugin line for Botnet.pm into?
What does your loadplugin line look like for Botnet.pm?
What does the package line look like inside Botnet.pm?

From admin at homemachine.net  Fri Dec  8 12:45:00 2006
From: admin at homemachine.net (Tom)
Date: Fri Dec  8 12:43:59 2006
Subject: {Spam?} Re: Botnet 0.6 plugin for Spam Assassin availabile
In-Reply-To: <45795C9C.2040008@ucsc.edu>
References: <45785E8B.5080903@ucsc.edu> <45795756.6060106@homemachine.net>
	<45795C9C.2040008@ucsc.edu>
Message-ID: <45795E4C.7030609@homemachine.net>

my bad, changed to Botnet instead of botnet and all is good :)

cheers

John Rudd wrote:
> 
> 
> Tom wrote:
> 
>> what does tis mean??
>>
>> Lint output: [18529] warn: plugin: failed to parse plugin (from @INC): 
>> Can't locate Mail/SpamAssassin/Plugin/botnet.pm 
> 
> 
> This looks like you changed something so it had lower case botnet.pm 
> instead of upper case Botnet.pm ... yes?  Perhaps your loadplugin line 
> that you put into some cf or pre file?
> 
> 
> What directory did you put Botnet.pm into?
> What file did you put the loadplugin line for Botnet.pm into?
> What does your loadplugin line look like for Botnet.pm?
> What does the package line look like inside Botnet.pm?
> 
From gerard at seibercom.net  Fri Dec  8 13:01:31 2006
From: gerard at seibercom.net (Gerard Seibert)
Date: Fri Dec  8 13:01:20 2006
Subject: OT: word files
In-Reply-To: <6B59FCF2EFD0334A8147A1BB463F111E01E04A8F@mail-17ps.atlarge.net>
References: <6B59FCF2EFD0334A8147A1BB463F111E01E04A8F@mail-17ps.atlarge.net>
Message-ID: <20061208075513.B42F.GERARD@seibercom.net>

On Friday December 08, 2006 at 07:08:54 (AM) Jan Agermose wrote:

> Hi

> 1) When a warning comes out like the one about Word documents do
> you the say "ok, lets block that type of attachments" or how do you
> react? At what point do you decide to block or not? 
> 
> 2) Sort of the same: BMP files - Possible buffer overflow in
> Windows :-) is this actually still a "problem" or what. At the moment we
> block them, but it seams to annoy a lot people. Is there a way to check
> if we are ever "attacked" by BMP files or if this is simply an old
> setting that makes no sense anymore. 
> 
> 3) Are there any websites that list the current threads 

There are numerous sites available for your perusal. These are just two
of them:

http://www.sans.org/top20/
http://cve.mitre.org/

I prefer the former one myself. You also must remember that most
exploits only exist in the laboratory. Before going hog wide
indiscriminately blocking email, first check to see it it actually
exists in the wild and whether or not a patch has been issued for the
exploit. There are numerous tools available to expedite that chore.


-- 
Gerard

Posting Etiquette

	http://www.river.com/users/share/etiquette/
	http://www.html-faq.com/etiquette/?toppost
	http://www.river.com/users/share/etiquette/trumpetpower-netiquette.html
	http://www.neverending.org/~ftobin/resources/formatting_email_replies/
	http://www.reedmedia.net/misc/mail/using-mailing-list.html
	http://groups.google.com/support/bin/answer.py?answer=12348&topic=250
	http://en.wikipedia.org/wiki/Godwin's_law
From glenn.steen at gmail.com  Fri Dec  8 13:15:39 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Dec  8 13:15:43 2006
Subject: Getting a summary of how many emails received by each account
In-Reply-To: <02c501c71ab3$2f101600$3c65a8c0@support01>
References: <02c501c71ab3$2f101600$3c65a8c0@support01>
Message-ID: <223f97700612080515m279011ddu8113297dedc18b17@mail.gmail.com>

On 08/12/06, Nigel Kendrick <support-lists@petdoctors.co.uk> wrote:
> Hi guys,
>
> Before I start googling or scripting, can anyone point me towards a command
> line utility that will list the amount of mail delivered to every account
> (MailScanner + PostFix), say in the last hour, day etc.?
>
> Thanks
>
> Nigel Kendrick
>
It's not perfect, since it'll go a bit wild about the HOLD thing...
But pflogsumm from http://jimsun.linxnet.com/postfix_contrib.html is
the best thing IMO. In conjunction with MailWatch one get a real grip
on things:-).
I run it from cron once/day (since I use split maillogs, I have to
trawl /var/log/syslog ...) to get the previous days stats and
once/week for a weekly summary. For shortterm stats, MailWatch fits my
bill... Easy to script it too (just dream up the best SQL query you
can:-), but you could use pflogsumm there too.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ryanmr at goshen.edu  Fri Dec  8 13:45:43 2006
From: ryanmr at goshen.edu (Ryan Rittenhouse)
Date: Fri Dec  8 13:46:10 2006
Subject: Getting a summary of how many emails received by each account
In-Reply-To: <02c501c71ab3$2f101600$3c65a8c0@support01>
References: <02c501c71ab3$2f101600$3c65a8c0@support01>
Message-ID: <45796C87.5060903@goshen.edu>

Nigel Kendrick wrote:
> Hi guys, 
> 
> Before I start googling or scripting, can anyone point me towards a command
> line utility that will list the amount of mail delivered to every account
> (MailScanner + PostFix), say in the last hour, day etc.?
> 
> Thanks
> 
> Nigel Kendrick
> 

I've been using awstats for the last year and have been more than satisfied with the 
information it provides. # of messages and size displayed by date, day of week, hour, user 
account, etc.

http://awstats.sourceforge.net/

-Ryan Rittenhouse

From sandrews at andrewscompanies.com  Fri Dec  8 14:13:28 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Fri Dec  8 14:13:35 2006
Subject: word files
Message-ID: <1964AAFBC212F742958F9275BF63DBB0429AD1@winchester.andrewscompanies.com>

Skipped content of type multipart/alternative-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 534 bytes
Desc: image001.gif
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061208/6216fdff/attachment.gif
From ugob at camo-route.com  Fri Dec  8 15:14:21 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Dec  8 15:14:45 2006
Subject: MailScanner slow and not taking all resources available
Message-ID: <elbvgf$3t9$1@sea.gmane.org>

Hi,

This is MailScanner version 4.54.6

It sometimes happen on some servers (not always the same) that suddenly, 
the INQ grows very fast.  When I look at the server, CPU is used only 
at ~ 50% or less and MailScanner is not using the CPU that much.

- The networks seems to be ok (I can easily download a file at 1 MB/s 
(10mbps link).
- DNS resolution seems to be quick
- SA doesn't time out
- System doesn't swap
- disk i/o doesn't look saturated

Here is an excerpt of dstat output:
----total-cpu-usage---- -dsk/total- -net/total- ---paging-- ---system--
usr sys idl wai hiq siq|_read _writ|_recv _send|__in_ _out_|_int_ _csw_
  51   9  30   9   1   1|   0  1032k|  41k  246k|   0     0 | 998   857
  64   6  29   0   1   1|   0   136k|  32k  286k|   0     0 | 808   550
  53   8  39   0   0   1|   0     0 |  61k  625k|   0     0 |1179   530
  80  13   8   0   0   1|   0     0 |  30k  319k|   0     0 | 846  1350
  80   9  10   0   1   1|   0     0 |  41k  311k|   0     0 | 824   485
  84   6  10   0   0   1|   0  1264k|  29k  281k|   0     0 | 913   510
  54  13  32   0   1   1|   0     0 |  45k  327k|   0     0 | 950   579
  74  10  16   0   0   2|   0     0 |  52k  317k|   0     0 | 953   984
  54  16  30   0   0   1|   0     0 |  64k  323k|   0     0 | 995   676
  18   6  76   0   0   1|   0     0 | 122k  292k|   0     0 |1152  1053
  62  13  16   9   1   0|   0    19M|  74k  255k|   0     0 |1356  1154
  64  13  22   0   1   1|   0     0 |  45k  317k|   0     0 | 917   937
  68   8  25   0   0   0|   0     0 |  51k  325k|   0     0 | 923   558
  44  21  34   0   1   2|   0   184k|  47k  299k|   0     0 | 969   647
  47  20  20  13   0   2|   0    19M|  44k   96k|   0     0 |1002   634

top:

  10:07:18  up 40 days,  1:22,  2 users,  load average: 1.62, 1.20, 1.07
95 processes: 94 sleeping, 1 running, 0 zombie, 0 stopped
CPU states:  cpu    user    nice  system    irq  softirq  iowait    idle
            total   12.0%    0.0%    6.2%   0.0%     0.4%    0.3%   80.6%
            cpu00   14.2%    0.0%    5.0%   0.2%     0.6%    0.4%   79.6%
            cpu01    9.9%    0.0%    7.5%   0.0%     0.3%    0.3%   81.6%
Mem:  3074084k av, 2809584k used,  264500k free,       0k shrd,  134216k 
buff
                    2141452k actv,  470156k in_d,   25672k in_c
Swap: 2008104k av,    7580k used, 2000524k free                 1809200k 
cached

   PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
18116 root      18   0 78476  76M  3264 S     3.6  2.5   0:00   1 
MailScanner
15502 root      15   0  390M 390M   784 S     3.3 13.0   1:20   1 
milter-greylist
15970 root      25   0 13104  12M  3400 S     2.6  0.4   0:10   1 php
  7807 root      15   0  390M 390M   784 S     1.0 13.0   0:21   1 
milter-greylist
  7843 root      16   0  390M 390M   784 S     0.9 13.0   0:28   1 
milter-greylist
17886 root      15   0 78240  76M  3264 S     0.5  2.5   0:00   1 
MailScanner
22380 root      15   0 76008  74M  3248 S     0.1  2.4   0:25   1 
MailScanner
17840 root      15   0  1056 1056   812 R     0.1  0.0   0:00   0 top


Anyone seeing this as well?

From glenn.steen at gmail.com  Fri Dec  8 16:05:28 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Dec  8 16:05:31 2006
Subject: MailScanner slow and not taking all resources available
In-Reply-To: <elbvgf$3t9$1@sea.gmane.org>
References: <elbvgf$3t9$1@sea.gmane.org>
Message-ID: <223f97700612080805m69b61aa5hbc8f097adaf5f37b@mail.gmail.com>

On 08/12/06, Ugo Bellavance <ugob@camo-route.com> wrote:
> Hi,
>
> This is MailScanner version 4.54.6
>
> It sometimes happen on some servers (not always the same) that suddenly,
> the INQ grows very fast.  When I look at the server, CPU is used only
> at ~ 50% or less and MailScanner is not using the CPU that much.
>
> - The networks seems to be ok (I can easily download a file at 1 MB/s
> (10mbps link).
> - DNS resolution seems to be quick
> - SA doesn't time out
> - System doesn't swap
> - disk i/o doesn't look saturated
>
> Here is an excerpt of dstat output:
> ----total-cpu-usage---- -dsk/total- -net/total- ---paging-- ---system--
> usr sys idl wai hiq siq|_read _writ|_recv _send|__in_ _out_|_int_ _csw_
>   51   9  30   9   1   1|   0  1032k|  41k  246k|   0     0 | 998   857
>   64   6  29   0   1   1|   0   136k|  32k  286k|   0     0 | 808   550
>   53   8  39   0   0   1|   0     0 |  61k  625k|   0     0 |1179   530
>   80  13   8   0   0   1|   0     0 |  30k  319k|   0     0 | 846  1350
>   80   9  10   0   1   1|   0     0 |  41k  311k|   0     0 | 824   485
>   84   6  10   0   0   1|   0  1264k|  29k  281k|   0     0 | 913   510
>   54  13  32   0   1   1|   0     0 |  45k  327k|   0     0 | 950   579
>   74  10  16   0   0   2|   0     0 |  52k  317k|   0     0 | 953   984
>   54  16  30   0   0   1|   0     0 |  64k  323k|   0     0 | 995   676
>   18   6  76   0   0   1|   0     0 | 122k  292k|   0     0 |1152  1053
>   62  13  16   9   1   0|   0    19M|  74k  255k|   0     0 |1356  1154
>   64  13  22   0   1   1|   0     0 |  45k  317k|   0     0 | 917   937
>   68   8  25   0   0   0|   0     0 |  51k  325k|   0     0 | 923   558
>   44  21  34   0   1   2|   0   184k|  47k  299k|   0     0 | 969   647
>   47  20  20  13   0   2|   0    19M|  44k   96k|   0     0 |1002   634
>
> top:
>
>   10:07:18  up 40 days,  1:22,  2 users,  load average: 1.62, 1.20, 1.07
> 95 processes: 94 sleeping, 1 running, 0 zombie, 0 stopped
> CPU states:  cpu    user    nice  system    irq  softirq  iowait    idle
>             total   12.0%    0.0%    6.2%   0.0%     0.4%    0.3%   80.6%
>             cpu00   14.2%    0.0%    5.0%   0.2%     0.6%    0.4%   79.6%
>             cpu01    9.9%    0.0%    7.5%   0.0%     0.3%    0.3%   81.6%
> Mem:  3074084k av, 2809584k used,  264500k free,       0k shrd,  134216k
> buff
>                     2141452k actv,  470156k in_d,   25672k in_c
> Swap: 2008104k av,    7580k used, 2000524k free                 1809200k
> cached
>
>    PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
> 18116 root      18   0 78476  76M  3264 S     3.6  2.5   0:00   1
> MailScanner
> 15502 root      15   0  390M 390M   784 S     3.3 13.0   1:20   1
> milter-greylist
> 15970 root      25   0 13104  12M  3400 S     2.6  0.4   0:10   1 php
>   7807 root      15   0  390M 390M   784 S     1.0 13.0   0:21   1
> milter-greylist
>   7843 root      16   0  390M 390M   784 S     0.9 13.0   0:28   1
> milter-greylist
> 17886 root      15   0 78240  76M  3264 S     0.5  2.5   0:00   1
> MailScanner
> 22380 root      15   0 76008  74M  3248 S     0.1  2.4   0:25   1
> MailScanner
> 17840 root      15   0  1056 1056   812 R     0.1  0.0   0:00   0 top
>
>
> Anyone seeing this as well?
>
Not really no.
SA might not be timing out, but... Have you looked at the digest
checks? Sometimes DCC and/or Pyzor seem to have abominable response
times... On a fairly busy server (can't really call my setup "busy":-)
that would likely have a huge impact.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From martinh at solidstatelogic.com  Fri Dec  8 16:17:16 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Dec  8 16:17:59 2006
Subject: MailScanner slow and not taking all resources available
In-Reply-To: <elbvgf$3t9$1@sea.gmane.org>
References: <elbvgf$3t9$1@sea.gmane.org>
Message-ID: <4579900C.8000602@solidstatelogic.com>

Ugo Bellavance wrote:
> Hi,
> 
> This is MailScanner version 4.54.6
> 
> It sometimes happen on some servers (not always the same) that suddenly, 
> the INQ grows very fast.  When I look at the server, CPU is used only at 
> ~ 50% or less and MailScanner is not using the CPU that much.
> 
> - The networks seems to be ok (I can easily download a file at 1 MB/s 
> (10mbps link).
> - DNS resolution seems to be quick
> - SA doesn't time out
> - System doesn't swap
> - disk i/o doesn't look saturated
> 
> Here is an excerpt of dstat output:
> ----total-cpu-usage---- -dsk/total- -net/total- ---paging-- ---system--
> usr sys idl wai hiq siq|_read _writ|_recv _send|__in_ _out_|_int_ _csw_
>  51   9  30   9   1   1|   0  1032k|  41k  246k|   0     0 | 998   857
>  64   6  29   0   1   1|   0   136k|  32k  286k|   0     0 | 808   550
>  53   8  39   0   0   1|   0     0 |  61k  625k|   0     0 |1179   530
>  80  13   8   0   0   1|   0     0 |  30k  319k|   0     0 | 846  1350
>  80   9  10   0   1   1|   0     0 |  41k  311k|   0     0 | 824   485
>  84   6  10   0   0   1|   0  1264k|  29k  281k|   0     0 | 913   510
>  54  13  32   0   1   1|   0     0 |  45k  327k|   0     0 | 950   579
>  74  10  16   0   0   2|   0     0 |  52k  317k|   0     0 | 953   984
>  54  16  30   0   0   1|   0     0 |  64k  323k|   0     0 | 995   676
>  18   6  76   0   0   1|   0     0 | 122k  292k|   0     0 |1152  1053
>  62  13  16   9   1   0|   0    19M|  74k  255k|   0     0 |1356  1154
>  64  13  22   0   1   1|   0     0 |  45k  317k|   0     0 | 917   937
>  68   8  25   0   0   0|   0     0 |  51k  325k|   0     0 | 923   558
>  44  21  34   0   1   2|   0   184k|  47k  299k|   0     0 | 969   647
>  47  20  20  13   0   2|   0    19M|  44k   96k|   0     0 |1002   634
> 
> top:
> 
>  10:07:18  up 40 days,  1:22,  2 users,  load average: 1.62, 1.20, 1.07
> 95 processes: 94 sleeping, 1 running, 0 zombie, 0 stopped
> CPU states:  cpu    user    nice  system    irq  softirq  iowait    idle
>            total   12.0%    0.0%    6.2%   0.0%     0.4%    0.3%   80.6%
>            cpu00   14.2%    0.0%    5.0%   0.2%     0.6%    0.4%   79.6%
>            cpu01    9.9%    0.0%    7.5%   0.0%     0.3%    0.3%   81.6%
> Mem:  3074084k av, 2809584k used,  264500k free,       0k shrd,  134216k 
> buff
>                    2141452k actv,  470156k in_d,   25672k in_c
> Swap: 2008104k av,    7580k used, 2000524k free                 1809200k 
> cached
> 
>   PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
> 18116 root      18   0 78476  76M  3264 S     3.6  2.5   0:00   1 
> MailScanner
> 15502 root      15   0  390M 390M   784 S     3.3 13.0   1:20   1 
> milter-greylist
> 15970 root      25   0 13104  12M  3400 S     2.6  0.4   0:10   1 php
>  7807 root      15   0  390M 390M   784 S     1.0 13.0   0:21   1 
> milter-greylist
>  7843 root      16   0  390M 390M   784 S     0.9 13.0   0:28   1 
> milter-greylist
> 17886 root      15   0 78240  76M  3264 S     0.5  2.5   0:00   1 
> MailScanner
> 22380 root      15   0 76008  74M  3248 S     0.1  2.4   0:25   1 
> MailScanner
> 17840 root      15   0  1056 1056   812 R     0.1  0.0   0:00   0 top
> 
> 
> Anyone seeing this as well?
> 
Ugo

If it was anyone else I'd be asking if you'd done the performane tuning 
stuff on the wiki.

There is some odd stuff going on with the dnsrbl at the moment. People 
on the nanog list are commenting on this.

Dunno is there is some other DDOS attacks going but also opendns are 
under attack right now. Might be worth looking at which DNS/RBL's you 
are using on this and seeing if you can work around of locally mirror RBLs.
-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From stef at aoc-uk.com  Fri Dec  8 16:30:41 2006
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri Dec  8 16:30:43 2006
Subject: Allowing .pr3 files through
Message-ID: <120103F0F5EC264097BC0A06EC9D026A0111BF89@pardessus.aoc-uk.com>

Michael Mansour wrote:
> I have their setup as:
> 
> /etc/MailScanner/example.com.filename.rules.conf
> allow   \.pr3$          -       -
> 
> at the end of the file, but that does not seem to work.

As far as I know, the rules file is parsed in order and stops when a
match is found.

Thefore, try putting it at the beginning instead, so that it matches for
.pr3 and allows it before matching the general disallow rules for
executables.

Regards

Stef
Stefan Morrell          | Operations Director
Tel: 0845 3452820       | Alpha Omega Computers Ltd
Fax: 0845 3452830       | Incorporating Level 5 Internet
stef@aoc-uk.com         | stef@l5net.net
From stef at aoc-uk.com  Fri Dec  8 16:41:12 2006
From: stef at aoc-uk.com (Stef Morrell)
Date: Fri Dec  8 16:41:13 2006
Subject: "Use DCC as a daemon"
Message-ID: <120103F0F5EC264097BC0A06EC9D026A0111BF8A@pardessus.aoc-uk.com>

Hi,

As I was idly flicking through the wiki I came across (here:
http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips)
the suggestion to use DCC as a daemon, with a link to some
"instructions".

Now for some reason dccifd keeps popping up as a process on my machine
in any case. It's not causing me any pain, so I've largely ignored it
beyond a 'kill' once in a while. However if I can actually use it, that
would be better still.

The link is broken, though, it seems - does anyone know if/where the
documentation currently resides?

Ta

Stef
Stefan Morrell          | Operations Director
Tel: 0845 3452820       | Alpha Omega Computers Ltd
Fax: 0845 3452830       | Incorporating Level 5 Internet
stef@aoc-uk.com         | stef@l5net.net
From jscott at infoconex.com  Fri Dec  8 16:49:36 2006
From: jscott at infoconex.com (Jim Scott)
Date: Fri Dec  8 16:46:32 2006
Subject: Emails getting tagged as Disarmed
References: <010c01c7196a$5ea26fc0$9c15a8c0@concord.corp><el76mo$6lq$1@sea.gmane.org><002e01c719d2$370f61d0$0569a8c0@JIMLAPTOP><45786673.1020506@infoconex.com>
	<el9tdk$1k7$1@sea.gmane.org><45789D1F.6070809@infoconex.com>
	<ela8sp$f5l$1@sea.gmane.org><ela9us$id5$1@sea.gmane.org>
	<45791AAD.9040108@infoconex.com>
	<223f97700612080049m1e94e31bs45186c6fde268128@mail.gmail.com>
Message-ID: <001b01c71ae8$d8356020$9c15a8c0@concord.corp>


>>
> I'm sure you did already, but ... running "MailScanner --lint" should
> reveal any typos ....:-).
> Fat-fingering can happen to the best.... And that might justr explain
> why something you see as correct... really isn't;-).
> Oh, just one more ... You've never edited the config witha windoze
> editor, have you? No extra ^M characters lurking on some line or
> other....?
>
> -- 
> -- Glenn

Great suggestion. I actually forgot about this. However running that command 
seems to reveal that I have no errors in my .conf file.

Read 748 hostnames from the phishing whitelist
Config: calling custom init function MailWatchLogging

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
Creating hardcoded struct_flock subroutine for linux (Linux-type)
MailScanner.conf says "Virus Scanners = clamavmodule f-prot"
Found these virus scanners installed: f-prot, clamavmodule

From KGoods at AIAInsurance.com  Fri Dec  8 16:47:42 2006
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Fri Dec  8 16:55:01 2006
Subject: Way OT... Anyone having DNS Problems today?
Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C2904C@aiainsurance.com>

We're experiencing an issue where about 50% of the sites we try to visit
will not come up and about the same amount are returning emails as
undeliverable. I can get to Google, MSN, and a few others but not to Amazon,
yahoo, etc.. etc...
 
Almost looks like DNS poisoning because the error message I get is from an
Apache system and not the usual one I would normally get from our proxy
server. 
 
Has anyone else noticed anything strange with DNS this morning? 
 
TIA,
Ken

Ken Goods
Network Administrator
AIA/CropUSA Insurance, Inc.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061208/67671ba3/attachment.html
From ugob at camo-route.com  Fri Dec  8 17:00:07 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Dec  8 17:00:37 2006
Subject: MailScanner slow and not taking all resources available
In-Reply-To: <4579900C.8000602@solidstatelogic.com>
References: <elbvgf$3t9$1@sea.gmane.org> <4579900C.8000602@solidstatelogic.com>
Message-ID: <elc5mp$r0f$1@sea.gmane.org>

Martin Hepworth wrote:
> Ugo Bellavance wrote:
>> Hi,
>>
>> This is MailScanner version 4.54.6
>>
>> It sometimes happen on some servers (not always the same) that 
>> suddenly, the INQ grows very fast.  When I look at the server, CPU is 
>> used only at ~ 50% or less and MailScanner is not using the CPU that 
>> much.
>>
>> - The networks seems to be ok (I can easily download a file at 1 MB/s 
>> (10mbps link).
>> - DNS resolution seems to be quick
>> - SA doesn't time out
>> - System doesn't swap
>> - disk i/o doesn't look saturated
>>

<snip>

>> Anyone seeing this as well?
>>
> Ugo
> 
> If it was anyone else I'd be asking if you'd done the performane tuning 
> stuff on the wiki.
> 
> There is some odd stuff going on with the dnsrbl at the moment. People 
> on the nanog list are commenting on this.
> 
> Dunno is there is some other DDOS attacks going but also opendns are 
> under attack right now. Might be worth looking at which DNS/RBL's you 
> are using on this and seeing if you can work around of locally mirror RBLs.

It has now come back to normal... network congestion I think.

Regards,

Ugo


From martinh at solidstatelogic.com  Fri Dec  8 17:02:57 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Dec  8 17:03:23 2006
Subject: Way OT... Anyone having DNS Problems today?
In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C2904C@aiainsurance.com>
References: <13C0059880FDD3118DC600508B6D4A6D01C2904C@aiainsurance.com>
Message-ID: <45799AC1.3040101@solidstatelogic.com>

Ken Goods wrote:
> We're experiencing an issue where about 50% of the sites we try to 
> visit will not come up and about the same amount are returning emails as 
> undeliverable. I can get to Google, MSN, and a few others but not to 
> Amazon, yahoo, etc.. etc...
>  
> Almost looks like DNS poisoning because the error message I get is from 
> an Apache system and not the usual one I would normally get from our 
> proxy server.
>  
> Has anyone else noticed anything strange with DNS this morning?
>  
> TIA,
> Ken
> 
> Ken Goods
> Network Administrator
> AIA/CropUSA Insurance, Inc.
> 
Ken

opendns is under attack for the last few days. also one of the RBL's has 
been having problems over last night....

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From ka at pacific.net  Fri Dec  8 17:20:30 2006
From: ka at pacific.net (Ken A)
Date: Fri Dec  8 17:17:50 2006
Subject: Virus Scanning Only-- how to?
In-Reply-To: <elatvd$v01$3@sea.gmane.org>
References: <A50A29B70741ED42BE44230B1DF61184162A670D@ADAM.chapman.edu>	<45787D44.7050709@enitech.com.au>
	<elatvd$v01$3@sea.gmane.org>
Message-ID: <45799EDE.5000007@pacific.net>



Ugo Bellavance wrote:
> Pete Russell wrote:
>> I guess you could turn off filetype and filename scanning too...?
>>
>> Chandler, Jay wrote:
>>> If I want MailScanner to just scan for viruses (this is in an 
>>> outbound only box), what needs to be changed past setting 'Use 
>>> SpamAssassin = no' and 'Dangerous Content Scanning = no'?
> 
> And phishing
> 

And MailScanner. ;-)
Why not just use clamav-milter or some other simpler approach, if all 
you want it virus checks.
Ken A.
Pacific.Net


>>>  
>>>  
>>>
>>> -- 
>>> Jay Chandler
>>> Network Administrator, Chapman University
>>> 714.628.7249 / chandler@chapman.edu
>>> Today's Excuse: ether leak
>>>
>>>  
>>>
> 
From KGoods at AIAInsurance.com  Fri Dec  8 17:34:32 2006
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Fri Dec  8 17:41:53 2006
Subject: Way OT... Anyone having DNS Problems today?
Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C2904E@aiainsurance.com>

Martin Hepworth wrote:
> Ken Goods wrote:
>> We're experiencing an issue where about 50% of the sites we try to
>> visit will not come up and about the same amount are returning
>> emails as undeliverable. I can get to Google, MSN, and a few others
>> but not to Amazon, yahoo, etc.. etc... 
>> 
>> Almost looks like DNS poisoning because the error message I get is
>> from an Apache system and not the usual one I would normally get
>> from our proxy server. 
>> 
>> Has anyone else noticed anything strange with DNS this morning?
>> 
>> TIA,
>> Ken
>> 
>> Ken Goods
>> Network Administrator
>> AIA/CropUSA Insurance, Inc.
>> 
> Ken
> 
> opendns is under attack for the last few days. also one of the RBL's
> has been having problems over last night....
> 
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
> 
> **********************************************************************
> 
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
> 
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
> 
> **********************************************************************

Thanks Martin,
Upon looking closer at the DNS cache I noticed a lot of entries with A
records pointing to 64.34.222.20 making me think it was DNS poisoning. But
after clearing the DNS cache I'm still having problems with a few sites. I'm
still not sure exactly what's going on because I get error trying to display
yahoo.com: 

Not Found
The requested URL / was not found on this server.
----------------------------------------------------------------------------
----
Apache/1.3.34 Server at www.yahoo.com Port 80

Which I also get on cnn.com and who knows how many others, but in looking at
the cache the ip's for yahoo's nameservers appear to be correct now (after
clearing the cache and restarting DNS). I guess the next step would be to
reboot that machine just to make sure it's not the culprit. 

Thanks again for your input.
Kind regards,
Ken

Ken Goods
Network Administrator
AIA/CropUSA Insurance, Inc.

From vosburgh at dalsemi.com  Fri Dec  8 18:16:27 2006
From: vosburgh at dalsemi.com (David Vosburgh)
Date: Fri Dec  8 18:17:19 2006
Subject: MailScanner slow and not taking all resources available
In-Reply-To: <elbvgf$3t9$1@sea.gmane.org>
References: <elbvgf$3t9$1@sea.gmane.org>
Message-ID: <4579ABFB.8010300@dalsemi.com>

Ugo Bellavance wrote:
> Hi,
> 
> This is MailScanner version 4.54.6
> 
> It sometimes happen on some servers (not always the same) that suddenly, 
> the INQ grows very fast.  When I look at the server, CPU is used only at 
> ~ 50% or less and MailScanner is not using the CPU that much.
> 
> - The networks seems to be ok (I can easily download a file at 1 MB/s 
> (10mbps link).
> - DNS resolution seems to be quick
> - SA doesn't time out
> - System doesn't swap
> - disk i/o doesn't look saturated
> 
> Here is an excerpt of dstat output:
> ----total-cpu-usage---- -dsk/total- -net/total- ---paging-- ---system--
> usr sys idl wai hiq siq|_read _writ|_recv _send|__in_ _out_|_int_ _csw_
>  51   9  30   9   1   1|   0  1032k|  41k  246k|   0     0 | 998   857
>  64   6  29   0   1   1|   0   136k|  32k  286k|   0     0 | 808   550
>  53   8  39   0   0   1|   0     0 |  61k  625k|   0     0 |1179   530
>  80  13   8   0   0   1|   0     0 |  30k  319k|   0     0 | 846  1350
>  80   9  10   0   1   1|   0     0 |  41k  311k|   0     0 | 824   485
>  84   6  10   0   0   1|   0  1264k|  29k  281k|   0     0 | 913   510
>  54  13  32   0   1   1|   0     0 |  45k  327k|   0     0 | 950   579
>  74  10  16   0   0   2|   0     0 |  52k  317k|   0     0 | 953   984
>  54  16  30   0   0   1|   0     0 |  64k  323k|   0     0 | 995   676
>  18   6  76   0   0   1|   0     0 | 122k  292k|   0     0 |1152  1053
>  62  13  16   9   1   0|   0    19M|  74k  255k|   0     0 |1356  1154
>  64  13  22   0   1   1|   0     0 |  45k  317k|   0     0 | 917   937
>  68   8  25   0   0   0|   0     0 |  51k  325k|   0     0 | 923   558
>  44  21  34   0   1   2|   0   184k|  47k  299k|   0     0 | 969   647
>  47  20  20  13   0   2|   0    19M|  44k   96k|   0     0 |1002   634
> 
> top:
> 
>  10:07:18  up 40 days,  1:22,  2 users,  load average: 1.62, 1.20, 1.07
> 95 processes: 94 sleeping, 1 running, 0 zombie, 0 stopped
> CPU states:  cpu    user    nice  system    irq  softirq  iowait    idle
>            total   12.0%    0.0%    6.2%   0.0%     0.4%    0.3%   80.6%
>            cpu00   14.2%    0.0%    5.0%   0.2%     0.6%    0.4%   79.6%
>            cpu01    9.9%    0.0%    7.5%   0.0%     0.3%    0.3%   81.6%
> Mem:  3074084k av, 2809584k used,  264500k free,       0k shrd,  134216k 
> buff
>                    2141452k actv,  470156k in_d,   25672k in_c
> Swap: 2008104k av,    7580k used, 2000524k free                 1809200k 
> cached
> 
>   PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
> 18116 root      18   0 78476  76M  3264 S     3.6  2.5   0:00   1 
> MailScanner
> 15502 root      15   0  390M 390M   784 S     3.3 13.0   1:20   1 
> milter-greylist
> 15970 root      25   0 13104  12M  3400 S     2.6  0.4   0:10   1 php
>  7807 root      15   0  390M 390M   784 S     1.0 13.0   0:21   1 
> milter-greylist
>  7843 root      16   0  390M 390M   784 S     0.9 13.0   0:28   1 
> milter-greylist
> 17886 root      15   0 78240  76M  3264 S     0.5  2.5   0:00   1 
> MailScanner
> 22380 root      15   0 76008  74M  3248 S     0.1  2.4   0:25   1 
> MailScanner
> 17840 root      15   0  1056 1056   812 R     0.1  0.0   0:00   0 top
> 
> 
> Anyone seeing this as well?
> 
I've seen something similar on another admins system.  There were four 
essentially identical systems (that is, same hardware and OS, and fairly 
close in terms of revs of MS/SA etc.) filtering mail for one domain. One 
had a backlog in mqueue.in of something like 8k messages, yet the load 
average on this two processor box was something like 0.2.  I looked at 
most of the normal things at a system level as you did.  I ran test 
messages through looking for obvious bottlenecks in the system (none), 
and no SA timeouts at all. Nothing leapt out at me.  In looking at the 
maillog, despite the large inbound queue, MailScanner was not picking 
messages up very often to process.  There were ten MS processes going, 
it was only picking up a new batch for processing every few minutes.  I 
helped him tweak the queue run interval (lower) and the number of MS 
processes (fewer), and it seemed to help a bit, but I honestly think it 
was more just coincidence.  I need to check back in with him this 
weekend to see how it's behaving now.

Dave


From r.berber at computer.org  Fri Dec  8 18:50:47 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Fri Dec  8 18:51:34 2006
Subject: MailScanner/Sendmail/Solaris Lock Type
In-Reply-To: <45788658.1010702@usg.edu>
References: <45788658.1010702@usg.edu>
Message-ID: <elcc6i$jnr$1@sea.gmane.org>

Bob Jones wrote:

> Hey all, I know this is a dead horse but I couldn't find anything that
> answered this as completely as I liked.  So, I know in general, with
> MailScanner if you are using Sendmail 8.13 you should use a Lock Type of
> posix, and I've found many a post which mentions this.  However, I have
> a tickle in the back of my head that on Solaris systems (9 in this
> case), the lock type should still be flock.  Is my memory correct or do
> I need to change it to posix?

It should match what sendmail is using, and by default it is using fcntl not
flock.  Ref: sendmail-8.13.8/sendmail/README :

"HASFLOCK	Set this if you prefer to use the flock(2) system call
		rather than using fcntl-based locking.  Fcntl locking
		has some semantic gotchas, but many vendor systems
		also interface it to lockd(8) to do NFS-style locking.
		Unfortunately, may vendors implementations of fcntl locking
		is just plain broken (e.g., locks are never released,
		causing your sendmail to deadlock; when the kernel runs
		out of locks your system crashes).  For this reason, I
		recommend always defining this unless you are absolutely
		certain that your fcntl locking implementation really works."

And there is nothing in sendmail-8.13.8/devtools/OS/SunOS.5.9 that changes this.

I've heard bad things about Solaris' implementation of fcntl, about it being
just a wrapper around flock, but FWIW I'm using it with no problem under Sol9
and low to moderate load; and I used flock under Sol8/Sol9 with an older
MailScanner version also without a problem.
-- 
Ren? Berber

From dnsadmin at 1bigthink.com  Fri Dec  8 19:21:32 2006
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Fri Dec  8 19:22:23 2006
Subject: Need confirmation on Posix/flock settings
Message-ID: <7.0.1.0.0.20061208141624.06ef5550@1bigthink.com>

Hello All,

I recently upgraded with the current ClamAV/SpamAssassin tarball and 
had flock set after SpamAssassin upgrade, but I seem to remember that 
I was advised to run Posix on a 2.6x kernel.

I am running mailscanner-4.50.15-1 from RPM install and latest 
ClamAV/SpamAsassin install on CentOS 4.4, kernel 2.6.

Please confirm; I should be running locking-type = posix, correct???

Thanks,
Glenn

From res at ausics.net  Fri Dec  8 20:56:17 2006
From: res at ausics.net (Res)
Date: Fri Dec  8 20:56:30 2006
Subject: MailScanner slow and not taking all resources available
In-Reply-To: <223f97700612080805m69b61aa5hbc8f097adaf5f37b@mail.gmail.com>
References: <elbvgf$3t9$1@sea.gmane.org>
	<223f97700612080805m69b61aa5hbc8f097adaf5f37b@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.0612090653520.9976@ebfjryy.nhfvpf.arg>

On Fri, 8 Dec 2006, Glenn Steen wrote:

>> 
> Not really no.
> SA might not be timing out, but... Have you looked at the digest
> checks? Sometimes DCC and/or Pyzor seem to have abominable response
> times... On a fairly busy server (can't really call my setup "busy":-)
> that would likely have a huge impact.

I fully agree with Mr PostMix :P

I had to remove these months ago for this very reason, people wanted mail 
within minutes, not the next day :)


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From micoots at yahoo.com  Fri Dec  8 21:01:09 2006
From: micoots at yahoo.com (Michael Mansour)
Date: Fri Dec  8 21:01:12 2006
Subject: Allowing .pr3 files through
Message-ID: <20061208210109.47804.qmail@web33314.mail.mud.yahoo.com>

Hi Stef, 

I put the rule to the top of the list and the "bad content" was still tagged on the message.

I believe this is tagged from the "filetype" rules area not "filename".

If that's the case, what sort of rule would I need to put in to allow .pr3 files?

The filetype fules I have for this domain are:

allow   text            -                       -
allow   script          -                       -
allow   archive         -                       -
allow   postscript      -                       -
deny    self-extract    No self-extracting archives     No self-extracting archives allowed
deny    ELF             No executables          No programs allowed
deny    executable      No executables          No programs allowed
allow   MPEG            Yes MPEG movies         MPEG movies allowed
allow   AVI             Yes AVI movies          AVI movies allowed
allow   MNG             Yes MNG/PNG movies      MNG movies allowed
allow   Quicktime       Yes Quicktime movies    Quicktime movies allowed
allow   ASF             Yes Windows media       Windows media files allowed
allow   BMP             Yes BMP files           BMP graphics files allowed
deny    Registry        No Windows Registry entries     No Windows Registry files allowed

Thanks.

Michael.

Michael Mansour wrote: 
> I have their setup as: 
> 
> /etc/MailScanner/example.com.filename.rules.conf 
> allow \.pr3$ - - 
> 
> at the end of the file, but that does not seem to work. 

As far as I know, the rules file is parsed in order and stops when a 
match is found. 

Thefore, try putting it at the beginning instead, so that it matches for 
.pr3 and allows it before matching the general disallow rules for 
executables. 

Regards 

Stef 
Stefan Morrell | Operations Director 
Tel: 0845 3452820 | Alpha Omega Computers Ltd 
Fax: 0845 3452830 | Incorporating Level 5 Internet 
stef@aoc-uk.com | stef@l5net.net 
-- 
MailScanner mailing list 
mailscanner@lists.mailscanner.info 
http://lists.mailscanner.info/mailman/listinfo/mailscanner 

Before posting, read http://wiki.mailscanner.info/posting 

Support MailScanner development - buy the book off the website!

Send instant messages to your online friends http://au.messenger.yahoo.com 
From res at ausics.net  Fri Dec  8 21:25:40 2006
From: res at ausics.net (Res)
Date: Fri Dec  8 21:25:50 2006
Subject: Allowing .pr3 files through
In-Reply-To: <20061208210109.47804.qmail@web33314.mail.mud.yahoo.com>
References: <20061208210109.47804.qmail@web33314.mail.mud.yahoo.com>
Message-ID: <Pine.LNX.4.64.0612090722210.9976@ebfjryy.nhfvpf.arg>


On Fri, 8 Dec 2006, Michael Mansour wrote:

> Hi Stef,
>
> I put the rule to the top of the list and the "bad content" was still tagged on the message.
>
> I believe this is tagged from the "filetype" rules area not "filename".

It might think its an executable PR3 can be used as postsrcipt extension 
so I'm suprised it's not allowed with what you have


Filetype rules will over-ride filename everytime, filetype is based on 
system " file " where filename I don't beleive uses file in tests and just 
takes your word for it on filename, making filetype a much more sensible 
approach to be the top level guardian.

try :
file /full/path/to/file.pr3
and see what it says it thinks it is


>
> If that's the case, what sort of rule would I need to put in to allow .pr3 files?
>
> The filetype fules I have for this domain are:
>
> allow   text            -                       -
> allow   script          -                       -
> allow   archive         -                       -
> allow   postscript      -                       -
> deny    self-extract    No self-extracting archives     No self-extracting archives allowed
> deny    ELF             No executables          No programs allowed
> deny    executable      No executables          No programs allowed
> allow   MPEG            Yes MPEG movies         MPEG movies allowed
> allow   AVI             Yes AVI movies          AVI movies allowed
> allow   MNG             Yes MNG/PNG movies      MNG movies allowed
> allow   Quicktime       Yes Quicktime movies    Quicktime movies allowed
> allow   ASF             Yes Windows media       Windows media files allowed
> allow   BMP             Yes BMP files           BMP graphics files allowed
> deny    Registry        No Windows Registry entries     No Windows Registry files allowed
>
> Thanks.
>
> Michael.
>
> Michael Mansour wrote:
>> I have their setup as:
>>
>> /etc/MailScanner/example.com.filename.rules.conf
>> allow \.pr3$ - -
>>
>> at the end of the file, but that does not seem to work.
>
> As far as I know, the rules file is parsed in order and stops when a
> match is found.
>
> Thefore, try putting it at the beginning instead, so that it matches for
> .pr3 and allows it before matching the general disallow rules for
> executables.
>
> Regards
>
> Stef
> Stefan Morrell | Operations Director
> Tel: 0845 3452820 | Alpha Omega Computers Ltd
> Fax: 0845 3452830 | Incorporating Level 5 Internet
> stef@aoc-uk.com | stef@l5net.net
>

-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From glenn.steen at gmail.com  Fri Dec  8 21:26:19 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Dec  8 21:26:25 2006
Subject: "Use DCC as a daemon"
In-Reply-To: <120103F0F5EC264097BC0A06EC9D026A0111BF8A@pardessus.aoc-uk.com>
References: <120103F0F5EC264097BC0A06EC9D026A0111BF8A@pardessus.aoc-uk.com>
Message-ID: <223f97700612081326x43eee717xab166dc1aeb30e7d@mail.gmail.com>

On 08/12/06, Stef Morrell <stef@aoc-uk.com> wrote:
> Hi,
>
> As I was idly flicking through the wiki I came across (here:
> http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips)
> the suggestion to use DCC as a daemon, with a link to some
> "instructions".
>
> Now for some reason dccifd keeps popping up as a process on my machine
> in any case. It's not causing me any pain, so I've largely ignored it
> beyond a 'kill' once in a while. However if I can actually use it, that
> would be better still.
>
> The link is broken, though, it seems - does anyone know if/where the
> documentation currently resides?
>
> Ta
Ouch! Seems the old Faq-o-matic is off-line... Whether by design or
accident, I don't know (has happened before, then it was by accident).
It has, unfortunately, proved to be a bigger chore than expected to
move it all into the wiki... Mostly because one wants to ...
improve/rewrite/tidy up, as one goes along. And some things, I (and
obviously others too:-) simplky can't write about (since we lack the
specific knowledge... Simply don't use everything under the Sun;-).
Someone should perhaps prod Jules about the faq-o-matic...

Meanwhile, go look at
http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:dcc:dccifd_install
which seem to contain everything you need:-). Seems someone (who has a
bit of free time:-) should go through the wiki and do some link sanity
checks:-D

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Fri Dec  8 21:34:06 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Dec  8 21:34:09 2006
Subject: Way OT... Anyone having DNS Problems today?
In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C2904E@aiainsurance.com>
References: <13C0059880FDD3118DC600508B6D4A6D01C2904E@aiainsurance.com>
Message-ID: <223f97700612081334m183e813bp5425a555939d09ac@mail.gmail.com>

On 08/12/06, Ken Goods <KGoods@aiainsurance.com> wrote:
> Martin Hepworth wrote:
> > Ken Goods wrote:
> >> We're experiencing an issue where about 50% of the sites we try to
> >> visit will not come up and about the same amount are returning
> >> emails as undeliverable. I can get to Google, MSN, and a few others
> >> but not to Amazon, yahoo, etc.. etc...
> >>
> >> Almost looks like DNS poisoning because the error message I get is
> >> from an Apache system and not the usual one I would normally get
> >> from our proxy server.
> >>
> >> Has anyone else noticed anything strange with DNS this morning?
> >>
> >> TIA,
> >> Ken
> >>
> >> Ken Goods
> >> Network Administrator
> >> AIA/CropUSA Insurance, Inc.
> >>
> > Ken
> >
> > opendns is under attack for the last few days. also one of the RBL's
> > has been having problems over last night....
> >
> > --
> > Martin Hepworth
> > Senior Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> > **********************************************************************
> >
> > This email and any files transmitted with it are confidential and
> > intended solely for the use of the individual or entity to whom they
> > are addressed. If you have received this email in error please notify
> > the system manager.
> >
> > This footnote confirms that this email message has been swept
> > for the presence of computer viruses and is believed to be clean.
> >
> > **********************************************************************
>
> Thanks Martin,
> Upon looking closer at the DNS cache I noticed a lot of entries with A
> records pointing to 64.34.222.20 making me think it was DNS poisoning. But
> after clearing the DNS cache I'm still having problems with a few sites. I'm
> still not sure exactly what's going on because I get error trying to display
> yahoo.com:
>
> Not Found
> The requested URL / was not found on this server.
> ----------------------------------------------------------------------------
> ----
> Apache/1.3.34 Server at www.yahoo.com Port 80
>
> Which I also get on cnn.com and who knows how many others, but in looking at
> the cache the ip's for yahoo's nameservers appear to be correct now (after
> clearing the cache and restarting DNS). I guess the next step would be to
> reboot that machine just to make sure it's not the culprit.
>
> Thanks again for your input.
> Kind regards,
> Ken

You mention a proxy, so... look long and hard at that one (not just DNS cache).
Also, what's your upstream, in regard to DNS? Using any generic
forwarders? Might be them being "poisoned" too...

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ssilva at sgvwater.com  Fri Dec  8 21:40:00 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec  8 21:40:09 2006
Subject: "Use DCC as a daemon"
In-Reply-To: <120103F0F5EC264097BC0A06EC9D026A0111BF8A@pardessus.aoc-uk.com>
References: <120103F0F5EC264097BC0A06EC9D026A0111BF8A@pardessus.aoc-uk.com>
Message-ID: <elcm3h$olp$1@sea.gmane.org>

Stef Morrell spake the following on 12/8/2006 8:41 AM:
> Hi,
> 
> As I was idly flicking through the wiki I came across (here:
> http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips)
> the suggestion to use DCC as a daemon, with a link to some
> "instructions".
> 
> Now for some reason dccifd keeps popping up as a process on my machine
> in any case. It's not causing me any pain, so I've largely ignored it
> beyond a 'kill' once in a while. However if I can actually use it, that
> would be better still.
> 
> The link is broken, though, it seems - does anyone know if/where the
> documentation currently resides?
> 
You control DCC through its conf file. If you enable dccifd and disable
dccproc in the conf file, spamassassin and mailscanner will just use it. The
difference is very noticeable, as you don't have to start dcc for every message.
The docs are at
http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:dcc:dccifd_install

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From glenn.steen at gmail.com  Fri Dec  8 21:40:22 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Dec  8 21:40:26 2006
Subject: MailScanner/Sendmail/Solaris Lock Type
In-Reply-To: <elcc6i$jnr$1@sea.gmane.org>
References: <45788658.1010702@usg.edu> <elcc6i$jnr$1@sea.gmane.org>
Message-ID: <223f97700612081340o7d2aeb35n17f432d28439d748@mail.gmail.com>

On 08/12/06, Ren? Berber <r.berber@computer.org> wrote:
(snip)
>
> I've heard bad things about Solaris' implementation of fcntl, about it being
> just a wrapper around flock, but FWIW I'm using it with no problem under Sol9
> and low to moderate load; and I used flock under Sol8/Sol9 with an older
> MailScanner version also without a problem.
That chimes well with it being a wrapper (note: I have no such
knowledge, so get that notion confirmed!:-)... If fcntl (a.k.a.
posix:) is just a wrapper around flock, a file locking scheme using
either would end up with the same... namely flock, so there really
would be no problem at all.
It should be easy enough to make a couple of test scripts to see if
the "wrapper idea" really is true...;)

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ssilva at sgvwater.com  Fri Dec  8 21:41:59 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec  8 21:45:12 2006
Subject: Way OT... Anyone having DNS Problems today?
In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C2904C@aiainsurance.com>
References: <13C0059880FDD3118DC600508B6D4A6D01C2904C@aiainsurance.com>
Message-ID: <elcm77$olp$2@sea.gmane.org>

Ken Goods spake the following on 12/8/2006 8:47 AM:
> We're experiencing an issue where about 50% of the sites we try to
> visit will not come up and about the same amount are returning emails as
> undeliverable. I can get to Google, MSN, and a few others but not to
> Amazon, yahoo, etc.. etc...
>  
> Almost looks like DNS poisoning because the error message I get is from
> an Apache system and not the usual one I would normally get from our
> proxy server.
>  
> Has anyone else noticed anything strange with DNS this morning?
>  
> TIA,
> Ken
> 
> Ken Goods
> Network Administrator
> AIA/CropUSA Insurance, Inc.
> 
Here is a quick look at the state of the net;
http://www.internettrafficreport.com/


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From KGoods at AIAInsurance.com  Fri Dec  8 21:39:36 2006
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Fri Dec  8 21:46:57 2006
Subject: Way OT... Anyone having DNS Problems today?
Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C29054@aiainsurance.com>

Glenn Steen wrote:

*snip*

> 
> You mention a proxy, so... look long and hard at that one (not just
> DNS cache). Also, what's your upstream, in regard to DNS? Using any
> generic 
> forwarders? Might be them being "poisoned" too...
> 
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

Yes... it looks like there's some kind of boogie man between the proxy (MS
2.0) and DNS also the dreaded MS product (both on the same box). I telnetted
into the MailScanner box and did a dig and host to yahoo.com and both
resolve correctly using the same MS DNS server so it's only our internal
people (behind the proxy) that are affected. Querying the DNS server from
outside produces the correct responses. But since that's also our web server
and Exchange server I'll have to wait until later to reboot it.

Upstream are the root servers.... ;) no generic forwarders... it's all the
dumb MS box! :) It's still looks like it was caused initially by DNS
poisoning (something I can't fix on the version of DNS I'm running). Last
time it happened (early spring this year) I just cleared the cache and
blocked the offending IP's at the firewall.

Thanks for you input.
Kind regards,
Ken

Ken Goods
Network Administrator
AIA/CropUSA Insurance, Inc.

From ssilva at sgvwater.com  Fri Dec  8 21:57:27 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec  8 21:57:47 2006
Subject: Need confirmation on Posix/flock settings
In-Reply-To: <7.0.1.0.0.20061208141624.06ef5550@1bigthink.com>
References: <7.0.1.0.0.20061208141624.06ef5550@1bigthink.com>
Message-ID: <elcn47$rnd$1@sea.gmane.org>

dnsadmin 1bigthink.com spake the following on 12/8/2006 11:21 AM:
> Hello All,
> 
> I recently upgraded with the current ClamAV/SpamAssassin tarball and had
> flock set after SpamAssassin upgrade, but I seem to remember that I was
> advised to run Posix on a 2.6x kernel.
> 
> I am running mailscanner-4.50.15-1 from RPM install and latest
> ClamAV/SpamAsassin install on CentOS 4.4, kernel 2.6.
> 
> Please confirm; I should be running locking-type = posix, correct???
> 
> Thanks,
> Glenn
> 
Posix with sendmail 8.13 on linux. Centos 4.4 has sendmail 8.13.
If running on postfix, your answer will follow from those more knowledgeable...


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From dnsadmin at 1bigthink.com  Fri Dec  8 22:20:05 2006
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Fri Dec  8 22:20:25 2006
Subject: Need confirmation on Posix/flock settings
In-Reply-To: <elcn47$rnd$1@sea.gmane.org>
References: <7.0.1.0.0.20061208141624.06ef5550@1bigthink.com>
	<elcn47$rnd$1@sea.gmane.org>
Message-ID: <7.0.1.0.0.20061208171602.0b3f9c38@1bigthink.com>

At 04:57 PM 12/8/2006, you wrote:

>dnsadmin 1bigthink.com spake the following on 12/8/2006 11:21 AM:
> > Hello All,
> >
> > I recently upgraded with the current ClamAV/SpamAssassin tarball and had
> > flock set after SpamAssassin upgrade, but I seem to remember that I was
> > advised to run Posix on a 2.6x kernel.
> >
> > I am running mailscanner-4.50.15-1 from RPM install and latest
> > ClamAV/SpamAsassin install on CentOS 4.4, kernel 2.6.
> >
> > Please confirm; I should be running locking-type = posix, correct???
> >
> > Thanks,
> > Glenn
> >
>Posix with sendmail 8.13 on linux. Centos 4.4 has sendmail 8.13.
>If running on postfix, your answer will follow from those more 
>knowledgeable...
>
>

Thanks Scott! Yep, that's got me!

Now one more question, though; it's flock on kernel 2.4, isn't it?

I also have a mailserver on Whitebox 3.x. same 
MailScanner/SpamAssassin version, sendmail 8.12.x. Yes, I know.. I'd 
love to upgrade it, but I can't at the moment.

Thanks,
Glenn Parsons

>--
>
>MailScanner is like deodorant...
>You hope everybody uses it, and
>you notice quickly if they don't!!!!
>
>--
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!

From ssilva at sgvwater.com  Fri Dec  8 22:45:10 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec  8 22:45:44 2006
Subject: Need confirmation on Posix/flock settings
In-Reply-To: <7.0.1.0.0.20061208171602.0b3f9c38@1bigthink.com>
References: <7.0.1.0.0.20061208141624.06ef5550@1bigthink.com>	<elcn47$rnd$1@sea.gmane.org>
	<7.0.1.0.0.20061208171602.0b3f9c38@1bigthink.com>
Message-ID: <elcptn$4ka$1@sea.gmane.org>

dnsadmin 1bigthink.com spake the following on 12/8/2006 2:20 PM:
> At 04:57 PM 12/8/2006, you wrote:
> 
>> dnsadmin 1bigthink.com spake the following on 12/8/2006 11:21 AM:
>> > Hello All,
>> >
>> > I recently upgraded with the current ClamAV/SpamAssassin tarball and
>> had
>> > flock set after SpamAssassin upgrade, but I seem to remember that I was
>> > advised to run Posix on a 2.6x kernel.
>> >
>> > I am running mailscanner-4.50.15-1 from RPM install and latest
>> > ClamAV/SpamAsassin install on CentOS 4.4, kernel 2.6.
>> >
>> > Please confirm; I should be running locking-type = posix, correct???
>> >
>> > Thanks,
>> > Glenn
>> >
>> Posix with sendmail 8.13 on linux. Centos 4.4 has sendmail 8.13.
>> If running on postfix, your answer will follow from those more
>> knowledgeable...
>>
>>
> 
> Thanks Scott! Yep, that's got me!
> 
> Now one more question, though; it's flock on kernel 2.4, isn't it?
> 
> I also have a mailserver on Whitebox 3.x. same MailScanner/SpamAssassin
> version, sendmail 8.12.x. Yes, I know.. I'd love to upgrade it, but I
> can't at the moment.
> 
> Thanks,
> Glenn Parsons
> 
>> -- 
>>
>> MailScanner is like deodorant...
>> You hope everybody uses it, and
>> you notice quickly if they don't!!!!
>>
>> -- 
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
> 
I think that sendmail 8.13 is not compiled with flock support on any linux
version or kernel. The only way I know for sure is to run the following on the
suspected system;
sendmail -bt -d0.10 < /dev/null | grep HASFLOCK and see if it matches.
If it returns blank, then use posix.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ajos1 at onion.demon.co.uk  Fri Dec  8 23:32:09 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Fri Dec  8 23:32:16 2006
Subject: Quarantine Dir on Web Server
Message-ID: <sentfri08dec2006233209gmtbstajos1@sonicbadger.com>

-

Initially I would look in the directory to see if any files are being put in there... rather than guessing that they might be there.

ls /var/www/html/quarantine
du /var/www/html/quarantine

Will indicate if  /var/www/html/quarantine  is empty or not...

If there are items in there... then I would look at permissions as the next step.

-----Original Message-----
From: MailScanner discussion <mailscanner@lists.mailscanner.info
Subj: Quarantine Dir on Web Server
Date: Fri, 8 Dec 2006 09:48:38 +1100

Dear All, 

I wanted to put the Quarantine directory on a browsable directory of the Apache. 

I have set the "Quarantine Directory" as /var/www/html/quarantine 

And when I go at http://MailScanner/quarantine I don't see nothing. On the other hand if I create a directory on my own mkdir /var/www/html/quarantine/test, I can see the directory but can't see 20061207 etc directories. I am pretty sure that they are there.. 

Please help. 

With best regards, 

Webb. 
From ajos1 at onion.demon.co.uk  Fri Dec  8 23:36:00 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Fri Dec  8 23:36:07 2006
Subject: MailScanner... Still October...
Message-ID: <sentfri08dec2006233600gmtbstajos1@sonicbadger.com>

-

I noticed this last week... but thought I would be told off for being too quick of the mark... as it was about 5 mins after the December update came out... so I kept quiet...

Minor I know... But...

www.mailscanner.info   still says:   Version 4.56 10th October 2006

I am just thinking of the people who only look as far as the first 6 lines to see if there is an update or not.
From dnsadmin at 1bigthink.com  Fri Dec  8 23:38:11 2006
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Fri Dec  8 23:38:21 2006
Subject: Need confirmation on Posix/flock settings
In-Reply-To: <elcptn$4ka$1@sea.gmane.org>
References: <7.0.1.0.0.20061208141624.06ef5550@1bigthink.com>
	<elcn47$rnd$1@sea.gmane.org>
	<7.0.1.0.0.20061208171602.0b3f9c38@1bigthink.com>
	<elcptn$4ka$1@sea.gmane.org>
Message-ID: <7.0.1.0.0.20061208183731.09bbec98@1bigthink.com>

At 05:45 PM 12/8/2006, you wrote:

>dnsadmin 1bigthink.com spake the following on 12/8/2006 2:20 PM:
> > At 04:57 PM 12/8/2006, you wrote:
> >
> >> dnsadmin 1bigthink.com spake the following on 12/8/2006 11:21 AM:
> >> > Hello All,
> >> >
> >> > I recently upgraded with the current ClamAV/SpamAssassin tarball and
> >> had
> >> > flock set after SpamAssassin upgrade, but I seem to remember that I was
> >> > advised to run Posix on a 2.6x kernel.
> >> >
> >> > I am running mailscanner-4.50.15-1 from RPM install and latest
> >> > ClamAV/SpamAsassin install on CentOS 4.4, kernel 2.6.
> >> >
> >> > Please confirm; I should be running locking-type = posix, correct???
> >> >
> >> > Thanks,
> >> > Glenn
> >> >
> >> Posix with sendmail 8.13 on linux. Centos 4.4 has sendmail 8.13.
> >> If running on postfix, your answer will follow from those more
> >> knowledgeable...
> >>
> >>
> >
> > Thanks Scott! Yep, that's got me!
> >
> > Now one more question, though; it's flock on kernel 2.4, isn't it?
> >
> > I also have a mailserver on Whitebox 3.x. same MailScanner/SpamAssassin
> > version, sendmail 8.12.x. Yes, I know.. I'd love to upgrade it, but I
> > can't at the moment.
> >
> > Thanks,
> > Glenn Parsons
> >
> >> --
> >>
> >> MailScanner is like deodorant...
> >> You hope everybody uses it, and
> >> you notice quickly if they don't!!!!
> >>
> >> --
> >> MailScanner mailing list
> >> mailscanner@lists.mailscanner.info
> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>
> >> Before posting, read http://wiki.mailscanner.info/posting
> >>
> >> Support MailScanner development - buy the book off the website!
> >
>I think that sendmail 8.13 is not compiled with flock support on any linux
>version or kernel. The only way I know for sure is to run the following on the
>suspected system;
>sendmail -bt -d0.10 < /dev/null | grep HASFLOCK and see if it matches.
>If it returns blank, then use posix.

Thanks again Scott. That answered it.

Cheers,
Glenn 

From ssilva at sgvwater.com  Fri Dec  8 23:46:50 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec  8 23:47:14 2006
Subject: MailScanner... Still October...
In-Reply-To: <sentfri08dec2006233600gmtbstajos1@sonicbadger.com>
References: <sentfri08dec2006233600gmtbstajos1@sonicbadger.com>
Message-ID: <elcthb$ep8$1@sea.gmane.org>

ajos1@onion.demon.co.uk spake the following on 12/8/2006 3:36 PM:
> -
> 
> I noticed this last week... but thought I would be told off for being too quick of the mark... as it was about 5 mins after the December update came out... so I kept quiet...
> 
> Minor I know... But...
> 
> www.mailscanner.info   still says:   Version 4.56 10th October 2006
> 
> I am just thinking of the people who only look as far as the first 6 lines to see if there is an update or not.
Julian has been extremely busy at his paying job. I am just happy that he
decided to put out a release. The announce list is a better way to find out
when the latest and greatest comes out.
 I'm sure he will fix it before the next release.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ajos1 at onion.demon.co.uk  Sat Dec  9 04:00:30 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Sat Dec  9 04:00:36 2006
Subject: MailWatch... is it still being developed?
Message-ID: <sentsat09dec2006040030gmtbstajos1@sonicbadger.com>

-

MailWatch... is it still being developed?
From micoots at yahoo.com  Sat Dec  9 05:12:05 2006
From: micoots at yahoo.com (Michael Mansour)
Date: Sat Dec  9 05:12:09 2006
Subject: MailWatch... is it still being developed?
Message-ID: <20061209051205.5629.qmail@web33303.mail.mud.yahoo.com>

I think alot of software continues to be developed. I've been using MailWatch for some time in production without issues.

In terms of being developed, yes, we're expecting  v2.0 sometime in the first half of next year.

Michael.

----- Original Message ----
From: "ajos1@onion.demon.co.uk" <ajos1@onion.demon.co.uk>
To: mailscanner@lists.mailscanner.info
Sent: Saturday, 9 December, 2006 3:00:30 PM
Subject: MailWatch... is it still being developed?


-

MailWatch... is it still being developed?
-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Send instant messages to your online friends http://au.messenger.yahoo.com 
From micoots at yahoo.com  Sat Dec  9 05:40:37 2006
From: micoots at yahoo.com (Michael Mansour)
Date: Sat Dec  9 05:40:40 2006
Subject: Allowing .pr3 files through
Message-ID: <20061209054037.20942.qmail@web33315.mail.mud.yahoo.com>

Hi,

I reaaly hate top posting but am using the new Yahoo mail beta and it doesn't seem I can change this to good old ">" replies.

I tried this and get:

# file wimrpmd2.pr3
wimrpmd2.pr3: MS-DOS executable (EXE), OS/2 or MS Windows

So you're right, the server considers these files executables so they match against one of these:

deny    ELF             No executables          No programs allowed
deny    executable      No executables          No programs allowed

Hmm.. this now poses the question, how can I allow .pr3 files specifically but disallow all other executables?

Michael.

----- Original Message ----
From: Res <res@ausics.net>
To: MailScanner discussion <mailscanner@lists.mailscanner.info>
Sent: Saturday, 9 December, 2006 8:25:40 AM
Subject: Re: Allowing .pr3 files through


On Fri, 8 Dec 2006, Michael Mansour wrote:

> Hi Stef,
>
> I put the rule to the top of the list and the "bad content" was still tagged on the message.
>
> I believe this is tagged from the "filetype" rules area not "filename".

It might think its an executable PR3 can be used as postsrcipt extension 
so I'm suprised it's not allowed with what you have


Filetype rules will over-ride filename everytime, filetype is based on 
system " file " where filename I don't beleive uses file in tests and just 
takes your word for it on filename, making filetype a much more sensible 
approach to be the top level guardian.

try :
file /full/path/to/file.pr3
and see what it says it thinks it is


>
> If that's the case, what sort of rule would I need to put in to allow .pr3 files?
>
> The filetype fules I have for this domain are:
>
> allow   text            -                       -
> allow   script          -                       -
> allow   archive         -                       -
> allow   postscript      -                       -
> deny    self-extract    No self-extracting archives     No self-extracting archives allowed
> deny    ELF             No executables          No programs allowed
> deny    executable      No executables          No programs allowed
> allow   MPEG            Yes MPEG movies         MPEG movies allowed
> allow   AVI             Yes AVI movies          AVI movies allowed
> allow   MNG             Yes MNG/PNG movies      MNG movies allowed
> allow   Quicktime       Yes Quicktime movies    Quicktime movies allowed
> allow   ASF             Yes Windows media       Windows media files allowed
> allow   BMP             Yes BMP files           BMP graphics files allowed
> deny    Registry        No Windows Registry entries     No Windows Registry files allowed
>
> Thanks.
>
> Michael.
>
> Michael Mansour wrote:
>> I have their setup as:
>>
>> /etc/MailScanner/example.com.filename.rules.conf
>> allow \.pr3$ - -
>>
>> at the end of the file, but that does not seem to work.
>
> As far as I know, the rules file is parsed in order and stops when a
> match is found.
>
> Thefore, try putting it at the beginning instead, so that it matches for
> .pr3 and allows it before matching the general disallow rules for
> executables.
>
> Regards
>
> Stef
> Stefan Morrell | Operations Director
> Tel: 0845 3452820 | Alpha Omega Computers Ltd
> Fax: 0845 3452830 | Incorporating Level 5 Internet
> stef@aoc-uk.com | stef@l5net.net
>

-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Send instant messages to your online friends http://au.messenger.yahoo.com 
From res at ausics.net  Sat Dec  9 07:23:27 2006
From: res at ausics.net (Res)
Date: Sat Dec  9 07:23:34 2006
Subject: Allowing .pr3 files through
In-Reply-To: <20061209054037.20942.qmail@web33315.mail.mud.yahoo.com>
References: <20061209054037.20942.qmail@web33315.mail.mud.yahoo.com>
Message-ID: <Pine.LNX.4.64.0612091717010.14739@ebfjryy.nhfvpf.arg>

Hi,
On Fri, 8 Dec 2006, Michael Mansour wrote:

> I reaaly hate top posting but am using the new Yahoo mail beta and it doesn't seem I can change this to good old ">" replies.

hehe  OK

> I tried this and get:
>
> # file wimrpmd2.pr3
> wimrpmd2.pr3: MS-DOS executable (EXE), OS/2 or MS Windows
>
> So you're right, the server considers these files executables so they match against one of these:
>
> deny    ELF             No executables          No programs allowed
> deny    executable      No executables          No programs allowed
>
> Hmm.. this now poses the question, how can I allow .pr3 files specifically but disallow all other executables?

You will have to at least change 'executable' to allow...
allow    executable      No executables          No programs allowed

file name and type are 2 different types of tests, I guess you can then 
use the defaults in filename conf with denies on the executables. This is 
what we do, except we also allow '.exe'


--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From garry at glendown.de  Sat Dec  9 07:33:33 2006
From: garry at glendown.de (Garry Glendown)
Date: Sat Dec  9 07:33:35 2006
Subject: mailscanner-mrtg graph labels
In-Reply-To: <Pine.LNX.4.64.0611081843550.4340@tiger.dorfam.ca>
References: <000b01c6ffa4$a4794c10$670a000a@dorfam.ca>	<45509A4E.7090303@USherbrooke.ca>
	<Pine.LNX.4.64.0611081843550.4340@tiger.dorfam.ca>
Message-ID: <457A66CD.7070009@glendown.de>

>> Are you sure you didn't mess up the /etc/mrtg/mailscanner-mrtg.cfg
>> file for these 2 graphs? This is what I have for the MTA:
>> YLegend[mailbytes]: Bytes
>> ShortLegend[mailbytes]: bytes &nbsp; &nbsp;
>> Legend1[mailbytes]: Average Bytes
>> Legend2[mailbytes]:
>> Legend3[mailbytes]: Maximum Bytes
>> Legend4[mailbytes]:
>> LegendI[mailbytes]: :
>> LegendO[mailbytes]:
>> kilo[mailbytes]: 1024
>> kMG[mailbytes]: k,M,G,T,P
>>
>> If all is OK, then maybe something changed in FC6 and the last 2 lines
>> (kilo and kMG) are not having the same effect as they did before.
>>
>> Denis
> 
> I think something changed in FC6.  My config file matches yours.

Same here, on a CentOS install (which is RedHat based) - cfg file looks
fine, but html output is missing the info (running 0.11 here)
From garry at glendown.de  Sat Dec  9 07:37:19 2006
From: garry at glendown.de (Garry Glendown)
Date: Sat Dec  9 07:37:21 2006
Subject: Altering mailscanner-mrtg to show chart with spam & high spam ...
Message-ID: <457A67AF.2090903@glendown.de>

I was wondering, has anybody tried to modify mailscanner-mrtg so it
would show a chart that differentiates between regular spam and high
scoring spam? I know that once you start using a rules file to define
what high scoring spam is, this would not be all the way correct, but
for general info, showing a stacked graph that has e.g. a green line for
anything under the spam score of 5, a yellow for 5-10, and red for 10
and above, would be nice ... I know I can advanced information like that
by using mailwatch, but I don't want to put that extra load on the
server in question at the moment ...

Tnx, -gg
From micoots at yahoo.com  Sat Dec  9 08:22:09 2006
From: micoots at yahoo.com (Michael Mansour)
Date: Sat Dec  9 08:22:12 2006
Subject: Allowing .pr3 files through
Message-ID: <20061209082209.13550.qmail@web33313.mail.mud.yahoo.com>

Hi Res,

That worked fine, .pr3's are going through.

Thanks.

Michael.

----- Original Message ----
From: Res <res@ausics.net>
To: MailScanner discussion <mailscanner@lists.mailscanner.info>
Sent: Saturday, 9 December, 2006 6:23:27 PM
Subject: Re: Allowing .pr3 files through


Hi,
On Fri, 8 Dec 2006, Michael Mansour wrote:

> I reaaly hate top posting but am using the new Yahoo mail beta and it doesn't seem I can change this to good old ">" replies.

hehe  OK

> I tried this and get:
>
> # file wimrpmd2.pr3
> wimrpmd2.pr3: MS-DOS executable (EXE), OS/2 or MS Windows
>
> So you're right, the server considers these files executables so they match against one of these:
>
> deny    ELF             No executables          No programs allowed
> deny    executable      No executables          No programs allowed
>
> Hmm.. this now poses the question, how can I allow .pr3 files specifically but disallow all other executables?

You will have to at least change 'executable' to allow...
allow    executable      No executables          No programs allowed

file name and type are 2 different types of tests, I guess you can then 
use the defaults in filename conf with denies on the executables. This is 
what we do, except we also allow '.exe'


--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Send instant messages to your online friends http://au.messenger.yahoo.com 
From ja at conviator.com  Sat Dec  9 11:12:03 2006
From: ja at conviator.com (Jan Agermose)
Date: Sat Dec  9 11:12:36 2006
Subject: SV: word files
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0429AD1@winchester.andrewscompanies.com>
Message-ID: <6B59FCF2EFD0334A8147A1BB463F111E01E04C68@mail-17ps.atlarge.net>

*LOL* YES I know it will cause a lot of problems - that's why we do not
do it - but the question was raised by a customer of mine - if we where
and why not. The point is when do we "protect" and when do we "protect
only if it does annoy" :-) 

 

Anyway - thanks - and thanks for the links, Gerard, I will look at the
sites and maybe even learn something :-D 

 

Best regards

Jan

 

Emne: RE: word files

 

you think blocking BMP annoys people, try blocking word files...

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061209/e33aa587/attachment.html
From res at ausics.net  Sat Dec  9 11:45:03 2006
From: res at ausics.net (Res)
Date: Sat Dec  9 11:45:10 2006
Subject: Allowing .pr3 files through
In-Reply-To: <20061209082209.13550.qmail@web33313.mail.mud.yahoo.com>
References: <20061209082209.13550.qmail@web33313.mail.mud.yahoo.com>
Message-ID: <Pine.LNX.4.64.0612092144470.15628@ebfjryy.nhfvpf.arg>

On Sat, 9 Dec 2006, Michael Mansour wrote:

> Hi Res,
>
> That worked fine, .pr3's are going through.
>
> Thanks.


no problems

>

-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From gerard at seibercom.net  Sat Dec  9 12:37:48 2006
From: gerard at seibercom.net (Gerard Seibert)
Date: Sat Dec  9 12:37:54 2006
Subject: Allowing .pr3 files through
In-Reply-To: <20061209054037.20942.qmail@web33315.mail.mud.yahoo.com>
References: <20061209054037.20942.qmail@web33315.mail.mud.yahoo.com>
Message-ID: <20061209073347.3FF6.GERARD@seibercom.net>

On Saturday December 09, 2006 at 12:40:37 (AM) Michael Mansour wrote:

> Hi,
> 
> I reaaly hate top posting but am using the new Yahoo mail beta and it
> | doesn't seem I can change this to good old ">" replies.

What does that have to do with placing the cursor at the bottom of the
page? You could always insert a 'Reply Separator' if need be. You could
always revert to the older version of Yahoo Mail. I did that myself.
Better yet, just use a different MUA.


-- 
Gerard
From sandrews at andrewscompanies.com  Sat Dec  9 16:25:18 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Sat Dec  9 16:25:24 2006
Subject: word files
Message-ID: <1964AAFBC212F742958F9275BF63DBB0429AE2@winchester.andrewscompanies.com>

in all seriousness, when we answer this question it's along the lines
of...
 
we block mpeg files because they have no business value, we allow doc
files because they do even though they offer the opportunity for
vulnerabilities.  we then allow on our antivirus at the gateway, server,
and workstation to mitigate the risk.

  _____  

From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jan
Agermose
Sent: Saturday, December 09, 2006 6:12 AM
To: MailScanner discussion
Subject: SV: word files



*LOL* YES I know it will cause a lot of problems - that's why we do not
do it - but the question was raised by a customer of mine - if we where
and why not. The point is when do we "protect" and when do we "protect
only if it does annoy" :-) 

 

Anyway - thanks - and thanks for the links, Gerard, I will look at the
sites and maybe even learn something :-D 

 

Best regards

Jan

 

Emne: RE: word files

 

you think blocking BMP annoys people, try blocking word files...

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061209/82ec19a6/attachment.html
From ajos1 at onion.demon.co.uk  Sat Dec  9 20:02:45 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Sat Dec  9 20:02:55 2006
Subject: MailWatch... is it still being developed?
Message-ID: <sentsat09dec2006200245gmtbstajos1@sonicbadger.com>

-

Excellent news...

If it was not being maintained... I was thinking of offering to take in on...

-----Original Message-----
From: MailScanner discussion <mailscanner@lists.mailscanner.info
Subj: Re: MailWatch... is it still being developed?
Date: Fri, 8 Dec 2006 21:12:05 -0800 (PST)

I think alot of software continues to be developed. I've been using MailWatch for some time in production without issues.

In terms of being developed, yes, we're expecting  v2.0 sometime in the first half of next year.

Michael.

==
=====================================================================
=
=  Need help dealing with Parking Tickets, Bailiffs, Capita or NTL...
=  Call...    +44 8457 90 90 90    http://www.samaritans.org/
=
=====================================================================
From ajos1 at onion.demon.co.uk  Sat Dec  9 20:06:28 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Sat Dec  9 20:06:35 2006
Subject: IMF, SCL and OWA
Message-ID: <sentsat09dec2006200628gmtbstajos1@sonicbadger.com>

-

I have sussed out IMF and SCL on Exchange...

For users to use it in OWA... they each need to turn on Filter Junk E-Mail in their options.

I am wondering if anyone has or has seen a script that would allows me to turn on Filter Junk E-mail for all users on an Exchange server...

I do not want to do it by hand for 1000 users!

Thanks a-lot-o.
From res at ausics.net  Sat Dec  9 21:07:27 2006
From: res at ausics.net (Res)
Date: Sat Dec  9 21:07:35 2006
Subject: Allowing .pr3 files through
In-Reply-To: <20061209073347.3FF6.GERARD@seibercom.net>
References: <20061209054037.20942.qmail@web33315.mail.mud.yahoo.com>
	<20061209073347.3FF6.GERARD@seibercom.net>
Message-ID: <Pine.LNX.4.64.0612100706430.18144@ebfjryy.nhfvpf.arg>

On Sat, 9 Dec 2006, Gerard Seibert wrote:

> On Saturday December 09, 2006 at 12:40:37 (AM) Michael Mansour wrote:
>
>> Hi,
>>
>> I reaaly hate top posting but am using the new Yahoo mail beta and it
>> | doesn't seem I can change this to good old ">" replies.
>
> What does that have to do with placing the cursor at the bottom of the
> page? You could always insert a 'Reply Separator' if need be. You could
> always revert to the older version of Yahoo Mail. I did that myself.
> Better yet, just use a different MUA.
>

what the hell has this got to do with mailscanner, he did the right thing 
IMHO it was acceptable, if you want to educate him to use another plz do 
it off list



>
>

-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From mike at vesol.com  Sat Dec  9 23:38:55 2006
From: mike at vesol.com (Mike Kercher)
Date: Sat Dec  9 23:40:38 2006
Subject: IMF, SCL and OWA
In-Reply-To: <sentsat09dec2006200628gmtbstajos1@sonicbadger.com>
Message-ID: <EAE39E9E242F774099806D1052118953370AF4@samba2003.home.middlefinger.net>

mailscanner-bounces@lists.mailscanner.info <> scribbled on Saturday,
December 09, 2006 2:06 PM:

> -
> 
> I have sussed out IMF and SCL on Exchange...
> 
> For users to use it in OWA... they each need to turn on
> Filter Junk E-Mail in their options.
> 
> I am wondering if anyone has or has seen a script that would
> allows me to turn on Filter Junk E-mail for all users on an
> Exchange server...
> 
> I do not want to do it by hand for 1000 users!
> 
> Thanks a-lot-o.

There is a group policy object for this setting.

Mike
From shuttlebox at gmail.com  Sun Dec 10 01:35:13 2006
From: shuttlebox at gmail.com (shuttlebox)
Date: Sun Dec 10 01:35:17 2006
Subject: "Use DCC as a daemon"
In-Reply-To: <120103F0F5EC264097BC0A06EC9D026A0111BF8A@pardessus.aoc-uk.com>
References: <120103F0F5EC264097BC0A06EC9D026A0111BF8A@pardessus.aoc-uk.com>
Message-ID: <625385e30612091735u3b8b9eaavb81893a86df921ef@mail.gmail.com>

On 12/8/06, Stef Morrell <stef@aoc-uk.com> wrote:
> Now for some reason dccifd keeps popping up as a process on my machine
> in any case. It's not causing me any pain, so I've largely ignored it
> beyond a 'kill' once in a while. However if I can actually use it, that
> would be better still.

Recent versions of DCC spawn dccifd if dccproc is invoked a certain
amount of times during a certain period of time, i.e. frequently.
That's why you see it even if you haven't configured it.

In theory it sounds good to run it daemonized but in practice I didn't
notice any big difference. You should be good though with your current
setup, just stop killing it. :-)

-- 
/peter
From root at doctor.nl2k.ab.ca  Sun Dec 10 14:21:39 2006
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the
	Problem)
Date: Sun Dec 10 14:24:58 2006
Subject: MAilscanner, Dspam, Sendmail 8.13.8 under one system
Message-ID: <20061210142139.GP19599@doctor.nl2k.ab.ca>

I am running Dspam 3.6.8 and MAilScanner 4.57 with current
perl modules with sendmail 8.13.8 under BSD/OS 4.3.1 fully patched.

With the addition on Dspam, I have seen 
Operating system error  in my queue flushes.

Pointer please to minimize errors.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From root at doctor.nl2k.ab.ca  Sun Dec 10 14:55:09 2006
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the
	Problem)
Date: Sun Dec 10 14:58:21 2006
Subject: [dspam-users] MAilscanner, Dspam,
	Sendmail 8.13.8 under one system
In-Reply-To: <20061210142139.GP19599@doctor.nl2k.ab.ca>
References: <20061210142139.GP19599@doctor.nl2k.ab.ca>
Message-ID: <20061210145509.GA28425@doctor.nl2k.ab.ca>

On Sun, Dec 10, 2006 at 07:21:39AM -0700, Dave Shariff Yadallee -  System Administrator a.k.a. The Root of the Problem wrote:
> I am running Dspam 3.6.8 and MAilScanner 4.57 with current
> perl modules with sendmail 8.13.8 under BSD/OS 4.3.1 fully patched.
> 
> With the addition on Dspam, I have seen 
> Operating system error  in my queue flushes.
> 
> Pointer please to minimize errors.
>

My dspam configuration is:

 
CC=/usr/bin/gcc CXX=/usr/bin/g++ CFLAGS="-g -DDEBUG -O9 -Wall -march=i686" \
CXXFLAGS=-Wno-deprecated CPPFLAGS=-Wno-deprecated \
CPPFLAGS="-I/usr/X11/include -I/usr/include -I/usr/contrib/include" \
LDFLAGS="-L/usr/lib  -L/usr/contrib/lib -L/usr/X11R6/lib" \
M4=/usr/contrib/bin/m4 \
./configure \
  --prefix=/usr/contrib \
  --localstatedir=/var \
  --infodir=/usr/share/info \
  --mandir=/usr/share/man \
  --enable-clamav \
  --enable-debug  \
  --enable-syslog \
  --enable-bnr-debug  \
  --enable-homedir   \
  --disable-trusted-user-security \
  --enable-preferences-extension \
  --enable-domain-scale  \
  --enable-virtual-users \
  --enable-profiling  \
  --with-dspam-home=/var/dspam \
  --with-dspam-home-mode=2770 \
  --with-dspam-home-owner=root \
  --with-dspam-home-group=clamav \
  --with-logfile=/var/log/dspam.log \
  --with-delivery-agent=/usr/bin/procmail \
  --with-storage-driver=mysql_drv \
  --with-mysql-includes=/usr/contrib/include/mysql \
  --with-mysql-libraries=/usr/contrib/lib/mysql/ \
  --with-pgsql-includes=/usr/contrib/pgsql/include \
  --with-pgsql-libraries=/usr/contrib/pgsql/lib \
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From michele at blacknight.ie  Mon Dec 11 13:29:56 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon Dec 11 13:28:46 2006
Subject: MailWatch... is it still being developed?
In-Reply-To: <sentsat09dec2006040030gmtbstajos1@sonicbadger.com>
Message-ID: <005a01c71d28$73379bb0$e3f31151@blacknight.local>

ajos1@onion.demon.co.uk wrote:
> -
> 
> MailWatch... is it still being developed?

Of course it is.

What made you think otherwise?



Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239

From Johan.Hedlund at tietoenator.com  Mon Dec 11 14:50:15 2006
From: Johan.Hedlund at tietoenator.com (Johan.Hedlund@tietoenator.com)
Date: Mon Dec 11 14:50:23 2006
Subject: Local delivery + Mailscanner
Message-ID: <1D1C14F9CD24904987F2907D74C772B405EC206F@mustang.eu.tieto.com>



I've recently setup a configuration using Mailscanner + sendmail +
procmail and dovecot (imap), everything is running on the same server.

After a mail is scanned by mailscanner it's a huge delay for it to be
delivered (local deliver).

Dec  6 19:31:25 mail sendmail[5009]: kB6IVKsN005009: from=<johan@xxxx>,
size=960, class=0, nrcpts=1, msgid=<45770C78.1020709@joh.se>, prot   
o=ESMTP, daemon=MTA, relay=mxfep02.bredband.com [195.54.107.73]

Dec  6 19:31:27 mail MailScanner[4933]: New Batch: Scanning 1 messages,
1447 bytes                                                             
Dec  6 19:31:27 mail MailScanner[4933]: Spam Checks: Starting

Dec  6 19:31:42 mail MailScanner[4933]: Message kB6IVKsN005009 from
195.54.107.73 (johan@xxxx) to mailxxxxx.mine.nu is not spam, SpamAssass

in (score=0, required 6, autolearn=not spam)

Dec  6 19:31:42 mail MailScanner[4933]: Spam Checks completed at 94
bytes per second

Dec  6 19:31:42 mail MailScanner[4933]: Virus and Content Scanning:
Starting

Dec  6 19:31:44 mail MailScanner[4933]: Virus Scanning completed at 838
bytes per second                                                       
Dec  6 19:31:44 mail MailScanner[4933]: Uninfected: Delivered 1 messages

Dec  6 19:31:44 mail MailScanner[4933]: Virus Processing completed at
176850 bytes per second

Dec  6 19:31:44 mail MailScanner[4933]: Batch completed at 84 bytes per
second (1447 / 17)                                                     
Dec  6 19:31:44 mail MailScanner[4933]: Batch (1 message) processed in
17.08 seconds                                                           
Dec  6 19:32:52 mail sendmail[5048]: kB6IVKsN005009: to=jhd,
delay=00:01:27, xdelay=00:00:00, mailer=local, pri=120960, dsn=2.0.0,
stat=Sent   

delay=00:01:27 ?!

It seems mailscanner can't deliver directly after scaning and that
leaves it up to sendmails queue-runner to finally deliver it, which
default might be 0-15 minutes.

I'm using the default dirs for mqueue in mailscanner and nothing special
in my sendmail.mc.

The /etc/procmailrc :

MAILDIR=$HOME/Maildir/
DEFAULT=$MAILDIR

I'm using MS 4.56.8 and sendmail 8.13.1.

If I run sendmail alone without Mailscanner the mail is delivered
instantly.


Regards,
Johan

From simon.walter at hp-factory.de  Mon Dec 11 16:35:13 2006
From: simon.walter at hp-factory.de (Simon Walter)
Date: Mon Dec 11 16:35:29 2006
Subject: MailWatch... is it still being developed?
In-Reply-To: <005a01c71d28$73379bb0$e3f31151@blacknight.local> (Michele
	Neylon's message of "Mon, 11 Dec 2006 13:29:56 -0000")
References: <005a01c71d28$73379bb0$e3f31151@blacknight.local>
Message-ID: <87zm9u4chq.fsf@hp-factory.de>


Hello

"Michele Neylon :: Blacknight" <michele@blacknight.ie> writes:
> ajos1@onion.demon.co.uk wrote:
>> MailWatch... is it still being developed?
>
> Of course it is.
>
> What made you think otherwise?

Perhaps the missing release since over a year on sf.net?

-- 
Regards
Simon Walter
From ssilva at sgvwater.com  Mon Dec 11 17:20:39 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Dec 11 17:21:16 2006
Subject: MailWatch... is it still being developed?
In-Reply-To: <87zm9u4chq.fsf@hp-factory.de>
References: <005a01c71d28$73379bb0$e3f31151@blacknight.local>
	<87zm9u4chq.fsf@hp-factory.de>
Message-ID: <elk418$96t$1@sea.gmane.org>

Simon Walter spake the following on 12/11/2006 8:35 AM:
> Hello
> 
> "Michele Neylon :: Blacknight" <michele@blacknight.ie> writes:
>> ajos1@onion.demon.co.uk wrote:
>>> MailWatch... is it still being developed?
>> Of course it is.
>>
>> What made you think otherwise?
> 
> Perhaps the missing release since over a year on sf.net?
> 
You should subscribe to the mailwatch list. A fairly active list that the
developer frequents. The 2.0 version in the pipe is a very substantial
re-write. That can take a while.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From glenn.steen at gmail.com  Mon Dec 11 17:29:33 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec 11 17:29:35 2006
Subject: MailWatch... is it still being developed?
In-Reply-To: <87zm9u4chq.fsf@hp-factory.de>
References: <005a01c71d28$73379bb0$e3f31151@blacknight.local>
	<87zm9u4chq.fsf@hp-factory.de>
Message-ID: <223f97700612110929k4c75fac4qa00f8ff10e3bef95@mail.gmail.com>

On 11/12/06, Simon Walter <simon.walter@hp-factory.de> wrote:
>
> Hello
>
> "Michele Neylon :: Blacknight" <michele@blacknight.ie> writes:
> > ajos1@onion.demon.co.uk wrote:
> >> MailWatch... is it still being developed?
> >
> > Of course it is.
> >
> > What made you think otherwise?
>
> Perhaps the missing release since over a year on sf.net?
>
Even a rather cursory search of the MW mailing list archives would
reveal that a major rewrite is in the makings ... and has been for a
longish time. I respect Steve for his great work, as well as his
position that he really wants to be in the driver seat here
(precluding anyone helping him much)... And he has actually set a date
(well, a quarter:-) for release now, which likely means we'll see
something workable close to that time (perhaps 07Q2 would be the time
to schedule an update to 2.0:-).

Steve has graciously made a sneak preview available at
https://dc2.fsl.com/mailwatch_dev/ (login with guest as both username
and password), if you'd like a look.

Oh, and further discussion should likely be taken to the MW list;-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From rogerio at tecnowaydigital.com.br  Mon Dec 11 18:27:44 2006
From: rogerio at tecnowaydigital.com.br (=?iso-8859-1?Q?Rog=E9rio_Wiethorn_-_TecnoWay_Digital?=)
Date: Mon Dec 11 18:27:53 2006
Subject: Autoreply
Message-ID: <019001c71d52$0d20ddd0$e401a8c0@twdnb01>

H?. There's some mailscanner function to create a autoreply message, like vacation ?

Thanks

Rog?rio
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061211/b380a646/attachment.html
From rogerio at tecnowaydigital.com.br  Mon Dec 11 18:32:57 2006
From: rogerio at tecnowaydigital.com.br (=?iso-8859-1?Q?Rog=E9rio_Wiethorn_-_TecnoWay_Digital?=)
Date: Mon Dec 11 18:33:38 2006
Subject: Archive Mail + postfix and virtual mailbox
Message-ID: <01a301c71d52$c99c0e80$e401a8c0@twdnb01>

I'm using MailScanner with postfix + mysql + virtual mailbox.

With the best way for me to archive mail?

I'm using, eg. (To:    user@mydomain.com     /dsk_bkp_email/user.

I file was created, but how can I restore the message to user mailbox ?

Thanks a lot.

Rogerio Wiethorn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061211/d059f0c3/attachment.html
From ssilva at sgvwater.com  Mon Dec 11 18:47:14 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Dec 11 18:48:51 2006
Subject: Autoreply
In-Reply-To: <019001c71d52$0d20ddd0$e401a8c0@twdnb01>
References: <019001c71d52$0d20ddd0$e401a8c0@twdnb01>
Message-ID: <elk93i$spo$1@sea.gmane.org>

Rog?rio Wiethorn - TecnoWay Digital spake the following on 12/11/2006 10:27 AM:
> H?. There's some mailscanner function to create a autoreply message,
> like vacation ?
>  
> Thanks
>  
> Rog?rio
> 
Why not use vacation?


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From rogerio at tecnowaydigital.com.br  Mon Dec 11 19:49:23 2006
From: rogerio at tecnowaydigital.com.br (=?iso-8859-1?Q?Rog=E9rio_Wiethorn_-_TecnoWay_Digital?=)
Date: Mon Dec 11 19:49:32 2006
Subject: Autoreply
References: <019001c71d52$0d20ddd0$e401a8c0@twdnb01>
	<elk93i$spo$1@sea.gmane.org>
Message-ID: <020e01c71d5d$75b0bef0$e401a8c0@twdnb01>

I 've try it but when vacation send message, sendmail say:

Sender address rejected: Domain not found

----- Original Message ----- 
From: "Scott Silva" <ssilva@sgvwater.com>
To: <mailscanner@lists.mailscanner.info>
Sent: Monday, December 11, 2006 4:47 PM
Subject: Re: Autoreply


Rog?rio Wiethorn - TecnoWay Digital spake the following on 12/11/2006 10:27 
AM:
> H?. There's some mailscanner function to create a autoreply message,
> like vacation ?
>
> Thanks
>
> Rog?rio
>
Why not use vacation?


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From mike at vesol.com  Mon Dec 11 20:11:07 2006
From: mike at vesol.com (Mike Kercher)
Date: Mon Dec 11 20:13:00 2006
Subject: Autoreply
In-Reply-To: <020e01c71d5d$75b0bef0$e401a8c0@twdnb01>
Message-ID: <EAE39E9E242F774099806D1052118953370B00@samba2003.home.middlefinger.net>

mailscanner-bounces@lists.mailscanner.info <> scribbled on :

> I 've try it but when vacation send message, sendmail say:
> 
> Sender address rejected: Domain not found
> 
> ----- Original Message -----
> From: "Scott Silva" <ssilva@sgvwater.com>
> To: <mailscanner@lists.mailscanner.info>
> Sent: Monday, December 11, 2006 4:47 PM
> Subject: Re: Autoreply
> 
> 
> Rog?rio Wiethorn - TecnoWay Digital spake the following on
> 12/11/2006 10:27
> AM:
>> H?. There's some mailscanner function to create a autoreply message,
>> like vacation ?
>> 
>> Thanks
>> 
>> Rog?rio
>> 
> Why not use vacation?

How about procmail?

Mike


From q at snj.ca  Mon Dec 11 21:01:50 2006
From: q at snj.ca (Quintin Giesbrecht)
Date: Mon Dec 11 21:03:23 2006
Subject: MailScanner Stuck
In-Reply-To: <EAE39E9E242F774099806D1052118953370B00@samba2003.home.middlefinger.net>
Message-ID: <2BE78592B3B1824F97A2685E96221F6234E738@mail.snj.mb.ca>

MailScanner seems to be stuck on one of my servers (a new build - FC6,
with the latest SA and MS builds).

The maillog keeps reading: New Batch: Scanning x messages, xxxx bytes

It never actually scans it, nor does it send it through.  Any ideas?

Thanks.

Quintin Giesbrecht
IT Manager
-----
Smith Neufeld Jodoin LLP
85 PTH 12 North
Steinbach, MB  R5G 1A7
Office:  204.326.3442
Direct Line:  204.346.5106
q@snj.ca
From q at snj.ca  Mon Dec 11 21:17:34 2006
From: q at snj.ca (Quintin Giesbrecht)
Date: Mon Dec 11 21:18:10 2006
Subject: MailScanner Stuck
In-Reply-To: <2BE78592B3B1824F97A2685E96221F6234E738@mail.snj.mb.ca>
Message-ID: <2BE78592B3B1824F97A2685E96221F6234E739@mail.snj.mb.ca>

Further to this, I have done some testing, and if I turn Spam Check off,
then it seems to work, so it seems to be something with SpamAssassin -
although, a spamassassin --lint produces no errors.

Thanks 

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quintin
Giesbrecht
Sent: Monday, December 11, 2006 3:02 PM
To: MailScanner discussion
Subject: MailScanner Stuck

MailScanner seems to be stuck on one of my servers (a new build - FC6,
with the latest SA and MS builds).

The maillog keeps reading: New Batch: Scanning x messages, xxxx bytes

It never actually scans it, nor does it send it through.  Any ideas?

Thanks.

Quintin Giesbrecht
IT Manager
-----
Smith Neufeld Jodoin LLP
85 PTH 12 North
Steinbach, MB  R5G 1A7
Office:  204.326.3442
Direct Line:  204.346.5106
q@snj.ca
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
From steve.freegard at fsl.com  Mon Dec 11 21:30:51 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Dec 11 21:30:59 2006
Subject: MailScanner Stuck
In-Reply-To: <2BE78592B3B1824F97A2685E96221F6234E739@mail.snj.mb.ca>
References: <2BE78592B3B1824F97A2685E96221F6234E738@mail.snj.mb.ca>
	<2BE78592B3B1824F97A2685E96221F6234E739@mail.snj.mb.ca>
Message-ID: <457DCE0B.10509@fsl.com>

Hi Quintin,

Quintin Giesbrecht wrote:
> Further to this, I have done some testing, and if I turn Spam Check off,
> then it seems to work, so it seems to be something with SpamAssassin -
> although, a spamassassin --lint produces no errors.

Switch Spam Checks back on and run 'MailScanner --debug --debug-sa' and 
see what it outputs.

Kind regards,
Steve.
From q at snj.ca  Mon Dec 11 21:48:49 2006
From: q at snj.ca (Quintin Giesbrecht)
Date: Mon Dec 11 21:48:51 2006
Subject: MailScanner Stuck
In-Reply-To: <457DCE0B.10509@fsl.com>
Message-ID: <2BE78592B3B1824F97A2685E96221F620BD632@mail.snj.mb.ca>

Here is output from 'MailScanner --debug --debug-sa' as requested.  TIA.


In Debugging mode, not forking...
[6254] dbg: logger: adding facilities: all
[6254] dbg: logger: logging level is DBG
[6254] dbg: generic: SpamAssassin version 3.1.7
[6254] dbg: config: score set 0 chosen.
[6254] dbg: util: running in taint mode? no
[6254] dbg: message: ---- MIME PARSER START ----
[6254] dbg: message: main message type: text/plain
[6254] dbg: message: parsing normal part
[6254] dbg: message: added part, type: text/plain
[6254] dbg: message: ---- MIME PARSER END ----
[6254] dbg: dns: is Net::DNS::Resolver available? yes
[6254] dbg: dns: Net::DNS version: 0.59
[6254] dbg: ignore: test message to precompile patterns and load modules
[6254] dbg: config: using "/etc/mail/spamassassin" for site rules pre
files
[6254] dbg: config: read file /etc/mail/spamassassin/init.pre
[6254] dbg: config: read file /etc/mail/spamassassin/v310.pre
[6254] dbg: config: read file /etc/mail/spamassassin/v312.pre
[6254] dbg: config: using "/usr/share/spamassassin" for sys rules pre
files
[6254] dbg: config: using "/usr/share/spamassassin" for default rules
dir
[6254] dbg: config: read file /usr/share/spamassassin/10_misc.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_advance_fee.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_anti_ratware.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_body_tests.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_compensate.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_drugs.cf
[6254] dbg: config: read file
/usr/share/spamassassin/20_fake_helo_tests.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_head_tests.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_html_tests.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_meta_tests.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_net_tests.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_phrases.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_porn.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_ratware.cf
[6254] dbg: config: read file /usr/share/spamassassin/20_uri_tests.cf
[6254] dbg: config: read file /usr/share/spamassassin/23_bayes.cf
[6254] dbg: config: read file /usr/share/spamassassin/25_accessdb.cf
[6254] dbg: config: read file /usr/share/spamassassin/25_antivirus.cf
[6254] dbg: config: read file
/usr/share/spamassassin/25_body_tests_es.cf
[6254] dbg: config: read file
/usr/share/spamassassin/25_body_tests_pl.cf
[6254] dbg: config: read file /usr/share/spamassassin/25_dcc.cf
[6254] dbg: config: read file /usr/share/spamassassin/25_dkim.cf
[6254] dbg: config: read file /usr/share/spamassassin/25_domainkeys.cf
[6254] dbg: config: read file /usr/share/spamassassin/25_hashcash.cf
[6254] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf
[6254] dbg: config: read file /usr/share/spamassassin/25_razor2.cf
[6254] dbg: config: read file /usr/share/spamassassin/25_replace.cf
[6254] dbg: config: read file /usr/share/spamassassin/25_spf.cf
[6254] dbg: config: read file /usr/share/spamassassin/25_textcat.cf
[6254] dbg: config: read file /usr/share/spamassassin/25_uribl.cf
[6254] dbg: config: read file /usr/share/spamassassin/30_text_de.cf
[6254] dbg: config: read file /usr/share/spamassassin/30_text_fr.cf
[6254] dbg: config: read file /usr/share/spamassassin/30_text_it.cf
[6254] dbg: config: read file /usr/share/spamassassin/30_text_nl.cf
[6254] dbg: config: read file /usr/share/spamassassin/30_text_pl.cf
[6254] dbg: config: read file /usr/share/spamassassin/30_text_pt_br.cf
[6254] dbg: config: read file /usr/share/spamassassin/50_scores.cf
[6254] dbg: config: read file /usr/share/spamassassin/60_awl.cf
[6254] dbg: config: read file /usr/share/spamassassin/60_whitelist.cf
[6254] dbg: config: read file /usr/share/spamassassin/60_whitelist_dk.cf
[6254] dbg: config: read file
/usr/share/spamassassin/60_whitelist_dkim.cf
[6254] dbg: config: read file
/usr/share/spamassassin/60_whitelist_spf.cf
[6254] dbg: config: read file
/usr/share/spamassassin/60_whitelist_subject.cf
[6254] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[6254] dbg: config: read file /etc/mail/spamassassin/local.cf
[6254] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
[6254] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from
@INC
[6254] dbg: plugin: registered
Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa911e20)
[6254] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from
@INC
[6254] dbg: plugin: registered
Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa92dbbc)
[6254] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[6254] dbg: plugin: registered
Mail::SpamAssassin::Plugin::SPF=HASH(0xa94fa8c)
[6254] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[6254] dbg: pyzor: network tests on, attempting Pyzor
[6254] dbg: plugin: registered
Mail::SpamAssassin::Plugin::Pyzor=HASH(0xa953dbc)
[6254] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from
@INC
[6254] dbg: reporter: network tests on, attempting SpamCop
[6254] dbg: plugin: registered
Mail::SpamAssassin::Plugin::SpamCop=HASH(0xa9b4b74)
[6254] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[6254] dbg: plugin: registered
Mail::SpamAssassin::Plugin::AWL=HASH(0xa9b970c)
[6254] dbg: plugin: loading
Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
[6254] dbg: plugin: registered
Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0xa9bf458)
[6254] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject
from @INC
[6254] dbg: plugin: registered
Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa96d6e0)
[6254] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from
@INC
[6254] dbg: plugin: registered
Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0xaa99714)
[6254] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from
@INC
[6254] dbg: plugin: registered
Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xab31da8)
[6254] dbg: config: adding redirector regex:
/^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i
[6254] dbg: config: adding redirector regex:
/^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i
[6254] dbg: config: adding redirector regex:
/^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i
[6254] dbg: config: adding redirector regex:
/^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i
[6254] dbg: config: adding redirector regex:
/^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i
[6254] dbg: config: adding redirector regex:
m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&#])'i
[6254] dbg: config: adding redirector regex:
m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i
[6254] dbg: config: adding redirector regex:
m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&#])'i
[6254] dbg: config: adding redirector regex:
m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:
$|[&#])'i
[6254] dbg: config: adding redirector regex:
m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*
?(?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&#])'i
[6254] dbg: config: adding redirector regex:
m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*
?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i
[6254] dbg: config: adding redirector regex:
m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.
*?)(?:$|[&#])'i
[6254] dbg: plugin:
Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xab31da8) implements
'finish_parsing_end'
[6254] dbg: replacetags: replacing tags
[6254] dbg: replacetags: done replacing tags
[6254] dbg: bayes: no dbs present, cannot tie DB R/O:
/root/.spamassassin/bayes_toks
[6254] dbg: config: score set 1 chosen.
[6254] dbg: message: ---- MIME PARSER START ----
[6254] dbg: message: main message type: text/plain
[6254] dbg: message: parsing normal part
[6254] dbg: message: added part, type: text/plain
[6254] dbg: message: ---- MIME PARSER END ----
[6254] dbg: bayes: no dbs present, cannot tie DB R/O:
/root/.spamassassin/bayes_toks
[6254] dbg: dns: dns_available set to yes in config file, skipping test
[6254] dbg: metadata: X-Spam-Relays-Trusted:
[6254] dbg: metadata: X-Spam-Relays-Untrusted:
[6254] dbg: metadata: X-Spam-Relays-Internal:
[6254] dbg: metadata: X-Spam-Relays-External:
[6254] dbg: message: no encoding detected
[6254] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa911e20)
implements 'parsed_metadata'
[6254] dbg: uridnsbl: domains to query:
[6254] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set
sblxbl-lastexternal
[6254] dbg: dns: checking RBL sa-accredit.habeas.com., set
habeas-firsttrusted
[6254] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl
[6254] dbg: dns: checking RBL sa-other.bondedsender.org., set
bsp-untrusted
[6254] dbg: dns: checking RBL combined.njabl.org., set
njabl-lastexternal
[6254] dbg: dns: checking RBL combined.njabl.org., set njabl
[6254] dbg: dns: checking RBL
combined-HIB.dnsiplists.completewhois.com., set whois
[6254] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal
[6254] dbg: dns: checking RBL bl.spamcop.net., set spamcop
[6254] dbg: dns: checking RBL sa-trusted.bondedsender.org., set
bsp-firsttrusted
[6254] dbg: dns: checking RBL
combined-HIB.dnsiplists.completewhois.com., set whois-lastexternal
[6254] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal
[6254] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
[6254] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted
[6254] dbg: check: running tests for priority: 0
[6254] dbg: rules: running header regexp tests; score so far=0
[6254] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<"
[6254] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit:
"1165852068"
[6254] dbg: rules: ran header rule __SANE_MSGID ======> got hit:
"<1165852068.9447@spamassassin_spamd_init>
[6254] dbg: rules: "
[6254] dbg: rules: ran header rule NO_REAL_NAME ======> got hit:
"ignore@compiling.spamassassin.taint.org
[6254] dbg: rules: "
[6254] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit:
"@spamassassin_spamd_init>"
[6254] dbg: spf: no suitable relay for spf use found, skipping SPF-helo
check
[6254] dbg: eval: all '*From' addrs:
ignore@compiling.spamassassin.taint.org
[6254] dbg: eval: all '*To' addrs:
[6254] dbg: spf: no suitable relay for spf use found, skipping SPF check
[6254] dbg: rules: ran eval rule NO_RELAYS ======> got hit
[6254] dbg: spf: cannot get Envelope-From, cannot use SPF
[6254] dbg: spf: def_spf_whitelist_from: could not find useable envelope
sender
[6254] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit
[6254] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit
[6254] dbg: spf: spf_whitelist_from: could not find useable envelope
sender
[6254] dbg: rules: running body-text per-line regexp tests; score so
far=0.738
[6254] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I"
[6254] dbg: uri: running uri tests; score so far=0.738
[6254] dbg: rules: running raw-body-text per-line regexp tests; score so
far=0.738
[6254] dbg: rules: running full-text regexp tests; score so far=0.738
[6254] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[6254] dbg: info: entering helper-app run mode
[6254] dbg: pyzor: opening pipe: /usr/bin/pyzor check <
/tmp/.spamassassin6254O8KqKQtmp
[6255] dbg: util: setuid: ruid=0 euid=0
[6254] dbg: pyzor: [6255] finished: exit=0x0100
[6254] dbg: pyzor: got response: 66.250.40.33:24441 (200, 'OK') 0 0
[6254] dbg: info: leaving helper-app run mode
[6254] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa911e20)
implements 'check_tick'
[6254] dbg: check: running tests for priority: 500
[6254] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa911e20)
implements 'check_post_dnsbl'
[6254] dbg: rules: running meta tests; score so far=0.738
[6254] info: rules: meta test DIGEST_MULTIPLE has undefined dependency
'RAZOR2_CHECK'
[6254] info: rules: meta test DIGEST_MULTIPLE has undefined dependency
'DCC_CHECK'
[6254] dbg: rules: running header regexp tests; score so far=2.216
[6254] dbg: rules: running body-text per-line regexp tests; score so
far=2.216
[6254] dbg: uri: running uri tests; score so far=2.216
[6254] dbg: rules: running raw-body-text per-line regexp tests; score so
far=2.216
[6254] dbg: rules: running full-text regexp tests; score so far=2.216
[6254] dbg: check: running tests for priority: 1000
[6254] dbg: rules: running meta tests; score so far=2.216
[6254] dbg: rules: running header regexp tests; score so far=2.216
[6254] dbg: rules: running body-text per-line regexp tests; score so
far=2.216
[6254] dbg: uri: running uri tests; score so far=2.216
[6254] dbg: rules: running raw-body-text per-line regexp tests; score so
far=2.216
[6254] dbg: rules: running full-text regexp tests; score so far=2.216
[6254] dbg: check: is spam? score=2.216 required=5
[6254] dbg: check:
tests=MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS
,TO_CC_NONE
[6254] dbg: check:
subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,_
_SANE_MSGID,__UNUSABLE_MSGID
Undefined subroutine &MailScanner::CustomConfig::SQLWhitelist called at
/usr/lib/MailScanner/MailScanner/Config.pm line 121, <GEN35> line 31. 

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve
Freegard
Sent: Monday, December 11, 2006 3:31 PM
To: MailScanner discussion
Subject: Re: MailScanner Stuck

Hi Quintin,

Quintin Giesbrecht wrote:
> Further to this, I have done some testing, and if I turn Spam Check 
> off, then it seems to work, so it seems to be something with 
> SpamAssassin - although, a spamassassin --lint produces no errors.

Switch Spam Checks back on and run 'MailScanner --debug --debug-sa' and
see what it outputs.

Kind regards,
Steve.
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
From gmane at jerm.org  Mon Dec 11 22:01:33 2006
From: gmane at jerm.org (jerm)
Date: Mon Dec 11 22:05:22 2006
Subject: Have a hit from a rule but don't know from wich ruleset it comes
References: <EF1C82DB68BD96498ACC52CAF9D2B49E13166C@webmail.sks-systeme.de>
	<45743E0B.7060005@sendit.nodak.edu>
Message-ID: <loom.20061211T225604-414@post.gmane.org>



i've had the same problem recently.  The issue seems to be in a received line.

the client sent mail from their their dsl connection at
gak.64-212-98-78.dsl.goo.com 

thusly, the first received line reads approximately:
Received: from gak.64-212-98-78.dsl.goo.com [64.212.98.78]   etc....

the issie seems to be the inclusion of the IP address in the FQDN.  if i resend
this message with the same headers, but take out the 64-212-98.... secion from
the FQDN (not the bracketed IP address), it works just fine.  the IP matching or
being from a suspicious netblock seems to have no bearing on the problem

did you find anyithing else on this issue?


From alex at nkpanama.com  Mon Dec 11 21:08:40 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Mon Dec 11 22:09:03 2006
Subject: Autoreply
In-Reply-To: <019001c71d52$0d20ddd0$e401a8c0@twdnb01>
References: <019001c71d52$0d20ddd0$e401a8c0@twdnb01>
Message-ID: <457DC8D8.7030109@nkpanama.com>

That's a function for your MDA, not MailScanner.

If you *do* set up an autoreply, think about the following:

1. If you indiscriminately autoreply YOU WILL BE MARKED/DEALT WITH AS A 
SPAMMER BY MANY PEOPLE/SERVERS/RBL's. This is a matter of policy. For 
more info:

http://www.spamcop.net/fom-serve/cache/329.html

2. If you set it up using tools like the one in Webmin or at
http://vacation.sourceforge.net/
(which BTW just got updated for the first time in 5 years), remember to 
set up the program so that it DOESN'T REPLY TO MAILING LISTS (if 
possible), and so that IT DOESN'T REPLY TO THE SAME PERSON TWICE IN A 
SPECIFIED TIME FRAME, preferably at least a week. That way it's more 
difficult for loops to form because of badly misconfigured servers, 
programs, sysadmins or users.

You *will* be exposing yourself to abuse, so be very careful about it.

Rog?rio Wiethorn - TecnoWay Digital wrote:
> H?. There's some mailscanner function to create a autoreply message, 
> like vacation ?
>  
> Thanks
>  
> Rog?rio
> 
From sailer at bnl.gov  Mon Dec 11 22:09:32 2006
From: sailer at bnl.gov (Tim Sailer)
Date: Mon Dec 11 22:12:27 2006
Subject: MailScanner Stuck
In-Reply-To: <2BE78592B3B1824F97A2685E96221F620BD632@mail.snj.mb.ca>
References: <457DCE0B.10509@fsl.com>
	<2BE78592B3B1824F97A2685E96221F620BD632@mail.snj.mb.ca>
Message-ID: <20061211220932.GA21920@bnl.gov>

On Mon, Dec 11, 2006 at 03:48:49PM -0600, Quintin Giesbrecht wrote:
> Here is output from 'MailScanner --debug --debug-sa' as requested.  TIA.

> Undefined subroutine &MailScanner::CustomConfig::SQLWhitelist called at
> /usr/lib/MailScanner/MailScanner/Config.pm line 121, <GEN35> line 31. 

My guess would to fix the above error, and things will be OK...

Tim

-- 
Tim Sailer <sailer@bnl.gov> 
DoE Intelligence and Counterintelligence - Cyber Division
Northeast Regional Counterintelligence Office
Brookhaven National Laboratory  (631) 344-3001
From Denis.Beauchemin at USherbrooke.ca  Mon Dec 11 22:12:31 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Dec 11 22:12:46 2006
Subject: MailScanner Stuck
In-Reply-To: <2BE78592B3B1824F97A2685E96221F620BD632@mail.snj.mb.ca>
References: <2BE78592B3B1824F97A2685E96221F620BD632@mail.snj.mb.ca>
Message-ID: <457DD7CF.9040505@USherbrooke.ca>

Quintin Giesbrecht a ?crit :
> Here is output from 'MailScanner --debug --debug-sa' as requested.  TIA.
>
>
> ...
> Undefined subroutine &MailScanner::CustomConfig::SQLWhitelist called at
> /usr/lib/MailScanner/MailScanner/Config.pm line 121, <GEN35> line 31. 
>   
Quintin,

Looks like MS is calling an undefined function.  Did you put anything 
into "Always Looked Up Last =" in MailScanner.conf?

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061211/e4b3de81/smime.bin
From damian at workgroupsolutions.com  Mon Dec 11 22:46:14 2006
From: damian at workgroupsolutions.com (Damian Mendoza)
Date: Mon Dec 11 22:46:18 2006
Subject: MailScanner Stuck
In-Reply-To: <2BE78592B3B1824F97A2685E96221F6234E738@mail.snj.mb.ca>
Message-ID: <0C941442AC84A8449448BA2207DD4F4D19127D@core01.workgroupsolutions.com>

Quintan,

I have seen this happen on three installations lately and had to disable
all scanning for 500 messages to clear some messages out of the queues.
Once I enabled scanning, processing continued normally.

All three installations were being pounded with dictionary attacks. I
have since started verifying recipient email addresses.


Damian

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quintin
Giesbrecht
Sent: Monday, December 11, 2006 1:02 PM
To: MailScanner discussion
Subject: MailScanner Stuck

MailScanner seems to be stuck on one of my servers (a new build - FC6,
with the latest SA and MS builds).

The maillog keeps reading: New Batch: Scanning x messages, xxxx bytes

It never actually scans it, nor does it send it through.  Any ideas?

Thanks.

Quintin Giesbrecht
IT Manager
-----
Smith Neufeld Jodoin LLP
85 PTH 12 North
Steinbach, MB  R5G 1A7
Office:  204.326.3442
Direct Line:  204.346.5106
q@snj.ca
-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
From q at snj.ca  Mon Dec 11 22:47:28 2006
From: q at snj.ca (Quintin Giesbrecht)
Date: Mon Dec 11 22:47:25 2006
Subject: MailScanner Stuck
In-Reply-To: <457DD7CF.9040505@USherbrooke.ca>
Message-ID: <2BE78592B3B1824F97A2685E96221F620BD634@mail.snj.mb.ca>

Thanks!  I have MailWatch installed, and it turned out to be a misconfig on my part with MailWatch...it is working now.

Thanks!

Q 

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin
Sent: Monday, December 11, 2006 4:13 PM
To: MailScanner discussion
Subject: Re: MailScanner Stuck

Quintin Giesbrecht a ?crit :
> Here is output from 'MailScanner --debug --debug-sa' as requested.  TIA.
>
>
> ...
> Undefined subroutine &MailScanner::CustomConfig::SQLWhitelist called 
> at /usr/lib/MailScanner/MailScanner/Config.pm line 121, <GEN35> line 31.
>   
Quintin,

Looks like MS is calling an undefined function.  Did you put anything into "Always Looked Up Last =" in MailScanner.conf?

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


From chandler at chapman.edu  Tue Dec 12 00:22:20 2006
From: chandler at chapman.edu (Jay Chandler)
Date: Tue Dec 12 00:22:26 2006
Subject: Exchange Chokes on MailScanner Headers?
Message-ID: <457DF63C.9080705@chapman.edu>

Our Exchange guy (hidden safely behind the Mailscanner frontend that 
faces the outside world) has recently been complaining about the 
following recurring error in his logs:

Failed to create a new named property for database "Chapman Exchange 
Storage Group\Chapman Mailbox Store (CLUSTER1)" because the number of 
named properties reached the quota limit (11575).
 User attempting to create the named property: "SYSTEM"
 Named property GUID: 00020386-0000-0000-c000-000000000046
 Named property name/id: "X-Chapman-MailScanner"

EventID: 9667

Anyone seen this and have a quick fix before I go tearing into the 
crapulence known as the MS Knowledge Base and figure out Exchange's 
oddities?

-- 

Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: SCSI Chain overterminated 

From taz at taz-mania.com  Tue Dec 12 01:18:59 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Tue Dec 12 01:19:05 2006
Subject: Exchange Chokes on MailScanner Headers?
In-Reply-To: <457DF63C.9080705@chapman.edu>
Message-ID: <web-8900812@namesystems.net>

Try:
   http://support.microsoft.com/kb/820379



On Mon, 11 Dec 2006 16:22:20 -0800
  Jay Chandler <chandler@chapman.edu> wrote:
>Our Exchange guy (hidden safely behind the Mailscanner frontend that 
>faces the outside world) has recently been complaining about the 
>following recurring error in his logs:
>
>Failed to create a new named property for database "Chapman Exchange 
>Storage Group\Chapman Mailbox Store (CLUSTER1)" because the number of 
>named properties reached the quota limit (11575).
>User attempting to create the named property: "SYSTEM"
>  Named property GUID: 00020386-0000-0000-c000-000000000046
>Named property name/id: "X-Chapman-MailScanner"
>
>EventID: 9667
>
>Anyone seen this and have a quick fix before I go tearing into the 
>crapulence known as the MS Knowledge Base and figure out Exchange's 
>oddities?
>
>-- 
>
>Jay Chandler
>Network Administrator, Chapman University
>714.628.7249 / chandler@chapman.edu
>Today's Excuse: SCSI Chain overterminated 
>-- 
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website! 


--------------------------------------------------
Dennis Willson

taz@taz-mania.com
http://www.taz-mania.com

Ham (Extra Class): ka6lsw
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, 
Gas Blender

Owner: Kepnet Internet Services

Life should not be a journey to the grave with the intention of 
arriving safely in a nice looking and well preserved body, but rather 
to skid in broadside, thoroughly used up, totally worn out, and loudly 
proclaiming, "WOW! WHAT A RIDE!"
From glenn.steen at gmail.com  Tue Dec 12 01:20:40 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 12 01:20:44 2006
Subject: Exchange Chokes on MailScanner Headers?
In-Reply-To: <457DF63C.9080705@chapman.edu>
References: <457DF63C.9080705@chapman.edu>
Message-ID: <223f97700612111720o6137107cg39bc0244dc3145e2@mail.gmail.com>

On 12/12/06, Jay Chandler <chandler@chapman.edu> wrote:
> Our Exchange guy (hidden safely behind the Mailscanner frontend that
> faces the outside world) has recently been complaining about the
> following recurring error in his logs:
>
> Failed to create a new named property for database "Chapman Exchange
> Storage Group\Chapman Mailbox Store (CLUSTER1)" because the number of
> named properties reached the quota limit (11575).
>  User attempting to create the named property: "SYSTEM"
>  Named property GUID: 00020386-0000-0000-c000-000000000046
>  Named property name/id: "X-Chapman-MailScanner"
>
> EventID: 9667
>
> Anyone seen this and have a quick fix before I go tearing into the
> crapulence known as the MS Knowledge Base and figure out Exchange's
> oddities?
>
Why should you be doing his/her job?
Almost as funny as when me PC-snivelers, uh... Windows admins...
started complaining that my trusty ol' NTP server was at fault when
the event log on a couple of new DCs/other crap started filling with
complaints about the "unreacheability"/unsyncability" of time....
After a 5 minutes googling I turned up that the bozos had used "net
time /setsntp:..." where they should be using "w32tm ....". Sigh.
They at least had the decency to blush when I told them (off!).

Same here, AFAICS. A quick google shows that you should be pointing
that M-Sexchange person in the direction of
http://support.microsoft.com/default.aspx?kbid=820379 .... Be sure to
tell that person that this is indeed another fine Miss Feature by
M$:-).

HtH
Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From dhawal at netmagicsolutions.com  Tue Dec 12 07:24:55 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Tue Dec 12 07:25:22 2006
Subject: Autoreply
In-Reply-To: <457DC8D8.7030109@nkpanama.com>
References: <019001c71d52$0d20ddd0$e401a8c0@twdnb01>
	<457DC8D8.7030109@nkpanama.com>
Message-ID: <457E5947.1000700@netmagicsolutions.com>

Alex Neuman van der Hans wrote:
> That's a function for your MDA, not MailScanner.
> 
> If you *do* set up an autoreply, think about the following:
> 
> 1. If you indiscriminately autoreply YOU WILL BE MARKED/DEALT WITH AS A 
> SPAMMER BY MANY PEOPLE/SERVERS/RBL's. This is a matter of policy. For 
> more info:
> 
> http://www.spamcop.net/fom-serve/cache/329.html
> 
> 2. If you set it up using tools like the one in Webmin or at
> http://vacation.sourceforge.net/
> (which BTW just got updated for the first time in 5 years), remember to 
> set up the program so that it DOESN'T REPLY TO MAILING LISTS (if 
> possible), and so that IT DOESN'T REPLY TO THE SAME PERSON TWICE IN A 
> SPECIFIED TIME FRAME, preferably at least a week. That way it's more 
> difficult for loops to form because of badly misconfigured servers, 
> programs, sysadmins or users.
> 
> You *will* be exposing yourself to abuse, so be very careful about it.

A best practice for autoresponders.. IMO
http://groups.google.com/group/list.postfix.users/msg/676fb5a12a4a6ac4?dmode=source

- dhawal
From gmatt at nerc.ac.uk  Tue Dec 12 11:10:15 2006
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Tue Dec 12 11:10:26 2006
Subject: MailScanner ANNOUNCE: 4.57 released
In-Reply-To: <4571B547.1090804@ecs.soton.ac.uk>
References: <4571B547.1090804@ecs.soton.ac.uk>
Message-ID: <457E8E17.9020703@nerc.ac.uk>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I have just released a new stable version 4.57.

anyone else having trouble verifying the pgp signature?

# gpg -vv --verify MailScanner-4.57.6-1.rpm.tar.gz.sig
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: PGP Desktop 9.5.1 (Build 1557)
:marker packet:
  50 47 50
:onepass_sig packet: keyid 11F659471415B654
         version 3, sigclass 00, digest 2, pubkey 17, last=1
:signature packet: algo 17, keyid 11F659471415B654
         version 3, created 1165079244, md5len 5, sigclass 00
         digest algo 2, begin of digest f9 14
         data: [160 bits]
         data: [160 bits]
gpg: assuming signed data in `MailScanner-4.57.6-1.rpm.tar.gz'
gpg: can't handle this ambiguous signature data


-- 
Greg Matthews           01491 692445
Head of UNIX/Linux, iTSS Wallingford

-- 
This message (and any attachments) is for the recipient only. NERC
is subject to the Freedom of Information Act 2000 and the contents
of this email and any reply you make may be disclosed by NERC unless
it is exempt from release under the Act. Any material supplied to
NERC may be stored in an electronic records management system.

From glenn.steen at gmail.com  Tue Dec 12 12:10:31 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 12 12:10:34 2006
Subject: MailScanner ANNOUNCE: 4.57 released
In-Reply-To: <457E8E17.9020703@nerc.ac.uk>
References: <4571B547.1090804@ecs.soton.ac.uk> <457E8E17.9020703@nerc.ac.uk>
Message-ID: <223f97700612120410j32a51eb5s88e959ebfeda228f@mail.gmail.com>

On 12/12/06, Greg Matthews <gmatt@nerc.ac.uk> wrote:
> Julian Field wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I have just released a new stable version 4.57.
>
> anyone else having trouble verifying the pgp signature?
>
> # gpg -vv --verify MailScanner-4.57.6-1.rpm.tar.gz.sig
> gpg: armor: BEGIN PGP SIGNATURE
> gpg: armor header: Version: PGP Desktop 9.5.1 (Build 1557)
> :marker packet:
>   50 47 50
> :onepass_sig packet: keyid 11F659471415B654
>          version 3, sigclass 00, digest 2, pubkey 17, last=1
> :signature packet: algo 17, keyid 11F659471415B654
>          version 3, created 1165079244, md5len 5, sigclass 00
>          digest algo 2, begin of digest f9 14
>          data: [160 bits]
>          data: [160 bits]
> gpg: assuming signed data in `MailScanner-4.57.6-1.rpm.tar.gz'
> gpg: can't handle this ambiguous signature data
>
>
Same here. Didn't look further (apart from checking that Jules hasn't
changed his public (-ly available) key.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From alex at nkpanama.com  Tue Dec 12 14:26:35 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Tue Dec 12 14:42:45 2006
Subject: Autoreply
In-Reply-To: <457E5947.1000700@netmagicsolutions.com>
References: <019001c71d52$0d20ddd0$e401a8c0@twdnb01>	<457DC8D8.7030109@nkpanama.com>
	<457E5947.1000700@netmagicsolutions.com>
Message-ID: <457EBC1B.5020004@nkpanama.com>

Anything you can recommend that complies with these guidelines?

Dhawal Doshy wrote:
> Alex Neuman van der Hans wrote:
>> That's a function for your MDA, not MailScanner.
>>
>> If you *do* set up an autoreply, think about the following:
>>
>> 1. If you indiscriminately autoreply YOU WILL BE MARKED/DEALT WITH AS 
>> A SPAMMER BY MANY PEOPLE/SERVERS/RBL's. This is a matter of policy. 
>> For more info:
>>
>> http://www.spamcop.net/fom-serve/cache/329.html
>>
>> 2. If you set it up using tools like the one in Webmin or at
>> http://vacation.sourceforge.net/
>> (which BTW just got updated for the first time in 5 years), remember 
>> to set up the program so that it DOESN'T REPLY TO MAILING LISTS (if 
>> possible), and so that IT DOESN'T REPLY TO THE SAME PERSON TWICE IN A 
>> SPECIFIED TIME FRAME, preferably at least a week. That way it's more 
>> difficult for loops to form because of badly misconfigured servers, 
>> programs, sysadmins or users.
>>
>> You *will* be exposing yourself to abuse, so be very careful about it.
> 
> A best practice for autoresponders.. IMO
> http://groups.google.com/group/list.postfix.users/msg/676fb5a12a4a6ac4?dmode=source 
> 
> 
> - dhawal
From Denis.Beauchemin at USherbrooke.ca  Tue Dec 12 14:57:35 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Dec 12 15:13:59 2006
Subject: New ClamAV out
Message-ID: <457EC35F.90606@USherbrooke.ca>

Release Name: 0.88.7

Hello all,

Our security guy pointed the following advisory for Clam 0.88.6 and 
prior versions: http://www.frsirt.com/english/advisories/2006/4948
Clam AntiVirus MIME Attachments Handling Remote Denial of Service 
Vulnerability

This comes from Clam 0.88.7:
This version improves scanning of mail and tar files.

Changes:
Mon Dec 11 02:47:03 CET 2006
----------------------------
  * Bugfixes:
    - libclamav/message.c: handle consecutive errors in base64 decoding
    - libclamav/mbox.c: honour recursion limit when scanning email messages
    - clamscan: new option --mail-max-recursion
    - clamd/clamav-milter: new option MailMaxRecursion
    - libclamav/untar.c: honour archive limits

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061212/e22f5261/smime.bin
From drozk at moeller.com  Tue Dec 12 15:14:47 2006
From: drozk at moeller.com (Kevin Droz)
Date: Tue Dec 12 15:16:18 2006
Subject: No Message Collected
Message-ID: <00e701c71e00$4377b3a0$965d5c5c@MOELLER.COM>

 
 
I just upgraded to MailScanner 4.57-61 and getting e-mails saying "No
Messages Collected"
 
I looked in my Mail Log and found the following entries:
 
Unlinking /var/spool/mqueue.in/qfkBCE9KPU012323 failed: No such file or
directory

kBCE9KPU012323: SYSERR(root): readqf: cannot open ./dfkBCE9KPU012323: No
such file or directory
 
 
Any ideas?
 
Thanks,
Kevin
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061212/35c7f74e/attachment.html
From samp at arial-concept.com  Tue Dec 12 17:33:46 2006
From: samp at arial-concept.com (Sam Przyswa)
Date: Tue Dec 12 17:34:07 2006
Subject: MailScanner spam filtering and Thunderbird undesirable mails
Message-ID: <457EE7FA.3030500@arial-concept.com>

Hi,

I'm not sure that my MailScanner/Spamassassin is well configured, on a 
machine the command "sa-learn --dump all" return that:

<18:03:19>root@mjc-idf ~ >sa-learn --dump all
0.000          0          3          0  non-token data: bayes db version
0.000          0          0          0  non-token data: nspam
0.000          0          2          0  non-token data: nham
0.000          0        502          0  non-token data: ntokens
0.000          0 1158007683          0  non-token data: oldest atime
0.000          0 1158007690          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal 
sync atime
0.000          0          0          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire 
atime delta
0.000          0          0          0  non-token data: last expire 
reduction count
0.500          0          1 1158007683  5a2a12092d
0.500          0          2 1158007690  87450837a1
0.500          0          1 1158007683  8492dae09c
...

With:
SpamAssassin version 3.1.4
  running on Perl version 5.8.8

On that machine the spam filtering seems working fine.

On other machine the command "sa-learn --dump all" give me only that:

root@soleil:/tmp# root@soleil:/etc/MailScanner# sa-learn --dump all
0.000          0          3          0  non-token data: bayes db version
0.000          0          0          0  non-token data: nspam
0.000          0          0          0  non-token data: nham
0.000          0          0          0  non-token data: ntokens
0.000          0          0          0  non-token data: oldest atime
0.000          0          0          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal 
sync atime
0.000          0          0          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire 
atime delta
0.000          0          0          0  non-token data: last expire 
reduction count

With:
SpamAssassin version 3.1.0
  running on Perl version 5.8.7

With this machine my Mozilla-thunderbird find lot of undesirable mails, 
does Thunderbird is more effective than MailScanner/Spamassassin or my 
setup is bad configured ?

Thanks in advance for your help.

Sam.



-- 
Ce message a ?t? v?rifi? par MailScanner
pour des virus ou des polluriels et rien de
suspect n'a ?t? trouv?.

From ssilva at sgvwater.com  Tue Dec 12 17:59:45 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 12 18:00:19 2006
Subject: MailScanner spam filtering and Thunderbird undesirable mails
In-Reply-To: <457EE7FA.3030500@arial-concept.com>
References: <457EE7FA.3030500@arial-concept.com>
Message-ID: <elmqmh$3gq$1@sea.gmane.org>

Sam Przyswa spake the following on 12/12/2006 9:33 AM:
> Hi,
> 
> I'm not sure that my MailScanner/Spamassassin is well configured, on a
> machine the command "sa-learn --dump all" return that:
> 
> <18:03:19>root@mjc-idf ~ >sa-learn --dump all
> 0.000          0          3          0  non-token data: bayes db version
> 0.000          0          0          0  non-token data: nspam
> 0.000          0          2          0  non-token data: nham
> 0.000          0        502          0  non-token data: ntokens
> 0.000          0 1158007683          0  non-token data: oldest atime
> 0.000          0 1158007690          0  non-token data: newest atime
> 0.000          0          0          0  non-token data: last journal
> sync atime
> 0.000          0          0          0  non-token data: last expiry atime
> 0.000          0          0          0  non-token data: last expire
> atime delta
> 0.000          0          0          0  non-token data: last expire
> reduction count
> 0.500          0          1 1158007683  5a2a12092d
> 0.500          0          2 1158007690  87450837a1
> 0.500          0          1 1158007683  8492dae09c
> ...
> 
> With:
> SpamAssassin version 3.1.4
>  running on Perl version 5.8.8
> 
> On that machine the spam filtering seems working fine.
> 
> On other machine the command "sa-learn --dump all" give me only that:
> 
> root@soleil:/tmp# root@soleil:/etc/MailScanner# sa-learn --dump all
> 0.000          0          3          0  non-token data: bayes db version
> 0.000          0          0          0  non-token data: nspam
> 0.000          0          0          0  non-token data: nham
> 0.000          0          0          0  non-token data: ntokens
> 0.000          0          0          0  non-token data: oldest atime
> 0.000          0          0          0  non-token data: newest atime
> 0.000          0          0          0  non-token data: last journal
> sync atime
> 0.000          0          0          0  non-token data: last expiry atime
> 0.000          0          0          0  non-token data: last expire
> atime delta
> 0.000          0          0          0  non-token data: last expire
> reduction count
> 
> With:
> SpamAssassin version 3.1.0
>  running on Perl version 5.8.7
> 
> With this machine my Mozilla-thunderbird find lot of undesirable mails,
> does Thunderbird is more effective than MailScanner/Spamassassin or my
> setup is bad configured ?
> 
> Thanks in advance for your help.
> 
> Sam.
> 
> 
> 
You have almost no bayes data. Here is a --dump magic from one of my lesser
hit servers;

0.000          0          3          0  non-token data: bayes db version
0.000          0     230194          0  non-token data: nspam
0.000          0     148815          0  non-token data: nham
0.000          0     193563          0  non-token data: ntokens
0.000          0 1165425289          0  non-token data: oldest atime
0.000          0 1165946146          0  non-token data: newest atime
0.000          0 1165945429          0  non-token data: last journal sync atime
0.000          0 1165864479          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction
count

As you can see, the nham and nspam counts are in the six figure range.
Could you be running spamassassin as another user, and maybe you dumped the
wrong database?

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From vlad at mazek.com  Tue Dec 12 18:25:40 2006
From: vlad at mazek.com (Vlad Mazek)
Date: Tue Dec 12 18:25:54 2006
Subject: MailScanner with sendmail multiple queues
Message-ID: <457EF424.8020208@mazek.com>

About a month ago someone here was talking about MailScanner working 
with multiple sendmail queues - and separating RBL mail into a secondary 
low priority queue to speed up scanning and give priority to mail that 
wasn't on any RBL's.

Did that project make any headway, is there additional info on it, 
performance, etc?
From Denis.Beauchemin at USherbrooke.ca  Tue Dec 12 18:54:19 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Dec 12 18:54:44 2006
Subject: New ClamAV out
In-Reply-To: <457EC35F.90606@USherbrooke.ca>
References: <457EC35F.90606@USherbrooke.ca>
Message-ID: <457EFADB.5090400@USherbrooke.ca>

Denis Beauchemin a ?crit :
> Release Name: 0.88.7
>
> Hello all,
>
> Our security guy pointed the following advisory for Clam 0.88.6 and 
> prior versions: http://www.frsirt.com/english/advisories/2006/4948
> Clam AntiVirus MIME Attachments Handling Remote Denial of Service 
> Vulnerability
>
> This comes from Clam 0.88.7:
> This version improves scanning of mail and tar files.
>
> Changes:
> Mon Dec 11 02:47:03 CET 2006
> ----------------------------
>  * Bugfixes:
>    - libclamav/message.c: handle consecutive errors in base64 decoding
>    - libclamav/mbox.c: honour recursion limit when scanning email 
> messages
>    - clamscan: new option --mail-max-recursion
>    - clamd/clamav-milter: new option MailMaxRecursion
>    - libclamav/untar.c: honour archive limits
>
> Denis
>
Just wanted to let you know that there seems to be a problem with the 
new ClamAV and ZIP files: I get a lot of:
Dec 12 12:37:52 132.210.244.93 MailScanner[31880]: 
ClamAVModule::INFECTED:: Oversized.Zip:: 
./kBCHaqdS004063/BIOMETISS_BIOREACTEUR_07-12-2006.zip

I had none yesterday and I have 20 since upgrading Clam this morning.

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061212/ada9e5bb/smime.bin
From glenn.steen at gmail.com  Tue Dec 12 20:22:37 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 12 20:22:47 2006
Subject: No Message Collected
In-Reply-To: <00e701c71e00$4377b3a0$965d5c5c@MOELLER.COM>
References: <00e701c71e00$4377b3a0$965d5c5c@MOELLER.COM>
Message-ID: <223f97700612121222u7c22104dyd39d6aee02234d5a@mail.gmail.com>

On 12/12/06, Kevin Droz <drozk@moeller.com> wrote:
>
>
>
>
> I just upgraded to MailScanner 4.57-61 and getting e-mails saying "No
> Messages Collected"
>
> I looked in my Mail Log and found the following entries:
>
> Unlinking /var/spool/mqueue.in/qfkBCE9KPU012323 failed: No
> such file or directory
> kBCE9KPU012323: SYSERR(root): readqf: cannot open ./dfkBCE9KPU012323: No
> such file or directory
>
>
> Any ideas?
>
> Thanks,
> Kevin
>
Two things come to mind: Lock Type? And you don't have a "non
MailScanner sendmail" running as well as the MailScanner one?

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From drozk at moeller.com  Tue Dec 12 20:58:35 2006
From: drozk at moeller.com (Kevin Droz)
Date: Tue Dec 12 20:58:47 2006
Subject: No Message Collected
In-Reply-To: <223f97700612121222u7c22104dyd39d6aee02234d5a@mail.gmail.com>
Message-ID: <020e01c71e30$4a9f3600$965d5c5c@MOELLER.COM>

 
I have only 1 sendmail running. Explain Lock Types?

Thanks,
Kevin 

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Tuesday, December 12, 2006 3:23 PM
To: MailScanner discussion
Subject: Re: No Message Collected

On 12/12/06, Kevin Droz <drozk@moeller.com> wrote:
>
>
>
>
> I just upgraded to MailScanner 4.57-61 and getting e-mails saying "No 
> Messages Collected"
>
> I looked in my Mail Log and found the following entries:
>
> Unlinking /var/spool/mqueue.in/qfkBCE9KPU012323 failed: No such file 
> or directory
> kBCE9KPU012323: SYSERR(root): readqf: cannot open ./dfkBCE9KPU012323: 
> No such file or directory
>
>
> Any ideas?
>
> Thanks,
> Kevin
>
Two things come to mind: Lock Type? And you don't have a "non MailScanner
sendmail" running as well as the MailScanner one?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

From TGFurnish at herffjones.com  Tue Dec 12 21:59:56 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Tue Dec 12 22:00:06 2006
Subject: Is this really how bayes+autolearn works?
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC564@inex3.herffjones.hj-int>

My Bayes db seems to consistently start assigning BAYES_00 (-2.6) to
messages that are simple plain text messages you'd think would be easily
caught.  The messages are all seemingly almost identical.  They're
coming from bots, and only a small percentage of them are caught by
other SA rules.
 
Does that mean that they're being auto-learned as Ham and then
cancelling out my attempts to teach Bayes later that this is spam?  Out
of the many thousands that flood in, I'm only able to retrain bayes
using a small percentage (because only a small subset of my users drag
spam into the retraining system consistently).
 
The reason they're not caught by other SA rules is because they're
coming from bots.  Many of the samples I've looked at also wouldn't have
been caught John Rudd's Botnet plugin.

So Bayes is getting lots of messages that SA doesn't detect as spam, and
only a few similar messages that I train it to treat as spam.  Is this a
plausible explanation for why Bayes would consistently be misclassifying
this mail?
 
So far the floods start in the afternoon and the subject strings are
consistent enough that I'm able to correct the damage by:
    - removing my bayes database and retraining from archived spam
corpus (slow)
    - creating custom rules to, for example, filter out "Subject =~
/Good Morning/" (dangerous)
 
--
Trever Furnish, tgfurnish@herffjones.com
Herff Jones, Inc. Unix / Network Administrator
Phone: 317.612.3519
Any sufficiently advanced technology is indistinguishable from Unix.
From pete at enitech.com.au  Tue Dec 12 22:10:34 2006
From: pete at enitech.com.au (Peter Russell)
Date: Tue Dec 12 22:10:41 2006
Subject: OT: REGEXP 
Message-ID: <457F28DA.4080002@enitech.com.au>

I have postfix recipient maps and some one on here once helped me format 
the content using regexp so i could create one entry that covered 
multiple formats. I need to change that but am almost clueless as to how.

Could some one offer a suggestion on how to write the following as a regexp.

Current				Required
user@domain.com	OK		user@domain.com		OK
				user@domain.com.au	OK

Is the REGEXP something like
/user@domain/.[com|/.com/.au]	OK

Appreciate any suggestions
Pete
From ssilva at sgvwater.com  Tue Dec 12 22:41:24 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 12 22:41:52 2006
Subject: No Message Collected
In-Reply-To: <020e01c71e30$4a9f3600$965d5c5c@MOELLER.COM>
References: <223f97700612121222u7c22104dyd39d6aee02234d5a@mail.gmail.com>
	<020e01c71e30$4a9f3600$965d5c5c@MOELLER.COM>
Message-ID: <elnb6j$3jo$1@sea.gmane.org>

Kevin Droz spake the following on 12/12/2006 12:58 PM:
>  
> I have only 1 sendmail running. Explain Lock Types?
> 
> Thanks,
> Kevin 
> 
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
> Sent: Tuesday, December 12, 2006 3:23 PM
> To: MailScanner discussion
> Subject: Re: No Message Collected
> 
> On 12/12/06, Kevin Droz <drozk@moeller.com> wrote:
>>
>>
>>
>> I just upgraded to MailScanner 4.57-61 and getting e-mails saying "No 
>> Messages Collected"
>>
>> I looked in my Mail Log and found the following entries:
>>
>> Unlinking /var/spool/mqueue.in/qfkBCE9KPU012323 failed: No such file 
>> or directory
>> kBCE9KPU012323: SYSERR(root): readqf: cannot open ./dfkBCE9KPU012323: 
>> No such file or directory
>>
>>
>> Any ideas?
>>
>> Thanks,
>> Kevin
>>
> Two things come to mind: Lock Type? And you don't have a "non MailScanner
> sendmail" running as well as the MailScanner one?
> 
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 
> 
In the mailscanner.conf file is a section on file locking;

# How to lock spool files.
# Don't set this unless you *know* you need to.
# For sendmail, it defaults to "posix".
# For sendmail 8.12 and older, you will probably need to change it to flock,
# particularly on Linux systems.
# For Exim, it defaults to "posix".
# No other type is implemented.
Lock Type = posix

But set the lock type to one or the other. I have seen some systems not set
the proper default. This is only for linux systems.


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mkettler at evi-inc.com  Tue Dec 12 22:45:22 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Dec 12 22:45:35 2006
Subject: OT: REGEXP
In-Reply-To: <457F28DA.4080002@enitech.com.au>
References: <457F28DA.4080002@enitech.com.au>
Message-ID: <457F3102.5090508@evi-inc.com>

Peter Russell wrote:
> I have postfix recipient maps and some one on here once helped me format
> the content using regexp so i could create one entry that covered
> multiple formats. I need to change that but am almost clueless as to how.
> 
> Could some one offer a suggestion on how to write the following as a
> regexp.
> 
> Current                Required
> user@domain.com    OK        user@domain.com        OK
>                 user@domain.com.au    OK
> 
> Is the REGEXP something like
> /user@domain/.[com|/.com/.au]    OK

Disclaimer: I know regexes VERY well, but postfix not at all.

That regex is pretty hosed.

1) use \ not / in front of .'s that you want to be literals. / begins and ENDS
the regex.

Fixing error 1  we get:
/user@domain\.[com|\.com\.au]/

2) [] is used for character ranges, so [com|/.com/.au] will match 1 character,
as long as it's one of the characters contained between the braces. You really
want () for this kind of thing.

Fixing error 2 we get:
/user@domain\.(com|\.com\.au)/

3) you have a logic bomb in the () section here. In order to match "com.au"
you'd wind up matching domain..com.au. Two .'s required because there's already
one out before the ()'s.

Fixing error 3:

/user@domain\.(com|com\.au)/

4) Inefficient use of (|). Both clauses start with "com". Ordinarily you'd
eliminate that and move it outside the (), but this would make the first clause
empty.. so, we'll ditch the (|) entirely and use ()? instead.

/user@domain\.com(\.au)?/

5) Inefficient use of a trailing ? expression. Generally speaking regexes match
substrings, so any ? or * expression at the beginning or end of a regex is
irrelevant. Provided there's not some weirdness in postfix that forces regexes
to match full-text, you can simplify further to:

/user@domain\.com/

Which would match "user@domain.com" "user@domain.com.au" or
even"anythingintheworld-user@domain.com-anythingelseintheworld".

6) If the substring matching pointed out in 5 is over-broad for you, you can fix
4 by ending anchors for beginning and end of input:

/^user@domain\.com(\.au)?$/

That will only match exactly "user@domain.com" or "user@domain.com.au"
From ssilva at sgvwater.com  Tue Dec 12 22:45:11 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 12 22:50:10 2006
Subject: Is this really how bayes+autolearn works?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC564@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC564@inex3.herffjones.hj-int>
Message-ID: <elnbdn$3jo$2@sea.gmane.org>

Furnish, Trever G spake the following on 12/12/2006 1:59 PM:
> My Bayes db seems to consistently start assigning BAYES_00 (-2.6) to
> messages that are simple plain text messages you'd think would be easily
> caught.  The messages are all seemingly almost identical.  They're
> coming from bots, and only a small percentage of them are caught by
> other SA rules.
>  
> Does that mean that they're being auto-learned as Ham and then
> cancelling out my attempts to teach Bayes later that this is spam?  Out
> of the many thousands that flood in, I'm only able to retrain bayes
> using a small percentage (because only a small subset of my users drag
> spam into the retraining system consistently).
>  
> The reason they're not caught by other SA rules is because they're
> coming from bots.  Many of the samples I've looked at also wouldn't have
> been caught John Rudd's Botnet plugin.
> 
> So Bayes is getting lots of messages that SA doesn't detect as spam, and
> only a few similar messages that I train it to treat as spam.  Is this a
> plausible explanation for why Bayes would consistently be misclassifying
> this mail?
>  
> So far the floods start in the afternoon and the subject strings are
> consistent enough that I'm able to correct the damage by:
>     - removing my bayes database and retraining from archived spam
> corpus (slow)
>     - creating custom rules to, for example, filter out "Subject =~
> /Good Morning/" (dangerous)
>  
I also see a lot of spam coming from bots, but I consistently catch most of
it. Are you using some good add-on rules?
Do you have any samples that some of us could run through our systems to see
what we get?


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From gmane at tippingmar.com  Tue Dec 12 22:56:30 2006
From: gmane at tippingmar.com (Mark Nienberg)
Date: Tue Dec 12 22:56:58 2006
Subject: New ClamAV out
In-Reply-To: <457EFADB.5090400@USherbrooke.ca>
References: <457EC35F.90606@USherbrooke.ca> <457EFADB.5090400@USherbrooke.ca>
Message-ID: <elnc2u$6op$1@sea.gmane.org>

Denis Beauchemin wrote:

> Just wanted to let you know that there seems to be a problem with the 
> new ClamAV and ZIP files: I get a lot of:
> Dec 12 12:37:52 132.210.244.93 MailScanner[31880]: 
> ClamAVModule::INFECTED:: Oversized.Zip:: 
> ./kBCHaqdS004063/BIOMETISS_BIOREACTEUR_07-12-2006.zip
> 
> I had none yesterday and I have 20 since upgrading Clam this morning.

Have you tried increasing the
ClamAVmodule Maximum Compression Ratio = 250
setting in MailScanner.conf?

Mark

From glenn.steen at gmail.com  Wed Dec 13 08:43:15 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 13 08:43:19 2006
Subject: OT: REGEXP
In-Reply-To: <457F3102.5090508@evi-inc.com>
References: <457F28DA.4080002@enitech.com.au> <457F3102.5090508@evi-inc.com>
Message-ID: <223f97700612130043v7c9f4829ub697df98969ba7b4@mail.gmail.com>

On 12/12/06, Matt Kettler <mkettler@evi-inc.com> wrote:
> Peter Russell wrote:
> > I have postfix recipient maps and some one on here once helped me format
> > the content using regexp so i could create one entry that covered
> > multiple formats. I need to change that but am almost clueless as to how.
> >
> > Could some one offer a suggestion on how to write the following as a
> > regexp.
> >
> > Current                Required
> > user@domain.com    OK        user@domain.com        OK
> >                 user@domain.com.au    OK
> >
> > Is the REGEXP something like
> > /user@domain/.[com|/.com/.au]    OK
>
> Disclaimer: I know regexes VERY well, but postfix not at all.
Well, I'll comment on the postfix side then:-). ISTR I was the one
helping Pete out last time:-).
(snip)
> Provided there's not some weirdness in postfix that forces regexes
> to match full-text, you can simplify further to:
No "weirdness" to talk about. Postfix supports both POSIX regexps and
Perl compatible regexps ("man regexp_table pcre_table" shows the
difference in the postfix config, "man [5|7] regex" or "man 7
re_format" (or similar, depending on OS) documents POSIX REs, while
the usual perl docs on REs document the pcre part).
In an access type file, one needs to remember that when using REs,
postfix will not do the "magic exploding" of the address into its
constituent parts (local/domain etc), but other than that... No real
weirdness at all;-).

> 6) If the substring matching pointed out in 5 is over-broad for you, you can fix
> 4 by ending anchors for beginning and end of input:
>
> /^user@domain\.com(\.au)?$/
>
> That will only match exactly "user@domain.com" or "user@domain.com.au"

This is the one I'd recommend you to use Pete.
Keep in mind that although the RE tables are easier to maintain, the
indexed ones are faster, and have some "magic" to make rules based on
part(s) of the address. I wont deny that it'd be a two-line thing for
this case, though... If you generate them with a script (and the set
is fairly huge), you'd perhaps best try and time lookups on the
different table types as described in the respective man pages ("less
/etc/postfix/access" should contain the info on a regular indexed
access file).

Other than that... You'll be very well off with Matts (excellently
explained) RE above.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From sujithem at cdacb.ernet.in  Wed Dec 13 08:45:10 2006
From: sujithem at cdacb.ernet.in (Sujith Emmanuel)
Date: Wed Dec 13 08:45:12 2006
Subject: OT: mail server /var/mail
Message-ID: <1d1e72700612130045o6ef88bcepde7480d6f4e7d1b5@mail.gmail.com>

Dear all,

     Sorry for the OT topic, but i thought it'll hard to look for better
mailadmins outside this group.
     I have a mail server on solaris 2.8. Sometimes my /var/mail/ folder
becomes very big. As far as my little knowledge is concerned, /var/mail is
used for storing unread mails and /export/home for actual mbox after reading
the mail. But even after people reads their mail, it is still left at
/var/mail.
     What i do now when the size becomes huge is to ask the users to delete
some of their mails. Can anyone point me in the right direction? btw, most
of the users use pine for checking mail.

Thanks and Regards
Sujith Emmanuel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/262e7243/attachment.html
From martinh at solidstatelogic.com  Wed Dec 13 09:18:50 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Dec 13 09:19:06 2006
Subject: OT: mail server /var/mail
In-Reply-To: <1d1e72700612130045o6ef88bcepde7480d6f4e7d1b5@mail.gmail.com>
References: <1d1e72700612130045o6ef88bcepde7480d6f4e7d1b5@mail.gmail.com>
Message-ID: <457FC57A.6020308@solidstatelogic.com>

Sujith Emmanuel wrote:
> Dear all,
> 
>      Sorry for the OT topic, but i thought it'll hard to look for better 
> mailadmins outside this group.
>      I have a mail server on solaris 2.8. Sometimes my /var/mail/ folder 
> becomes very big. As far as my little knowledge is concerned, /var/mail 
> is used for storing unread mails and /export/home for actual mbox after 
> reading the mail. But even after people reads their mail, it is still 
> left at /var/mail.
>      What i do now when the size becomes huge is to ask the users to 
> delete some of their mails. Can anyone point me in the right direction? 
> btw, most of the users use pine for checking mail.
> 
> Thanks and Regards
> Sujith Emmanuel
> 
Hi

depends on how you pop/imap server works as to where it keeps email 
after reading. Perhaps you can say which program you use as the pop or 
imap server.

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From res at ausics.net  Wed Dec 13 10:08:42 2006
From: res at ausics.net (Res)
Date: Wed Dec 13 10:08:52 2006
Subject: OT: mail server /var/mail
In-Reply-To: <1d1e72700612130045o6ef88bcepde7480d6f4e7d1b5@mail.gmail.com>
References: <1d1e72700612130045o6ef88bcepde7480d6f4e7d1b5@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.0612132004150.3210@ebfjryy.nhfvpf.arg>

On Wed, 13 Dec 2006, Sujith Emmanuel wrote:

>    What i do now when the size becomes huge is to ask the users to delete
> some of their mails. Can anyone point me in the right direction? btw, most
> of the users use pine for checking mail.

Enforce system quotas, depends on what you call big as well, perhaps just 
use larger disk(s) or SAN, 3TB /var/mail wont fill up that quick when 
combined with quotas.


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From sujithem at cdacb.ernet.in  Wed Dec 13 10:38:03 2006
From: sujithem at cdacb.ernet.in (Sujith Emmanuel)
Date: Wed Dec 13 10:38:09 2006
Subject: OT: mail server /var/mail
In-Reply-To: <457FC57A.6020308@solidstatelogic.com>
References: <1d1e72700612130045o6ef88bcepde7480d6f4e7d1b5@mail.gmail.com>
	<457FC57A.6020308@solidstatelogic.com>
Message-ID: <1d1e72700612130238p6c0ad296i3990016dde6cf332@mail.gmail.com>

Hi,

    Thanks for the reply, am using uw-imap 2001a for imap ipop3. Most
of the time people check mail using pine ie login into the server
directly through ssh and use pine.

Thanks and Regards
Sujith Emmanuel

On 12/13/06, Martin Hepworth <martinh@solidstatelogic.com> wrote:
> Hi
>
> depends on how you pop/imap server works as to where it keeps email
> after reading. Perhaps you can say which program you use as the pop or
> imap server.
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
From martinh at solidstatelogic.com  Wed Dec 13 10:51:05 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Dec 13 10:51:20 2006
Subject: OT: mail server /var/mail
In-Reply-To: <1d1e72700612130238p6c0ad296i3990016dde6cf332@mail.gmail.com>
References: <1d1e72700612130045o6ef88bcepde7480d6f4e7d1b5@mail.gmail.com>	<457FC57A.6020308@solidstatelogic.com>
	<1d1e72700612130238p6c0ad296i3990016dde6cf332@mail.gmail.com>
Message-ID: <457FDB19.8090201@solidstatelogic.com>

Sujith Emmanuel wrote:
> Hi,
> 
>    Thanks for the reply, am using uw-imap 2001a for imap ipop3. Most
> of the time people check mail using pine ie login into the server
> directly through ssh and use pine.
> 
> Thanks and Regards
> Sujith Emmanuel
> 

ah yes, UW-imap will keep people's inbox's in /var/spool/mail (or 
whereever the default spool file is) when using imap, any other folders 
get created in the home directory of the user.

Given they login to the server first, might be useful to move people to 
pop3 access then all the email with get moved to their home dirs.

Another thing is get people to delete stuff, move stuff to other folders 
and/or use quota's.

I think this is a common problem for mail-admins the world over, people 
don't know how to process email properly.




-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From sujithem at cdacb.ernet.in  Wed Dec 13 11:31:30 2006
From: sujithem at cdacb.ernet.in (Sujith Emmanuel)
Date: Wed Dec 13 11:31:32 2006
Subject: OT: mail server /var/mail
In-Reply-To: <457FDB19.8090201@solidstatelogic.com>
References: <1d1e72700612130045o6ef88bcepde7480d6f4e7d1b5@mail.gmail.com>
	<457FC57A.6020308@solidstatelogic.com>
	<1d1e72700612130238p6c0ad296i3990016dde6cf332@mail.gmail.com>
	<457FDB19.8090201@solidstatelogic.com>
Message-ID: <1d1e72700612130331l5771ef44s72696824e7ec624f@mail.gmail.com>

Hi,

     Thanks for the insights, actually i have quota enabled to /home
but not for /var/mail so even if users exceed quota limit, their mails
stay in /var/mail. How do i enable quotas such that the senders get a
quota exceeded reply mail.

Thanks and Regards
Sujith Emmanuel

On 12/13/06, Martin Hepworth <martinh@solidstatelogic.com> wrote:

> ah yes, UW-imap will keep people's inbox's in /var/spool/mail (or
> whereever the default spool file is) when using imap, any other folders
> get created in the home directory of the user.
>
> Given they login to the server first, might be useful to move people to
> pop3 access then all the email with get moved to their home dirs.
>
> Another thing is get people to delete stuff, move stuff to other folders
> and/or use quota's.
>
> I think this is a common problem for mail-admins the world over, people
> don't know how to process email properly.
>
>
>
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
From amoore at dekalbmemorial.com  Wed Dec 13 13:49:53 2006
From: amoore at dekalbmemorial.com (Aaron K. Moore)
Date: Wed Dec 13 13:49:59 2006
Subject: MailScanner spam filtering and Thunderbird undesirable mails
In-Reply-To: <EXCH1pviOh0jCI1geel0000d9b0@mail.dekalbmemorial.com>
Message-ID: <60D398EB2DB948409CA1F50D8AF1225701C23311@exch1.dekalbmemorial.local>

Sam Przyswa wrote:
> 
> With this machine my Mozilla-thunderbird find lot of undesirable
> mails, does Thunderbird is more effective than
> MailScanner/Spamassassin or my setup is bad configured ?
> 

You may want to check out
http://wiki.mailscanner.info/doku.php?id=documentation:related_software:
mua:thunderbird&s=spam%20status .  It has directions for adding the
header that Thunderbird uses to identify spam flagged in an upstream
MTA.

-- 
Aaron Kent Moore
Information Technology Services
DeKalb Memorial Hospital, Inc.
Auburn, IN
Phone:  260.920.2808
E-mail:  amoore@dekalbmemorial.com
From martinh at solidstatelogic.com  Wed Dec 13 13:58:40 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Dec 13 13:59:05 2006
Subject: MailScanner spam filtering and Thunderbird undesirable mails
In-Reply-To: <60D398EB2DB948409CA1F50D8AF1225701C23311@exch1.dekalbmemorial.local>
References: <60D398EB2DB948409CA1F50D8AF1225701C23311@exch1.dekalbmemorial.local>
Message-ID: <45800710.8060205@solidstatelogic.com>

Aaron K. Moore wrote:
> Sam Przyswa wrote:
>> With this machine my Mozilla-thunderbird find lot of undesirable
>> mails, does Thunderbird is more effective than
>> MailScanner/Spamassassin or my setup is bad configured ?
>>
> 
> You may want to check out
> http://wiki.mailscanner.info/doku.php?id=documentation:related_software:
> mua:thunderbird&s=spam%20status .  It has directions for adding the
> header that Thunderbird uses to identify spam flagged in an upstream
> MTA.
> 

I'd also suggest you need to look at tuning your SA setup with extra 
rules etc.

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From TGFurnish at herffjones.com  Wed Dec 13 14:35:33 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Wed Dec 13 14:35:41 2006
Subject: Is this really how bayes+autolearn works?
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC571@inex3.herffjones.hj-int>

 

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info 
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf 
> Of Scott Silva
> Sent: Tuesday, December 12, 2006 5:45 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Is this really how bayes+autolearn works?
 
> Furnish, Trever G spake the following on 12/12/2006 1:59 PM:
> > So Bayes is getting lots of messages that SA doesn't detect 
> as spam, 
> > and only a few similar messages that I train it to treat as 
> spam.  Is 
> > this a plausible explanation for why Bayes would consistently be 
> > misclassifying this mail?
> >  
> > So far the floods start in the afternoon and the subject 
> strings are 
> > consistent enough that I'm able to correct the damage by:
> >     - removing my bayes database and retraining from archived spam 
> > corpus (slow)
> >     - creating custom rules to, for example, filter out "Subject =~ 
> > /Good Morning/" (dangerous)
  
> I also see a lot of spam coming from bots, but I consistently 
> catch most of it. Are you using some good add-on rules?
> Do you have any samples that some of us could run through our 
> systems to see what we get?

Sure -- I'll forward as attachments after sending this message (wanted
to send this separate message on the chance that you'll filter them out
and never know I responded).

- Trever
From TGFurnish at herffjones.com  Wed Dec 13 14:37:37 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Wed Dec 13 14:38:13 2006
Subject: Is this really how bayes+autolearn works?
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC572@inex3.herffjones.hj-int>

 

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info 
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf 
> Of Scott Silva
> Sent: Tuesday, December 12, 2006 5:45 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Is this really how bayes+autolearn works?

> Furnish, Trever G spake the following on 12/12/2006 1:59 PM:
> > So Bayes is getting lots of messages that SA doesn't detect 
> as spam, 
> > and only a few similar messages that I train it to treat as 
> spam.  Is 
> > this a plausible explanation for why Bayes would consistently be 
> > misclassifying this mail?
> >  
> > So far the floods start in the afternoon and the subject 
> strings are 
> > consistent enough that I'm able to correct the damage by:
> >     - removing my bayes database and retraining from archived spam 
> > corpus (slow)
> >     - creating custom rules to, for example, filter out "Subject =~ 
> > /Good Morning/" (dangerous)
 
> I also see a lot of spam coming from bots, but I consistently 
> catch most of it. Are you using some good add-on rules?
> Do you have any samples that some of us could run through our 
> systems to see what we get?

Requested samples are attached.  They're very simple messages -- but
they're flooding in without being caught and then Bayes starts to assign
-2.60 to them. :-(

--
Trever
-------------- next part --------------
An embedded message was scrubbed...
From: "Sal Oakes" <predestineborn@abz1.freeserve.co.uk>
Subject: It ready
Date: Wed, 13 Dec 2006 10:25:17 -0500
Size: 2094
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/71400b51/attachment.mht
-------------- next part --------------
An embedded message was scrubbed...
From: "Young Gill" <Aesop'sLima's@acadia.eng.sun.com>
Subject: It ready
Date: Wed, 13 Dec 2006 10:23:13 -0500
Size: 2100
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/71400b51/attachment-0001.mht
-------------- next part --------------
An embedded message was scrubbed...
From: "Hillary Raines" <incensesshoddiest@aais.org.uk>
Subject: It ready
Date: Wed, 13 Dec 2006 10:31:25 -0500
Size: 2126
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/71400b51/attachment-0002.mht
-------------- next part --------------
An embedded message was scrubbed...
From: "Kelsey Gillis" <cuisine'sBiscay@accesswv.com>
Subject: It ready
Date: Wed, 13 Dec 2006 10:31:53 -0500
Size: 2114
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/71400b51/attachment-0003.mht
From martinh at solidstatelogic.com  Wed Dec 13 14:44:47 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Dec 13 14:45:15 2006
Subject: Is this really how bayes+autolearn works?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC572@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC572@inex3.herffjones.hj-int>
Message-ID: <458011DF.4010901@solidstatelogic.com>

Furnish, Trever G wrote:
>  
> 
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info 
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf 
>> Of Scott Silva
>> Sent: Tuesday, December 12, 2006 5:45 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: Re: Is this really how bayes+autolearn works?
> 
>> Furnish, Trever G spake the following on 12/12/2006 1:59 PM:
>>> So Bayes is getting lots of messages that SA doesn't detect 
>> as spam, 
>>> and only a few similar messages that I train it to treat as 
>> spam.  Is 
>>> this a plausible explanation for why Bayes would consistently be 
>>> misclassifying this mail?
>>>  
>>> So far the floods start in the afternoon and the subject 
>> strings are 
>>> consistent enough that I'm able to correct the damage by:
>>>     - removing my bayes database and retraining from archived spam 
>>> corpus (slow)
>>>     - creating custom rules to, for example, filter out "Subject =~ 
>>> /Good Morning/" (dangerous)
>  
>> I also see a lot of spam coming from bots, but I consistently 
>> catch most of it. Are you using some good add-on rules?
>> Do you have any samples that some of us could run through our 
>> systems to see what we get?
> 
> Requested samples are attached.  They're very simple messages -- but
> they're flooding in without being caught and then Bayes starts to assign
> -2.60 to them. :-(
> 
> --
> Trever

Trever

latest SARE_STOCKS should help here..

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From Denis.Beauchemin at USherbrooke.ca  Wed Dec 13 14:48:32 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Dec 13 14:56:27 2006
Subject: New ClamAV out
In-Reply-To: <elnc2u$6op$1@sea.gmane.org>
References: <457EC35F.90606@USherbrooke.ca> <457EFADB.5090400@USherbrooke.ca>
	<elnc2u$6op$1@sea.gmane.org>
Message-ID: <458012C0.3020704@USherbrooke.ca>

Mark Nienberg a ?crit :
> Denis Beauchemin wrote:
>
>> Just wanted to let you know that there seems to be a problem with the 
>> new ClamAV and ZIP files: I get a lot of:
>> Dec 12 12:37:52 132.210.244.93 MailScanner[31880]: 
>> ClamAVModule::INFECTED:: Oversized.Zip:: 
>> ./kBCHaqdS004063/BIOMETISS_BIOREACTEUR_07-12-2006.zip
>>
>> I had none yesterday and I have 20 since upgrading Clam this morning.
>
> Have you tried increasing the
> ClamAVmodule Maximum Compression Ratio = 250
> setting in MailScanner.conf?
>
> Mark
>
Mark,

I have it set to:
grep "ClamAVmodule Maximum Compression Ratio" MailScanner.conf
ClamAVmodule Maximum Compression Ratio = 950

It used to be enough before upgrading to the latest ClamAV...

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/22d59b68/smime.bin
From Denis.Beauchemin at USherbrooke.ca  Wed Dec 13 14:59:22 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Dec 13 14:59:48 2006
Subject: Is this really how bayes+autolearn works?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC572@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC572@inex3.herffjones.hj-int>
Message-ID: <4580154A.6070007@USherbrooke.ca>

Furnish, Trever G a ?crit :
>  
>
>   
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info 
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf 
>> Of Scott Silva
>> Sent: Tuesday, December 12, 2006 5:45 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: Re: Is this really how bayes+autolearn works?
>>     
>
>   
>> Furnish, Trever G spake the following on 12/12/2006 1:59 PM:
>>     
>>> So Bayes is getting lots of messages that SA doesn't detect 
>>>       
>> as spam, 
>>     
>>> and only a few similar messages that I train it to treat as 
>>>       
>> spam.  Is 
>>     
>>> this a plausible explanation for why Bayes would consistently be 
>>> misclassifying this mail?
>>>  
>>> So far the floods start in the afternoon and the subject 
>>>       
>> strings are 
>>     
>>> consistent enough that I'm able to correct the damage by:
>>>     - removing my bayes database and retraining from archived spam 
>>> corpus (slow)
>>>     - creating custom rules to, for example, filter out "Subject =~ 
>>> /Good Morning/" (dangerous)
>>>       
>  
>   
>> I also see a lot of spam coming from bots, but I consistently 
>> catch most of it. Are you using some good add-on rules?
>> Do you have any samples that some of us could run through our 
>> systems to see what we get?
>>     
>
> Requested samples are attached.  They're very simple messages -- but
> they're flooding in without being caught and then Bayes starts to assign
> -2.60 to them. :-(
>
> --
> Trever
Trever,

They scored 10 here:

	SpamAssassin (not cached, score=10.448, requis 4.5, BAYES_50 0.00,
	INFO_TLD 1.27, SARE_LWHUGE 1.00, SARE_LWSHORTT 0.79,
	SARE_MLB_Stock1 1.66, SARE_MLB_Stock2 1.66, SARE_MLB_Stock6 1.66,
	TVD_STOCK1 2.40)

The first one comes from base SA, all but the last one come from 
70_sare_stocks and the last one comes from 80_additional in 
/var/lib/spamassassin/3.001007/updates_spamassassin_org (auto updated by 
SA).

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/d42fcf23/smime.bin
From TGFurnish at herffjones.com  Wed Dec 13 15:14:34 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Wed Dec 13 15:14:38 2006
Subject: Is this really how bayes+autolearn works?
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC573@inex3.herffjones.hj-int>

 

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info 
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf 
> Of Denis Beauchemin
> Sent: Wednesday, December 13, 2006 9:59 AM
> To: MailScanner discussion
> Subject: Re: Is this really how bayes+autolearn works?

> They scored 10 here:
> 
> 	SpamAssassin (not cached, score=10.448, requis 4.5, 
> BAYES_50 0.00,
> 	INFO_TLD 1.27, SARE_LWHUGE 1.00, SARE_LWSHORTT 0.79,
> 	SARE_MLB_Stock1 1.66, SARE_MLB_Stock2 1.66, 
> SARE_MLB_Stock6 1.66,
> 	TVD_STOCK1 2.40)
> 
> The first one comes from base SA, all but the last one come 
> from 70_sare_stocks and the last one comes from 80_additional 
> in /var/lib/spamassassin/3.001007/updates_spamassassin_org 
> (auto updated by SA).
> 
> Denis

Thanks very much.  I added 70_sare_stocks and got all the same hits,
except of course the TVD_STOCK1 rule.

I'm not presently using rules_du_jour or sa-update.  Am I correct in
guessing that your
/var/lib/spamassassin/3.001007/updates_spamassassin_org directory is a
sign that you're using sa-update, or is that generated from something
else?

I've been avoiding SARE, rules_du_jour, and sa-update on the theory that
I don't have time to catch misbehaving auto-updated rules before they
wreak havoc, and that  there aren't as many eyes watching those rules to
raise an alarm if a rule is bad.  I guess it's time to reconsider that
theory...

- Trever
From TGFurnish at herffjones.com  Wed Dec 13 15:15:31 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Wed Dec 13 15:15:37 2006
Subject: Is this really how bayes+autolearn works?
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC574@inex3.herffjones.hj-int>

 

> Trever
> 
> latest SARE_STOCKS should help here..
> 
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

Thanks very much, Martin.  Added sare_stocks_70 and it is indeed
catching these.
From glenn.steen at gmail.com  Wed Dec 13 15:50:17 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 13 15:50:20 2006
Subject: Is this really how bayes+autolearn works?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC573@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC573@inex3.herffjones.hj-int>
Message-ID: <223f97700612130750o6c517abfpcffc8ea2b1fa7b4@mail.gmail.com>

On 13/12/06, Furnish, Trever G <TGFurnish@herffjones.com> wrote:
>
(snip)
>
> I've been avoiding SARE, rules_du_jour, and sa-update on the theory that
> I don't have time to catch misbehaving auto-updated rules before they
> wreak havoc, and that  there aren't as many eyes watching those rules to
> raise an alarm if a rule is bad.  I guess it's time to reconsider that
> theory...
>
Not the best of theories, at least as applied on sa-update. Once you
get it going, updates are fairly infrequent... and a simple cron-job
should take care of it. Pretty much the same with RDJ (but updates are
more frequent:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From Denis.Beauchemin at USherbrooke.ca  Wed Dec 13 15:59:23 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Dec 13 15:59:50 2006
Subject: New ClamAV out
In-Reply-To: <458012C0.3020704@USherbrooke.ca>
References: <457EC35F.90606@USherbrooke.ca>
	<457EFADB.5090400@USherbrooke.ca>	<elnc2u$6op$1@sea.gmane.org>
	<458012C0.3020704@USherbrooke.ca>
Message-ID: <4580235B.4050405@USherbrooke.ca>

Denis Beauchemin a ?crit :
> Mark Nienberg a ?crit :
>> Denis Beauchemin wrote:
>>
>>> Just wanted to let you know that there seems to be a problem with 
>>> the new ClamAV and ZIP files: I get a lot of:
>>> Dec 12 12:37:52 132.210.244.93 MailScanner[31880]: 
>>> ClamAVModule::INFECTED:: Oversized.Zip:: 
>>> ./kBCHaqdS004063/BIOMETISS_BIOREACTEUR_07-12-2006.zip
>>>
>>> I had none yesterday and I have 20 since upgrading Clam this morning.
>>
>> Have you tried increasing the
>> ClamAVmodule Maximum Compression Ratio = 250
>> setting in MailScanner.conf?
>>
>> Mark
>>
> Mark,
>
> I have it set to:
> grep "ClamAVmodule Maximum Compression Ratio" MailScanner.conf
> ClamAVmodule Maximum Compression Ratio = 950
>
> It used to be enough before upgrading to the latest ClamAV...
>
> Denis
>
I switched to clamav instead of clamavmodule and the messages disappeared.

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/1cc3460d/smime.bin
From Denis.Beauchemin at USherbrooke.ca  Wed Dec 13 16:14:39 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Dec 13 16:15:36 2006
Subject: Is this really how bayes+autolearn works?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC573@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC573@inex3.herffjones.hj-int>
Message-ID: <458026EF.5020900@USherbrooke.ca>

Furnish, Trever G a ?crit :
>  
>
>   
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info 
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf 
>> Of Denis Beauchemin
>> Sent: Wednesday, December 13, 2006 9:59 AM
>> To: MailScanner discussion
>> Subject: Re: Is this really how bayes+autolearn works?
>>     
>
>   
>> They scored 10 here:
>>
>> 	SpamAssassin (not cached, score=10.448, requis 4.5, 
>> BAYES_50 0.00,
>> 	INFO_TLD 1.27, SARE_LWHUGE 1.00, SARE_LWSHORTT 0.79,
>> 	SARE_MLB_Stock1 1.66, SARE_MLB_Stock2 1.66, 
>> SARE_MLB_Stock6 1.66,
>> 	TVD_STOCK1 2.40)
>>
>> The first one comes from base SA, all but the last one come 
>> from 70_sare_stocks and the last one comes from 80_additional 
>> in /var/lib/spamassassin/3.001007/updates_spamassassin_org 
>> (auto updated by SA).
>>
>> Denis
>>     
>
> Thanks very much.  I added 70_sare_stocks and got all the same hits,
> except of course the TVD_STOCK1 rule.
>
> I'm not presently using rules_du_jour or sa-update.  Am I correct in
> guessing that your
> /var/lib/spamassassin/3.001007/updates_spamassassin_org directory is a
> sign that you're using sa-update, or is that generated from something
> else?
>
> I've been avoiding SARE, rules_du_jour, and sa-update on the theory that
> I don't have time to catch misbehaving auto-updated rules before they
> wreak havoc, and that  there aren't as many eyes watching those rules to
> raise an alarm if a rule is bad.  I guess it's time to reconsider that
> theory...
>
> - Trever
>   
I do not use rules_du_jour either because my boss wants to review the 
changes before they are put into production (don't laugh!)... so I fetch 
them into a temp directory and send out an email whenever one rule 
changed.  If I don't get any comment from my boss, the rules are moved 
into production on the next day.  So far this system saved me some 
trouble when there was a problem with one SARE rule: I just deleted the 
file in my temp directory and waited for the corrected version to appear 
on the next day.

I don't run sa-update either (it is disabled, but I think I will enable 
it).  So my files were probably installed at the same time I installed 
SA 3.1.7.

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/a97bbc4c/smime.bin
From nate at seekio.com  Wed Dec 13 17:39:26 2006
From: nate at seekio.com (Nate)
Date: Wed Dec 13 17:39:31 2006
Subject: Mailscanner not scanning queue
Message-ID: <45803ACE.5010509@seekio.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just installed MailScanner + Postfix on 6 servers running Debian
Sarge.  I installed from stable packages, so mailscanner is version
4.41.3-2 and postfix is 2.1.5-9.  I tried installing the latest
mailscanner from the unstable branch, but it has too many dependencies,
and if I fulfilled them, I'd be running unstable on the whole box
instead of stable.  I followed the directions I found at
http://www.debian-administration.org/articles/172.

OK, that said, here's my problem.  After starting mailscanner everything
appears to work fine... for a little while.  On every server Mailscanner
eventually just doesn't see messages that arrive in the queue any more.
 I do a postqueue -p and can see the messages waiting in the hold queue,
but mailscanner isn't doing anything with them.

I tried enabling Debug in the conf and running check_mailscanner.  That
runs fine, but since it quits right away I don't think it hits the
problem where it's not seeing new messages.

Does anyone have any ideas of things to try from here?  Any knows bugs
that I'm maybe hitting?  If so, how do I install the latest version on
Debian Sarge?

Thanks,
Nate
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFgDrNRMRYK1K/wKQRAo7/AJ0d07bkUh+kWoPrm3tN5C3G7q00kgCfbAtv
1jeBO2VvKVqeGZAVV0HQ1ns=
=pXFE
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3491 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/67181197/smime.bin
From ssilva at sgvwater.com  Wed Dec 13 17:38:56 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Dec 13 17:39:36 2006
Subject: Is this really how bayes+autolearn works?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC572@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC572@inex3.herffjones.hj-int>
Message-ID: <elpdrh$nqd$1@sea.gmane.org>

Furnish, Trever G spake the following on 12/13/2006 6:37 AM:
>  
> 
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info 
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf 
>> Of Scott Silva
>> Sent: Tuesday, December 12, 2006 5:45 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: Re: Is this really how bayes+autolearn works?
> 
>> Furnish, Trever G spake the following on 12/12/2006 1:59 PM:
>>> So Bayes is getting lots of messages that SA doesn't detect 
>> as spam, 
>>> and only a few similar messages that I train it to treat as 
>> spam.  Is 
>>> this a plausible explanation for why Bayes would consistently be 
>>> misclassifying this mail?
>>>  
>>> So far the floods start in the afternoon and the subject 
>> strings are 
>>> consistent enough that I'm able to correct the damage by:
>>>     - removing my bayes database and retraining from archived spam 
>>> corpus (slow)
>>>     - creating custom rules to, for example, filter out "Subject =~ 
>>> /Good Morning/" (dangerous)
>  
>> I also see a lot of spam coming from bots, but I consistently 
>> catch most of it. Are you using some good add-on rules?
>> Do you have any samples that some of us could run through our 
>> systems to see what we get?
> 
> Requested samples are attached.  They're very simple messages -- but
> they're flooding in without being caught and then Bayes starts to assign
> -2.60 to them. :-(
> 
> --
> Trever
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> It ready
> From:
> "Sal Oakes" <predestineborn@abz1.freeserve.co.uk>
> Date:
> Wed, 13 Dec 2006 10:25:17 -0500
> To:
> <lavelez@herff-jones.com>
> 
> To:
> <lavelez@herff-jones.com>
> 
> Received:
> from inex3.herffjones.hj-int ([192.168.10.41]) by
> inex1.herffjones.hj-int with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13
> Dec 2006 09:25:37 -0500
> MIME-Version:
> 1.0
> Content-Type:
> text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding:
> quoted-printable
> Received:
> from relay2.public.herff-jones.com ([192.168.252.241]) by
> inex3.herffjones.hj-int with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13
> Dec 2006 09:25:37 -0500
> X-MimeOLE:
> Produced By Microsoft Exchange V6.5
> Received:
> from Host (dsl54025CFD.pool.t-online.hu [84.2.92.253]) by
> relay2.public.herff-jones.com (8.12.11/8.12.11) with ESMTP id
> kBDEPI6h022465; Wed, 13 Dec 2006 09:25:20 -0500
> Received:
> from 193.252.22.141 (HELO mail-in.freeserve.com) by herff-jones.com with
> esmtp (H; 3DY5// >0N)) id 4/3*,V-N2*),Z-:, for lavelez@herff-jones.com;
> Wed, 13 Dec 2006 14:25:17 -0060
> Content-class:
> urn:content-classes:message
> Message-ID:
> <01c71ec2$830d63d0$6c822ecf@predestineborn>
> Thread-Topic:
> It ready
> Thread-Index:
> Aca6Q941UUZ9J7Z4L5A317Q=
> 
> 
> News Alert!
> 
> Fueled by the possibility of an upcoming merger, Wild Brush 
> Energy (WBRS) is gearing up for an explosion.  Tension is 
> building and soon the scramble to take a position will push 
> this one off the charts.
> 
> Wild Brush Energy
> Symbol: WBRS
> Current Price: $0.05
> Short Term Target: $0.32
> Long Term Target: $0.80
> 
> WBRS is engaged in some of the most lucrative gas regions in North 
> America.  Major discoveries are happening all the time and WBRS is in 
> the thick of it.
> 
> With the array of drilling projects Wild Brush has going on at the moment 
> tension is building.  As the drilling gets closer to completion insiders are 
> accumulating ahead of that major discovery announcement.
> 
> Finally the market is ready for explosion
> Wednesday December 13 2006. will be a huge growth of WBRS at 1.00 am
> Get ready to make some cash today!
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> It ready
> From:
> "Young Gill" <Aesop'sLima's@acadia.eng.sun.com>
> Date:
> Wed, 13 Dec 2006 10:23:13 -0500
> To:
> <kokuehl@herff-jones.com>
> 
> To:
> <kokuehl@herff-jones.com>
> 
> Received:
> from inex3.herffjones.hj-int ([192.168.10.41]) by
> inex1.herffjones.hj-int with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13
> Dec 2006 09:24:10 -0500
> MIME-Version:
> 1.0
> Content-Type:
> text/plain; charset="windows-1250"
> Content-Transfer-Encoding:
> quoted-printable
> Received:
> from relay2.public.herff-jones.com ([192.168.252.241]) by
> inex3.herffjones.hj-int with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13
> Dec 2006 09:24:11 -0500
> X-MimeOLE:
> Produced By Microsoft Exchange V6.5
> Received:
> from pD9FFEAD5.dip.t-dialin.net (pD9FFEF55.dip.t-dialin.net
> [217.255.239.85]) by relay2.public.herff-jones.com (8.12.11/8.12.11)
> with ESMTP id kBDEN0rx021231; Wed, 13 Dec 2006 09:23:05 -0500
> Received:
> from 192.5.209.6 (HELO btmx4.sun.com) by herff-jones.com with esmtp
> (+5YBR6(>K 03; >H) id +4*841-UQ4+74-)- for kokuehl@herff-jones.com; Wed,
> 13 Dec 2006 14:23:13 -0060
> Content-class:
> urn:content-classes:message
> Message-ID:
> <01c71ec2$395db640$6c822ecf@Aesop'sLima's>
> Thread-Topic:
> It ready
> Thread-Index:
> Aca6Q0Mwseft1NU=
> 
> 
> News Alert!
> 
> Fueled by the possibility of an upcoming merger, Wild Brush 
> Energy (WBRS) is gearing up for an explosion.  Tension is 
> building and soon the scramble to take a position will push 
> this one off the charts.
> 
> Wild Brush Energy
> Symbol: WBRS
> Current Price: $0.05
> Short Term Target: $0.32
> Long Term Target: $0.80
> 
> WBRS is engaged in some of the most lucrative gas regions in North 
> America.  Major discoveries are happening all the time and WBRS is in 
> the thick of it.
> 
> With the array of drilling projects Wild Brush has going on at the moment 
> tension is building.  As the drilling gets closer to completion insiders are 
> accumulating ahead of that major discovery announcement.
> 
> Finally the market is ready for explosion
> Wednesday December 13 2006. will be a huge growth of WBRS at 1.00 am
> Get ready to make some cash today!
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> It ready
> From:
> "Hillary Raines" <incensesshoddiest@aais.org.uk>
> Date:
> Wed, 13 Dec 2006 10:31:25 -0500
> To:
> "Reeck, Alyssa A" <aareeck@herffjones.com>
> 
> To:
> "Reeck, Alyssa A" <aareeck@herffjones.com>
> 
> Received:
> from inex3.herffjones.hj-int ([192.168.10.41]) by
> leex1.herffjones.hj-int with Microsoft SMTPSVC(5.0.2195.6713); Wed, 13
> Dec 2006 08:30:10 -0600
> MIME-Version:
> 1.0
> Content-Type:
> text/plain; charset="windows-1250"
> Content-Transfer-Encoding:
> quoted-printable
> Received:
> from relay2.public.herff-jones.com ([192.168.252.241]) by
> inex3.herffjones.hj-int with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13
> Dec 2006 09:30:07 -0500
> X-MimeOLE:
> Produced By Microsoft Exchange V6.5
> Received:
> from p548B7FC7.dip.t-dialin.net (p548B7FC7.dip.t-dialin.net
> [84.139.127.199]) by relay2.public.herff-jones.com (8.12.11/8.12.11)
> with ESMTP id kBDETifE025143; Wed, 13 Dec 2006 09:29:45 -0500
> Received:
> from 80.243.184.9 (HELO mail.aais.org.uk) by herffjones.com with esmtp
> ((770?4RNA 860LT) id 12<06.-E8/9/E-9- for aareeck@herffjones.com; Wed,
> 13 Dec 2006 14:31:25 -0060
> Content-class:
> urn:content-classes:message
> Message-ID:
> <01c71ec3$5ea3af30$6c822ecf@incensesshoddiest>
> Thread-Topic:
> It ready
> Thread-Index:
> Aca6QT06H1P/9M1B12T10R54NL4=
> 
> 
> News Alert!
> 
> Fueled by the possibility of an upcoming merger, Wild Brush 
> Energy (WBRS) is gearing up for an explosion.  Tension is 
> building and soon the scramble to take a position will push 
> this one off the charts.
> 
> Wild Brush Energy
> Symbol: WBRS
> Current Price: $0.05
> Short Term Target: $0.32
> Long Term Target: $0.80
> 
> WBRS is engaged in some of the most lucrative gas regions in North 
> America.  Major discoveries are happening all the time and WBRS is in 
> the thick of it.
> 
> With the array of drilling projects Wild Brush has going on at the moment 
> tension is building.  As the drilling gets closer to completion insiders are 
> accumulating ahead of that major discovery announcement.
> 
> Finally the market is ready for explosion
> Wednesday December 13 2006. will be a huge growth of WBRS at 1.00 am
> Get ready to make some cash today!
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject:
> It ready
> From:
> "Kelsey Gillis" <cuisine'sBiscay@accesswv.com>
> Date:
> Wed, 13 Dec 2006 10:31:53 -0500
> To:
> <aareeck@herff-jones.com>
> 
> To:
> <aareeck@herff-jones.com>
> 
> Received:
> from inex3.herffjones.hj-int ([192.168.10.41]) by
> leex1.herffjones.hj-int with Microsoft SMTPSVC(5.0.2195.6713); Wed, 13
> Dec 2006 08:31:07 -0600
> MIME-Version:
> 1.0
> Content-Type:
> text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding:
> quoted-printable
> Received:
> from relay2.public.herff-jones.com ([192.168.252.241]) by
> inex3.herffjones.hj-int with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13
> Dec 2006 09:31:05 -0500
> X-MimeOLE:
> Produced By Microsoft Exchange V6.5
> Received:
> from p548B7FC7.dip.t-dialin.net (p548B7FC7.dip.t-dialin.net
> [84.139.127.199]) by relay2.public.herff-jones.com (8.12.11/8.12.11)
> with ESMTP id kBDEUCco025494; Wed, 13 Dec 2006 09:30:13 -0500
> Received:
> from 198.185.2.67 (HELO mx2.business.mindspring.com) by herff-jones.com
> with esmtp (W/9UT0)(0 (H8)DO) id 9G65X2-OPQ/F@-C= for
> aareeck@herff-jones.com; Wed, 13 Dec 2006 14:31:53 -0060
> Content-class:
> urn:content-classes:message
> Message-ID:
> <01c71ec3$6edf4350$6c822ecf@cuisine'sBiscay>
> Thread-Topic:
> It ready
> Thread-Index:
> Aca6QQL6573SZ/1I7Y35KVU2
> 
> 
> News Alert!
> 
> Fueled by the possibility of an upcoming merger, Wild Brush 
> Energy (WBRS) is gearing up for an explosion.  Tension is 
> building and soon the scramble to take a position will push 
> this one off the charts.
> 
> Wild Brush Energy
> Symbol: WBRS
> Current Price: $0.05
> Short Term Target: $0.32
> Long Term Target: $0.80
> 
> WBRS is engaged in some of the most lucrative gas regions in North 
> America.  Major discoveries are happening all the time and WBRS is in 
> the thick of it.
> 
> With the array of drilling projects Wild Brush has going on at the moment 
> tension is building.  As the drilling gets closer to completion insiders are 
> accumulating ahead of that major discovery announcement.
> 
> Finally the market is ready for explosion
> Wednesday December 13 2006. will be a huge growth of WBRS at 1.00 am
> Get ready to make some cash today!
> 
> 
Content analysis details:   (33.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
 1.7 SARE_MLB_Stock2        BODY: SARE_MLB_Stock2
 1.0 SARE_LWHUGE            BODY: SARE_LWHUGE
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 1.7 SARE_MLB_Stock6        BODY: ML obfuscated ticker symbols
 2.4 TVD_STOCK1             BODY: Message looks like it's pushing a stock...
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 1.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [84.2.92.253 listed in dnsbl.sorbs.net]
 2.0 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [84.2.92.253 listed in combined.njabl.org]
 2.5 DIGEST_MULTIPLE        Message hits more than one network digest check
 2.8 RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name)
                            found
 0.0 BOTNET_CLIENT          Hostname looks like a client hostname
 1.9 RATWARE_MS_HASH        Bulk email fingerprint (msgid ms hash) found
 1.7 MSGID_DOLLARS          Message-Id has pattern used in spam
 2.0 BOTNET                 The submitting mail server looks like part of a Botnet


Content analysis details:   (33.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.6 HELO_DYNAMIC_DIALIN    Relay HELO'd using suspicious hostname
                            (T-Dialin)
 0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
 1.7 SARE_MLB_Stock2        BODY: SARE_MLB_Stock2
 1.0 SARE_LWHUGE            BODY: SARE_LWHUGE
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 1.7 SARE_MLB_Stock6        BODY: ML obfuscated ticker symbols
 2.4 TVD_STOCK1             BODY: Message looks like it's pushing a stock...
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5005]
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 1.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [217.255.239.85 listed in dnsbl.sorbs.net]
 2.0 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [217.255.239.85 listed in combined.njabl.org]
 2.5 DIGEST_MULTIPLE        Message hits more than one network digest check
 2.8 RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name)
                            found
 0.0 BOTNET_CLIENT          Hostname looks like a client hostname
 1.9 RATWARE_MS_HASH        Bulk email fingerprint (msgid ms hash) found
 1.7 MSGID_DOLLARS          Message-Id has pattern used in spam
 2.0 BOTNET                 The submitting mail server looks like part of a Botnet
That is just 2 of them

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com  Wed Dec 13 17:43:53 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Dec 13 17:45:14 2006
Subject: Is this really how bayes+autolearn works?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC573@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC573@inex3.herffjones.hj-int>
Message-ID: <elpe4r$ppl$1@sea.gmane.org>

Furnish, Trever G spake the following on 12/13/2006 7:14 AM:
>  
> 
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info 
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf 
>> Of Denis Beauchemin
>> Sent: Wednesday, December 13, 2006 9:59 AM
>> To: MailScanner discussion
>> Subject: Re: Is this really how bayes+autolearn works?
> 
>> They scored 10 here:
>>
>> 	SpamAssassin (not cached, score=10.448, requis 4.5, 
>> BAYES_50 0.00,
>> 	INFO_TLD 1.27, SARE_LWHUGE 1.00, SARE_LWSHORTT 0.79,
>> 	SARE_MLB_Stock1 1.66, SARE_MLB_Stock2 1.66, 
>> SARE_MLB_Stock6 1.66,
>> 	TVD_STOCK1 2.40)
>>
>> The first one comes from base SA, all but the last one come 
>> from 70_sare_stocks and the last one comes from 80_additional 
>> in /var/lib/spamassassin/3.001007/updates_spamassassin_org 
>> (auto updated by SA).
>>
>> Denis
> 
> Thanks very much.  I added 70_sare_stocks and got all the same hits,
> except of course the TVD_STOCK1 rule.
> 
> I'm not presently using rules_du_jour or sa-update.  Am I correct in
> guessing that your
> /var/lib/spamassassin/3.001007/updates_spamassassin_org directory is a
> sign that you're using sa-update, or is that generated from something
> else?
> 
> I've been avoiding SARE, rules_du_jour, and sa-update on the theory that
> I don't have time to catch misbehaving auto-updated rules before they
> wreak havoc, and that  there aren't as many eyes watching those rules to
> raise an alarm if a rule is bad.  I guess it's time to reconsider that
> theory...
> 
> - Trever
There is a very good setup of rulesdujour with the patches to
bogus_virus_warnings that help with MailScanner false alarms at Fortress
Systems.  http://www.fsl.com/support/Rules_Du_Jour.tar.gz
And sa-update is as reliable as installing a new version of spamassassin, but
the rules get fixed or adjusted faster.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From dstraka at caspercollege.edu  Wed Dec 13 16:52:34 2006
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Wed Dec 13 17:54:54 2006
Subject: OT: Botnet Plugin for SA
Message-ID: <457FCD63.61A4.0000.0@caspercollege.edu>

How can I tell if the botnet plugin for SA is working? All I have to go
on is mail log files.

Dan Straka
Systems Coordinator
Casper College
307.268.2399


-- 
This message has been scanned for viruses
and dangerous content by MailScanner at
caspercollege.edu and is believed to be clean.

-------------- next part --------------
BEGIN:VCARD
VERSION:2.1
FN:Straka, Daniel
TEL:307.268.2399
EMAIL:Dstraka@caspercollege.edu
ORG:Casper College
TITLE:Systems Coordinator
URL:http://wind.caspercollege.edu/~dstraka/
END:VCARD

From ssilva at sgvwater.com  Wed Dec 13 18:12:47 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Dec 13 18:13:20 2006
Subject: OT: Botnet Plugin for SA
In-Reply-To: <457FCD63.61A4.0000.0@caspercollege.edu>
References: <457FCD63.61A4.0000.0@caspercollege.edu>
Message-ID: <elpfr0$v66$1@sea.gmane.org>

Daniel Straka spake the following on 12/13/2006 8:52 AM:
> How can I tell if the botnet plugin for SA is working? All I have to go
> on is mail log files.
> 
A spamassassin -D --lint should show the plugin loading, and a grep BOTNET
/var/log/maillog should show hits in some messages.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From Denis.Beauchemin at USherbrooke.ca  Wed Dec 13 18:41:02 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Dec 13 18:41:33 2006
Subject: Is this really how bayes+autolearn works?
In-Reply-To: <elpdrh$nqd$1@sea.gmane.org>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC572@inex3.herffjones.hj-int>
	<elpdrh$nqd$1@sea.gmane.org>
Message-ID: <4580493E.1000000@USherbrooke.ca>

Scott Silva a ?crit :
> Content analysis details:   (33.4 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
>  0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
>  1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
>  1.7 SARE_MLB_Stock2        BODY: SARE_MLB_Stock2
>  1.0 SARE_LWHUGE            BODY: SARE_LWHUGE
>  0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
>  1.7 SARE_MLB_Stock6        BODY: ML obfuscated ticker symbols
>  2.4 TVD_STOCK1             BODY: Message looks like it's pushing a stock...
>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.5000]
>  1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
>                             above 50%
>                             [cf: 100]
>  1.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>                             [cf: 100]
>  3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
>  2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>                             [84.2.92.253 listed in dnsbl.sorbs.net]
>  2.0 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
>                             [84.2.92.253 listed in combined.njabl.org]
>  2.5 DIGEST_MULTIPLE        Message hits more than one network digest check
>  2.8 RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name)
>                             found
>  0.0 BOTNET_CLIENT          Hostname looks like a client hostname
>  1.9 RATWARE_MS_HASH        Bulk email fingerprint (msgid ms hash) found
>  1.7 MSGID_DOLLARS          Message-Id has pattern used in spam
>  2.0 BOTNET                 The submitting mail server looks like part of a Botnet
>
>
>
>
>   
I was wondering how you got a score so different than mine and realized 
I cited the score Trevor's message got with all its attachments 
included.  I saved one of the attachments and ran SA on it and got 
results similar to yours.

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/a791cffb/smime.bin
From ssilva at sgvwater.com  Wed Dec 13 19:03:16 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Dec 13 19:03:35 2006
Subject: Is this really how bayes+autolearn works?
In-Reply-To: <4580493E.1000000@USherbrooke.ca>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC572@inex3.herffjones.hj-int>	<elpdrh$nqd$1@sea.gmane.org>
	<4580493E.1000000@USherbrooke.ca>
Message-ID: <elpipl$c3s$1@sea.gmane.org>

Denis Beauchemin spake the following on 12/13/2006 10:41 AM:
> Scott Silva a ?crit :
>> Content analysis details:   (33.4 points, 5.0 required)
>>
>>  pts rule name              description
>> ---- ----------------------
>> --------------------------------------------------
>>  0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
>>  0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
>>  1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
>>  1.7 SARE_MLB_Stock2        BODY: SARE_MLB_Stock2
>>  1.0 SARE_LWHUGE            BODY: SARE_LWHUGE
>>  0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
>>  1.7 SARE_MLB_Stock6        BODY: ML obfuscated ticker symbols
>>  2.4 TVD_STOCK1             BODY: Message looks like it's pushing a
>> stock...
>>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>>                             [score: 0.5000]
>>  1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>>  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
>>                             above 50%
>>                             [cf: 100]
>>  1.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>>                             [cf: 100]
>>  3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
>>  2.2 DCC_CHECK              Listed in DCC
>> (http://rhyolite.com/anti-spam/dcc/)
>>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP
>> address
>>                             [84.2.92.253 listed in dnsbl.sorbs.net]
>>  2.0 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
>>                             [84.2.92.253 listed in combined.njabl.org]
>>  2.5 DIGEST_MULTIPLE        Message hits more than one network digest
>> check
>>  2.8 RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name)
>>                             found
>>  0.0 BOTNET_CLIENT          Hostname looks like a client hostname
>>  1.9 RATWARE_MS_HASH        Bulk email fingerprint (msgid ms hash) found
>>  1.7 MSGID_DOLLARS          Message-Id has pattern used in spam
>>  2.0 BOTNET                 The submitting mail server looks like part
>> of a Botnet
>>
>>
>>
>>
>>   
> I was wondering how you got a score so different than mine and realized
> I cited the score Trevor's message got with all its attachments
> included.  I saved one of the attachments and ran SA on it and got
> results similar to yours.
> 
> Denis
> 
I don't think that a bare spamassassin install is going to be sufficient
anymore. At least until they add more rules.
I'm always looking to find something that can catch that extra percent or so
of messages, without too high of a processing cost. But the best bang for the
buck has been dropping at the MTA anything in sbl+xbl. That is over 75% of the
traffic not even needing to be run through spamassassin.
-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From Denis.Beauchemin at USherbrooke.ca  Wed Dec 13 19:26:25 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Dec 13 19:27:11 2006
Subject: Is this really how bayes+autolearn works?
In-Reply-To: <elpipl$c3s$1@sea.gmane.org>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC572@inex3.herffjones.hj-int>	<elpdrh$nqd$1@sea.gmane.org>	<4580493E.1000000@USherbrooke.ca>
	<elpipl$c3s$1@sea.gmane.org>
Message-ID: <458053E1.3070004@USherbrooke.ca>

Scott Silva a ?crit :
> Denis Beauchemin spake the following on 12/13/2006 10:41 AM:
>   
>> Scott Silva a ?crit :
>>     
>>> Content analysis details:   (33.4 points, 5.0 required)
>>>
>>>  pts rule name              description
>>> ---- ----------------------
>>> --------------------------------------------------
>>>  0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
>>>  0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
>>>  1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
>>>  1.7 SARE_MLB_Stock2        BODY: SARE_MLB_Stock2
>>>  1.0 SARE_LWHUGE            BODY: SARE_LWHUGE
>>>  0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
>>>  1.7 SARE_MLB_Stock6        BODY: ML obfuscated ticker symbols
>>>  2.4 TVD_STOCK1             BODY: Message looks like it's pushing a
>>> stock...
>>>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>>>                             [score: 0.5000]
>>>  1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>>>  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
>>>                             above 50%
>>>                             [cf: 100]
>>>  1.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
>>>                             [cf: 100]
>>>  3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
>>>  2.2 DCC_CHECK              Listed in DCC
>>> (http://rhyolite.com/anti-spam/dcc/)
>>>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP
>>> address
>>>                             [84.2.92.253 listed in dnsbl.sorbs.net]
>>>  2.0 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
>>>                             [84.2.92.253 listed in combined.njabl.org]
>>>  2.5 DIGEST_MULTIPLE        Message hits more than one network digest
>>> check
>>>  2.8 RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name)
>>>                             found
>>>  0.0 BOTNET_CLIENT          Hostname looks like a client hostname
>>>  1.9 RATWARE_MS_HASH        Bulk email fingerprint (msgid ms hash) found
>>>  1.7 MSGID_DOLLARS          Message-Id has pattern used in spam
>>>  2.0 BOTNET                 The submitting mail server looks like part
>>> of a Botnet
>>>
>>>
>>>
>>>
>>>   
>>>       
>> I was wondering how you got a score so different than mine and realized
>> I cited the score Trevor's message got with all its attachments
>> included.  I saved one of the attachments and ran SA on it and got
>> results similar to yours.
>>
>> Denis
>>
>>     
> I don't think that a bare spamassassin install is going to be sufficient
> anymore. At least until they add more rules.
> I'm always looking to find something that can catch that extra percent or so
> of messages, without too high of a processing cost. But the best bang for the
> buck has been dropping at the MTA anything in sbl+xbl. That is over 75% of the
> traffic not even needing to be run through spamassassin.
>   
Same here!  I was blocking with safe.dnsbl.sorbs.net and added 
sbl-xbl.spamhaus.org last week.  What a difference!  The number of 
blocked connections is quite impressive: close to 400K messages/day!!!

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/d9cdb33e/smime.bin
From bbecken at aafp.org  Wed Dec 13 20:30:13 2006
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Wed Dec 13 20:32:48 2006
Subject: OT: Virus Scanners
Message-ID: <45800E73.D87E.0068.3@aafp.org>

Hello,
I'm putting together the budget for next year and looking for
suggestions for commercial anti-virus products for MailScanner running
on Linux.

I'd like to know what products are preferred and if you have any recent
pricing, it would be appreciated.

thanks.

Brad


From ssilva at sgvwater.com  Wed Dec 13 20:47:07 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Dec 13 20:47:39 2006
Subject: OT: Virus Scanners
In-Reply-To: <45800E73.D87E.0068.3@aafp.org>
References: <45800E73.D87E.0068.3@aafp.org>
Message-ID: <elposb$4t1$1@sea.gmane.org>

Brad Beckenhauer spake the following on 12/13/2006 12:30 PM:
> Hello,
> I'm putting together the budget for next year and looking for
> suggestions for commercial anti-virus products for MailScanner running
> on Linux.
> 
> I'd like to know what products are preferred and if you have any recent
> pricing, it would be appreciated.
> 
> thanks.
> 
> Brad
> 
> 
The first thing I would look at is your current corporate virus scanner. Some
give you access to a commandline scanner for linux that is included in your
licensing. Our McAfee subscription gives us that, at no extra cost.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From bbecken at aafp.org  Wed Dec 13 22:07:16 2006
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Wed Dec 13 22:10:54 2006
Subject: OT: Virus Scanners
In-Reply-To: <elposb$4t1$1@sea.gmane.org>
References: <45800E73.D87E.0068.3@aafp.org> <elposb$4t1$1@sea.gmane.org>
Message-ID: <45807994.8070402@aafp.org>

Scott Silva wrote:
> Brad Beckenhauer spake the following on 12/13/2006 12:30 PM:
>> Hello,
>> I'm putting together the budget for next year and looking for
>> suggestions for commercial anti-virus products for MailScanner running
>> on Linux.
>>
>> I'd like to know what products are preferred and if you have any recent
>> pricing, it would be appreciated.
>>
>> thanks.
>>
>> Brad
>>
>>
> The first thing I would look at is your current corporate virus scanner. Some
> give you access to a commandline scanner for linux that is included in your
> licensing. Our McAfee subscription gives us that, at no extra cost.
> 
Understood,  We're currently running Clamav and Norman but want to add a 
third scanner.
From res at ausics.net  Wed Dec 13 22:13:27 2006
From: res at ausics.net (Res)
Date: Wed Dec 13 22:13:37 2006
Subject: OT: Virus Scanners
In-Reply-To: <45800E73.D87E.0068.3@aafp.org>
References: <45800E73.D87E.0068.3@aafp.org>
Message-ID: <Pine.LNX.4.64.0612140759160.6711@ebfjryy.nhfvpf.arg>

On Wed, 13 Dec 2006, Brad Beckenhauer wrote:

> Hello,
> I'm putting together the budget for next year and looking for
> suggestions for commercial anti-virus products for MailScanner running
> on Linux.
>
> I'd like to know what products are preferred and if you have any recent
> pricing, it would be appreciated.


F-Prot  www.f-prot.com

I think about $AU450 (file server version, the mail server version is not
suitable as it's per user cost and is more than just a plain command line
scanner, it's more designed for groupwise apps) the annual ongoing cost 
last time I checked was about $AU350



-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From pete at enitech.com.au  Wed Dec 13 22:27:26 2006
From: pete at enitech.com.au (Peter Russell)
Date: Wed Dec 13 22:28:08 2006
Subject: OT: Virus Scanners
In-Reply-To: <45807994.8070402@aafp.org>
References: <45800E73.D87E.0068.3@aafp.org> <elposb$4t1$1@sea.gmane.org>
	<45807994.8070402@aafp.org>
Message-ID: <45807E4E.7070904@enitech.com.au>

bitdefender or antivir are free for non commercial :)

Brad Beckenhauer wrote:
> Scott Silva wrote:
>> Brad Beckenhauer spake the following on 12/13/2006 12:30 PM:
>>> Hello,
>>> I'm putting together the budget for next year and looking for
>>> suggestions for commercial anti-virus products for MailScanner running
>>> on Linux.
>>>
>>> I'd like to know what products are preferred and if you have any recent
>>> pricing, it would be appreciated.
>>>
>>> thanks.
>>>
>>> Brad
>>>
>>>
>> The first thing I would look at is your current corporate virus 
>> scanner. Some
>> give you access to a commandline scanner for linux that is included in 
>> your
>> licensing. Our McAfee subscription gives us that, at no extra cost.
>>
> Understood,  We're currently running Clamav and Norman but want to add a 
> third scanner.
From ssilva at sgvwater.com  Wed Dec 13 22:32:53 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Dec 13 22:33:29 2006
Subject: OT: Virus Scanners
In-Reply-To: <45807994.8070402@aafp.org>
References: <45800E73.D87E.0068.3@aafp.org> <elposb$4t1$1@sea.gmane.org>
	<45807994.8070402@aafp.org>
Message-ID: <elpv2l$qm9$1@sea.gmane.org>

Brad Beckenhauer spake the following on 12/13/2006 2:07 PM:
> Scott Silva wrote:
>> Brad Beckenhauer spake the following on 12/13/2006 12:30 PM:
>>> Hello,
>>> I'm putting together the budget for next year and looking for
>>> suggestions for commercial anti-virus products for MailScanner running
>>> on Linux.
>>>
>>> I'd like to know what products are preferred and if you have any recent
>>> pricing, it would be appreciated.
>>>
>>> thanks.
>>>
>>> Brad
>>>
>>>
>> The first thing I would look at is your current corporate virus
>> scanner. Some
>> give you access to a commandline scanner for linux that is included in
>> your
>> licensing. Our McAfee subscription gives us that, at no extra cost.
>>
> Understood,  We're currently running Clamav and Norman but want to add a
> third scanner.
You could also look around for the free BitDefender version. I still see it
occasionally on mirror sites, and probably still have an install file laying
around. I have even had it be the sole virus scanner to hit on occasion, but
not very often. It comes in handy if one of the other ones times out, though.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From gerard at seibercom.net  Wed Dec 13 23:00:04 2006
From: gerard at seibercom.net (Gerard Seibert)
Date: Wed Dec 13 23:00:01 2006
Subject: Mailscanner not scanning queue
In-Reply-To: <45803ACE.5010509@seekio.com>
References: <45803ACE.5010509@seekio.com>
Message-ID: <20061213175736.FBB8.GERARD@seibercom.net>

On Wednesday December 13, 2006 at 12:39:26 (PM) Nate wrote:

> I just installed MailScanner + Postfix on 6 servers running Debian
> Sarge.  I installed from stable packages, so mailscanner is version
> 4.41.3-2 and postfix is 2.1.5-9.  I tried installing the latest
> mailscanner from the unstable branch, but it has too many dependencies,
> and if I fulfilled them, I'd be running unstable on the whole box
> instead of stable.  I followed the directions I found at
> http://www.debian-administration.org/articles/172.
> 
> OK, that said, here's my problem.  After starting mailscanner everything
> appears to work fine... for a little while.  On every server Mailscanner
> eventually just doesn't see messages that arrive in the queue any more.
>  I do a postqueue -p and can see the messages waiting in the hold queue,
> but mailscanner isn't doing anything with them.
> 
> I tried enabling Debug in the conf and running check_mailscanner.  That
> runs fine, but since it quits right away I don't think it hits the
> problem where it's not seeing new messages.
> 
> Does anyone have any ideas of things to try from here?  Any knows bugs
> that I'm maybe hitting?  If so, how do I install the latest version on
> Debian Sarge?


I don't know of this is relevant or not, but your copy of Postfix is
ancient. In fact, anything prior to version 2.3 is antiquated. The
latest no beta version is version 2.3.5 at present. I really believe you
might want to update your version, especially if you intend to use
SSL/TLS on your system.


-- 
Gerard
From TGFurnish at herffjones.com  Wed Dec 13 23:08:22 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Wed Dec 13 23:08:36 2006
Subject: Is this really how bayes+autolearn works?
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC587@inex3.herffjones.hj-int>

 
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info 
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf 
> Of Denis Beauchemin
> Sent: Wednesday, December 13, 2006 2:26 PM
> To: MailScanner discussion
> Subject: Re: Is this really how bayes+autolearn works?
> 
> Scott Silva a ?crit :
> > I don't think that a bare spamassassin install is going to be 
> > sufficient anymore. At least until they add more rules.
> > I'm always looking to find something that can catch that 
> extra percent 
> > or so of messages, without too high of a processing cost. 
> But the best 
> > bang for the buck has been dropping at the MTA anything in sbl+xbl. 
> > That is over 75% of the traffic not even needing to be run 
> through spamassassin.
> >   
> Same here!  I was blocking with safe.dnsbl.sorbs.net and 
> added sbl-xbl.spamhaus.org last week.  What a difference!  
> The number of blocked connections is quite impressive: close 
> to 400K messages/day!!!
> 
> Denis
> 

I'll 'third' that -- towards the end of november our inbound message rate climbed steeply to 180k/day with a lot of false negatives -- I added sbl+xbl around December 1st with a rejection response refering to a specific web page for tracking and was delighted and surprised by the result.  The 180k msgs/day rate dropped down to 60k immediately and so far only one person's loaded the tracking URL (and that person didn't go ahead and report a false positive).

- Trever
From dward at nccumc.org  Wed Dec 13 23:14:15 2006
From: dward at nccumc.org (Douglas Ward)
Date: Wed Dec 13 23:14:17 2006
Subject: OT: Virus Scanners
In-Reply-To: <elpv2l$qm9$1@sea.gmane.org>
References: <45800E73.D87E.0068.3@aafp.org> <elposb$4t1$1@sea.gmane.org>
	<45807994.8070402@aafp.org> <elpv2l$qm9$1@sea.gmane.org>
Message-ID: <dcbe03e00612131514t7924b8etee0078a54ca4ad44@mail.gmail.com>

I have a copy of the latest BitDefender free version (that I could fine).
Anyone interested please let me know off list.

On 12/13/06, Scott Silva <ssilva@sgvwater.com> wrote:
>
> Brad Beckenhauer spake the following on 12/13/2006 2:07 PM:
> > Scott Silva wrote:
> >> Brad Beckenhauer spake the following on 12/13/2006 12:30 PM:
> >>> Hello,
> >>> I'm putting together the budget for next year and looking for
> >>> suggestions for commercial anti-virus products for MailScanner running
> >>> on Linux.
> >>>
> >>> I'd like to know what products are preferred and if you have any
> recent
> >>> pricing, it would be appreciated.
> >>>
> >>> thanks.
> >>>
> >>> Brad
> >>>
> >>>
> >> The first thing I would look at is your current corporate virus
> >> scanner. Some
> >> give you access to a commandline scanner for linux that is included in
> >> your
> >> licensing. Our McAfee subscription gives us that, at no extra cost.
> >>
> > Understood,  We're currently running Clamav and Norman but want to add a
> > third scanner.
> You could also look around for the free BitDefender version. I still see
> it
> occasionally on mirror sites, and probably still have an install file
> laying
> around. I have even had it be the sole virus scanner to hit on occasion,
> but
> not very often. It comes in handy if one of the other ones times out,
> though.
>
> --
>
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/ec227a33/attachment.html
From rob at robhq.com  Wed Dec 13 23:23:03 2006
From: rob at robhq.com (Rob Freeman)
Date: Wed Dec 13 23:23:25 2006
Subject: OT: Virus Scanners
In-Reply-To: <dcbe03e00612131514t7924b8etee0078a54ca4ad44@mail.gmail.com>
References: <45800E73.D87E.0068.3@aafp.org>
	<elposb$4t1$1@sea.gmane.org>	<45807994.8070402@aafp.org>
	<elpv2l$qm9$1@sea.gmane.org>
	<dcbe03e00612131514t7924b8etee0078a54ca4ad44@mail.gmail.com>
Message-ID: <000601c71f0d$a98f3880$fcada980$@com>

Do they still do updates for BitDefender?  I stopped using it once I found
out they were stopping it

 

From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Douglas
Ward
Sent: Wednesday, December 13, 2006 5:14 PM
To: MailScanner discussion
Subject: Re: OT: Virus Scanners

 

I have a copy of the latest BitDefender free version (that I could fine).
Anyone interested please let me know off list.

On 12/13/06, Scott Silva <HYPERLINK "mailto:ssilva@sgvwater.com"
ssilva@sgvwater.com> wrote:

Brad Beckenhauer spake the following on 12/13/2006 2:07 PM: 
> Scott Silva wrote:
>> Brad Beckenhauer spake the following on 12/13/2006 12:30 PM:
>>> Hello,
>>> I'm putting together the budget for next year and looking for
>>> suggestions for commercial anti-virus products for MailScanner running 
>>> on Linux.
>>>
>>> I'd like to know what products are preferred and if you have any recent
>>> pricing, it would be appreciated.
>>>
>>> thanks. 
>>>
>>> Brad
>>>
>>>
>> The first thing I would look at is your current corporate virus
>> scanner. Some
>> give you access to a commandline scanner for linux that is included in 
>> your
>> licensing. Our McAfee subscription gives us that, at no extra cost.
>>
> Understood,  We're currently running Clamav and Norman but want to add a
> third scanner.
You could also look around for the free BitDefender version. I still see it
occasionally on mirror sites, and probably still have an install file laying
around. I have even had it be the sole virus scanner to hit on occasion, but

not very often. It comes in handy if one of the other ones times out,
though.

--

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

--
MailScanner mailing list
HYPERLINK
"mailto:mailscanner@lists.mailscanner.info"mailscanner@lists.mailscanner.inf
o
HYPERLINK
"http://lists.mailscanner.info/mailman/listinfo/mailscanner"http://lists.mai
lscanner.info/mailman/listinfo/mailscanner 

Before posting, read HYPERLINK
"http://wiki.mailscanner.info/posting"http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

 

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.15.18/586 - Release Date: 12/13/2006
6:13 PM


-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.15.18/586 - Release Date: 12/13/2006
6:13 PM
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/309783b4/attachment.html
From pete at enitech.com.au  Wed Dec 13 23:39:03 2006
From: pete at enitech.com.au (Peter Russell)
Date: Wed Dec 13 23:39:12 2006
Subject: OT: REGEXP
In-Reply-To: <223f97700612130043v7c9f4829ub697df98969ba7b4@mail.gmail.com>
References: <457F28DA.4080002@enitech.com.au> <457F3102.5090508@evi-inc.com>
	<223f97700612130043v7c9f4829ub697df98969ba7b4@mail.gmail.com>
Message-ID: <45808F17.6050806@enitech.com.au>

Thanks so much for the clear explanation guys, really appreciate it.

As recommended i am going for the
 >> /^user@domain\.com(\.au)?$/
 >>
 >> That will only match exactly "user@domain.com" or "user@domain.com.au"

It does exactly what i need.

Thanks again
Pete

Glenn Steen wrote:
> On 12/12/06, Matt Kettler <mkettler@evi-inc.com> wrote:
>> Peter Russell wrote:
>> > I have postfix recipient maps and some one on here once helped me 
>> format
>> > the content using regexp so i could create one entry that covered
>> > multiple formats. I need to change that but am almost clueless as to 
>> how.
>> >
>> > Could some one offer a suggestion on how to write the following as a
>> > regexp.
>> >
>> > Current                Required
>> > user@domain.com    OK        user@domain.com        OK
>> >                 user@domain.com.au    OK
>> >
>> > Is the REGEXP something like
>> > /user@domain/.[com|/.com/.au]    OK
>>
>> Disclaimer: I know regexes VERY well, but postfix not at all.
> Well, I'll comment on the postfix side then:-). ISTR I was the one
> helping Pete out last time:-).
> (snip)
>> Provided there's not some weirdness in postfix that forces regexes
>> to match full-text, you can simplify further to:
> No "weirdness" to talk about. Postfix supports both POSIX regexps and
> Perl compatible regexps ("man regexp_table pcre_table" shows the
> difference in the postfix config, "man [5|7] regex" or "man 7
> re_format" (or similar, depending on OS) documents POSIX REs, while
> the usual perl docs on REs document the pcre part).
> In an access type file, one needs to remember that when using REs,
> postfix will not do the "magic exploding" of the address into its
> constituent parts (local/domain etc), but other than that... No real
> weirdness at all;-).
> 
>> 6) If the substring matching pointed out in 5 is over-broad for you, 
>> you can fix
>> 4 by ending anchors for beginning and end of input:
>>
>> /^user@domain\.com(\.au)?$/
>>
>> That will only match exactly "user@domain.com" or "user@domain.com.au"
> 
> This is the one I'd recommend you to use Pete.
> Keep in mind that although the RE tables are easier to maintain, the
> indexed ones are faster, and have some "magic" to make rules based on
> part(s) of the address. I wont deny that it'd be a two-line thing for
> this case, though... If you generate them with a script (and the set
> is fairly huge), you'd perhaps best try and time lookups on the
> different table types as described in the respective man pages ("less
> /etc/postfix/access" should contain the info on a regular indexed
> access file).
> 
> Other than that... You'll be very well off with Matts (excellently
> explained) RE above.
> 
From ssilva at sgvwater.com  Thu Dec 14 00:37:16 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Dec 14 00:37:46 2006
Subject: OT: Virus Scanners
In-Reply-To: <000601c71f0d$a98f3880$fcada980$@com>
References: <45800E73.D87E.0068.3@aafp.org>	<elposb$4t1$1@sea.gmane.org>	<45807994.8070402@aafp.org>	<elpv2l$qm9$1@sea.gmane.org>	<dcbe03e00612131514t7924b8etee0078a54ca4ad44@mail.gmail.com>
	<000601c71f0d$a98f3880$fcada980$@com>
Message-ID: <elq6bs$h16$1@sea.gmane.org>

Rob Freeman spake the following on 12/13/2006 3:23 PM:
> Do they still do updates for BitDefender?  I stopped using it once I
> found out they were stopping it
> 
Mine still updates.

Update time: Thu Dec 14 00:52:29 2006
Signature number: 338931
Update time GMT: 1166043149
Version: 7.10461

I still see it on the BitDefender site.
http://download.bitdefender.com/unices/old/linux/free/bitdefender-console/en/
At least an english version.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From dward at nccumc.org  Thu Dec 14 00:56:24 2006
From: dward at nccumc.org (Douglas Ward)
Date: Thu Dec 14 00:56:26 2006
Subject: OT: Virus Scanners
In-Reply-To: <elq6bs$h16$1@sea.gmane.org>
References: <45800E73.D87E.0068.3@aafp.org> <elposb$4t1$1@sea.gmane.org>
	<45807994.8070402@aafp.org> <elpv2l$qm9$1@sea.gmane.org>
	<dcbe03e00612131514t7924b8etee0078a54ca4ad44@mail.gmail.com>
	<000601c71f0d$a98f3880$fcada980$@com> <elq6bs$h16$1@sea.gmane.org>
Message-ID: <dcbe03e00612131656g5c9e5e7fxf5985a280242e08@mail.gmail.com>

I have been running BitDefender-postfix-1.6.2-1.linux-gcc3x.i586.rpm.run.
Is the BitDefender-Console the newer version?  Does anyone know if it
installs over the top of the old installation?

On 12/13/06, Scott Silva <ssilva@sgvwater.com> wrote:
>
> Rob Freeman spake the following on 12/13/2006 3:23 PM:
> > Do they still do updates for BitDefender?  I stopped using it once I
> > found out they were stopping it
> >
> Mine still updates.
>
> Update time: Thu Dec 14 00:52:29 2006
> Signature number: 338931
> Update time GMT: 1166043149
> Version: 7.10461
>
> I still see it on the BitDefender site.
>
> http://download.bitdefender.com/unices/old/linux/free/bitdefender-console/en/
> At least an english version.
>
> --
>
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061213/b54dcd89/attachment.html
From michele at blacknight.ie  Thu Dec 14 09:54:12 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Thu Dec 14 09:52:55 2006
Subject: Any contact in Cbl?
Message-ID: <017b01c71f65$ced85330$e3f31151@blacknight.local>

Has anyone got a human contact in CBL?



Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239

From glenn.steen at gmail.com  Thu Dec 14 12:34:36 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 14 12:34:41 2006
Subject: Mailscanner not scanning queue
In-Reply-To: <20061213175736.FBB8.GERARD@seibercom.net>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
Message-ID: <223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>

On 14/12/06, Gerard Seibert <gerard@seibercom.net> wrote:
> On Wednesday December 13, 2006 at 12:39:26 (PM) Nate wrote:
>
> > I just installed MailScanner + Postfix on 6 servers running Debian
> > Sarge.  I installed from stable packages, so mailscanner is version
> > 4.41.3-2 and postfix is 2.1.5-9.  I tried installing the latest
> > mailscanner from the unstable branch, but it has too many dependencies,
> > and if I fulfilled them, I'd be running unstable on the whole box
> > instead of stable.  I followed the directions I found at
> > http://www.debian-administration.org/articles/172.
> >
> > OK, that said, here's my problem.  After starting mailscanner everything
> > appears to work fine... for a little while.  On every server Mailscanner
> > eventually just doesn't see messages that arrive in the queue any more.
> >  I do a postqueue -p and can see the messages waiting in the hold queue,
> > but mailscanner isn't doing anything with them.
> >
> > I tried enabling Debug in the conf and running check_mailscanner.  That
> > runs fine, but since it quits right away I don't think it hits the
> > problem where it's not seeing new messages.
> >
> > Does anyone have any ideas of things to try from here?  Any knows bugs
> > that I'm maybe hitting?  If so, how do I install the latest version on
> > Debian Sarge?
>
>
> I don't know of this is relevant or not, but your copy of Postfix is
> ancient. In fact, anything prior to version 2.3 is antiquated. The
> latest no beta version is version 2.3.5 at present. I really believe you
> might want to update your version, especially if you intend to use
> SSL/TLS on your system.
>

Although correct in principle, this is largely beside the point here
Gerard, and further a matter of some debate (which we should _not_
perform here!).
This problem very likely (with that old version of MailScanner) stem
from "something" putting non-queue files into the hold queue
directory. If it is razor, just follow the numerous similar ways of
configuring this so that the razor log file is written somewhere sane,
if it is TNEF-related (winmail.dat etc) then try changing method
(internal/external decoder) in MailScanner.conf ... And, of course,
remove the garbage files from the hold queue.

If you want to act on Gerards advice (to update), you could very well
go unstable... it's not _that_ bad:-). Or go Ubuntu, if you want to
stay in the Debian sphere... Still would have pretty much the same
type of consieration between Dapper and Edgy, but with newer
version(s).
If you decide to go for teh lates Postfix, you will _have to_ go with
the latest MailScanner as well (well, at least pretty close to:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From res at ausics.net  Thu Dec 14 13:00:57 2006
From: res at ausics.net (Res)
Date: Thu Dec 14 13:01:09 2006
Subject: Mailscanner not scanning queue
In-Reply-To: <223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>

On Thu, 14 Dec 2006, Glenn Steen wrote:

> If you want to act on Gerards advice (to update), you could very well
> go unstable... it's not _that_ bad:-). Or go Ubuntu, if you want to

This is one thing that amazes me, people post to lists saying blah doesnt 
work, but use antiquated versions, it should be mandatory that people wake 
up, and use the latest versions before trying to obtain help because 
somthing doesnt work.

People should STOP relying on old versions that are called stable by 
distros like debian and BSD and so on, and install tarballs rather than 
these so called stable ports thats are a year old.

Its like using sendmail 8.8 and saying why is my mail server blocked for 
open relaying, when the current version is 8.13 or saying I cant get my 
brand new camera to work but still use kernel 2.02  *sigh*


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From glenn.steen at gmail.com  Thu Dec 14 14:03:02 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 14 14:03:12 2006
Subject: Mailscanner not scanning queue
In-Reply-To: <Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
Message-ID: <223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>

On 14/12/06, Res <res@ausics.net> wrote:
> On Thu, 14 Dec 2006, Glenn Steen wrote:
>
> > If you want to act on Gerards advice (to update), you could very well
> > go unstable... it's not _that_ bad:-). Or go Ubuntu, if you want to
>
> This is one thing that amazes me, people post to lists saying blah doesnt
> work, but use antiquated versions, it should be mandatory that people wake
> up, and use the latest versions before trying to obtain help because
> somthing doesnt work.
>
> People should STOP relying on old versions that are called stable by
> distros like debian and BSD and so on, and install tarballs rather than
> these so called stable ports thats are a year old.
>
> Its like using sendmail 8.8 and saying why is my mail server blocked for
> open relaying, when the current version is 8.13 or saying I cant get my
> brand new camera to work but still use kernel 2.02  *sigh*
>
My personal view is very close to yours Res. I've only seen grief from
the few attempts I've made ocver the years to live with the more than
insanely mossy/mouldy crap that is called "stable" in the Debian case.
"Unstable" is is in some ways more stable than at least some RPM-based
distros:-):-). And still not that close to bleeding edge either. Oh
well.

But one has to realise that this isn't always up to the one asking the
questions... It might be the result of pigheaded PHBs and
miss-directed policies. So ... a friendly clue as to how to get around
the current problem, as well as some advice ... Keeps the tone of the
forum nice, and who knows... The asker might even do an update or
three;-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From res at ausics.net  Thu Dec 14 14:56:18 2006
From: res at ausics.net (Res)
Date: Thu Dec 14 14:56:25 2006
Subject: Mailscanner not scanning queue
In-Reply-To: <223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.0612150053080.814@ebfjryy.nhfvpf.arg>

On Thu, 14 Dec 2006, Glenn Steen wrote:

> insanely mossy/mouldy crap that is called "stable" in the Debian case.
> "Unstable" is is in some ways more stable than at least some RPM-based
> distros:-):-). And still not that close to bleeding edge either. Oh
> well.

this is one reason why debian will never get a look in here, its  so 
calkeld curent stable is akin to using a 2.2 kernel, its so far behind
it actuallt is funny


> But one has to realise that this isn't always up to the one asking the
> questions... It might be the result of pigheaded PHBs and
> miss-directed policies. So ... a friendly clue as to how to get around

later versions  = less bugs + more security + reliability (in most cases)
so no ones policy should mandate that thall shall be rapeable, or I'd like 
to think not, but then again, thjere are windwos admins out there arnt 
there :P


> the current problem, as well as some advice ... Keeps the tone of the
> forum nice, and who knows... The asker might even do an update or
> three;-).
>

or 33 of using debian

>

-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From nate at seekio.com  Thu Dec 14 15:34:51 2006
From: nate at seekio.com (Nate)
Date: Thu Dec 14 15:34:56 2006
Subject: Mailscanner not scanning queue
In-Reply-To: <223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
References: <45803ACE.5010509@seekio.com>	<20061213175736.FBB8.GERARD@seibercom.net>	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
Message-ID: <45816F1B.60008@seekio.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, I'm running old versions of postfix and mailscanner, but here are
my reasons:

1. I followed the instructions at
http://www.debian-administration.org/articles/172 which has you install
all of the packages from apt.  These are the version that were installed.

2. I did try getting the latest version of Mailscanner since that was my
first inkling as well.  However, on
http://www.mailscanner.info/downloads.html I do not see a plain tarball
source install.  I see installs for redhat, suse, Solaris/BSD, Debian,
FreeBSD.  I tried to install the Debian version but it's from unstable
and so it choked on dependencies.  I'm not afraid of installing the
latest version from a generic tarball, but I did not see that for
Mailscanner, which I think is odd.  Am I missing something here?  Where
is the source tarball?  My only other option is to try re-compiling the
package, which I've done before, but you really can't expect a lot of
users to know how to do that, and in my experience it doesn't always
work very well.

3. I manage over 200 debian boxes.  When you manage that many,
consistency is key.  Having a few boxes be in the unstable branch while
the rest are in stable can cause problems all over the place and make
your life a living hell.  I know, I've done it before.

So at this point I figured it would be quicker and easier to just ask on
the list as the author of that install page (Ugo) suggested.  As it is,
Razor was writing it's log file to the hold queue directory.  So I fixed
that and we'll see how it goes.

Thanks, Glenn.

Nate

Glenn Steen wrote:
> On 14/12/06, Res <res@ausics.net> wrote:
>> On Thu, 14 Dec 2006, Glenn Steen wrote:
>>
>> > If you want to act on Gerards advice (to update), you could very well
>> > go unstable... it's not _that_ bad:-). Or go Ubuntu, if you want to
>>
>> This is one thing that amazes me, people post to lists saying blah doesnt
>> work, but use antiquated versions, it should be mandatory that people
>> wake
>> up, and use the latest versions before trying to obtain help because
>> somthing doesnt work.
>>
>> People should STOP relying on old versions that are called stable by
>> distros like debian and BSD and so on, and install tarballs rather than
>> these so called stable ports thats are a year old.
>>
>> Its like using sendmail 8.8 and saying why is my mail server blocked for
>> open relaying, when the current version is 8.13 or saying I cant get my
>> brand new camera to work but still use kernel 2.02  *sigh*
>>
> My personal view is very close to yours Res. I've only seen grief from
> the few attempts I've made ocver the years to live with the more than
> insanely mossy/mouldy crap that is called "stable" in the Debian case.
> "Unstable" is is in some ways more stable than at least some RPM-based
> distros:-):-). And still not that close to bleeding edge either. Oh
> well.
> 
> But one has to realise that this isn't always up to the one asking the
> questions... It might be the result of pigheaded PHBs and
> miss-directed policies. So ... a friendly clue as to how to get around
> the current problem, as well as some advice ... Keeps the tone of the
> forum nice, and who knows... The asker might even do an update or
> three;-).
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFgW8aRMRYK1K/wKQRAolaAJ4lwsVWvX7HVIY/+4iXW7A5aa+EpgCdGGPB
dOOpRzOJId3waJqT+SVcZSo=
=6F/y
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3491 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061214/5d3c9a93/smime.bin
From glenn.steen at gmail.com  Thu Dec 14 15:36:21 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 14 15:36:24 2006
Subject: Mailscanner not scanning queue
In-Reply-To: <Pine.LNX.4.64.0612150053080.814@ebfjryy.nhfvpf.arg>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
	<Pine.LNX.4.64.0612150053080.814@ebfjryy.nhfvpf.arg>
Message-ID: <223f97700612140736n1088c833w48b28c420259f88c@mail.gmail.com>

On 14/12/06, Res <res@ausics.net> wrote:
> On Thu, 14 Dec 2006, Glenn Steen wrote:
>
> > insanely mossy/mouldy crap that is called "stable" in the Debian case.
> > "Unstable" is is in some ways more stable than at least some RPM-based
> > distros:-):-). And still not that close to bleeding edge either. Oh
> > well.
>
> this is one reason why debian will never get a look in here, its  so
> calkeld curent stable is akin to using a 2.2 kernel, its so far behind
> it actuallt is funny

In a rather twisted way, yes. Then again it's a rather poor joke...
Someone suffers from it:-/

> > But one has to realise that this isn't always up to the one asking the
> > questions... It might be the result of pigheaded PHBs and
> > miss-directed policies. So ... a friendly clue as to how to get around
>
> later versions  = less bugs + more security + reliability (in most cases)
> so no ones policy should mandate that thall shall be rapeable, or I'd like
> to think not, but then again, thjere are windwos admins out there arnt
> there :P

Definitely. No argument whatsoever.

> > the current problem, as well as some advice ... Keeps the tone of the
> > forum nice, and who knows... The asker might even do an update or
> > three;-).
> >
>
> or 33 of using debian

It'll be a fai bit more than that:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From gerard at seibercom.net  Thu Dec 14 16:02:25 2006
From: gerard at seibercom.net (Gerard Seibert)
Date: Thu Dec 14 16:02:13 2006
Subject: Mailscanner not scanning queue
In-Reply-To: <45816F1B.60008@seekio.com>
References: <223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
	<45816F1B.60008@seekio.com>
Message-ID: <20061214105428.6B84.GERARD@seibercom.net>

On Thursday December 14, 2006 at 10:34:51 (AM) Nate wrote:

> Yes, I'm running old versions of postfix and mailscanner, but here are
> my reasons:
> 
> 1. I followed the instructions at
> http://www.debian-administration.org/articles/172 which has you install
> all of the packages from apt.  These are the version that were installed.
> 
> 2. I did try getting the latest version of Mailscanner since that was my
> first inkling as well.  However, on
> http://www.mailscanner.info/downloads.html I do not see a plain tarball
> source install.  I see installs for redhat, suse, Solaris/BSD, Debian,
> FreeBSD.  I tried to install the Debian version but it's from unstable
> and so it choked on dependencies.  I'm not afraid of installing the
> latest version from a generic tarball, but I did not see that for
> Mailscanner, which I think is odd.  Am I missing something here?  Where
> is the source tarball?  My only other option is to try re-compiling the
> package, which I've done before, but you really can't expect a lot of
> users to know how to do that, and in my experience it doesn't always
> work very well.
> 
> 3. I manage over 200 debian boxes.  When you manage that many,
> consistency is key.  Having a few boxes be in the unstable branch while
> the rest are in stable can cause problems all over the place and make
> your life a living hell.  I know, I've done it before.
> 
> So at this point I figured it would be quicker and easier to just ask on
> the list as the author of that install page (Ugo) suggested.  As it is,
> Razor was writing it's log file to the hold queue directory.  So I fixed
> that and we'll see how it goes.

I am not sure if this URL will assist you or not:

http://sourceforge.net/project/showfiles.php?group_id=99989&package_id=107401&release_id=383366

Assuming the above link proves useful,  why use the very outdated
Postfix version? You are going to run into problems with the old, less
then 2.3 version of Postfix.. There have been major updates, plus it
appears to work better with Mailscanner. If you intend to use TLS you
really should consider it.


-- 
Gerard
From glenn.steen at gmail.com  Thu Dec 14 16:14:07 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 14 16:14:10 2006
Subject: Mailscanner not scanning queue
In-Reply-To: <45816F1B.60008@seekio.com>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
	<45816F1B.60008@seekio.com>
Message-ID: <223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>

On 14/12/06, Nate <nate@seekio.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yes, I'm running old versions of postfix and mailscanner, but here are
> my reasons:
>
> 1. I followed the instructions at
> http://www.debian-administration.org/articles/172 which has you install
> all of the packages from apt.  These are the version that were installed.

Ok. While I can see that this has its merits, as you get more comfy
with MailScanner and want it (and SpamAssassin in particular) to have
better hit percentages, you will be wanting to move closer to "latest
stable" of each of those... That at least is my opinionated view:-).

> 2. I did try getting the latest version of Mailscanner since that was my
> first inkling as well.  However, on
> http://www.mailscanner.info/downloads.html I do not see a plain tarball
> source install.  I see installs for redhat, suse, Solaris/BSD, Debian,
> FreeBSD.  I tried to install the Debian version but it's from unstable
> and so it choked on dependencies.  I'm not afraid of installing the
> latest version from a generic tarball, but I did not see that for
> Mailscanner, which I think is odd.  Am I missing something here?  Where
> is the source tarball?  My only other option is to try re-compiling the
> package, which I've done before, but you really can't expect a lot of
> users to know how to do that, and in my experience it doesn't always
> work very well.

The "Solaris/*BSD/Other *nix" package *is* the tarball...
Installs into /opt in a rather self-contained manner. And it'll take
care of perl module dependencies as best it can, provided you don't
have an "insanely" old perl (ISTR 5.6.1 being ok, but might be
wrong)... Worst case, you'll have to get things via cpan. Do the same
with the clam+SA package, and you should be well on your way to
getting the latest'n'greatest (stable) going;-). If you go that way,
you'll have to remove the debs installed by apt for the respective
subsystems (MailScanner, SA and Clam)... But you knew that:-).

There are nice instructions on the official site, as well as in the
MAQ/Wiki ...;)

BTW, the "recompile" step is actually done at execute time ... After
all, this is (mostly) perl;-).

>
> 3. I manage over 200 debian boxes.  When you manage that many,
> consistency is key.  Having a few boxes be in the unstable branch while
> the rest are in stable can cause problems all over the place and make
> your life a living hell.  I know, I've done it before.

So move them all to unstable then... Or do you have a compelling reson
not to do that?
Or move over to Ubuntu... I like a lot of things about that one:-). If
you need long support cycles and semi-old packages, Dapper should be
your best pick. Might also please Desktop users:-D

> So at this point I figured it would be quicker and easier to just ask on
> the list as the author of that install page (Ugo) suggested.  As it is,
> Razor was writing it's log file to the hold queue directory.  So I fixed
> that and we'll see how it goes.

Thought so. This is the _only_ real benefit of using older versions of
things... Most bad bugs are known, and there are ususlly publicly
available workarounds.
Then again, in newer versions... those bugs are likely fixed (and new
ones introduced, yes:-)..

> Thanks, Glenn.
Glad to be of help.
(snip)
Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ssilva at sgvwater.com  Thu Dec 14 16:49:10 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Dec 14 16:49:19 2006
Subject: OT: Virus Scanners
In-Reply-To: <dcbe03e00612131656g5c9e5e7fxf5985a280242e08@mail.gmail.com>
References: <45800E73.D87E.0068.3@aafp.org>
	<elposb$4t1$1@sea.gmane.org>	<45807994.8070402@aafp.org>
	<elpv2l$qm9$1@sea.gmane.org>	<dcbe03e00612131514t7924b8etee0078a54ca4ad44@mail.gmail.com>	<000601c71f0d$a98f3880$fcada980$@com>
	<elq6bs$h16$1@sea.gmane.org>
	<dcbe03e00612131656g5c9e5e7fxf5985a280242e08@mail.gmail.com>
Message-ID: <elrva5$pm1$1@sea.gmane.org>

Douglas Ward spake the following on 12/13/2006 4:56 PM:
> I have been running
> BitDefender-postfix-1.6.2-1.linux-gcc3x.i586.rpm.run.  Is the
> BitDefender-Console the newer version?  Does anyone know if it installs
> over the top of the old installation?
> 
The BitDefender version, like any other viruscanner with mailscanner, should
be the command line version. Most of the mail-based virus scanners use some
form of direct hook into the MTA that will bypass mailscanner.
Mailscanner unpacks a batch of messages into a temp directory, then calls the
command-line scanners over that temp directory, watching the output of the
scanners, and translating that back to its own use. That is usually more
efficient than the virus scanners piping each message one at a time through
their engine.
The last free commandline version of BitDefender that was available was
BitDefender-Console-Antivirus-7.1-3.linux-gcc3x.i386.run. There is also an rpm
and a deb package.
-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From nate at seekio.com  Thu Dec 14 16:56:59 2006
From: nate at seekio.com (Nate)
Date: Thu Dec 14 16:57:06 2006
Subject: Mailscanner not scanning queue
In-Reply-To: <223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>
References: <45803ACE.5010509@seekio.com>	<20061213175736.FBB8.GERARD@seibercom.net>	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>	<45816F1B.60008@seekio.com>
	<223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>
Message-ID: <4581825B.6000702@seekio.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, it was not obvious to me that the Solaris/BSD version was the
generic tarball.  I'll take a look into that.

The reason we don't upgrade our 200 boxes to Unstable is because they
are servers.  They are not workstations.  We have millions of
transactions and over 2gigabit/sec of traffic coming off of them.  We
like them to be stable.  I've run debian/testing on servers before and
had problems, so there's no way I'm going near unstable on a server.  A
desktop is another matter.  99% of what we do works fine with stable.  I
know at some point we will have to make the jump to testing in
preparation for the next release of Debian (in 4 or 5 years if we're
lucky) but for right now, I have had absolutely no reason to upgrade
until MailScanner.  I have no time to deal with problems caused by
bleeding edge software, especially when you multiply the time it takes
to deal with them by over 200.

In the end I'll have to decide if I want to go with a more manual
install, upgrade to unstable for the mailscanner boxes, leave it as is,
or even go with a barracuda box or something.  So thank you all for your
opinions and help.

Thanks,
Nate

Glenn Steen wrote:
> On 14/12/06, Nate <nate@seekio.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Yes, I'm running old versions of postfix and mailscanner, but here are
>> my reasons:
>>
>> 1. I followed the instructions at
>> http://www.debian-administration.org/articles/172 which has you install
>> all of the packages from apt.  These are the version that were installed.
> 
> Ok. While I can see that this has its merits, as you get more comfy
> with MailScanner and want it (and SpamAssassin in particular) to have
> better hit percentages, you will be wanting to move closer to "latest
> stable" of each of those... That at least is my opinionated view:-).
> 
>> 2. I did try getting the latest version of Mailscanner since that was my
>> first inkling as well.  However, on
>> http://www.mailscanner.info/downloads.html I do not see a plain tarball
>> source install.  I see installs for redhat, suse, Solaris/BSD, Debian,
>> FreeBSD.  I tried to install the Debian version but it's from unstable
>> and so it choked on dependencies.  I'm not afraid of installing the
>> latest version from a generic tarball, but I did not see that for
>> Mailscanner, which I think is odd.  Am I missing something here?  Where
>> is the source tarball?  My only other option is to try re-compiling the
>> package, which I've done before, but you really can't expect a lot of
>> users to know how to do that, and in my experience it doesn't always
>> work very well.
> 
> The "Solaris/*BSD/Other *nix" package *is* the tarball...
> Installs into /opt in a rather self-contained manner. And it'll take
> care of perl module dependencies as best it can, provided you don't
> have an "insanely" old perl (ISTR 5.6.1 being ok, but might be
> wrong)... Worst case, you'll have to get things via cpan. Do the same
> with the clam+SA package, and you should be well on your way to
> getting the latest'n'greatest (stable) going;-). If you go that way,
> you'll have to remove the debs installed by apt for the respective
> subsystems (MailScanner, SA and Clam)... But you knew that:-).
> 
> There are nice instructions on the official site, as well as in the
> MAQ/Wiki ...;)
> 
> BTW, the "recompile" step is actually done at execute time ... After
> all, this is (mostly) perl;-).
> 
>>
>> 3. I manage over 200 debian boxes.  When you manage that many,
>> consistency is key.  Having a few boxes be in the unstable branch while
>> the rest are in stable can cause problems all over the place and make
>> your life a living hell.  I know, I've done it before.
> 
> So move them all to unstable then... Or do you have a compelling reson
> not to do that?
> Or move over to Ubuntu... I like a lot of things about that one:-). If
> you need long support cycles and semi-old packages, Dapper should be
> your best pick. Might also please Desktop users:-D
> 
>> So at this point I figured it would be quicker and easier to just ask on
>> the list as the author of that install page (Ugo) suggested.  As it is,
>> Razor was writing it's log file to the hold queue directory.  So I fixed
>> that and we'll see how it goes.
> 
> Thought so. This is the _only_ real benefit of using older versions of
> things... Most bad bugs are known, and there are ususlly publicly
> available workarounds.
> Then again, in newer versions... those bugs are likely fixed (and new
> ones introduced, yes:-)..
> 
>> Thanks, Glenn.
> Glad to be of help.
> (snip)
> Cheers
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFgYJURMRYK1K/wKQRApA3AJ9FFmBQ9opQNJegPPxwlrgmIBW6TwCgoFvs
V5YWYTWqdQxp0I+XlKEuMvE=
=Q2mY
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3491 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061214/ecef2047/smime.bin
From glenn.steen at gmail.com  Thu Dec 14 17:08:13 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 14 17:08:16 2006
Subject: Mailscanner not scanning queue
In-Reply-To: <4581825B.6000702@seekio.com>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
	<45816F1B.60008@seekio.com>
	<223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>
	<4581825B.6000702@seekio.com>
Message-ID: <223f97700612140908j1fdd2444raea14abe75db9aee@mail.gmail.com>

On 14/12/06, Nate <nate@seekio.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> OK, it was not obvious to me that the Solaris/BSD version was the
> generic tarball.  I'll take a look into that.
>
> The reason we don't upgrade our 200 boxes to Unstable is because they
> are servers.  They are not workstations.  We have millions of
> transactions and over 2gigabit/sec of traffic coming off of them.  We
> like them to be stable.  I've run debian/testing on servers before and
> had problems, so there's no way I'm going near unstable on a server.  A
> desktop is another matter.  99% of what we do works fine with stable.  I
> know at some point we will have to make the jump to testing in
> preparation for the next release of Debian (in 4 or 5 years if we're
> lucky) but for right now, I have had absolutely no reason to upgrade
> until MailScanner.  I have no time to deal with problems caused by
> bleeding edge software, especially when you multiply the time it takes
> to deal with them by over 200.
>
> In the end I'll have to decide if I want to go with a more manual
> install, upgrade to unstable for the mailscanner boxes, leave it as is,
> or even go with a barracuda box or something.  So thank you all for your
> opinions and help.

Fair enough. I'm not out to save your soul, just giving an opinion:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From carl.andrews at crackerbarrel.com  Thu Dec 14 18:21:22 2006
From: carl.andrews at crackerbarrel.com (Carl Andrews)
Date: Thu Dec 14 18:23:15 2006
Subject: MS Version ?
In-Reply-To: <200612141710.kBEHAG7D019252@smtpgw1.crackerbarrel.com>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
	<45816F1B.60008@seekio.com>
	<223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>
	<4581825B.6000702@seekio.com>
	<200612141710.kBEHAG7D019252@smtpgw1.crackerbarrel.com>
Message-ID: <1166120482.4769.19.camel@candrews-lx>

Hi all. 

Yesterday, I downloaded the latest(?) version of MS from
www.mailscanner.info for a CentOS server. The version available was
4.57.6-1. Today when I go look (installing a new server different OS),
the version available today is 4.56.8-1.

What is the latest stable version?

Thanks!
Carl
From carl.andrews at crackerbarrel.com  Thu Dec 14 18:30:09 2006
From: carl.andrews at crackerbarrel.com (Carl Andrews)
Date: Thu Dec 14 18:32:00 2006
Subject: Web Interface?
In-Reply-To: <200612141827.kBEIRM7B023442@smtpgw1.crackerbarrel.com>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
	<45816F1B.60008@seekio.com>
	<223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>
	<4581825B.6000702@seekio.com>
	<200612141710.kBEHAG7D019252@smtpgw1.crackerbarrel.com>
	<200612141827.kBEIRM7B023442@smtpgw1.crackerbarrel.com>
Message-ID: <1166121009.4769.26.camel@candrews-lx>

I just downloaded the Flyer pdf from mailscanner.info an there are
photos of a rules editor, spam settings, and reporting. Is this now a
feature of MS? If so, how do I activate it/set it up? I have been using
MailWatch, but if the features are already part of MS I would rather use
those.


Thanks! (again),
Carl
From mkettler at evi-inc.com  Thu Dec 14 18:49:34 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Dec 14 18:49:44 2006
Subject: Web Interface?
In-Reply-To: <1166121009.4769.26.camel@candrews-lx>
References: <45803ACE.5010509@seekio.com>	<20061213175736.FBB8.GERARD@seibercom.net>	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>	<45816F1B.60008@seekio.com>	<223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>	<4581825B.6000702@seekio.com>	<200612141710.kBEHAG7D019252@smtpgw1.crackerbarrel.com>	<200612141827.kBEIRM7B023442@smtpgw1.crackerbarrel.com>
	<1166121009.4769.26.camel@candrews-lx>
Message-ID: <45819CBE.8000801@evi-inc.com>

Carl Andrews wrote:
> I just downloaded the Flyer pdf from mailscanner.info an there are
> photos of a rules editor, spam settings, and reporting. Is this now a
> feature of MS? If so, how do I activate it/set it up? I have been using
> MailWatch, but if the features are already part of MS I would rather use
> those.

If you zoom in really close, those pictures are of mailwatch and other FSL tools
related to MailScanner.. It even says "MailWatch" in the title bar of the
"Reporting" picture.

The boundaries between MailScanner, MailWatch, FSL tools, and Julian's clam/sa
bundle are often ignored when discussing the features of Mailscanner.

I think a lot of that probably comes from Julian viewing them as things that "go
together" (which they do), and that's the way the commercial offerings are packaged.

This ends up causing Julian to often refer to the whole ball of wax as
"MailScanner", although more accurate might be "A complete MailScanner system
with associated tools" or "the MailScanner suite".

I don't think the blurring is inherently bad, but it does occasionally cause
confusion. Not long ago Julian and I had an extended exchange about the
MailScanner install process, and he was actually talking about the clam/sa
bundle install process.









From chandler at chapman.edu  Thu Dec 14 19:00:13 2006
From: chandler at chapman.edu (Jay Chandler)
Date: Thu Dec 14 19:00:22 2006
Subject: Web Interface?
In-Reply-To: <45819CBE.8000801@evi-inc.com>
References: <45803ACE.5010509@seekio.com>	<20061213175736.FBB8.GERARD@seibercom.net>	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>	<45816F1B.60008@seekio.com>	<223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>	<4581825B.6000702@seekio.com>	<200612141710.kBEHAG7D019252@smtpgw1.crackerbarrel.com>	<200612141827.kBEIRM7B023442@smtpgw1.crackerbarrel.com>	<1166121009.4769.26.camel@candrews-lx>
	<45819CBE.8000801@evi-inc.com>
Message-ID: <45819F3D.1010801@chapman.edu>

Matt Kettler wrote:
> Carl Andrews wrote:
>   
>> I just downloaded the Flyer pdf from mailscanner.info an there are
>> photos of a rules editor, spam settings, and reporting. Is this now a
>> feature of MS? If so, how do I activate it/set it up? I have been using
>> MailWatch, but if the features are already part of MS I would rather use
>> those.
>>     
>
> If you zoom in really close, those pictures are of mailwatch and other FSL tools
> related to MailScanner.. It even says "MailWatch" in the title bar of the
> "Reporting" picture.
>
> The boundaries between MailScanner, MailWatch, FSL tools, and Julian's clam/sa
> bundle are often ignored when discussing the features of Mailscanner.
>
> I think a lot of that probably comes from Julian viewing them as things that "go
> together" (which they do), and that's the way the commercial offerings are packaged.
>
> This ends up causing Julian to often refer to the whole ball of wax as
> "MailScanner", although more accurate might be "A complete MailScanner system
> with associated tools" or "the MailScanner suite".
>
> I don't think the blurring is inherently bad, but it does occasionally cause
> confusion. Not long ago Julian and I had an extended exchange about the
> MailScanner install process, and he was actually talking about the clam/sa
> bundle install process.
>   
I don't suppose anyone's ported MailWatch or the FSL tools to FreeBSD 
yet, have they?  I did some digging and couldn't find anything.

-- 
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: Processes running slowly due to weak power supply 

From carl.andrews at crackerbarrel.com  Thu Dec 14 19:08:23 2006
From: carl.andrews at crackerbarrel.com (Carl Andrews)
Date: Thu Dec 14 19:10:13 2006
Subject: Web Interface?
In-Reply-To: <200612141851.kBEIpV77024424@smtpgw1.crackerbarrel.com>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
	<45816F1B.60008@seekio.com>
	<223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>
	<4581825B.6000702@seekio.com>
	<200612141710.kBEHAG7D019252@smtpgw1.crackerbarrel.com>
	<200612141827.kBEIRM7B023442@smtpgw1.crackerbarrel.com>
	<1166121009.4769.26.camel@candrews-lx>
	<200612141851.kBEIpV77024424@smtpgw1.crackerbarrel.com>
Message-ID: <1166123303.4769.38.camel@candrews-lx>

Thanks!

What are the "FSL tools", this is the first I have heard of them.


Thanks again,
Carl

On Thu, 2006-12-14 at 13:49 -0500, Matt Kettler wrote:
> Carl Andrews wrote:
> > I just downloaded the Flyer pdf from mailscanner.info an there are
> > photos of a rules editor, spam settings, and reporting. Is this now a
> > feature of MS? If so, how do I activate it/set it up? I have been using
> > MailWatch, but if the features are already part of MS I would rather use
> > those.
> 
> If you zoom in really close, those pictures are of mailwatch and other FSL tools
> related to MailScanner.. It even says "MailWatch" in the title bar of the
> "Reporting" picture.
> 
> The boundaries between MailScanner, MailWatch, FSL tools, and Julian's clam/sa
> bundle are often ignored when discussing the features of Mailscanner.
> 
> I think a lot of that probably comes from Julian viewing them as things that "go
> together" (which they do), and that's the way the commercial offerings are packaged.
> 
> This ends up causing Julian to often refer to the whole ball of wax as
> "MailScanner", although more accurate might be "A complete MailScanner system
> with associated tools" or "the MailScanner suite".
> 
> I don't think the blurring is inherently bad, but it does occasionally cause
> confusion. Not long ago Julian and I had an extended exchange about the
> MailScanner install process, and he was actually talking about the clam/sa
> bundle install process.
> 
> 
> 
> 
> 
> 
> 
> 
> 
From Richard.Frovarp at sendit.nodak.edu  Thu Dec 14 19:25:46 2006
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Dec 14 19:25:49 2006
Subject: Web Interface?
In-Reply-To: <45819F3D.1010801@chapman.edu>
References: <45803ACE.5010509@seekio.com>	<20061213175736.FBB8.GERARD@seibercom.net>	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>	<45816F1B.60008@seekio.com>	<223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>	<4581825B.6000702@seekio.com>	<200612141710.kBEHAG7D019252@smtpgw1.crackerbarrel.com>	<200612141827.kBEIRM7B023442@smtpgw1.crackerbarrel.com>	<1166121009.4769.26.camel@candrews-lx>	<45819CBE.8000801@evi-inc.com>
	<45819F3D.1010801@chapman.edu>
Message-ID: <4581A53A.8000407@sendit.nodak.edu>

Jay Chandler wrote:
> Matt Kettler wrote:
>> Carl Andrews wrote:
>>  
>>> I just downloaded the Flyer pdf from mailscanner.info an there are
>>> photos of a rules editor, spam settings, and reporting. Is this now a
>>> feature of MS? If so, how do I activate it/set it up? I have been using
>>> MailWatch, but if the features are already part of MS I would rather 
>>> use
>>> those.
>>>     
>>
>> If you zoom in really close, those pictures are of mailwatch and 
>> other FSL tools
>> related to MailScanner.. It even says "MailWatch" in the title bar of 
>> the
>> "Reporting" picture.
>>
>> The boundaries between MailScanner, MailWatch, FSL tools, and 
>> Julian's clam/sa
>> bundle are often ignored when discussing the features of Mailscanner.
>>
>> I think a lot of that probably comes from Julian viewing them as 
>> things that "go
>> together" (which they do), and that's the way the commercial 
>> offerings are packaged.
>>
>> This ends up causing Julian to often refer to the whole ball of wax as
>> "MailScanner", although more accurate might be "A complete 
>> MailScanner system
>> with associated tools" or "the MailScanner suite".
>>
>> I don't think the blurring is inherently bad, but it does 
>> occasionally cause
>> confusion. Not long ago Julian and I had an extended exchange about the
>> MailScanner install process, and he was actually talking about the 
>> clam/sa
>> bundle install process.
>>   
> I don't suppose anyone's ported MailWatch or the FSL tools to FreeBSD 
> yet, have they?  I did some digging and couldn't find anything.
>
I am not sure what would be incompatible about it. MailWatch is PHP, 
Perl, and MySQL. Might need to change a few paths in configuration, but 
that should be about it.
From jfagan at firstlightnetworks.com  Thu Dec 14 19:38:58 2006
From: jfagan at firstlightnetworks.com (James Fagan)
Date: Thu Dec 14 19:37:22 2006
Subject: New ClamAV out
In-Reply-To: <4580235B.4050405@USherbrooke.ca>
Message-ID: <59E4A3A1069C2640959AD0F7518C48122F0790@FLN1.fln.local>

> >>
> >>> Just wanted to let you know that there seems to be a problem with 
> >>> the new ClamAV and ZIP files: I get a lot of:
> >>> Dec 12 12:37:52 132.210.244.93 MailScanner[31880]: 
> >>> ClamAVModule::INFECTED:: Oversized.Zip:: 
> >>> ./kBCHaqdS004063/BIOMETISS_BIOREACTEUR_07-12-2006.zip
> >>>
> >>> I had none yesterday and I have 20 since upgrading Clam 
> this morning.
> >>
> >> Have you tried increasing the
> >> ClamAVmodule Maximum Compression Ratio = 250 setting in 
> >> MailScanner.conf?
> >>
> >> Mark
> >>
> > Mark,
> >
> > I have it set to:
> > grep "ClamAVmodule Maximum Compression Ratio" MailScanner.conf 
> > ClamAVmodule Maximum Compression Ratio = 950
> >
> > It used to be enough before upgrading to the latest ClamAV...
> >
> > Denis
> >
> I switched to clamav instead of clamavmodule and the messages 
> disappeared.
> 
 

I just noticed this also, switching to clamav instead of clamavmodule as
mentioned.. we will see.
From jfagan at firstlightnetworks.com  Thu Dec 14 19:55:25 2006
From: jfagan at firstlightnetworks.com (James Fagan)
Date: Thu Dec 14 19:53:52 2006
Subject: MS Version ?
In-Reply-To: <1166120482.4769.19.camel@candrews-lx>
Message-ID: <59E4A3A1069C2640959AD0F7518C48122F0791@FLN1.fln.local>


> Hi all. 
> 
> Yesterday, I downloaded the latest(?) version of MS from 
> www.mailscanner.info for a CentOS server. The version 
> available was 4.57.6-1. Today when I go look (installing a 
> new server different OS), the version available today is 4.56.8-1.
> 
> What is the latest stable version?
> 
> Thanks!
> Carl
> --

I think the same thing happend to me. I looked today to update one of
our servers and when I DL'd the file 
it was a diffrent version than the day before. I figured I had
accidently installed the beta version. 
It worked as expected. 

But it would be nice to know what version is what :)
From mkettler at evi-inc.com  Thu Dec 14 20:00:17 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Dec 14 20:01:09 2006
Subject: Web Interface?
In-Reply-To: <1166123303.4769.38.camel@candrews-lx>
References: <45803ACE.5010509@seekio.com>	<20061213175736.FBB8.GERARD@seibercom.net>	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>	<45816F1B.60008@seekio.com>	<223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>	<4581825B.6000702@seekio.com>	<200612141710.kBEHAG7D019252@smtpgw1.crackerbarrel.com>	<200612141827.kBEIRM7B023442@smtpgw1.crackerbarrel.com>	<1166121009.4769.26.camel@candrews-lx>	<200612141851.kBEIpV77024424@smtpgw1.crackerbarrel.com>
	<1166123303.4769.38.camel@candrews-lx>
Message-ID: <4581AD51.60505@evi-inc.com>


Carl Andrews wrote:
> Thanks!
> 
> What are the "FSL tools", this is the first I have heard of them.
> 


FSL - Fortress Systems Ltd. Is a company that makes commercial products based on
MailScanner.

>From what little I know of their product, they do have a few "odds and ends"
utilities they bundle in, but its largely a MailScanner/MailWatch bundle.

http://www.fsl.com/

(Julian is CTO of FSL.)
From carl.andrews at crackerbarrel.com  Thu Dec 14 20:08:16 2006
From: carl.andrews at crackerbarrel.com (Carl Andrews)
Date: Thu Dec 14 20:10:11 2006
Subject: Web Interface?
In-Reply-To: <200612142008.kBEK8G7j027521@smtpgw1.crackerbarrel.com>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
	<45816F1B.60008@seekio.com>
	<223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>
	<4581825B.6000702@seekio.com>
	<200612141710.kBEHAG7D019252@smtpgw1.crackerbarrel.com>
	<200612141827.kBEIRM7B023442@smtpgw1.crackerbarrel.com>
	<1166121009.4769.26.camel@candrews-lx>
	<200612141851.kBEIpV77024424@smtpgw1.crackerbarrel.com>
	<1166123303.4769.38.camel@candrews-lx>
	<200612142008.kBEK8G7j027521@smtpgw1.crackerbarrel.com>
Message-ID: <1166126896.11121.2.camel@candrews-lx>

Oh, I thought there was a package called "FSL tools" and I just could
not find it! :->

On Thu, 2006-12-14 at 15:00 -0500, Matt Kettler wrote:
> Carl Andrews wrote:
> > Thanks!
> > 
> > What are the "FSL tools", this is the first I have heard of them.
> > 
> 
> 
> FSL - Fortress Systems Ltd. Is a company that makes commercial products based on
> MailScanner.
> 
> >From what little I know of their product, they do have a few "odds and ends"
> utilities they bundle in, but its largely a MailScanner/MailWatch bundle.
> 
> http://www.fsl.com/
> 
> (Julian is CTO of FSL.)
From campbell at cnpapers.com  Thu Dec 14 21:17:29 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Dec 14 21:17:53 2006
Subject: Mailscanner not scanning queue
References: <45803ACE.5010509@seekio.com><20061213175736.FBB8.GERARD@seibercom.net><223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com><Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
Message-ID: <002201c71fc5$44e81fb0$0705000a@ddf5dw71>


----- Original Message ----- 
From: "Glenn Steen" <glenn.steen@gmail.com>
To: "MailScanner discussion" <mailscanner@lists.mailscanner.info>
Sent: Thursday, December 14, 2006 9:03 AM
Subject: Re: Mailscanner not scanning queue


> On 14/12/06, Res <res@ausics.net> wrote:
>> On Thu, 14 Dec 2006, Glenn Steen wrote:
>>
>> > If you want to act on Gerards advice (to update), you could very well
>> > go unstable... it's not _that_ bad:-). Or go Ubuntu, if you want to
>>
>> This is one thing that amazes me, people post to lists saying blah doesnt
>> work, but use antiquated versions, it should be mandatory that people 
>> wake
>> up, and use the latest versions before trying to obtain help because
>> somthing doesnt work.
>>
>> People should STOP relying on old versions that are called stable by
>> distros like debian and BSD and so on, and install tarballs rather than
>> these so called stable ports thats are a year old.
>>
>> Its like using sendmail 8.8 and saying why is my mail server blocked for
>> open relaying, when the current version is 8.13 or saying I cant get my
>> brand new camera to work but still use kernel 2.02  *sigh*
>>
> My personal view is very close to yours Res. I've only seen grief from
> the few attempts I've made ocver the years to live with the more than
> insanely mossy/mouldy crap that is called "stable" in the Debian case.
> "Unstable" is is in some ways more stable than at least some RPM-based
> distros:-):-). And still not that close to bleeding edge either. Oh
> well.
>
> But one has to realise that this isn't always up to the one asking the
> questions... It might be the result of pigheaded PHBs and
> miss-directed policies. So ... a friendly clue as to how to get around
> the current problem, as well as some advice ... Keeps the tone of the
> forum nice, and who knows... The asker might even do an update or
> three;-).
>
> -- 
> -- Glenn

I agree with Glenn here to some degree. To say that something that once was 
the current stable release shouldn't work now is rediculous. As long as the 
system worked with most of the same setup should indicate that it should 
still work. Now if things have changed considerably, that's a different 
story. Improvements make things work better, so newer releases should do 
more, but improvements are not what necessarily cause things to just plain 
work.

If I were to always use the most current stable release, why not wait for 
the "final" stable release, which means I would never use the app at all. 
Sort of like the idea people have when buying a new home computer - they 
want to wait until the fastest machine comes out, but they keep getting 
faster, so they never buy one.

I know these are extreme examples, but I still feel they make a point.

Steve Campbell 


From ssilva at sgvwater.com  Thu Dec 14 23:48:37 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Dec 14 23:49:20 2006
Subject: MS Version ?
In-Reply-To: <59E4A3A1069C2640959AD0F7518C48122F0791@FLN1.fln.local>
References: <1166120482.4769.19.camel@candrews-lx>
	<59E4A3A1069C2640959AD0F7518C48122F0791@FLN1.fln.local>
Message-ID: <elsnsl$jc6$1@sea.gmane.org>

James Fagan spake the following on 12/14/2006 11:55 AM:
>> Hi all. 
>>
>> Yesterday, I downloaded the latest(?) version of MS from 
>> www.mailscanner.info for a CentOS server. The version 
>> available was 4.57.6-1. Today when I go look (installing a 
>> new server different OS), the version available today is 4.56.8-1.
>>
>> What is the latest stable version?
>>
>> Thanks!
>> Carl
>> --
> 
> I think the same thing happend to me. I looked today to update one of
> our servers and when I DL'd the file 
> it was a diffrent version than the day before. I figured I had
> accidently installed the beta version. 
> It worked as expected. 
> 
> But it would be nice to know what version is what :)
4.57.6.1 is the newest stable. There must have been a problem with the
downloads page, maybe it was restored from a backup.
You can get the current here.
http://www.mailscanner.info/files/4/rpm/MailScanner-4.57.6-1.rpm.tar.gz


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com  Thu Dec 14 23:53:46 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Dec 14 23:55:43 2006
Subject: Web Interface?
In-Reply-To: <1166121009.4769.26.camel@candrews-lx>
References: <45803ACE.5010509@seekio.com>	<20061213175736.FBB8.GERARD@seibercom.net>	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>	<45816F1B.60008@seekio.com>	<223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>	<4581825B.6000702@seekio.com>	<200612141710.kBEHAG7D019252@smtpgw1.crackerbarrel.com>	<200612141827.kBEIRM7B023442@smtpgw1.crackerbarrel.com>
	<1166121009.4769.26.camel@candrews-lx>
Message-ID: <elso69$jc6$2@sea.gmane.org>

Carl Andrews spake the following on 12/14/2006 10:30 AM:
> I just downloaded the Flyer pdf from mailscanner.info an there are
> photos of a rules editor, spam settings, and reporting. Is this now a
> feature of MS? If so, how do I activate it/set it up? I have been using
> MailWatch, but if the features are already part of MS I would rather use
> those.
> 
> 
> Thanks! (again),
> Carl
Those shots are actually from the commercial offshoot DefenderMX, or from what
became that product. It is available from Fortress Systems (www.fsl.com)


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ajos1 at onion.demon.co.uk  Fri Dec 15 08:00:52 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Fri Dec 15 08:01:00 2006
Subject: Mailscanner not scanning queue
Message-ID: <sentfri15dec2006080052gmtbstajos1@sonicbadger.com>

-

Using an old version of MailScanner... why do that?  It changes as spam changes... why stay in the dark ages?

Debian go unstable?  Streuth... you need to change to something modern then. Fedora 6 works well.

MailScanner dependencies cannot make a box unstable?! The dependencies it has are not that bleeding-edge... some are lastest perl modules... but a lot are normally 1 or 2 versions back from the latest.

-----Original Message-----
From: mailscanner@lists.mailscanner.info
Subj: Re: Mailscanner not scanning queue
Date: Thu, 14 Dec 2006 13:34:36 +0100

>
> > I just installed MailScanner + Postfix on 6 servers running Debian
> > Sarge.  I installed from stable packages, so mailscanner is version
> > 4.41.3-2 and postfix is 2.1.5-9.  I tried installing the latest
> > mailscanner from the unstable branch, but it has too many dependencies,
> > and if I fulfilled them, I'd be running unstable on the whole box
> > instead of stable.  I followed the directions I found at
> > http://www.debian-administration.org/articles/172.
>

==
=====================================================================
=
=  Need help dealing with Parking Tickets, Bailiffs, Capita or NTL...
=  Call...    +44 8457 90 90 90    http://www.samaritans.org/
=
=====================================================================
From glenn.steen at gmail.com  Fri Dec 15 08:25:09 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Dec 15 08:25:14 2006
Subject: Web Interface?
In-Reply-To: <elso69$jc6$2@sea.gmane.org>
References: <45803ACE.5010509@seekio.com>
	<Pine.LNX.4.64.0612142255001.29118@ebfjryy.nhfvpf.arg>
	<223f97700612140603y12e5c263o31f42641e57c8401@mail.gmail.com>
	<45816F1B.60008@seekio.com>
	<223f97700612140814m73e03c1bj69290fd5cf2003c3@mail.gmail.com>
	<4581825B.6000702@seekio.com>
	<200612141710.kBEHAG7D019252@smtpgw1.crackerbarrel.com>
	<200612141827.kBEIRM7B023442@smtpgw1.crackerbarrel.com>
	<1166121009.4769.26.camel@candrews-lx> <elso69$jc6$2@sea.gmane.org>
Message-ID: <223f97700612150025o6a6cc51cu9a42605208265b59@mail.gmail.com>

On 15/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> Carl Andrews spake the following on 12/14/2006 10:30 AM:
> > I just downloaded the Flyer pdf from mailscanner.info an there are
> > photos of a rules editor, spam settings, and reporting. Is this now a
> > feature of MS? If so, how do I activate it/set it up? I have been using
> > MailWatch, but if the features are already part of MS I would rather use
> > those.
> >
> >
> > Thanks! (again),
> > Carl
> Those shots are actually from the commercial offshoot DefenderMX, or from what
> became that product. It is available from Fortress Systems (www.fsl.com)
>

Yep.
If you'd like a rule editor that integrates nicely with MailWatch
Carl, you could always get msre
(http://wiki.mailscanner.info/doku.php?id=&idx=documentation:related_software:management:msre).
Works well (after a fashion, you need to adapt your rules files to a
"comment then rule" scheme).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From gmatt at nerc.ac.uk  Fri Dec 15 09:54:14 2006
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Fri Dec 15 09:54:31 2006
Subject: Disarmed option not working properly
Message-ID: <458270C6.4080203@nerc.ac.uk>

Just upgraded to 4.57.6 and one of my options is no longer working. I have:

Disarmed Modify Subject = no
Disarmed Subject Text = {Disarmed}

but the subject is still getting modified...

GREG
-- 
Greg Matthews           01491 692445
Head of UNIX/Linux, iTSS Wallingford

-- 
This message (and any attachments) is for the recipient only. NERC
is subject to the Freedom of Information Act 2000 and the contents
of this email and any reply you make may be disclosed by NERC unless
it is exempt from release under the Act. Any material supplied to
NERC may be stored in an electronic records management system.

From gmatt at nerc.ac.uk  Fri Dec 15 10:39:23 2006
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Fri Dec 15 10:39:41 2006
Subject: Disarmed option not working properly
In-Reply-To: <458270C6.4080203@nerc.ac.uk>
References: <458270C6.4080203@nerc.ac.uk>
Message-ID: <45827B5B.4050608@nerc.ac.uk>

(replying to myself even tho I'm not a postfix user)

Greg Matthews wrote:
> Just upgraded to 4.57.6 and one of my options is no longer working. I have:
> 
> Disarmed Modify Subject = no
> Disarmed Subject Text = {Disarmed}
> 
> but the subject is still getting modified...
> 
> GREG

some more information on this, it looks like at least one message that 
has had the subject modified with the {Disarmed} tag should perhaps have 
been tagged with {Fraud} instead, here are the logs:

Dec 13 16:07:49 mailr-k MailScanner[22140]: Found phishing fraud from 
www.eztrackz.com claiming to be www.visualclick.com in kBDG53jH022296
Dec 13 16:07:49 mailr-k MailScanner[22140]: Found phishing fraud from 
www.eztrackz.com claiming to be 
www.formoreinfo,sampletasks,fullyfunctionalevals&more...http: in 
kBDG53jH022296
Dec 13 16:07:49 mailr-k MailScanner[22140]: Content Checks: Detected and 
have disarmed phishing tags in HTML message in kBDG53jH022296 from 
bounce-1514242-44084501@list.novell.com

This looks like phishing is being lumped in with HTML tags and web bugs 
so that it triggers the Disarm rules rather than the Fraud rules.

I didnt notice this in the changelog.

Also, this doesnt explain the fact that the subject is being modified 
even tho it is configured not to altho it may point the way.

GREG
-- 
Greg Matthews           01491 692445
Head of UNIX/Linux, iTSS Wallingford

-- 
This message (and any attachments) is for the recipient only. NERC
is subject to the Freedom of Information Act 2000 and the contents
of this email and any reply you make may be disclosed by NERC unless
it is exempt from release under the Act. Any material supplied to
NERC may be stored in an electronic records management system.

From jaearick at colby.edu  Fri Dec 15 13:06:01 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Fri Dec 15 13:06:12 2006
Subject: 4.57.5: Max Spam Check Size
Message-ID: <Pine.GSO.4.64.0612150801241.6498@feldspar>

Gang,

With MS 4.57.5, and Max Spam Check Size = 150000, I notice
that some image spam is getting through, mostly image-spam.
I got one this morning that is 650K.  If the Check Size value
is set to zero, is that the same as turning it off?  (This
should be noted in the MailScanner.conf comments).  Has anybody
changed this value from the default, and what happened when
you did?

Jeff Earickson
Colby College
From mikej at rogers.com  Fri Dec 15 17:55:56 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Fri Dec 15 17:55:34 2006
Subject: Sloppy error checking in MS code
Message-ID: <4582E1AC.6020208@rogers.com>

Recently on the postfix mailling lists, there was a debate on the usage 
of postfix  + mailscanner. I claimed that I've been using the two for 
some time now, without any problems. However one of the folks on the 
lists stated the following:

---
On Thursday December 14 2006 07:30, Mike Jakubik wrote:
 > > Could you backup this documented fact please? Are you sure you are not
 > > referring to a bug in an obsolete version of mailscanner? If this 
was an
 > > issue, im quite certain some of my users would complain.

Look at its code. There are literally hundreds of instances where a
status from a system call is just ignored (getline, print, close, flush,
stat, mkdir, chown, unlink, exec, system..., sometimes even: open).
_Anything_ can happen, and you will never know what hit you,
much less be able to track it down easily, especially if the
problem is intermittent.

  Mark
---

I'm not a perl expert, could someone verify if this is the case? Can MS 
really eat emails without any warning?

Thanks.
From mkettler at evi-inc.com  Fri Dec 15 18:31:19 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Dec 15 18:31:33 2006
Subject: OT: REGEXP
In-Reply-To: <223f97700612130043v7c9f4829ub697df98969ba7b4@mail.gmail.com>
References: <457F28DA.4080002@enitech.com.au> <457F3102.5090508@evi-inc.com>
	<223f97700612130043v7c9f4829ub697df98969ba7b4@mail.gmail.com>
Message-ID: <4582E9F7.7090202@evi-inc.com>

Glenn Steen wrote:
> On 12/12/06, Matt Kettler <mkettler@evi-inc.com> wrote:

>>
>> Disclaimer: I know regexes VERY well, but postfix not at all.
> Well, I'll comment on the postfix side then:-). ISTR I was the one
> helping Pete out last time:-).
> (snip)
>> Provided there's not some weirdness in postfix that forces regexes
>> to match full-text, you can simplify further to:
> No "weirdness" to talk about. Postfix supports both POSIX regexps and
> Perl compatible regexps ("man regexp_table pcre_table" shows the
> difference in the postfix config, "man [5|7] regex" or "man 7
> re_format" (or similar, depending on OS) documents POSIX REs, while
> the usual perl docs on REs document the pcre part).

Fair enough.. Like I said, I know nothing about postfix, so I was merely being
cautious.

I've seen several tools with "regex" support that's really not quite normal.
Most of those are Windows platform tools, but I'd not be surprised to see some
*nix tools with home-grown versions of regex in an attempt to avoid some syntax
elements that the author deems too slow.

I didn't think postfix would do that, but not knowing anything about it....




From res at ausics.net  Fri Dec 15 22:46:40 2006
From: res at ausics.net (Res)
Date: Fri Dec 15 22:47:16 2006
Subject: 4.57.5: Max Spam Check Size
In-Reply-To: <Pine.GSO.4.64.0612150801241.6498@feldspar>
References: <Pine.GSO.4.64.0612150801241.6498@feldspar>
Message-ID: <Pine.LNX.4.64.0612160842100.28276@ebfjryy.nhfvpf.arg>

On Fri, 15 Dec 2006, Jeff A. Earickson wrote:

> With MS 4.57.5, and Max Spam Check Size = 150000, I notice
> that some image spam is getting through, mostly image-spam.
> I got one this morning that is 650K.  If the Check Size value
> is set to zero, is that the same as turning it off?  (This
> should be noted in the MailScanner.conf comments).  Has anybody
> changed this value from the default, and what happened when

I changed mine to use a meg as I also found 150k to be next to useless,
the theory behind it that it costs the spammers to do bigger size msgs? 
sorry, thats just wrong with the methods they use today, it costs them 
no more to send a 10K or 1M

I agree this needs a disable value

-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From mkettler at evi-inc.com  Fri Dec 15 23:38:17 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Dec 15 23:38:37 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <4582E1AC.6020208@rogers.com>
References: <4582E1AC.6020208@rogers.com>
Message-ID: <458331E9.4060703@evi-inc.com>

Mike Jakubik wrote:
> Recently on the postfix mailling lists, there was a debate on the usage
> of postfix  + mailscanner. I claimed that I've been using the two for
> some time now, without any problems. However one of the folks on the
> lists stated the following:
> 
> ---
> On Thursday December 14 2006 07:30, Mike Jakubik wrote:
>> > Could you backup this documented fact please? Are you sure you are not
>> > referring to a bug in an obsolete version of mailscanner? If this
> was an
>> > issue, im quite certain some of my users would complain.
> 
> Look at its code. There are literally hundreds of instances where a
> status from a system call is just ignored (getline, print, close, flush,
> stat, mkdir, chown, unlink, exec, system..., sometimes even: open).
> _Anything_ can happen, and you will never know what hit you,
> much less be able to track it down easily, especially if the
> problem is intermittent.
> 
>  Mark
> ---
> 
> I'm not a perl expert, could someone verify if this is the case? Can MS
> really eat emails without any warning?

Hmm, reading PFDiskStore.pm, it does look like many system calls aren't checked.

Some cases, it doesn't really matter, because a later system call is checked,
and that will fail if the previous one did. (ie: mkdir, followed by a rename
into that dir, where mkdir isn't checked, but rename is. Clearly if the mkdir
failed to make the directory, rename is going to fail and get caught that way)

There are some other cases where I can't tell if it's bad enough to cause
problems, or just bad form.

I suspect that  the un-checked chown and chmod in this file could be bad if they
failed.. they *shouldn't* ever fail.. but at the same time, it would be nice to
check for failure and generate a message.

It also would be nice if the unlink in DeleteUnlock() was checked, much like it
is in the SMDiskStore.pm for sendmail.

That said, my code is NOT the latest, and Julian may have already fixed both of
the above..


From jdavis at standard.k12.ca.us  Sat Dec 16 00:50:21 2006
From: jdavis at standard.k12.ca.us (Jeff Davis)
Date: Sat Dec 16 00:50:25 2006
Subject: Not blocking spam?
Message-ID: <458342CD.9090909@standard.k12.ca.us>

Just got MailScanner installed, but does not seem to be tagging anything 
as spam.

Where should I start checking first?  spammassassin < {sample file} 
seems to work correctly, but mail sent from outside (GTUBE) flies right 
through.

Thanks,

-Jeff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jdavis.vcf
Type: text/x-vcard
Size: 328 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061215/a9f53a0f/jdavis.vcf
From ugob at camo-route.com  Sat Dec 16 07:24:18 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Sat Dec 16 07:24:41 2006
Subject: Not blocking spam?
In-Reply-To: <458342CD.9090909@standard.k12.ca.us>
References: <458342CD.9090909@standard.k12.ca.us>
Message-ID: <em06v3$hg7$1@sea.gmane.org>

Jeff Davis wrote:
> Just got MailScanner installed, but does not seem to be tagging anything 
> as spam.
> 
> Where should I start checking first?  spammassassin < {sample file} 
> seems to work correctly, but mail sent from outside (GTUBE) flies right 
> through.
> 
> Thanks,
> 
> -Jeff
> 

MailScanner.conf, a setting called 'Use SpamAssassin'

http://wiki.mailscanner.info/doku.php?id=maq:index

From uxbod at splatnix.net  Sat Dec 16 09:22:17 2006
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Sat Dec 16 09:20:45 2006
Subject: Not blocking spam?
In-Reply-To: <458342CD.9090909@standard.k12.ca.us>
References: <458342CD.9090909@standard.k12.ca.us>
Message-ID: <20061216092217.3f0950f5@localhost>

Jarvis,

Have you checked your /var/log/messages to see what is happening ?
Have you tried running MailScanner in debug mode ? MailScanner --debug

Regards,

On Fri, 15 Dec 2006 16:50:21 -0800
Jeff Davis <jdavis@standard.k12.ca.us> wrote:

> Just got MailScanner installed, but does not seem to be tagging
> anything as spam.
> 
> Where should I start checking first?  spammassassin < {sample file} 
> seems to work correctly, but mail sent from outside (GTUBE) flies
> right through.
> 
> Thanks,
> 
> -Jeff
> 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com  Sat Dec 16 11:18:13 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Dec 16 11:18:17 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <458331E9.4060703@evi-inc.com>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
Message-ID: <223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>

On 16/12/06, Matt Kettler <mkettler@evi-inc.com> wrote:
> Mike Jakubik wrote:
> > Recently on the postfix mailling lists, there was a debate on the usage
> > of postfix  + mailscanner. I claimed that I've been using the two for
> > some time now, without any problems. However one of the folks on the
> > lists stated the following:
> >
> > ---
> > On Thursday December 14 2006 07:30, Mike Jakubik wrote:
> >> > Could you backup this documented fact please? Are you sure you are not
> >> > referring to a bug in an obsolete version of mailscanner? If this
> > was an
> >> > issue, im quite certain some of my users would complain.
> >
> > Look at its code. There are literally hundreds of instances where a
> > status from a system call is just ignored (getline, print, close, flush,
> > stat, mkdir, chown, unlink, exec, system..., sometimes even: open).
> > _Anything_ can happen, and you will never know what hit you,
> > much less be able to track it down easily, especially if the
> > problem is intermittent.
> >
> >  Mark
> > ---
> >
> > I'm not a perl expert, could someone verify if this is the case? Can MS
> > really eat emails without any warning?
>
> Hmm, reading PFDiskStore.pm, it does look like many system calls aren't checked.
>
> Some cases, it doesn't really matter, because a later system call is checked,
> and that will fail if the previous one did. (ie: mkdir, followed by a rename
> into that dir, where mkdir isn't checked, but rename is. Clearly if the mkdir
> failed to make the directory, rename is going to fail and get caught that way)
>
> There are some other cases where I can't tell if it's bad enough to cause
> problems, or just bad form.
>
> I suspect that  the un-checked chown and chmod in this file could be bad if they
> failed.. they *shouldn't* ever fail.. but at the same time, it would be nice to
> check for failure and generate a message.
>
> It also would be nice if the unlink in DeleteUnlock() was checked, much like it
> is in the SMDiskStore.pm for sendmail.
>
> That said, my code is NOT the latest, and Julian may have already fixed both of
> the above..
>
I've done no such audit as you've started Matt... But really, if this
was a big problem, I'm more than certain we would've ... encoutered
... it already.
I'm not saying that code audits shouldn't be done, and I'm usually a
stickler for sane error checking/handling. But I can't shake the
feeling this is motly just more of the usual FUD from the postfix
devel camp.

Since switching to the HOLD method, I've only lost messages when I
fat-fingered the MS config... And Jules has subsequently
"idiot-proofed" those settings (the * Actions). Might be just dumb
luck, I suppose, that it hasn't happened, but I doubt it:-).

That said, I'm really in forward of critically looking the PF code
over. I've been doing some looking, but then mostly to ascertain how
it works (or in some few cases... not), and to try determine whether
the PF crowd have any base for some of their allegations (unsafe
handling of queue files... AFAICS, this is untrue).
Unforunately I will have very limited time to help before X-mas/new years...
Then again, I'm not sure it's a problem needing immediate attention.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From res at ausics.net  Sat Dec 16 13:54:32 2006
From: res at ausics.net (Res)
Date: Sat Dec 16 13:54:48 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.0612162350350.10428@ebfjryy.nhfvpf.arg>

On Sat, 16 Dec 2006, Glenn Steen wrote:

> stickler for sane error checking/handling. But I can't shake the
> feeling this is motly just more of the usual FUD from the postfix
> devel camp.

>From my recollection (which is 11.50pm sat'day night amber fluid cloudied) 
the weitse patsies have always thumbed their nose at mailscanner, why 
Jules bothers with them so much I'll never know, he should treat those 
lamers with the same contempt as most of hold qmails bernstein in.


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From waytotheweb at googlemail.com  Sat Dec 16 15:49:28 2006
From: waytotheweb at googlemail.com (Way to the Web)
Date: Sat Dec 16 15:49:35 2006
Subject: New ClamAV out
In-Reply-To: <457EFADB.5090400@USherbrooke.ca>
References: <457EC35F.90606@USherbrooke.ca> <457EFADB.5090400@USherbrooke.ca>
Message-ID: <eb59f360612160749o407fb081n6e482e07446c6a88@mail.gmail.com>

On 12/12/06, Denis Beauchemin <Denis.Beauchemin@usherbrooke.ca> wrote:
>
> Denis Beauchemin a ?crit :
> > Release Name: 0.88.7
> >
> > Hello all,
> >
> > Our security guy pointed the following advisory for Clam 0.88.6 and
> > prior versions: http://www.frsirt.com/english/advisories/2006/4948
> > Clam AntiVirus MIME Attachments Handling Remote Denial of Service
> > Vulnerability
> >
> > This comes from Clam 0.88.7:
> > This version improves scanning of mail and tar files.
> >
> > Changes:
> > Mon Dec 11 02:47:03 CET 2006
> > ----------------------------
> >  * Bugfixes:
> >    - libclamav/message.c: handle consecutive errors in base64 decoding
> >    - libclamav/mbox.c: honour recursion limit when scanning email
> > messages
> >    - clamscan: new option --mail-max-recursion
> >    - clamd/clamav-milter: new option MailMaxRecursion
> >    - libclamav/untar.c: honour archive limits
> >
> > Denis
> >
> Just wanted to let you know that there seems to be a problem with the
> new ClamAV and ZIP files: I get a lot of:
> Dec 12 12:37:52 132.210.244.93 MailScanner[31880]:
> ClamAVModule::INFECTED:: Oversized.Zip::
> ./kBCHaqdS004063/BIOMETISS_BIOREACTEUR_07-12-2006.zip
>
> I had none yesterday and I have 20 since upgrading Clam this morning.
>
> Denis
>
> --
>    _
>   ?v?   Denis Beauchemin, analyste
> /(_)\  Universit? de Sherbrooke, S.T.I.
>   ^ ^   T: 819.821.8000x62252 F: 819.821.8045
>
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
>
>
If anyone is still seeing this problem, we found that it's fixed by force
reinstalling the clamav perl module. According to the clamav developers:

Due to the changes in libclamav, 0.88.7 is not binary compatible with
> previous
> versions. To solve the issues you have to recompile all the software which
> is
> linked against libclamav.
>

-- 
Regards,
Sarah Trayser
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061216/26d84428/attachment.html
From jdavis at standard.k12.ca.us  Sat Dec 16 17:17:31 2006
From: jdavis at standard.k12.ca.us (jdavis)
Date: Sat Dec 16 17:17:43 2006
Subject: Not blocking spam?
In-Reply-To: <em06v3$hg7$1@sea.gmane.org>
References: <em06v3$hg7$1@sea.gmane.org>
Message-ID: <db11198bd2cba2b9d14ee1dd155064b7@localhost>

It's set to yes.

Since running through spamassassin manually works, I am assuming I've hosed up a setting in my mailscanner.conf  If looked and looked (probably too much) and cannot seem to find anything.

On Sat, 16 Dec 2006 02:24:18 -0500, Ugo Bellavance <ugob@camo-route.com> wrote:
> Jeff Davis wrote:
>> Just got MailScanner installed, but does not seem to be tagging anything
>> as spam.
>>
>> Where should I start checking first?  spammassassin < {sample file}
>> seems to work correctly, but mail sent from outside (GTUBE) flies right
>> through.
>>
>> Thanks,
>>
>> -Jeff
>>
> 
> MailScanner.conf, a setting called 'Use SpamAssassin'
> 
> http://wiki.mailscanner.info/doku.php?id=maq:index
> 
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website!
--
Jefferson K Davis
Technology & Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661.392.2110 ext 120

From ka at pacific.net  Sat Dec 16 17:35:58 2006
From: ka at pacific.net (Ken A)
Date: Sat Dec 16 17:36:23 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
Message-ID: <45842E7E.3050508@pacific.net>

Glenn Steen wrote:
> On 16/12/06, Matt Kettler <mkettler@evi-inc.com> wrote:
>> Mike Jakubik wrote:
>> > Recently on the postfix mailling lists, there was a debate on the usage
>> > of postfix  + mailscanner. I claimed that I've been using the two for
>> > some time now, without any problems. However one of the folks on the
>> > lists stated the following:
>> >
>> > ---
>> > On Thursday December 14 2006 07:30, Mike Jakubik wrote:
>> >> > Could you backup this documented fact please? Are you sure you 
>> are not
>> >> > referring to a bug in an obsolete version of mailscanner? If this
>> > was an
>> >> > issue, im quite certain some of my users would complain.
>> >
>> > Look at its code. There are literally hundreds of instances where a
>> > status from a system call is just ignored (getline, print, close, 
>> flush,
>> > stat, mkdir, chown, unlink, exec, system..., sometimes even: open).
>> > _Anything_ can happen, and you will never know what hit you,
>> > much less be able to track it down easily, especially if the
>> > problem is intermittent.
>> >
>> >  Mark
>> > ---
>> >
>> > I'm not a perl expert, could someone verify if this is the case? Can MS
>> > really eat emails without any warning?
>>
>> Hmm, reading PFDiskStore.pm, it does look like many system calls 
>> aren't checked.
>>
>> Some cases, it doesn't really matter, because a later system call is 
>> checked,
>> and that will fail if the previous one did. (ie: mkdir, followed by a 
>> rename
>> into that dir, where mkdir isn't checked, but rename is. Clearly if 
>> the mkdir
>> failed to make the directory, rename is going to fail and get caught 
>> that way)
>>
>> There are some other cases where I can't tell if it's bad enough to cause
>> problems, or just bad form.
>>
>> I suspect that  the un-checked chown and chmod in this file could be 
>> bad if they
>> failed.. they *shouldn't* ever fail.. but at the same time, it would 
>> be nice to
>> check for failure and generate a message.
>>
>> It also would be nice if the unlink in DeleteUnlock() was checked, 
>> much like it
>> is in the SMDiskStore.pm for sendmail.
>>
>> That said, my code is NOT the latest, and Julian may have already 
>> fixed both of
>> the above..
>>
> I've done no such audit as you've started Matt... But really, if this
> was a big problem, I'm more than certain we would've ... encoutered
> ... it already.
> I'm not saying that code audits shouldn't be done, and I'm usually a
> stickler for sane error checking/handling. But I can't shake the
> feeling this is motly just more of the usual FUD from the postfix
> devel camp.
> 
> Since switching to the HOLD method, I've only lost messages when I
> fat-fingered the MS config... And Jules has subsequently
> "idiot-proofed" those settings (the * Actions). Might be just dumb
> luck, I suppose, that it hasn't happened, but I doubt it:-).
> 
> That said, I'm really in forward of critically looking the PF code
> over. I've been doing some looking, but then mostly to ascertain how
> it works (or in some few cases... not), and to try determine whether
> the PF crowd have any base for some of their allegations (unsafe
> handling of queue files... AFAICS, this is untrue).
> Unforunately I will have very limited time to help before X-mas/new 
> years...
> Then again, I'm not sure it's a problem needing immediate attention.
> 

This kind of thing is really up to the author. I'm sure it's something 
he's thought about and not done for a reason. One person's 'sloppy' is 
another's 'efficient'. Programmers can tend to get a bit over zealous 
about such issues. More often than not, the issue that has a /potential/ 
to happen, never really happens in the software's lifetime. So the only 
_real_ issue is a theoretical, academic argument that most of us have no 
time for. :-\
Ken A
Pacific.Net

From MailScanner at ecs.soton.ac.uk  Sat Dec 16 17:38:32 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Dec 16 17:40:41 2006
Subject: 4.58.1-1 && Happy Christmas!
Message-ID: <45842F18.3090800@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just released the first beta of 4.58 which I intend to evolve 
into a stable release of 4.58.

Please report problems directly to me, as I still don't have the time to 
read the mailing list, for which I am most apologetic and annoyed.

My day-job has been really busy over the past few months, and shows no 
signs of slacking off for the time-being. But I will make it a New 
Year's Resolution to read the mailing list, and try my hardest to 
recover to the level of support I used to be able to offer. I can only 
offer my apologies for my lack of support over the past few months, I 
have just been so busy I haven't had time to breathe. Sorry :-(

I will try to hardest to fit in MailScanner support next year, but I 
can't make any guarantees, I've got a year-long programming job to do. 
The aim is to effectively automate the whole process of exam marks to 
degree grades, and so do away with some very long exam-board meetings. 
It's a huge job, and I am the only person in the department who can be 
trusted to do the whole job well and reliably. It's one of the 
consequences of having a certain reputation.  :-)

You are at the top of my New Year's Resolutions, I promise!

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk



-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.2 (Build 4075)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: ISO-8859-1

wj8DBQFFhC+CEfZZRxQVtlQRApe7AJ4xODOf/UWVba8XKUfKQFppgpKwLwCglSJu
o0qyyOuyqnDfRFYwa9vq1dg=
=hUOv
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk  Sat Dec 16 19:33:40 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Dec 16 19:35:19 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45842E7E.3050508@pacific.net>
References: <4582E1AC.6020208@rogers.com>
	<458331E9.4060703@evi-inc.com>	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net>
Message-ID: <45844A14.7050508@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Ken A wrote:
> Glenn Steen wrote:
>> On 16/12/06, Matt Kettler <mkettler@evi-inc.com> wrote:
>>> Mike Jakubik wrote:
>>> > Recently on the postfix mailling lists, there was a debate on the 
>>> usage
>>> > of postfix  + mailscanner. I claimed that I've been using the two for
>>> > some time now, without any problems. However one of the folks on the
>>> > lists stated the following:
>>> >
>>> > ---
>>> > On Thursday December 14 2006 07:30, Mike Jakubik wrote:
>>> >> > Could you backup this documented fact please? Are you sure you 
>>> are not
>>> >> > referring to a bug in an obsolete version of mailscanner? If this
>>> > was an
>>> >> > issue, im quite certain some of my users would complain.
>>> >
>>> > Look at its code. There are literally hundreds of instances where a
>>> > status from a system call is just ignored (getline, print, close, 
>>> flush,
>>> > stat, mkdir, chown, unlink, exec, system..., sometimes even: open).
>>> > _Anything_ can happen, and you will never know what hit you,
>>> > much less be able to track it down easily, especially if the
>>> > problem is intermittent.
>>> >
>>> >  Mark
>>> > ---
>>> >
>>> > I'm not a perl expert, could someone verify if this is the case? 
>>> Can MS
>>> > really eat emails without any warning?
>>>
>>> Hmm, reading PFDiskStore.pm, it does look like many system calls 
>>> aren't checked.
>>>
>>> Some cases, it doesn't really matter, because a later system call is 
>>> checked,
>>> and that will fail if the previous one did. (ie: mkdir, followed by 
>>> a rename
>>> into that dir, where mkdir isn't checked, but rename is. Clearly if 
>>> the mkdir
>>> failed to make the directory, rename is going to fail and get caught 
>>> that way)
>>>
>>> There are some other cases where I can't tell if it's bad enough to 
>>> cause
>>> problems, or just bad form.
>>>
>>> I suspect that  the un-checked chown and chmod in this file could be 
>>> bad if they
>>> failed.. they *shouldn't* ever fail.. but at the same time, it would 
>>> be nice to
>>> check for failure and generate a message.
>>>
>>> It also would be nice if the unlink in DeleteUnlock() was checked, 
>>> much like it
>>> is in the SMDiskStore.pm for sendmail.
>>>
>>> That said, my code is NOT the latest, and Julian may have already 
>>> fixed both of
>>> the above..
>>>
>> I've done no such audit as you've started Matt... But really, if this
>> was a big problem, I'm more than certain we would've ... encoutered
>> ... it already.
>> I'm not saying that code audits shouldn't be done, and I'm usually a
>> stickler for sane error checking/handling. But I can't shake the
>> feeling this is motly just more of the usual FUD from the postfix
>> devel camp.
>>
>> Since switching to the HOLD method, I've only lost messages when I
>> fat-fingered the MS config... And Jules has subsequently
>> "idiot-proofed" those settings (the * Actions). Might be just dumb
>> luck, I suppose, that it hasn't happened, but I doubt it:-).
>>
>> That said, I'm really in forward of critically looking the PF code
>> over. I've been doing some looking, but then mostly to ascertain how
>> it works (or in some few cases... not), and to try determine whether
>> the PF crowd have any base for some of their allegations (unsafe
>> handling of queue files... AFAICS, this is untrue).
>> Unforunately I will have very limited time to help before X-mas/new 
>> years...
>> Then again, I'm not sure it's a problem needing immediate attention.
>>
>
> This kind of thing is really up to the author. I'm sure it's something 
> he's thought about and not done for a reason. One person's 'sloppy' is 
> another's 'efficient'. Programmers can tend to get a bit over zealous 
> about such issues. More often than not, the issue that has a 
> /potential/ to happen, never really happens in the software's 
> lifetime. So the only _real_ issue is a theoretical, academic argument 
> that most of us have no time for. :-\
Ken,
Thanks for backing me up. Yes, I don't check the return value of every 
single call I make, but show me a programmer who does? (No doubt someone 
will at this point). The most common point that is made is "what if the 
system runs out of space" at this point, and all sorts of things will be 
failing at this time, there isn't any need to create more errors at this 
point, they just create noise. Yes, I quite happily admit I don't check 
the result from everything I do. But if you want a practical piece of 
software that runs at a reasonable speed.

Don't forget. Every morning you make the assumption that the floor is 
there when you step out of bed. Show me the person who checks with a 
stick that the floor is where they think it is, before putting their 
weight on the first foot out of bed in the morning. Yes, you make 
assumptions too.

Jules.

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk



-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.2 (Build 4075)
Comment: Fetch my public key foot-print from www.mailscanner.info
Charset: ISO-8859-1

wj8DBQFFhEpdEfZZRxQVtlQRAmMbAKDhK1tvfzEssr/qAW4ZoitNlKU5hgCgg5nX
6Sg7uid31y+O0TBPmXSGCWc=
=7gKa
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From prandal at herefordshire.gov.uk  Sat Dec 16 20:11:22 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Sat Dec 16 20:11:42 2006
Subject: New ClamAV out
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681FC@isabella.herefordshire.gov.uk>

Perhaps Julian can amend install-Clam-SA to force a build and reinstall
of Mail::ClamAV every time.

 

Little overhead, but worth it if this is going to cause us problems
again.

 

Cheers,

 

Phil

 

  _____  

From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Way to
the Web
Sent: Saturday, December 16, 2006 3:49 PM
To: MailScanner discussion
Subject: Re: New ClamAV out

 

On 12/12/06, Denis Beauchemin <Denis.Beauchemin@usherbrooke.ca
<mailto:Denis.Beauchemin@usherbrooke.ca> > wrote:

Denis Beauchemin a ?crit :
> Release Name: 0.88.7
>
> Hello all,
>
> Our security guy pointed the following advisory for Clam 0.88.6 and
> prior versions: http://www.frsirt.com/english/advisories/2006/4948
<http://www.frsirt.com/english/advisories/2006/4948> 
> Clam AntiVirus MIME Attachments Handling Remote Denial of Service
> Vulnerability
>
> This comes from Clam 0.88.7:
> This version improves scanning of mail and tar files. 
>
> Changes:
> Mon Dec 11 02:47:03 CET 2006
> ----------------------------
>  * Bugfixes:
>    - libclamav/message.c: handle consecutive errors in base64 decoding
>    - libclamav/mbox.c: honour recursion limit when scanning email 
> messages
>    - clamscan: new option --mail-max-recursion
>    - clamd/clamav-milter: new option MailMaxRecursion
>    - libclamav/untar.c: honour archive limits
>
> Denis
>
Just wanted to let you know that there seems to be a problem with the
new ClamAV and ZIP files: I get a lot of:
Dec 12 12:37:52  <http://132.210.244.93> MailScanner warning: numerical
links are often malicious: 132.210.244.93 MailScanner[31880]:
ClamAVModule::INFECTED:: Oversized.Zip::
./kBCHaqdS004063/BIOMETISS_BIOREACTEUR_07-12-2006.zip

I had none yesterday and I have 20 since upgrading Clam this morning.

Denis

--
   _
  ?v?   Denis Beauchemin, analyste
/(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045




--
MailScanner mailing list
mailscanner@lists.mailscanner.info
<mailto:mailscanner@lists.mailscanner.info>  
http://lists.mailscanner.info/mailman/listinfo/mailscanner
<http://lists.mailscanner.info/mailman/listinfo/mailscanner> 

Before posting, read http://wiki.mailscanner.info/posting
<http://wiki.mailscanner.info/posting>  

Support MailScanner development - buy the book off the website!





If anyone is still seeing this problem, we found that it's fixed by
force reinstalling the clamav perl module. According to the clamav
developers: 

Due to the changes in libclamav, 0.88.7 is not binary compatible with
previous 
versions. To solve the issues you have to recompile all the software
which is 
linked against libclamav. 


-- 
Regards,
Sarah Trayser

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061216/ccefee80/attachment.html
From jrudd at ucsc.edu  Sat Dec 16 20:19:33 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Sat Dec 16 20:19:58 2006
Subject: New ClamAV out
In-Reply-To: <eb59f360612160749o407fb081n6e482e07446c6a88@mail.gmail.com>
References: <457EC35F.90606@USherbrooke.ca> <457EFADB.5090400@USherbrooke.ca>
	<eb59f360612160749o407fb081n6e482e07446c6a88@mail.gmail.com>
Message-ID: <458454D5.4090408@ucsc.edu>

Way to the Web wrote:

> If anyone is still seeing this problem, we found that it's fixed by force
> reinstalling the clamav perl module. According to the clamav developers:
> 
>> Due to the changes in libclamav, 0.88.7 is not binary compatible with
>> previous
>> versions. To solve the issues you have to recompile all the software 
>> which
>> is
>> linked against libclamav.
>>
> 

It has pretty much been my experience (which may just be due to 
coincidence since I don't use the clamav perl module in production yet, 
and have only had to do this one or two times) that any time I upgrade 
the clamav binaries, I have to forcibly reinstall the perl module in 
order for it to recognize the the new clamav version.

From mikej at rogers.com  Sat Dec 16 21:09:45 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Sat Dec 16 21:09:33 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45844A14.7050508@ecs.soton.ac.uk>
References: <4582E1AC.6020208@rogers.com>	<458331E9.4060703@evi-inc.com>	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>	<45842E7E.3050508@pacific.net>
	<45844A14.7050508@ecs.soton.ac.uk>
Message-ID: <45846099.3070209@rogers.com>

Julian Field wrote:
> Ken,
> Thanks for backing me up. Yes, I don't check the return value of every 
> single call I make, but show me a programmer who does? (No doubt someone 
> will at this point). The most common point that is made is "what if the 
> system runs out of space" at this point, and all sorts of things will be 
> failing at this time, there isn't any need to create more errors at this 
> point, they just create noise. Yes, I quite happily admit I don't check 
> the result from everything I do. But if you want a practical piece of 
> software that runs at a reasonable speed.
>   

How much of a performance impact does a check for the return value of a 
system call produce? I believe what distinguishes good software from bad 
is how the software handles errors. What you are saying seems to 
contradict, as Matt Kettler stated that identical functions have error 
checking in the sendmail code, but not in postfix. No, i don't check to 
see if there is a floor when i wake up, but the chances of an I/O 
function failing because someone tampered with the directory/changed 
permissions/disk run out of space/some other OS/HW problem are MUCH 
greater than my floor disappearing. While i have not experienced any 
problems myself (AFAIK), it would at least shut up the postfix users/MS 
haters.

From butler at globeserver.com  Sat Dec 16 21:12:53 2006
From: butler at globeserver.com (Philip Butler)
Date: Sat Dec 16 21:13:01 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45844A14.7050508@ecs.soton.ac.uk>
References: <4582E1AC.6020208@rogers.com>
	<458331E9.4060703@evi-inc.com>	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
Message-ID: <F2A81A7C-3910-4BB4-9847-1886EFF2CDB3@globeserver.com>

I am going to start carrying a stick to bed to check for the floor.   
I am doing that tonight.

My new year's resolution (for the year 2040 probably) is to check all  
of my return codes....  :)

Phil

On Dec 16, 2006, at 2:33 PM, Julian Field wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Ken A wrote:
>> Glenn Steen wrote:
>>> On 16/12/06, Matt Kettler <mkettler@evi-inc.com> wrote:
>>>> Mike Jakubik wrote:
>>>>> Recently on the postfix mailling lists, there was a debate on the
>>>> usage
>>>>> of postfix  + mailscanner. I claimed that I've been using the  
>>>>> two for
>>>>> some time now, without any problems. However one of the folks  
>>>>> on the
>>>>> lists stated the following:
>>>>>
>>>>> ---
>>>>> On Thursday December 14 2006 07:30, Mike Jakubik wrote:
>>>>>>> Could you backup this documented fact please? Are you sure you
>>>> are not
>>>>>>> referring to a bug in an obsolete version of mailscanner? If  
>>>>>>> this
>>>>> was an
>>>>>>> issue, im quite certain some of my users would complain.
>>>>>
>>>>> Look at its code. There are literally hundreds of instances  
>>>>> where a
>>>>> status from a system call is just ignored (getline, print, close,
>>>> flush,
>>>>> stat, mkdir, chown, unlink, exec, system..., sometimes even:  
>>>>> open).
>>>>> _Anything_ can happen, and you will never know what hit you,
>>>>> much less be able to track it down easily, especially if the
>>>>> problem is intermittent.
>>>>>
>>>>>  Mark
>>>>> ---
>>>>>
>>>>> I'm not a perl expert, could someone verify if this is the case?
>>>> Can MS
>>>>> really eat emails without any warning?
>>>>
>>>> Hmm, reading PFDiskStore.pm, it does look like many system calls
>>>> aren't checked.
>>>>
>>>> Some cases, it doesn't really matter, because a later system  
>>>> call is
>>>> checked,
>>>> and that will fail if the previous one did. (ie: mkdir, followed by
>>>> a rename
>>>> into that dir, where mkdir isn't checked, but rename is. Clearly if
>>>> the mkdir
>>>> failed to make the directory, rename is going to fail and get  
>>>> caught
>>>> that way)
>>>>
>>>> There are some other cases where I can't tell if it's bad enough to
>>>> cause
>>>> problems, or just bad form.
>>>>
>>>> I suspect that  the un-checked chown and chmod in this file  
>>>> could be
>>>> bad if they
>>>> failed.. they *shouldn't* ever fail.. but at the same time, it  
>>>> would
>>>> be nice to
>>>> check for failure and generate a message.
>>>>
>>>> It also would be nice if the unlink in DeleteUnlock() was checked,
>>>> much like it
>>>> is in the SMDiskStore.pm for sendmail.
>>>>
>>>> That said, my code is NOT the latest, and Julian may have already
>>>> fixed both of
>>>> the above..
>>>>
>>> I've done no such audit as you've started Matt... But really, if  
>>> this
>>> was a big problem, I'm more than certain we would've ... encoutered
>>> ... it already.
>>> I'm not saying that code audits shouldn't be done, and I'm usually a
>>> stickler for sane error checking/handling. But I can't shake the
>>> feeling this is motly just more of the usual FUD from the postfix
>>> devel camp.
>>>
>>> Since switching to the HOLD method, I've only lost messages when I
>>> fat-fingered the MS config... And Jules has subsequently
>>> "idiot-proofed" those settings (the * Actions). Might be just dumb
>>> luck, I suppose, that it hasn't happened, but I doubt it:-).
>>>
>>> That said, I'm really in forward of critically looking the PF code
>>> over. I've been doing some looking, but then mostly to ascertain how
>>> it works (or in some few cases... not), and to try determine whether
>>> the PF crowd have any base for some of their allegations (unsafe
>>> handling of queue files... AFAICS, this is untrue).
>>> Unforunately I will have very limited time to help before X-mas/new
>>> years...
>>> Then again, I'm not sure it's a problem needing immediate attention.
>>>
>>
>> This kind of thing is really up to the author. I'm sure it's  
>> something
>> he's thought about and not done for a reason. One person's  
>> 'sloppy' is
>> another's 'efficient'. Programmers can tend to get a bit over zealous
>> about such issues. More often than not, the issue that has a
>> /potential/ to happen, never really happens in the software's
>> lifetime. So the only _real_ issue is a theoretical, academic  
>> argument
>> that most of us have no time for. :-\
> Ken,
> Thanks for backing me up. Yes, I don't check the return value of every
> single call I make, but show me a programmer who does? (No doubt  
> someone
> will at this point). The most common point that is made is "what if  
> the
> system runs out of space" at this point, and all sorts of things  
> will be
> failing at this time, there isn't any need to create more errors at  
> this
> point, they just create noise. Yes, I quite happily admit I don't  
> check
> the result from everything I do. But if you want a practical piece of
> software that runs at a reasonable speed.
>
> Don't forget. Every morning you make the assumption that the floor is
> there when you step out of bed. Show me the person who checks with a
> stick that the floor is where they think it is, before putting their
> weight on the first foot out of bed in the morning. Yes, you make
> assumptions too.
>
> Jules.
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.2 (Build 4075)
> Comment: Fetch my public key foot-print from www.mailscanner.info
> Charset: ISO-8859-1
>
> wj8DBQFFhEpdEfZZRxQVtlQRAmMbAKDhK1tvfzEssr/qAW4ZoitNlKU5hgCgg5nX
> 6Sg7uid31y+O0TBPmXSGCWc=
> =7gKa
> -----END PGP SIGNATURE-----
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From lists at masonc.com  Sat Dec 16 21:23:25 2006
From: lists at masonc.com (Chris Mason (Lists))
Date: Sat Dec 16 21:23:44 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45844A14.7050508@ecs.soton.ac.uk>
References: <4582E1AC.6020208@rogers.com>	<458331E9.4060703@evi-inc.com>	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>	<45842E7E.3050508@pacific.net>
	<45844A14.7050508@ecs.soton.ac.uk>
Message-ID: <458463CD.2020103@masonc.com>

Julian Field wrote:
> Every morning you make the assumption that the floor is 
> there when you step out of bed. 
No, I look first. I've walked on the dog so many times, and it really 
pisses him off.

-- 
Chris Mason
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rich at mail.wvnet.edu  Sat Dec 16 21:48:36 2006
From: rich at mail.wvnet.edu (Richard Lynch)
Date: Sat Dec 16 21:48:41 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45846099.3070209@rogers.com>
References: <4582E1AC.6020208@rogers.com>	<458331E9.4060703@evi-inc.com>	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>	<45842E7E.3050508@pacific.net>	<45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com>
Message-ID: <458469B4.5090606@mail.wvnet.edu>

Mike Jakubik wrote:
> Julian Field wrote:
>> Ken,
>> Thanks for backing me up. Yes, I don't check the return value of 
>> every single call I make, but show me a programmer who does? (No 
>> doubt someone will at this point). The most common point that is made 
>> is "what if the system runs out of space" at this point, and all 
>> sorts of things will be failing at this time, there isn't any need to 
>> create more errors at this point, they just create noise. Yes, I 
>> quite happily admit I don't check the result from everything I do. 
>> But if you want a practical piece of software that runs at a 
>> reasonable speed.
>>   
>
> How much of a performance impact does a check for the return value of 
> a system call produce? I believe what distinguishes good software from 
> bad is how the software handles errors. What you are saying seems to 
> contradict, as Matt Kettler stated that identical functions have error 
> checking in the sendmail code, but not in postfix. No, i don't check 
> to see if there is a floor when i wake up, but the chances of an I/O 
> function failing because someone tampered with the directory/changed 
> permissions/disk run out of space/some other OS/HW problem are MUCH 
> greater than my floor disappearing. While i have not experienced any 
> problems myself (AFAIK), it would at least shut up the postfix 
> users/MS haters.
>
I doubt anything would quiet them. 

Axiom: If one is looking for fault one will find it. 
Corollary: You will find whatever you are looking for.

It's not necessary to check every possible failure just the important 
ones or the ones you want to handle.  The question becomes "Does MS 
check enough of them?".  I don't know the code so I can't say.  I can, 
however, say this.

1) MS protects over 1 billion messages a day (from the web page).
2) We use it to process approx 2 million messages a day.
3) We have had little to no problems with MS.

For us the answer to the question is, yes, MS checks enough of them,

~rich

-- 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: rich.vcf
Type: text/x-vcard
Size: 299 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061216/c5f62e3f/rich.vcf
From res at ausics.net  Sat Dec 16 21:53:24 2006
From: res at ausics.net (Res)
Date: Sat Dec 16 21:53:34 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45846099.3070209@rogers.com>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com>
Message-ID: <Pine.LNX.4.64.0612170743390.12660@ebfjryy.nhfvpf.arg>

On Sat, 16 Dec 2006, Mike Jakubik wrote:

> system call produce? I believe what distinguishes good software from bad is 
> how the software handles errors. What you are saying seems to contradict, as

If I have to evaluate two pieces of software, doing the exact same thing.
One that checks for every single error code (as is apparently so important 
to you and the postfix crybabies, and lets not forget Venema has always 
had somthing against MS) and takes 5 minutes to process a batch of 50 msgs, 
and one that checks for the only really needed calls that does a batch of 
50 in 5 seconds, the latter wins hands down.


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From res at ausics.net  Sat Dec 16 21:59:22 2006
From: res at ausics.net (Res)
Date: Sat Dec 16 21:59:30 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <458469B4.5090606@mail.wvnet.edu>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com> <458469B4.5090606@mail.wvnet.edu>
Message-ID: <Pine.LNX.4.64.0612170754410.12660@ebfjryy.nhfvpf.arg>

On Sat, 16 Dec 2006, Richard Lynch wrote:

> I doubt anything would quiet them. 
> Axiom: If one is looking for fault one will find it. Corollary: You will find 
> whatever you are looking for.
>
> It's not necessary to check every possible failure just the important ones or 
> the ones you want to handle.  The question becomes "Does MS check enough of 
> them?".  I don't know the code so I can't say.  I can, however, say this.
>
> 1) MS protects over 1 billion messages a day (from the web page).
> 2) We use it to process approx 2 million messages a day.
> 3) We have had little to no problems with MS.
>
> For us the answer to the question is, yes, MS checks enough of them,


here here.

and the only problem we've ever had with MS, was not MS, but spamassasin 
(more directly: dcc laaaaaaggggg)


On this note I'd like to wish all of you a Merry Christmas, and we can 
rest peacefully (or drink constantly :P) this festive season knowing our 
own and our clients Emails are well protected.


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From jrudd at ucsc.edu  Sat Dec 16 22:18:41 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Sat Dec 16 22:19:00 2006
Subject: New ClamAV out
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681FC@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681FC@isabella.herefordshire.gov.uk>
Message-ID: <458470C1.3020001@ucsc.edu>


Actually, I kind of wish there was something like MajorSophos.sh that 
worked for ClamAV.


Randal, Phil wrote:
> Perhaps Julian can amend install-Clam-SA to force a build and reinstall
> of Mail::ClamAV every time.
> 
>  
> 
> Little overhead, but worth it if this is going to cause us problems
> again.
> 
>  
> 
> Cheers,
> 
>  
> 
> Phil
> 
>  
> 
>   _____  
> 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Way to
> the Web
> Sent: Saturday, December 16, 2006 3:49 PM
> To: MailScanner discussion
> Subject: Re: New ClamAV out
> 
>  
> 
> On 12/12/06, Denis Beauchemin <Denis.Beauchemin@usherbrooke.ca
> <mailto:Denis.Beauchemin@usherbrooke.ca> > wrote:
> 
> Denis Beauchemin a ?crit :
>> Release Name: 0.88.7
>>
>> Hello all,
>>
>> Our security guy pointed the following advisory for Clam 0.88.6 and
>> prior versions: http://www.frsirt.com/english/advisories/2006/4948
> <http://www.frsirt.com/english/advisories/2006/4948> 
>> Clam AntiVirus MIME Attachments Handling Remote Denial of Service
>> Vulnerability
>>
>> This comes from Clam 0.88.7:
>> This version improves scanning of mail and tar files. 
>>
>> Changes:
>> Mon Dec 11 02:47:03 CET 2006
>> ----------------------------
>>  * Bugfixes:
>>    - libclamav/message.c: handle consecutive errors in base64 decoding
>>    - libclamav/mbox.c: honour recursion limit when scanning email 
>> messages
>>    - clamscan: new option --mail-max-recursion
>>    - clamd/clamav-milter: new option MailMaxRecursion
>>    - libclamav/untar.c: honour archive limits
>>
>> Denis
>>
> Just wanted to let you know that there seems to be a problem with the
> new ClamAV and ZIP files: I get a lot of:
> Dec 12 12:37:52  <http://132.210.244.93> MailScanner warning: numerical
> links are often malicious: 132.210.244.93 MailScanner[31880]:
> ClamAVModule::INFECTED:: Oversized.Zip::
> ./kBCHaqdS004063/BIOMETISS_BIOREACTEUR_07-12-2006.zip
> 
> I had none yesterday and I have 20 since upgrading Clam this morning.
> 
> Denis
> 
> --
>    _
>   ?v?   Denis Beauchemin, analyste
> /(_)\  Universit? de Sherbrooke, S.T.I.
>   ^ ^   T: 819.821.8000x62252 F: 819.821.8045
> 
> 
> 
> 
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> <mailto:mailscanner@lists.mailscanner.info>  
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> <http://lists.mailscanner.info/mailman/listinfo/mailscanner> 
> 
> Before posting, read http://wiki.mailscanner.info/posting
> <http://wiki.mailscanner.info/posting>  
> 
> Support MailScanner development - buy the book off the website!
> 
> 
> 
> 
> 
> If anyone is still seeing this problem, we found that it's fixed by
> force reinstalling the clamav perl module. According to the clamav
> developers: 
> 
> Due to the changes in libclamav, 0.88.7 is not binary compatible with
> previous 
> versions. To solve the issues you have to recompile all the software
> which is 
> linked against libclamav. 
> 
> 
> 
From jaearick at colby.edu  Sat Dec 16 22:45:27 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Sat Dec 16 22:45:39 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45844A14.7050508@ecs.soton.ac.uk>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
Message-ID: <Pine.GSO.4.64.0612161737450.27156@feldspar>

On Sat, 16 Dec 2006, Julian Field wrote:

> Don't forget. Every morning you make the assumption that the floor is
> there when you step out of bed. Show me the person who checks with a
> stick that the floor is where they think it is, before putting their
> weight on the first foot out of bed in the morning. Yes, you make
> assumptions too.

I assume that I'm going to step on my glasses if I just jump out of bed,
since I put them on the floor beside it.  So I spend my first minute of
the day feeling around on the floor with my hand (yup, floor is there;
no animals underfoot, I *have* to vacuum that carpet), find my glasses, 
put them on, and THEN assume that I can get out of bed. 
Jules, you wear glasses.  I'm sure you have a similar morning ritual.

Jeff Earickson
Colby College
From mikej at rogers.com  Sat Dec 16 23:13:52 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Sat Dec 16 23:13:41 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <Pine.LNX.4.64.0612170743390.12660@ebfjryy.nhfvpf.arg>
References: <4582E1AC.6020208@rogers.com>
	<458331E9.4060703@evi-inc.com>	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>	<45842E7E.3050508@pacific.net>
	<45844A14.7050508@ecs.soton.ac.uk>	<45846099.3070209@rogers.com>
	<Pine.LNX.4.64.0612170743390.12660@ebfjryy.nhfvpf.arg>
Message-ID: <45847DB0.4000707@rogers.com>

Res wrote:
> On Sat, 16 Dec 2006, Mike Jakubik wrote:
>
>> system call produce? I believe what distinguishes good software from 
>> bad is how the software handles errors. What you are saying seems to 
>> contradict, as
>
> If I have to evaluate two pieces of software, doing the exact same thing.
> One that checks for every single error code (as is apparently so 
> important to you and the postfix crybabies, and lets not forget Venema 
> has always had somthing against MS) and takes 5 minutes to process a 
> batch of 50 msgs, and one that checks for the only really needed calls 
> that does a batch of 50 in 5 seconds, the latter wins hands down.
>
>

The overhead of checking the errorlevel a function returns is almost 
non-existent, and indeed some functions are checked properly in the 
sendmail code, but not the in postfix code, why?
From rob at robhq.com  Sat Dec 16 23:16:10 2006
From: rob at robhq.com (Rob Freeman)
Date: Sat Dec 16 23:16:38 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45846099.3070209@rogers.com>
References: <4582E1AC.6020208@rogers.com>	<458331E9.4060703@evi-inc.com>	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>	<45842E7E.3050508@pacific.net>	<45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com>
Message-ID: <000001c72168$3a7f11b0$af7d3510$@com>

If any of those problems happen, u have more troubles then MailScanner.
Personally, it is not MailScanners job to monitor a server for disk space,
permissions, or any other OS / HW problems.  And if someone is tampering
with permissions, well one has much more issues then getting mail at that
point.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike
Jakubik
Sent: Saturday, December 16, 2006 3:10 PM
To: MailScanner discussion
Subject: Re: Sloppy error checking in MS code

Julian Field wrote:
> Ken,
> Thanks for backing me up. Yes, I don't check the return value of every 
> single call I make, but show me a programmer who does? (No doubt someone 
> will at this point). The most common point that is made is "what if the 
> system runs out of space" at this point, and all sorts of things will be 
> failing at this time, there isn't any need to create more errors at this 
> point, they just create noise. Yes, I quite happily admit I don't check 
> the result from everything I do. But if you want a practical piece of 
> software that runs at a reasonable speed.
>   

How much of a performance impact does a check for the return value of a 
system call produce? I believe what distinguishes good software from bad 
is how the software handles errors. What you are saying seems to 
contradict, as Matt Kettler stated that identical functions have error 
checking in the sendmail code, but not in postfix. No, i don't check to 
see if there is a floor when i wake up, but the chances of an I/O 
function failing because someone tampered with the directory/changed 
permissions/disk run out of space/some other OS/HW problem are MUCH 
greater than my floor disappearing. While i have not experienced any 
problems myself (AFAIK), it would at least shut up the postfix users/MS 
haters.

-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

-- 
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.15.21/589 - Release Date: 12/15/2006
5:10 PM
 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.15.21/589 - Release Date: 12/15/2006
5:10 PM
 

From pete at enitech.com.au  Sat Dec 16 23:20:21 2006
From: pete at enitech.com.au (Pete Russell)
Date: Sat Dec 16 23:20:30 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <Pine.LNX.4.64.0612170754410.12660@ebfjryy.nhfvpf.arg>
References: <4582E1AC.6020208@rogers.com>
	<458331E9.4060703@evi-inc.com>	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>	<45842E7E.3050508@pacific.net>
	<45844A14.7050508@ecs.soton.ac.uk>	<45846099.3070209@rogers.com>
	<458469B4.5090606@mail.wvnet.edu>
	<Pine.LNX.4.64.0612170754410.12660@ebfjryy.nhfvpf.arg>
Message-ID: <45847F35.9080801@enitech.com.au>



Res wrote:
> On Sat, 16 Dec 2006, Richard Lynch wrote:
> 
>> I doubt anything would quiet them. Axiom: If one is looking for fault 
>> one will find it. Corollary: You will find whatever you are looking for.
>>
>> It's not necessary to check every possible failure just the important 
>> ones or the ones you want to handle.  The question becomes "Does MS 
>> check enough of them?".  I don't know the code so I can't say.  I can, 
>> however, say this.
>>
>> 1) MS protects over 1 billion messages a day (from the web page).
>> 2) We use it to process approx 2 million messages a day.
>> 3) We have had little to no problems with MS.
>>
>> For us the answer to the question is, yes, MS checks enough of them,
> 
> 

Its funny, seem that only the users on the postfix list experience 
problems, or theorise about them. I have been using postfix and MS for 
4+ years and i have never experienced any problems, except that postfix 
cant split the multi recipient inbound message into individual queue 
files. But that's a postfix problem...
From jrudd at ucsc.edu  Sat Dec 16 23:59:50 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Sun Dec 17 00:00:10 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <Pine.GSO.4.64.0612161737450.27156@feldspar>
References: <4582E1AC.6020208@rogers.com>
	<458331E9.4060703@evi-inc.com>	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>	<45842E7E.3050508@pacific.net>
	<45844A14.7050508@ecs.soton.ac.uk>
	<Pine.GSO.4.64.0612161737450.27156@feldspar>
Message-ID: <45848876.1060800@ucsc.edu>

Jeff A. Earickson wrote:
> On Sat, 16 Dec 2006, Julian Field wrote:
> 
>> Don't forget. Every morning you make the assumption that the floor is
>> there when you step out of bed. Show me the person who checks with a
>> stick that the floor is where they think it is, before putting their
>> weight on the first foot out of bed in the morning. Yes, you make
>> assumptions too.
> 
> I assume that I'm going to step on my glasses if I just jump out of bed,
> since I put them on the floor beside it.  So I spend my first minute of
> the day feeling around on the floor with my hand (yup, floor is there;
> no animals underfoot, I *have* to vacuum that carpet), find my glasses, 
> put them on, and THEN assume that I can get out of bed. Jules, you wear 
> glasses.  I'm sure you have a similar morning ritual.
> 

You can solve that problem with a bed-side table, too.  :-)
From res at ausics.net  Sun Dec 17 00:51:59 2006
From: res at ausics.net (Res)
Date: Sun Dec 17 00:52:10 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45847F35.9080801@enitech.com.au>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com> <458469B4.5090606@mail.wvnet.edu>
	<Pine.LNX.4.64.0612170754410.12660@ebfjryy.nhfvpf.arg>
	<45847F35.9080801@enitech.com.au>
Message-ID: <Pine.LNX.4.64.0612171044400.14916@ebfjryy.nhfvpf.arg>

On Sun, 17 Dec 2006, Pete Russell wrote:

>
> Its funny, seem that only the users on the postfix list experience problems, 
> or theorise about them. I have been using postfix and MS for 4+ years and i 
> have never experienced any problems, except that postfix cant split the multi 
> recipient inbound message into individual queue files. But that's a postfix 
> problem...


Prolly more FUD from Venema to try convince PF users to not use MS.

Weitse is just like Dan Berstien infamous of qmail in his ways, well 
actually, no he's worse, as I've never seen or heard from any qmail 
fanbois that Daniel recommends they do not MS.


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From res at ausics.net  Sun Dec 17 00:59:31 2006
From: res at ausics.net (Res)
Date: Sun Dec 17 00:59:55 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45847DB0.4000707@rogers.com>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com>
	<Pine.LNX.4.64.0612170743390.12660@ebfjryy.nhfvpf.arg>
	<45847DB0.4000707@rogers.com>
Message-ID: <Pine.LNX.4.64.0612171052430.14916@ebfjryy.nhfvpf.arg>

On Sat, 16 Dec 2006, Mike Jakubik wrote:

> The overhead of checking the errorlevel a function returns is almost 
> non-existent, and indeed some functions are checked properly in the sendmail 
> code, but not the in postfix code, why?

Maybe the PF module is not written completely by Julian, much like the Qmail
module, which is why Qmail is not officially supported by Julian.
In fact a  post made recently by anoher list member seemed to indicate he 
was the one who wrote PF module, I might be wrong, as I recall it was late 
at night when I read it.



-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From mikej at rogers.com  Sun Dec 17 01:01:17 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Sun Dec 17 01:01:05 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <000001c72168$3a7f11b0$af7d3510$@com>
References: <4582E1AC.6020208@rogers.com>	<458331E9.4060703@evi-inc.com>	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>	<45842E7E.3050508@pacific.net>	<45844A14.7050508@ecs.soton.ac.uk>	<45846099.3070209@rogers.com>
	<000001c72168$3a7f11b0$af7d3510$@com>
Message-ID: <458496DD.1010209@rogers.com>

Rob Freeman wrote:
> If any of those problems happen, u have more troubles then MailScanner.
> Personally, it is not MailScanners job to monitor a server for disk space,
> permissions, or any other OS / HW problems.  And if someone is tampering
> with permissions, well one has much more issues then getting mail at that
> point.
>   

I never stated that MS should monitor my system, it should however fail 
gracefully and not eat messages.

From res at ausics.net  Sun Dec 17 01:00:59 2006
From: res at ausics.net (Res)
Date: Sun Dec 17 01:01:07 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <Pine.GSO.4.64.0612161737450.27156@feldspar>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
	<Pine.GSO.4.64.0612161737450.27156@feldspar>
Message-ID: <Pine.LNX.4.64.0612171059350.14916@ebfjryy.nhfvpf.arg>

On Sat, 16 Dec 2006, Jeff A. Earickson wrote:

> I assume that I'm going to step on my glasses if I just jump out of bed,

If you leave them on the floor you deserve to get them broken, maybe your 
partner will step on them trying to wake you, maybe your dog will crush 
them, doesnt have to be you :)



-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From root at doctor.nl2k.ab.ca  Sun Dec 17 04:01:30 2006
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the
	Problem)
Date: Sun Dec 17 04:01:52 2006
Subject: 4.58.1-1 && Happy Christmas!
In-Reply-To: <45842F18.3090800@ecs.soton.ac.uk>
References: <45842F18.3090800@ecs.soton.ac.uk>
Message-ID: <20061217040129.GA4756@doctor.nl2k.ab.ca>

On Sat, Dec 16, 2006 at 05:38:32PM +0000, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I have just released the first beta of 4.58 which I intend to evolve 
> into a stable release of 4.58.
> 
> Please report problems directly to me, as I still don't have the time to 
> read the mailing list, for which I am most apologetic and annoyed.
> 
> My day-job has been really busy over the past few months, and shows no 
> signs of slacking off for the time-being. But I will make it a New 
> Year's Resolution to read the mailing list, and try my hardest to 
> recover to the level of support I used to be able to offer. I can only 
> offer my apologies for my lack of support over the past few months, I 
> have just been so busy I haven't had time to breathe. Sorry :-(
> 
> I will try to hardest to fit in MailScanner support next year, but I 
> can't make any guarantees, I've got a year-long programming job to do. 
> The aim is to effectively automate the whole process of exam marks to 
> degree grades, and so do away with some very long exam-board meetings. 
> It's a huge job, and I am the only person in the department who can be 
> trusted to do the whole job well and reliably. It's one of the 
> consequences of having a certain reputation.  :-)
> 
> You are at the top of my New Year's Resolutions, I promise!
> 
> Jules
> 
> - -- 
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> 
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
> 
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
> 
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.2 (Build 4075)
> Comment: Fetch my public key foot-print from www.mailscanner.info
> Charset: ISO-8859-1
> 
> wj8DBQFFhC+CEfZZRxQVtlQRApe7AJ4xODOf/UWVba8XKUfKQFppgpKwLwCglSJu
> o0qyyOuyqnDfRFYwa9vq1dg=
> =hUOv
> -----END PGP SIGNATURE-----
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk
> 
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website!
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 
> 
> 
> !DSPAM:4584c0cc45901124810508!

And Thank you for the beta.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From micoots at yahoo.com  Sun Dec 17 06:13:42 2006
From: micoots at yahoo.com (Michael Mansour)
Date: Sun Dec 17 06:13:46 2006
Subject: Blocking/deleting bad/offensive words
Message-ID: <20061217061342.47084.qmail@web33308.mail.mud.yahoo.com>

Hi,

I have a user responsible for his own email domain who has provided me a list of offensive and bad words and has asked me fo rany message containing those words, he'd like it deleted without even seeing it.

I'm using the latest version of MailScanner and am wondering what's the best way to do this. I think MCP? though I have never used it before.

I'm also wondering how he can maintain his offensive/bad words list instead of sending it to me for inclusion?

Many thanks.

Michael.

Send instant messages to your online friends http://au.messenger.yahoo.com 
From glenn.steen at gmail.com  Sun Dec 17 11:43:59 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Dec 17 11:44:01 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45844A14.7050508@ecs.soton.ac.uk>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
Message-ID: <223f97700612170343i421fce2vf39d8c2e6e0013f9@mail.gmail.com>

On 16/12/06, Julian Field <MailScanner@ecs.soton.ac.uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Ken A wrote:
> > Glenn Steen wrote:
(snip)
> >> Since switching to the HOLD method, I've only lost messages when I
> >> fat-fingered the MS config... And Jules has subsequently
> >> "idiot-proofed" those settings (the * Actions). Might be just dumb
> >> luck, I suppose, that it hasn't happened, but I doubt it:-).
> >>
> >> That said, I'm really in forward of critically looking the PF code
> >> over. I've been doing some looking, but then mostly to ascertain how
> >> it works (or in some few cases... not), and to try determine whether
> >> the PF crowd have any base for some of their allegations (unsafe
> >> handling of queue files... AFAICS, this is untrue).
> >> Unforunately I will have very limited time to help before X-mas/new
> >> years...
> >> Then again, I'm not sure it's a problem needing immediate attention.
> >>
> >
> > This kind of thing is really up to the author. I'm sure it's something
> > he's thought about and not done for a reason. One person's 'sloppy' is
> > another's 'efficient'. Programmers can tend to get a bit over zealous
> > about such issues. More often than not, the issue that has a
> > /potential/ to happen, never really happens in the software's
> > lifetime. So the only _real_ issue is a theoretical, academic argument
> > that most of us have no time for. :-\

Quite true Ken, and I'm not advocating anything like the idiotic
testing of every printf (anyone ever written anything in C knows that
a lint will ... complain... about things that don't matter... Unless
you go wild with checks (that fill no purpose, and hence will give
other ... lint errors) or spread a thick layer of typecasts to void
all over the place. Sigh). Just suggesting looking it over with a
critical eye, is all.
After all, that is one of the high points of OSS... The ability to
make sure for oneself that the code is (sanely) healthy ... Not a
shadow over Jules, not ever.

And I'm not saying that *he* should squander his limited time on this
either. It's up to us who claim a modicum of programmer skill to do
(in conjunction with Jules, of course). Unfortunately (as I said
before) I'm very busy till sometime January... But then, such a work
would probably a) not lead to much at all, b) not be that onerous, and
finally c) not be that much "in demand" (meaning: There's really no
fire to put out, that we know of, so it's mostly a case of settling
the fears of those that actually believe the PF devel crowd. I
don't!).

> Ken,
> Thanks for backing me up. Yes, I don't check the return value of every
> single call I make, but show me a programmer who does? (No doubt someone
> will at this point). The most common point that is made is "what if the
> system runs out of space" at this point, and all sorts of things will be
> failing at this time, there isn't any need to create more errors at this
> point, they just create noise. Yes, I quite happily admit I don't check
> the result from everything I do. But if you want a practical piece of
> software that runs at a reasonable speed.
>
> Don't forget. Every morning you make the assumption that the floor is
> there when you step out of bed. Show me the person who checks with a
> stick that the floor is where they think it is, before putting their
> weight on the first foot out of bed in the morning. Yes, you make
> assumptions too.
>
> Jules.

Have no fear Jules, we're all solidly in "your camp" here. I've been
singing your praises for a long time, for the simple reasons that a)
MailScanner works wonders for my organisation on a daily basis, b)
I've actually read this particular part of the code several times and
deem it very clever indeed (not that I claim to see all the nuances:-)
... Just didn't think of looking for silliness like this discussion is
about at the time, c) there is a rather large community of PF users
using it daily on rather huge amounts of mails... with no discernible
problems ... d) the list goes on, but I've no time to complete it:-).

Doing some form of more rigorous code audit is not a generally bad
idea, but it is not a top priority either, for those simple
reasons:-). Doing one is not a reflection on your ability, on the
contrary... It shows that we all take your eminent software as
seriously as you do yourself!
... And whoever said it'd even lead to any changes? Not me;-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Sun Dec 17 15:02:21 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Dec 17 15:02:24 2006
Subject: Not blocking spam?
In-Reply-To: <db11198bd2cba2b9d14ee1dd155064b7@localhost>
References: <em06v3$hg7$1@sea.gmane.org>
	<db11198bd2cba2b9d14ee1dd155064b7@localhost>
Message-ID: <223f97700612170702r26a734b2o7dee11eed8314833@mail.gmail.com>

On 16/12/06, jdavis <jdavis@standard.k12.ca.us> wrote:
> It's set to yes.
>
> Since running through spamassassin manually works, I am assuming I've hosed up a setting in my mailscanner.conf  If looked and looked (probably too much) and cannot seem to find anything.
Does it look like MailScanner is involved (from headers of the
delivered GTUBE mail, or not (also look in maillog ....)? Have you run
"MailScanner --lint" etc?

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Sun Dec 17 15:37:52 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Dec 17 15:37:55 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45846099.3070209@rogers.com>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com>
Message-ID: <223f97700612170737l48e139cdj1b3df00b6bcddda9@mail.gmail.com>

On 16/12/06, Mike Jakubik <mikej@rogers.com> wrote:
> Julian Field wrote:
> > Ken,
> > Thanks for backing me up. Yes, I don't check the return value of every
> > single call I make, but show me a programmer who does? (No doubt someone
> > will at this point). The most common point that is made is "what if the
> > system runs out of space" at this point, and all sorts of things will be
> > failing at this time, there isn't any need to create more errors at this
> > point, they just create noise. Yes, I quite happily admit I don't check
> > the result from everything I do. But if you want a practical piece of
> > software that runs at a reasonable speed.
> >
>
> How much of a performance impact does a check for the return value of a
> system call produce? I believe what distinguishes good software from bad
> is how the software handles errors. What you are saying seems to
> contradict, as Matt Kettler stated that identical functions have error
> checking in the sendmail code, but not in postfix. No, i don't check to
> see if there is a floor when i wake up, but the chances of an I/O
> function failing because someone tampered with the directory/changed
> permissions/disk run out of space/some other OS/HW problem are MUCH
> greater than my floor disappearing. While i have not experienced any
> problems myself (AFAIK), it would at least shut up the postfix users/MS
> haters.
>
There is such a thing as being _too_ conscientious too Mike. I fondly
remember retiring a communication handling system (written in C) that
checked every return code meticulously _and then did the wrong
things_, thus becoming the problem instead of solving it... I replaced
that with a rather well thought out brood of perl scripts... Went from
at least one severe "error" (where production (ID cards) ground to a
halt) to ... no errors for the next 4 years, not counting the very few
times when the customers mainframe "on the other end" had a hiccup
(which was infrequent).

I'm pretty certain we don't have any real problem here, but I do agree
we should take the time to look. Personally, I can't help with that
just now, but will be aiming at doing something around mid-January.
Nothing stopping you (or Matt) from continuing now though:-):-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Sun Dec 17 15:50:45 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Dec 17 15:50:48 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <Pine.LNX.4.64.0612170754410.12660@ebfjryy.nhfvpf.arg>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com> <458469B4.5090606@mail.wvnet.edu>
	<Pine.LNX.4.64.0612170754410.12660@ebfjryy.nhfvpf.arg>
Message-ID: <223f97700612170750g2ffda3d3n5b067dafd260f3dc@mail.gmail.com>

On 16/12/06, Res <res@ausics.net> wrote:
> On Sat, 16 Dec 2006, Richard Lynch wrote:
>
> > I doubt anything would quiet them.
> > Axiom: If one is looking for fault one will find it. Corollary: You will find
> > whatever you are looking for.

This is most certainly true, yes. Wietse, Victor etc have decided to
hate MailScanner for a slew of reasons that reality doesn't support
(In fact, when Wietse has been "pressured" to present a list of
stipulations a system like MailScanner need conform to, to be safe
when handling the queue files, it turns out that Jules (in his
wisdom;) already did all that: How to get the files out of the queue,
how to "deconstruct" them, how to "rebuild a new file" and finally
requeue it... So, one get the feeling that it then is a natural thing
for them to move on to something else where they can be
vitriolic/moronic).

> > It's not necessary to check every possible failure just the important ones or
> > the ones you want to handle.  The question becomes "Does MS check enough of
> > them?".  I don't know the code so I can't say.  I can, however, say this.
> >
> > 1) MS protects over 1 billion messages a day (from the web page).
> > 2) We use it to process approx 2 million messages a day.
> > 3) We have had little to no problems with MS.
> >
> > For us the answer to the question is, yes, MS checks enough of them,

Very likely this is exactly what any type of audit would show too.

> here here.
>
> and the only problem we've ever had with MS, was not MS, but spamassasin
> (more directly: dcc laaaaaaggggg)
>
>
> On this note I'd like to wish all of you a Merry Christmas, and we can
> rest peacefully (or drink constantly :P) this festive season knowing our
> own and our clients Emails are well protected.
>
Early holiday, Eh Res? A bit early, but ... Likewise, likewise...:-).
"Drink constantly" seems like an appealing option right now... Should
lead to "rest peacfully":-)
And there should be some singing too... Why not an Ode to MailScanner,
some of the poetry should lend itself to music well enough:-D

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Sun Dec 17 16:00:12 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Dec 17 16:00:58 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <45847F35.9080801@enitech.com.au>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com> <458469B4.5090606@mail.wvnet.edu>
	<Pine.LNX.4.64.0612170754410.12660@ebfjryy.nhfvpf.arg>
	<45847F35.9080801@enitech.com.au>
Message-ID: <223f97700612170800mdd1504aha3037a97ddc66af3@mail.gmail.com>

On 17/12/06, Pete Russell <pete@enitech.com.au> wrote:
>
>
> Res wrote:
> > On Sat, 16 Dec 2006, Richard Lynch wrote:
> >
> >> I doubt anything would quiet them. Axiom: If one is looking for fault
> >> one will find it. Corollary: You will find whatever you are looking for.
> >>
> >> It's not necessary to check every possible failure just the important
> >> ones or the ones you want to handle.  The question becomes "Does MS
> >> check enough of them?".  I don't know the code so I can't say.  I can,
> >> however, say this.
> >>
> >> 1) MS protects over 1 billion messages a day (from the web page).
> >> 2) We use it to process approx 2 million messages a day.
> >> 3) We have had little to no problems with MS.
> >>
> >> For us the answer to the question is, yes, MS checks enough of them,
> >
> >
>
> Its funny, seem that only the users on the postfix list experience
> problems, or theorise about them. I have been using postfix and MS for
> 4+ years and i have never experienced any problems, except that postfix
> cant split the multi recipient inbound message into individual queue
> files. But that's a postfix problem...
... Easily... is what you meant to say, I hope:-)

As to the rest... Pointing people to the correct forum would be one
thing (like we do when people ask about DefenderMX or OpenProtect).
It's the vehement allegations of non-functionality that baffles me.
Like you, I've been using this combination for quite a while, with no
ill effects whatsoever.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Sun Dec 17 16:01:32 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Dec 17 16:01:36 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <Pine.LNX.4.64.0612171044400.14916@ebfjryy.nhfvpf.arg>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com> <458469B4.5090606@mail.wvnet.edu>
	<Pine.LNX.4.64.0612170754410.12660@ebfjryy.nhfvpf.arg>
	<45847F35.9080801@enitech.com.au>
	<Pine.LNX.4.64.0612171044400.14916@ebfjryy.nhfvpf.arg>
Message-ID: <223f97700612170801x295cda2es173bb9975895699@mail.gmail.com>

On 17/12/06, Res <res@ausics.net> wrote:
> On Sun, 17 Dec 2006, Pete Russell wrote:
>
> >
> > Its funny, seem that only the users on the postfix list experience problems,
> > or theorise about them. I have been using postfix and MS for 4+ years and i
> > have never experienced any problems, except that postfix cant split the multi
> > recipient inbound message into individual queue files. But that's a postfix
> > problem...
>
>
> Prolly more FUD from Venema to try convince PF users to not use MS.
>
> Weitse is just like Dan Berstien infamous of qmail in his ways, well
> actually, no he's worse, as I've never seen or heard from any qmail
> fanbois that Daniel recommends they do not MS.
>
I suspect you are quite correct. More's the pity.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Sun Dec 17 16:04:35 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Dec 17 16:04:43 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <Pine.LNX.4.64.0612171052430.14916@ebfjryy.nhfvpf.arg>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com>
	<Pine.LNX.4.64.0612170743390.12660@ebfjryy.nhfvpf.arg>
	<45847DB0.4000707@rogers.com>
	<Pine.LNX.4.64.0612171052430.14916@ebfjryy.nhfvpf.arg>
Message-ID: <223f97700612170804x77bfe29fo5d480c33140f90a3@mail.gmail.com>

On 17/12/06, Res <res@ausics.net> wrote:
> On Sat, 16 Dec 2006, Mike Jakubik wrote:
>
> > The overhead of checking the errorlevel a function returns is almost
> > non-existent, and indeed some functions are checked properly in the sendmail
> > code, but not the in postfix code, why?
>
> Maybe the PF module is not written completely by Julian, much like the Qmail
> module, which is why Qmail is not officially supported by Julian.
> In fact a  post made recently by anoher list member seemed to indicate he
> was the one who wrote PF module, I might be wrong, as I recall it was late
> at night when I read it.
>
It's as with most of MailScanner... Mostly Jules, with only snippets
here and there that come from other people (and those are marked to
that effect AFAICS).... Perhaps a tad too much amber fluid?:-)

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Sun Dec 17 16:05:58 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Dec 17 16:06:11 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <458496DD.1010209@rogers.com>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com> <000001c72168$3a7f11b0$af7d3510$@com>
	<458496DD.1010209@rogers.com>
Message-ID: <223f97700612170805u43c3808t36c6cf7d5c90df9f@mail.gmail.com>

On 17/12/06, Mike Jakubik <mikej@rogers.com> wrote:
> Rob Freeman wrote:
> > If any of those problems happen, u have more troubles then MailScanner.
> > Personally, it is not MailScanners job to monitor a server for disk space,
> > permissions, or any other OS / HW problems.  And if someone is tampering
> > with permissions, well one has much more issues then getting mail at that
> > point.
> >
>
> I never stated that MS should monitor my system, it should however fail
> gracefully and not eat messages.
Quite a resonable standpoint. And we're all pretty sure that this is
the state of things too;). But we should look, yes.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From dhawal at netmagicsolutions.com  Sun Dec 17 18:54:08 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Sun Dec 17 18:54:44 2006
Subject: Sloppy error checking in MS code
Message-ID: <20061218002408.a0qm082jgggg0kc8@mail.netmagicsolutions.com>


Quoting Glenn Steen <glenn.steen@gmail.com>:

> On 17/12/06, Mike Jakubik <mikej@rogers.com> wrote:
>> Rob Freeman wrote:
>>> If any of those problems happen, u have more troubles then MailScanner.
>>> Personally, it is not MailScanners job to monitor a server for disk space,
>>> permissions, or any other OS / HW problems.  And if someone is tampering
>>> with permissions, well one has much more issues then getting mail at that
>>> point.
>>>
>>
>> I never stated that MS should monitor my system, it should however fail
>> gracefully and not eat messages.
> Quite a resonable standpoint. And we're all pretty sure that this is
> the state of things too;). But we should look, yes.

Time for me to add some facts (of course for my point of view) here,  
since i follow the postfix list very regularly..

Wietse and Viktor from my little interaction with them have no problem  
with any Filtering tool (including mailscanner) as long as it uses one  
of the *documented* interfaces (how is not what i mention here, read  
the thread below for wietse's comment)

The comment on the mailscanner code being sloppy was made by *ahem*  
'Mark Martinec' of amavisd-new fame.. See this thread:
http://groups.google.com/group/list.postfix.users/browse_thread/thread/d919f921151c8cb3/d1ac170a6838855f?lnk=gst&q=mailscanner&rnum=1#d1ac170a6838855f

It is therefore understandable that Mark made this comment (and  
probably rightly so).. however let us look at the larger picture and  
those who can read code, ought to make an effort to 'audit' the code  
for the *so called* sloppiness just to re-assure themselves (and  
probably others).

 From my point of view again, checking for free disk space and other  
such things is *not* mailscanner's job.. as long as it fails  
gracefully and consistently.. there shouldn't be a scope for a *maybe*  
anywhere. And why blame postfix? the locking for sendmail changed as  
well a few versions back (try and recollect the number of times people  
on this list have been using the wrong locking mechanism for  
sendmail).. something for exim changed as well breaking things for a  
while.

Finally a few words about DJB, if you can code even half as well as  
him then you have all the right to criticize else just shut up and use  
something else. How many pieces of code from the last century work as  
they were documented.. till today???

- dhawal
From glenn.steen at gmail.com  Sun Dec 17 19:41:36 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Dec 17 19:41:43 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <20061218002408.a0qm082jgggg0kc8@mail.netmagicsolutions.com>
References: <20061218002408.a0qm082jgggg0kc8@mail.netmagicsolutions.com>
Message-ID: <223f97700612171141x40ab398fxaeb922e2fdad0a58@mail.gmail.com>

On 17/12/06, Dhawal Doshy <dhawal@netmagicsolutions.com> wrote:
>
> Quoting Glenn Steen <glenn.steen@gmail.com>:
>
> > On 17/12/06, Mike Jakubik <mikej@rogers.com> wrote:
> >> Rob Freeman wrote:
> >>> If any of those problems happen, u have more troubles then MailScanner.
> >>> Personally, it is not MailScanners job to monitor a server for disk space,
> >>> permissions, or any other OS / HW problems.  And if someone is tampering
> >>> with permissions, well one has much more issues then getting mail at that
> >>> point.
> >>>
> >>
> >> I never stated that MS should monitor my system, it should however fail
> >> gracefully and not eat messages.
> > Quite a resonable standpoint. And we're all pretty sure that this is
> > the state of things too;). But we should look, yes.
>
> Time for me to add some facts (of course for my point of view) here,
> since i follow the postfix list very regularly..
>
> Wietse and Viktor from my little interaction with them have no problem
> with any Filtering tool (including mailscanner) as long as it uses one
> of the *documented* interfaces (how is not what i mention here, read
> the thread below for wietse's comment)
>
> The comment on the mailscanner code being sloppy was made by *ahem*
> 'Mark Martinec' of amavisd-new fame.. See this thread:

:-) Missed that pertinent point:-)
> http://groups.google.com/group/list.postfix.users/browse_thread/thread/d919f921151c8cb3/d1ac170a6838855f?lnk=gst&q=mailscanner&rnum=1#d1ac170a6838855f
>
> It is therefore understandable that Mark made this comment (and
> probably rightly so).. however let us look at the larger picture and
> those who can read code, ought to make an effort to 'audit' the code
> for the *so called* sloppiness just to re-assure themselves (and
> probably others).

Exactly.

>
>  From my point of view again, checking for free disk space and other
> such things is *not* mailscanner's job.. as long as it fails
> gracefully and consistently.. there shouldn't be a scope for a *maybe*
> anywhere. And why blame postfix? the locking for sendmail changed as
> well a few versions back (try and recollect the number of times people
> on this list have been using the wrong locking mechanism for
> sendmail).. something for exim changed as well breaking things for a
> while.

Still with you.

>
> Finally a few words about DJB, if you can code even half as well as
> him then you have all the right to criticize else just shut up and use
> something else. How many pieces of code from the last century work as
> they were documented.. till today???

(Playing at being more obtuse than I hopefully am:-):
Where did I criticise him? Nowhere, of course. If I were to do that,
it'd be along the lines of being a bit opinionated (not unlike
Wietse:-)... But they've earned the right to have strong opinions, so
I'm fine with that... :-):-).

The criticism in the PF users list is still mainly founded around the
_perceived_ groping of queue files. This is still where I'd
concentrate my auditing, when I have the time to do it. Notable is
that at least some of the folks are becoming more ... varied in their
approach:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From dhawal at netmagicsolutions.com  Sun Dec 17 20:04:58 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Sun Dec 17 20:05:29 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <223f97700612171141x40ab398fxaeb922e2fdad0a58@mail.gmail.com>
References: <20061218002408.a0qm082jgggg0kc8@mail.netmagicsolutions.com>
	<223f97700612171141x40ab398fxaeb922e2fdad0a58@mail.gmail.com>
Message-ID: <20061218013458.evfbrzzpc0ogk48s@mail.netmagicsolutions.com>


Quoting Glenn Steen <glenn.steen@gmail.com>:

> On 17/12/06, Dhawal Doshy <dhawal@netmagicsolutions.com> wrote:
>>
>> Quoting Glenn Steen <glenn.steen@gmail.com>:
>>
>>> On 17/12/06, Mike Jakubik <mikej@rogers.com> wrote:
>>>> Rob Freeman wrote:
>>>>> If any of those problems happen, u have more troubles then MailScanner.
>>>>> Personally, it is not MailScanners job to monitor a server for
>> disk space,
>>>>> permissions, or any other OS / HW problems.  And if someone is tampering
>>>>> with permissions, well one has much more issues then getting mail at that
>>>>> point.
>>>>>
>>>>
>>>> I never stated that MS should monitor my system, it should however fail
>>>> gracefully and not eat messages.
>>> Quite a resonable standpoint. And we're all pretty sure that this is
>>> the state of things too;). But we should look, yes.
>>
>> Time for me to add some facts (of course for my point of view) here,
>> since i follow the postfix list very regularly..
>>
>> Wietse and Viktor from my little interaction with them have no problem
>> with any Filtering tool (including mailscanner) as long as it uses one
>> of the *documented* interfaces (how is not what i mention here, read
>> the thread below for wietse's comment)
>>
>> The comment on the mailscanner code being sloppy was made by *ahem*
>> 'Mark Martinec' of amavisd-new fame.. See this thread:
>
> :-) Missed that pertinent point:-)
>> http://groups.google.com/group/list.postfix.users/browse_thread/thread/d919f921151c8cb3/d1ac170a6838855f?lnk=gst&q=mailscanner&rnum=1#d1ac170a6838855f
>>
>> It is therefore understandable that Mark made this comment (and
>> probably rightly so).. however let us look at the larger picture and
>> those who can read code, ought to make an effort to 'audit' the code
>> for the *so called* sloppiness just to re-assure themselves (and
>> probably others).
>
> Exactly.
>
>>
>> From my point of view again, checking for free disk space and other
>> such things is *not* mailscanner's job.. as long as it fails
>> gracefully and consistently.. there shouldn't be a scope for a *maybe*
>> anywhere. And why blame postfix? the locking for sendmail changed as
>> well a few versions back (try and recollect the number of times people
>> on this list have been using the wrong locking mechanism for
>> sendmail).. something for exim changed as well breaking things for a
>> while.
>
> Still with you.
>
>>
>> Finally a few words about DJB, if you can code even half as well as
>> him then you have all the right to criticize else just shut up and use
>> something else. How many pieces of code from the last century work as
>> they were documented.. till today???
>
> (Playing at being more obtuse than I hopefully am:-):
> Where did I criticise him? Nowhere, of course. If I were to do that,
> it'd be along the lines of being a bit opinionated (not unlike
> Wietse:-)... But they've earned the right to have strong opinions, so
> I'm fine with that... :-):-).

Ah come on Glenn, by 'you' i meant 'one'.. my reply wasn't to you but  
to the thread.

> The criticism in the PF users list is still mainly founded around the
> _perceived_ groping of queue files. This is still where I'd
> concentrate my auditing, when I have the time to do it. Notable is
> that at least some of the folks are becoming more ... varied in their
> approach:-).

exactly.. now if only i could read code as well as i can rant ;-) btw  
check http://archives.neohapsis.com/archives/postfix/2004-01/3562.html  
(looks quite neat.. eh?)

- dhawal
From glenn.steen at gmail.com  Sun Dec 17 21:30:13 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Dec 17 21:30:51 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <20061218013458.evfbrzzpc0ogk48s@mail.netmagicsolutions.com>
References: <20061218002408.a0qm082jgggg0kc8@mail.netmagicsolutions.com>
	<223f97700612171141x40ab398fxaeb922e2fdad0a58@mail.gmail.com>
	<20061218013458.evfbrzzpc0ogk48s@mail.netmagicsolutions.com>
Message-ID: <223f97700612171330y730206deo8e384a7afe34ff2e@mail.gmail.com>

On 17/12/06, Dhawal Doshy <dhawal@netmagicsolutions.com> wrote:
>
> Quoting Glenn Steen <glenn.steen@gmail.com>:
>
> > On 17/12/06, Dhawal Doshy <dhawal@netmagicsolutions.com> wrote:
> >>
> >> Quoting Glenn Steen <glenn.steen@gmail.com>:
> >>
> >>> On 17/12/06, Mike Jakubik <mikej@rogers.com> wrote:
> >>>> Rob Freeman wrote:
> >>>>> If any of those problems happen, u have more troubles then MailScanner.
> >>>>> Personally, it is not MailScanners job to monitor a server for
> >> disk space,
> >>>>> permissions, or any other OS / HW problems.  And if someone is tampering
> >>>>> with permissions, well one has much more issues then getting mail at that
> >>>>> point.
> >>>>>
> >>>>
> >>>> I never stated that MS should monitor my system, it should however fail
> >>>> gracefully and not eat messages.
> >>> Quite a resonable standpoint. And we're all pretty sure that this is
> >>> the state of things too;). But we should look, yes.
> >>
> >> Time for me to add some facts (of course for my point of view) here,
> >> since i follow the postfix list very regularly..
> >>
> >> Wietse and Viktor from my little interaction with them have no problem
> >> with any Filtering tool (including mailscanner) as long as it uses one
> >> of the *documented* interfaces (how is not what i mention here, read
> >> the thread below for wietse's comment)
> >>
> >> The comment on the mailscanner code being sloppy was made by *ahem*
> >> 'Mark Martinec' of amavisd-new fame.. See this thread:
> >
> > :-) Missed that pertinent point:-)
> >> http://groups.google.com/group/list.postfix.users/browse_thread/thread/d919f921151c8cb3/d1ac170a6838855f?lnk=gst&q=mailscanner&rnum=1#d1ac170a6838855f
> >>
> >> It is therefore understandable that Mark made this comment (and
> >> probably rightly so).. however let us look at the larger picture and
> >> those who can read code, ought to make an effort to 'audit' the code
> >> for the *so called* sloppiness just to re-assure themselves (and
> >> probably others).
> >
> > Exactly.
> >
> >>
> >> From my point of view again, checking for free disk space and other
> >> such things is *not* mailscanner's job.. as long as it fails
> >> gracefully and consistently.. there shouldn't be a scope for a *maybe*
> >> anywhere. And why blame postfix? the locking for sendmail changed as
> >> well a few versions back (try and recollect the number of times people
> >> on this list have been using the wrong locking mechanism for
> >> sendmail).. something for exim changed as well breaking things for a
> >> while.
> >
> > Still with you.
> >
> >>
> >> Finally a few words about DJB, if you can code even half as well as
> >> him then you have all the right to criticize else just shut up and use
> >> something else. How many pieces of code from the last century work as
> >> they were documented.. till today???
> >
> > (Playing at being more obtuse than I hopefully am:-):
> > Where did I criticise him? Nowhere, of course. If I were to do that,
> > it'd be along the lines of being a bit opinionated (not unlike
> > Wietse:-)... But they've earned the right to have strong opinions, so
> > I'm fine with that... :-):-).
>
> Ah come on Glenn, by 'you' i meant 'one'.. my reply wasn't to you but
> to the thread.

I know, just pulling your chain a bit;-)

> > The criticism in the PF users list is still mainly founded around the
> > _perceived_ groping of queue files. This is still where I'd
> > concentrate my auditing, when I have the time to do it. Notable is
> > that at least some of the folks are becoming more ... varied in their
> > approach:-).
>
> exactly.. now if only i could read code as well as i can rant ;-) btw
> check http://archives.neohapsis.com/archives/postfix/2004-01/3562.html
> (looks quite neat.. eh?)

Yep. A clever way to both have the cake and eat it, no doubt.
It's also a bit funny to see that we're percieved as taking this
"personally" whereas we're always having the feeling its the entirely
other way around:-). Oh well.

In another life we'll have more time and sharper/faster code-reading eyes;).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From res at ausics.net  Sun Dec 17 23:55:04 2006
From: res at ausics.net (Res)
Date: Sun Dec 17 23:55:13 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <223f97700612170750g2ffda3d3n5b067dafd260f3dc@mail.gmail.com>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<45842E7E.3050508@pacific.net> <45844A14.7050508@ecs.soton.ac.uk>
	<45846099.3070209@rogers.com> <458469B4.5090606@mail.wvnet.edu>
	<Pine.LNX.4.64.0612170754410.12660@ebfjryy.nhfvpf.arg>
	<223f97700612170750g2ffda3d3n5b067dafd260f3dc@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.0612180949130.25870@ebfjryy.nhfvpf.arg>

On Sun, 17 Dec 2006, Glenn Steen wrote:

> This is most certainly true, yes. Wietse, Victor etc have decided to
> hate MailScanner for a slew of reasons that reality doesn't support

I have not cared to investigate this, but maybe Wietse has an interest in 
or was going to program an identical to MS, and is pissed MS works so
well.  Cetianly would explain his sour puss attitude towards it :)


>> On this note I'd like to wish all of you a Merry Christmas, and we can
>> 
> Early holiday, Eh Res? A bit early, but ... Likewise, likewise...:-).

Yes, I have big project to kick off in January so I'm well resting myself 
now hehe


> And there should be some singing too... Why not an Ode to MailScanner,

Oh trust me you don't want me to sing :D but then again after a bottle 
or so of JD I dont think it would really matter coz I prolly wont remember ;)



-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From res at ausics.net  Mon Dec 18 00:10:51 2006
From: res at ausics.net (Res)
Date: Mon Dec 18 00:10:58 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <20061218002408.a0qm082jgggg0kc8@mail.netmagicsolutions.com>
References: <20061218002408.a0qm082jgggg0kc8@mail.netmagicsolutions.com>
Message-ID: <Pine.LNX.4.64.0612181000470.25870@ebfjryy.nhfvpf.arg>

On Mon, 18 Dec 2006, Dhawal Doshy wrote:

>
> Time for me to add some facts (of course for my point of view) here, since i 
> follow the postfix list very regularly..
>
> Wietse and Viktor from my little interaction with them have no problem with 
> any Filtering tool (including mailscanner) as long as it uses one of the

This contradicts what I have read in several forums over the past couple 
years, but you are entitled to your opinion on the state of things.


> Finally a few words about DJB, if you can code even half as well as him then 
> you have all the right to criticize else just shut up and use something else.

I probably could, just look at a default qmail, no not netqmail but qmail
that is the most poorly written peice of mail software I have ever used, 
it is also no longer maintained by Bernstien, nor has it been for years, 
christ, you can't even compile it on modern systems without searching for 
patches or error code and some other tripe, it is in effect abandenware

It does have its place today courtesy of the hundreds of others who wrote 
patches to MAKE qmail usable today, like checking backscatter with its 
VDs, such a critical thing in this day and age, so many qmail servers dont 
run any form of check user patch, and wonder why there is tens and tens 
of thousands of messages in the queue and why they end up in spamcop and 
sorbs for sending to traps.

From sandrews at andrewscompanies.com  Mon Dec 18 02:44:53 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Mon Dec 18 02:44:57 2006
Subject: Sloppy error checking in MS code
Message-ID: <1964AAFBC212F742958F9275BF63DBB0429B84@winchester.andrewscompanies.com>

So what if the system runs out of resources?  It'll crash.  Oh my god,
run around in circles, the sky is falling!  What kind of crappy admin
lets his boxes run out of resources?

I hate fanboys that can't see the forest through the trees. 

Steve

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard
Lynch
Sent: Saturday, December 16, 2006 4:49 PM
To: MailScanner discussion
Subject: Re: Sloppy error checking in MS code

Mike Jakubik wrote:
> Julian Field wrote:
>> Ken,
>> Thanks for backing me up. Yes, I don't check the return value of 
>> every single call I make, but show me a programmer who does? (No 
>> doubt someone will at this point). The most common point that is made

>> is "what if the system runs out of space" at this point, and all 
>> sorts of things will be failing at this time, there isn't any need to

>> create more errors at this point, they just create noise. Yes, I 
>> quite happily admit I don't check the result from everything I do.
>> But if you want a practical piece of software that runs at a 
>> reasonable speed.
>>   
>
> How much of a performance impact does a check for the return value of 
> a system call produce? I believe what distinguishes good software from

> bad is how the software handles errors. What you are saying seems to 
> contradict, as Matt Kettler stated that identical functions have error

> checking in the sendmail code, but not in postfix. No, i don't check 
> to see if there is a floor when i wake up, but the chances of an I/O 
> function failing because someone tampered with the directory/changed 
> permissions/disk run out of space/some other OS/HW problem are MUCH 
> greater than my floor disappearing. While i have not experienced any 
> problems myself (AFAIK), it would at least shut up the postfix 
> users/MS haters.
>
I doubt anything would quiet them. 

Axiom: If one is looking for fault one will find it. 
Corollary: You will find whatever you are looking for.

It's not necessary to check every possible failure just the important
ones or the ones you want to handle.  The question becomes "Does MS
check enough of them?".  I don't know the code so I can't say.  I can,
however, say this.

1) MS protects over 1 billion messages a day (from the web page).
2) We use it to process approx 2 million messages a day.
3) We have had little to no problems with MS.

For us the answer to the question is, yes, MS checks enough of them,

~rich

-- 




From sandrews at andrewscompanies.com  Mon Dec 18 02:54:25 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Mon Dec 18 02:54:28 2006
Subject: Sloppy error checking in MS code
Message-ID: <1964AAFBC212F742958F9275BF63DBB0431C04@winchester.andrewscompanies.com>

This is patently false.  The overhead, as you're measuring as "almost
non-existent", may be small on a single operation; but when you scale it
to many messages it will add up.

Nonetheless...

Here's the deal.  Rewrite the postfix code yourself.  If you find it
acceptable and peer review says you've checked everything, some postfix
user or two will thank you for it.  MS is not some sort of granite
monument that's going to stand for all to see for a billion years; it's
a piece of functional software that adds enormous value to the standard
spamassassin rig and we all ought to be forced to bow to Julian a half
dozen times a day for the sheer privlilege of using it, ny...just
looking at it from a distance, let alone using it to make all our lives
happier.

Questioning Julian...we should all be ashamed of ourselves... <wags
finger>

Steve

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike
Jakubik
Sent: Saturday, December 16, 2006 6:14 PM
To: MailScanner discussion
Subject: Re: Sloppy error checking in MS code

Res wrote:
> On Sat, 16 Dec 2006, Mike Jakubik wrote:
>
>> system call produce? I believe what distinguishes good software from 
>> bad is how the software handles errors. What you are saying seems to 
>> contradict, as
>
> If I have to evaluate two pieces of software, doing the exact same
thing.
> One that checks for every single error code (as is apparently so 
> important to you and the postfix crybabies, and lets not forget Venema

> has always had somthing against MS) and takes 5 minutes to process a 
> batch of 50 msgs, and one that checks for the only really needed calls

> that does a batch of 50 in 5 seconds, the latter wins hands down.
>
>

The overhead of checking the errorlevel a function returns is almost
non-existent, and indeed some functions are checked properly in the
sendmail code, but not the in postfix code, why?
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 


From sandrews at andrewscompanies.com  Mon Dec 18 02:55:53 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Mon Dec 18 02:55:55 2006
Subject: Sloppy error checking in MS code
Message-ID: <1964AAFBC212F742958F9275BF63DBB0429B86@winchester.andrewscompanies.com>

Let Julian try an remove the PF code and watch them really cry and
seethe.... ;) 

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
Sent: Saturday, December 16, 2006 7:52 PM
To: MailScanner discussion
Subject: Re: Sloppy error checking in MS code

On Sun, 17 Dec 2006, Pete Russell wrote:

>
> Its funny, seem that only the users on the postfix list experience 
> problems, or theorise about them. I have been using postfix and MS for

> 4+ years and i have never experienced any problems, except that 
> postfix cant split the multi recipient inbound message into individual

> queue files. But that's a postfix problem...


Prolly more FUD from Venema to try convince PF users to not use MS.

Weitse is just like Dan Berstien infamous of qmail in his ways, well
actually, no he's worse, as I've never seen or heard from any qmail
fanbois that Daniel recommends they do not MS.


--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 


From res at ausics.net  Mon Dec 18 07:07:18 2006
From: res at ausics.net (Res)
Date: Mon Dec 18 07:07:32 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0429B86@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0429B86@winchester.andrewscompanies.com>
Message-ID: <Pine.LNX.4.64.0612181704570.26947@ebfjryy.nhfvpf.arg>

On Sun, 17 Dec 2006, sandrews@andrewscompanies.com wrote:

> Let Julian try an remove the PF code and watch them really cry and
> seethe.... ;)

hehehe yeah :) Its simple, if it doesnt do what you like, don't use it, 
the other countless thousands of us will continue to use it.


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From martinh at solidstatelogic.com  Mon Dec 18 09:50:21 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Mon Dec 18 09:50:52 2006
Subject: Not blocking spam?
In-Reply-To: <db11198bd2cba2b9d14ee1dd155064b7@localhost>
References: <em06v3$hg7$1@sea.gmane.org>
	<db11198bd2cba2b9d14ee1dd155064b7@localhost>
Message-ID: <4586645D.5070903@solidstatelogic.com>

jdavis wrote:
> It's set to yes.
> 
> Since running through spamassassin manually works, I am assuming I've hosed up a setting in my mailscanner.conf  If looked and looked (probably too much) and cannot seem to find anything.
> 
> On Sat, 16 Dec 2006 02:24:18 -0500, Ugo Bellavance <ugob@camo-route.com> wrote:
>> Jeff Davis wrote:
>>> Just got MailScanner installed, but does not seem to be tagging anything
>>> as spam.
>>>
>>> Where should I start checking first?  spammassassin < {sample file}
>>> seems to work correctly, but mail sent from outside (GTUBE) flies right
>>> through.
>>>
>>> Thanks,
>>>
>>> -Jeff
>>>
>> MailScanner.conf, a setting called 'Use SpamAssassin'
>>
>> http://wiki.mailscanner.info/doku.php?id=maq:index
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
> --
> Jefferson K Davis
> Technology & Information Systems Manager
> Standard School District
> 1200 North Chester Ave
> Bakersfield, CA  93308
> USA
> 661.392.2110 ext 120
> 

you can debug this will the "MailScanner --debug --debug-sa --lint" so 
see what's happening

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From bbecken at aafp.org  Mon Dec 18 15:23:01 2006
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Mon Dec 18 15:23:23 2006
Subject: Feature request
Message-ID: <45865DF4.D87E.0068.3@aafp.org>

Can we have "MailScanner --lint" verify that the version of
MailScanner.conf matches the running version of the executable
"/usr/sbin/MailScanner"?   

This will at least warn someone (me in this case) if they forgot to
upgrade the configuration files.

thanks

From Richard.Frovarp at sendit.nodak.edu  Mon Dec 18 16:33:54 2006
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Mon Dec 18 16:33:58 2006
Subject: IPV6 Support
Message-ID: <4586C2F2.2060002@sendit.nodak.edu>

I am going to start testing MailScanner, SpamAssassin, ClamAV, and 
Sendmail on IPV6. Anyone have any hints or tips about configuring 
everything to support IPV6?

Thanks,

Richard
From martinh at solidstatelogic.com  Mon Dec 18 16:47:52 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Mon Dec 18 16:48:21 2006
Subject: IPV6 Support
In-Reply-To: <4586C2F2.2060002@sendit.nodak.edu>
References: <4586C2F2.2060002@sendit.nodak.edu>
Message-ID: <4586C638.8020108@solidstatelogic.com>

Richard Frovarp wrote:
> I am going to start testing MailScanner, SpamAssassin, ClamAV, and 
> Sendmail on IPV6. Anyone have any hints or tips about configuring 
> everything to support IPV6?
> 
> Thanks,
> 
> Richard
Richard

the main developer os MS runs IPV6 on his own networks so there 
'shouldnt' be any issues

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From naolson at gmail.com  Mon Dec 18 16:49:24 2006
From: naolson at gmail.com (Nathan Olson)
Date: Mon Dec 18 16:49:29 2006
Subject: IPV6 Support
In-Reply-To: <4586C2F2.2060002@sendit.nodak.edu>
References: <4586C2F2.2060002@sendit.nodak.edu>
Message-ID: <8f54b4330612180849h22fc0d63oa8f69db56bbf2373@mail.gmail.com>

Those sendit folks are so old-fashioned.
We've already deployed IPV7.

*in-joke*,
Nate
From danc at bluestarshows.com  Mon Dec 18 16:46:56 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Mon Dec 18 16:51:01 2006
Subject: allowing attachment filelname
Message-ID: <00ac01c722c4$2149fd60$0200000a@danc3>

Ok I have a certain filename I want to let through.
I added a rule to my filename.rules.conf.
A followed the instructions 
NOTE: Fields are separated by TAB characters --- Important!
I've checked my mailscanner.conf and its set to:
Filename Rules = %etc-dir%/filename.rules.conf
Why is the attachment still being quarantined?
Im using ClamAV and F-Prot
From ecasarero at gmail.com  Mon Dec 18 17:08:38 2006
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Mon Dec 18 17:08:49 2006
Subject: OT: rcpt to: verification
Message-ID: <7d9b3cf20612180908m4221ed88p2f89db69ad7beaac@mail.gmail.com>

Hi, i'm running MS 4.55.10, sendmail 8.13.7 milter-ahead. I check emails
with MS for several domains with diferents destination.

Does anyone know how to do rcpt verification (milter does it great) but
using destination servers that doesn't check rcpt? (ex exchange 5.5). Some
way to load the real address somewhere and then milter can check it? or
there is another product or scripts or something?


Please any help appreciated.

Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061218/9ea1d6cd/attachment.html
From samp at arial-concept.com  Mon Dec 18 17:17:16 2006
From: samp at arial-concept.com (Sam Przyswa)
Date: Mon Dec 18 17:17:42 2006
Subject: Bayes learn problem
Message-ID: <4586CD1C.90609@arial-concept.com>

Hi,

I have a problem with Spamassassin and Bayes the command "sa-learn -p 
/etc/MailScanner/spam.assassin.pref --dump magic" give me:

0.000          0          3          0  non-token data: bayes db version
0.000          0      37411          0  non-token data: nspam
0.000          0      82399          0  non-token data: nham
0.000          0     142717          0  non-token data: ntokens
0.000          0 1163567938          0  non-token data: oldest atime
0.000          0 1166315229          0  non-token data: newest atime
0.000          0 1163774133          0  non-token data: last journal 
sync atime
0.000          0 1163774206          0  non-token data: last expiry atime
0.000          0     234789          0  non-token data: last expire 
atime delta
0.000          0          0          0  non-token data: last expire 
reduction count

Then after found more than 180 spam mails in my inbox with Thunderbird I 
put these mail in a learn directory and run the command "sa-learn -p 
/etc/MailScanner/spam.assassin.pref --spam <learn directory>" I got:

Learned tokens from 106 message(s) (188 message(s) examined)

And then the command "sa-learn -p /etc/MailScanner/spam.assassin.pref 
--dump magic" give me:

0.000          0          3          0  non-token data: bayes db version
0.000          0      37411          0  non-token data: nspam
0.000          0      82401          0  non-token data: nham
0.000          0     142717          0  non-token data: ntokens
0.000          0 1163567938          0  non-token data: oldest atime
0.000          0 1166315229          0  non-token data: newest atime
0.000          0 1163774133          0  non-token data: last journal 
sync atime
0.000          0 1163774206          0  non-token data: last expiry atime
0.000          0     234789          0  non-token data: last expire 
atime delta
0.000          0          0          0  non-token data: last expire 
reduction count

No new spam or tokens added ?

Today SA found 1511 spam mails but about 180 are not deterted.

When I test a learned spam message with the command "spamassassin -p 
/etc/MailScanner/spam.assassin.pref -D < learned_spam_message' I got :

...
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
        neuilly.neuilly.geismar.com
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=5.0 tests=AWL,BAYES_50
        autolearn=unavailable version=3.1.0
...

 From the header checked mail, the score is only 1.2 for a learned spam 
mail !?

What's wrong ?

Sam.


-- 
Ce message a ?t? v?rifi? par MailScanner
pour des virus ou des polluriels et rien de
suspect n'a ?t? trouv?.

From Richard.Frovarp at sendit.nodak.edu  Mon Dec 18 17:44:41 2006
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Mon Dec 18 17:44:46 2006
Subject: ORDB.org is shutting down
Message-ID: <4586D389.7000704@sendit.nodak.edu>

Saw this on the SA list:

See: http://www.ordb.org/news/?id=38

DNS is being turned off today. It would seem that ORDB is in the default 
list for MailScanner to lookup for the Spam List. That is bound to cause 
some timeouts for those that have that feature enabled. Grepping through 
my SA files I don't see any reference to it there.

Richard

From jdavis at standard.k12.ca.us  Mon Dec 18 17:47:18 2006
From: jdavis at standard.k12.ca.us (Jeff Davis)
Date: Mon Dec 18 17:47:30 2006
Subject: Not blocking spam?
In-Reply-To: <4586645D.5070903@solidstatelogic.com>
References: <em06v3$hg7$1@sea.gmane.org>	<db11198bd2cba2b9d14ee1dd155064b7@localhost>
	<4586645D.5070903@solidstatelogic.com>
Message-ID: <4586D426.5030504@standard.k12.ca.us>

Thanks,

What should I be looking for?

So far this is what I've gotten:

Read 759 hostnames from the phishing whitelist
MailScanner setting GID to  (89)
MailScanner setting UID to  (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database

But I'm not seeing any new headers in my email, and nothing is being 
tagged as spam or otherwise...

-Jeff

Martin Hepworth wrote:
> jdavis wrote:
>> It's set to yes.
>>
>> Since running through spamassassin manually works, I am assuming I've 
>> hosed up a setting in my mailscanner.conf  If looked and looked 
>> (probably too much) and cannot seem to find anything.
>>
>> On Sat, 16 Dec 2006 02:24:18 -0500, Ugo Bellavance 
>> <ugob@camo-route.com> wrote:
>>> Jeff Davis wrote:
>>>> Just got MailScanner installed, but does not seem to be tagging 
>>>> anything
>>>> as spam.
>>>>
>>>> Where should I start checking first?  spammassassin < {sample file}
>>>> seems to work correctly, but mail sent from outside (GTUBE) flies 
>>>> right
>>>> through.
>>>>
>>>> Thanks,
>>>>
>>>> -Jeff
>>>>
>>> MailScanner.conf, a setting called 'Use SpamAssassin'
>>>
>>> http://wiki.mailscanner.info/doku.php?id=maq:index
>>>
>>> -- 
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>> -- 
>> Jefferson K Davis
>> Technology & Information Systems Manager
>> Standard School District
>> 1200 North Chester Ave
>> Bakersfield, CA  93308
>> USA
>> 661.392.2110 ext 120
>>
>
> you can debug this will the "MailScanner --debug --debug-sa --lint" so 
> see what's happening
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jdavis.vcf
Type: text/x-vcard
Size: 341 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061218/4a7d1fc0/jdavis.vcf
From jaearick at colby.edu  Mon Dec 18 17:55:02 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Mon Dec 18 17:55:15 2006
Subject: ORDB.org is shutting down
In-Reply-To: <4586D389.7000704@sendit.nodak.edu>
References: <4586D389.7000704@sendit.nodak.edu>
Message-ID: <Pine.GSO.4.64.0612181253570.1098@feldspar>

Thanks for the heads up.  I had it in my Mailscanner.conf file in
"Spam List =".  Others might check there too.  Now yanked out.

Jeff Earickson
Colby College

On Mon, 18 Dec 2006, Richard Frovarp wrote:

> Date: Mon, 18 Dec 2006 11:44:41 -0600
> From: Richard Frovarp <Richard.Frovarp@sendit.nodak.edu>
> Reply-To: MailScanner discussion <mailscanner@lists.mailscanner.info>
> To: mailscanner@lists.mailscanner.info
> Subject: ORDB.org is shutting down
> 
> Saw this on the SA list:
>
> See: http://www.ordb.org/news/?id=38
>
> DNS is being turned off today. It would seem that ORDB is in the default list 
> for MailScanner to lookup for the Spam List. That is bound to cause some 
> timeouts for those that have that feature enabled. Grepping through my SA 
> files I don't see any reference to it there.
>
> Richard
>
> -- 
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
From jstevens at athensdistributing.com  Mon Dec 18 17:56:42 2006
From: jstevens at athensdistributing.com (James R. Stevens)
Date: Mon Dec 18 17:56:51 2006
Subject: ORDB.org is shutting down
Message-ID: <1A65E6BAEADF9B4F865314484A13ECF16087A7@atlas.athensdistributing.com>

Thanks for the heads-up on this. 

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard
Frovarp
Sent: Monday, December 18, 2006 11:45 AM
To: mailscanner@lists.mailscanner.info
Subject: ORDB.org is shutting down

Saw this on the SA list:

See: http://www.ordb.org/news/?id=38

DNS is being turned off today. It would seem that ORDB is in the default
list for MailScanner to lookup for the Spam List. That is bound to cause
some timeouts for those that have that feature enabled. Grepping through
my SA files I don't see any reference to it there.

Richard

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

--
This message has been scanned for viruses and dangerous content by
Athens Hyperion Scanner, and is believed to be clean.


-- 
This message has been scanned for viruses and
dangerous content by Athens Hyperion Scanner, and is
believed to be clean.

From jdavis at standard.k12.ca.us  Mon Dec 18 18:06:15 2006
From: jdavis at standard.k12.ca.us (Jeff Davis)
Date: Mon Dec 18 18:06:25 2006
Subject: Not blocking spam?
In-Reply-To: <4586645D.5070903@solidstatelogic.com>
References: <em06v3$hg7$1@sea.gmane.org>	<db11198bd2cba2b9d14ee1dd155064b7@localhost>
	<4586645D.5070903@solidstatelogic.com>
Message-ID: <4586D897.9090709@standard.k12.ca.us>

More info:  I wasn't patient enough...


Read 759 hostnames from the phishing whitelist
MailScanner setting GID to  (89)
MailScanner setting UID to  (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = flock
MailScanner.conf says "Virus Scanners = sophos"
Found these virus scanners installed: clamav, sophossavi


Martin Hepworth wrote:
> jdavis wrote:
>> It's set to yes.
>>
>> Since running through spamassassin manually works, I am assuming I've 
>> hosed up a setting in my mailscanner.conf  If looked and looked 
>> (probably too much) and cannot seem to find anything.
>>
>> On Sat, 16 Dec 2006 02:24:18 -0500, Ugo Bellavance 
>> <ugob@camo-route.com> wrote:
>>> Jeff Davis wrote:
>>>> Just got MailScanner installed, but does not seem to be tagging 
>>>> anything
>>>> as spam.
>>>>
>>>> Where should I start checking first?  spammassassin < {sample file}
>>>> seems to work correctly, but mail sent from outside (GTUBE) flies 
>>>> right
>>>> through.
>>>>
>>>> Thanks,
>>>>
>>>> -Jeff
>>>>
>>> MailScanner.conf, a setting called 'Use SpamAssassin'
>>>
>>> http://wiki.mailscanner.info/doku.php?id=maq:index
>>>
>>> -- 
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>> -- 
>> Jefferson K Davis
>> Technology & Information Systems Manager
>> Standard School District
>> 1200 North Chester Ave
>> Bakersfield, CA  93308
>> USA
>> 661.392.2110 ext 120
>>
>
> you can debug this will the "MailScanner --debug --debug-sa --lint" so 
> see what's happening
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jdavis.vcf
Type: text/x-vcard
Size: 341 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061218/b8d5fcc0/jdavis.vcf
From taz at taz-mania.com  Mon Dec 18 18:19:04 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Mon Dec 18 18:19:08 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <Pine.LNX.4.64.0612181704570.26947@ebfjryy.nhfvpf.arg>
Message-ID: <web-8932987@namesystems.net>

I think this is a bit out of hand...

I was a software architect for a very large company doing enterprise 
level projects for many years. I have done a very brief overview of 
some of the MS code and found that, no it doesn't check every possible 
return. What it does check I believe is enough to ensure that mail is 
not dropped.

Thre are basically 5 things that can happen when an error occurs:
1. The error is 'worked around' by the software and recovered from and 
processing continues normally.
2. The mail is passed through to the user unprocessed allowing Spam 
through as well.
3. mail is bounced notifiying the sender that it was not delivered
4. mail builds up in the incoming queue not being picked up by MS
5. mail dropped and lost forever.

I believe that only number 5 is totally unacceptable and I believe 
that Juilan has done enough error checking to be sure that doesn't 
happen.

Can we move on now????

From glenn.steen at gmail.com  Mon Dec 18 18:54:42 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec 18 18:54:46 2006
Subject: allowing attachment filelname
In-Reply-To: <00ac01c722c4$2149fd60$0200000a@danc3>
References: <00ac01c722c4$2149fd60$0200000a@danc3>
Message-ID: <223f97700612181054o5358398dmc70ff5dbc5eb5189@mail.gmail.com>

On 18/12/06, Dan Carl <danc@bluestarshows.com> wrote:
> Ok I have a certain filename I want to let through.
> I added a rule to my filename.rules.conf.
> A followed the instructions
> NOTE: Fields are separated by TAB characters --- Important!
> I've checked my mailscanner.conf and its set to:
> Filename Rules = %etc-dir%/filename.rules.conf
> Why is the attachment still being quarantined?
> Im using ClamAV and F-Prot
Well, why is it quarantined? Look in the logs... Should tell you well enough...
One could guess that perhaps it is blocked by filetype? Or by an AV
scanner? Or perhaps you forgot to restart MailScanner?
Without better/more info than the above, we can't really be more
specific, sorry.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From sandrews at andrewscompanies.com  Mon Dec 18 18:56:10 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Mon Dec 18 18:56:13 2006
Subject: ORDB.org is shutting down
Message-ID: <1964AAFBC212F742958F9275BF63DBB0429B9E@winchester.andrewscompanies.com>

Any suggestions on what I should have for "Spam Lists ="? 

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of James
R. Stevens
Sent: Monday, December 18, 2006 12:57 PM
To: MailScanner discussion
Subject: RE: ORDB.org is shutting down

Thanks for the heads-up on this. 

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard
Frovarp
Sent: Monday, December 18, 2006 11:45 AM
To: mailscanner@lists.mailscanner.info
Subject: ORDB.org is shutting down

Saw this on the SA list:

See: http://www.ordb.org/news/?id=38

DNS is being turned off today. It would seem that ORDB is in the default
list for MailScanner to lookup for the Spam List. That is bound to cause
some timeouts for those that have that feature enabled. Grepping through
my SA files I don't see any reference to it there.

Richard

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

--
This message has been scanned for viruses and dangerous content by
Athens Hyperion Scanner, and is believed to be clean.


--
This message has been scanned for viruses and dangerous content by
Athens Hyperion Scanner, and is believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 


From glenn.steen at gmail.com  Mon Dec 18 19:06:07 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec 18 19:06:22 2006
Subject: Not blocking spam?
In-Reply-To: <4586D426.5030504@standard.k12.ca.us>
References: <em06v3$hg7$1@sea.gmane.org>
	<db11198bd2cba2b9d14ee1dd155064b7@localhost>
	<4586645D.5070903@solidstatelogic.com>
	<4586D426.5030504@standard.k12.ca.us>
Message-ID: <223f97700612181106h71e59354gf957f286636d2c85@mail.gmail.com>

On 18/12/06, Jeff Davis <jdavis@standard.k12.ca.us> wrote:
> Thanks,
>
> What should I be looking for?
>
> So far this is what I've gotten:
>
> Read 759 hostnames from the phishing whitelist
> MailScanner setting GID to  (89)
> MailScanner setting UID to  (89)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
>
> But I'm not seeing any new headers in my email, and nothing is being
> tagged as spam or otherwise...
>
> -Jeff
>
Lets try that again... I assume the 89.89 UID.GID is postfix.postfix?
Have you checked that you have a correctly set HOLD thing? Else
MailScanner will never see anything at all...:). When you send a
testmessage through, does any lines in your log reflect that
MailScanner is processing messages (Found X messages etc etc)?

As you can gather, I'm thinking something really basic is wrong here;-)
Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ryan at marinocrane.com  Mon Dec 18 19:03:03 2006
From: ryan at marinocrane.com (Ryan Pitt)
Date: Mon Dec 18 19:07:25 2006
Subject: ORDB.org is shutting down
In-Reply-To: <1A65E6BAEADF9B4F865314484A13ECF16087A7@atlas.athensdistributing.com>
References: <1A65E6BAEADF9B4F865314484A13ECF16087A7@atlas.athensdistributing.com>
Message-ID: <4586E5E7.3010000@marinocrane.com>

As a matter of interest, what else is everyone using for RBLs?
When I take out ORDB-RBL I will be left with SBL+XBL
Thanks
Ryan

James R. Stevens wrote:
> Thanks for the heads-up on this. 
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard
> Frovarp
> Sent: Monday, December 18, 2006 11:45 AM
> To: mailscanner@lists.mailscanner.info
> Subject: ORDB.org is shutting down
>
> Saw this on the SA list:
>
> See: http://www.ordb.org/news/?id=38
>
> DNS is being turned off today. It would seem that ORDB is in the default
> list for MailScanner to lookup for the Spam List. That is bound to cause
> some timeouts for those that have that feature enabled. Grepping through
> my SA files I don't see any reference to it there.
>
> Richard
From Denis.Beauchemin at USherbrooke.ca  Mon Dec 18 19:14:32 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Dec 18 19:18:31 2006
Subject: allowing attachment filelname
In-Reply-To: <00ac01c722c4$2149fd60$0200000a@danc3>
References: <00ac01c722c4$2149fd60$0200000a@danc3>
Message-ID: <4586E898.5030201@USherbrooke.ca>

Dan Carl a ?crit :
> Ok I have a certain filename I want to let through.
> I added a rule to my filename.rules.conf.
> A followed the instructions 
> NOTE: Fields are separated by TAB characters --- Important!
> I've checked my mailscanner.conf and its set to:
> Filename Rules = %etc-dir%/filename.rules.conf
> Why is the attachment still being quarantined?
> Im using ClamAV and F-Prot
>   
Dan,

Are you sure it's not filetype.rules.conf that blocks your attachment?  
What does the message say?

Denis

-- 
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Universit? de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061218/2b4bc15f/smime.bin
From gordon at itnt.co.za  Mon Dec 18 19:18:25 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Mon Dec 18 19:18:42 2006
Subject: Oversized.zip issues
Message-ID: <03e101c722d9$4ad921a0$0d02a8c0@Gordon>

ITNT Banner CampaignOversized.zip problem with clamavmodule 0.88.7

Anyone know how to sort this problem out.  I see references to the problem 
in the lists but no resolution.

Regards
Gordon Colyn
InTheNet Technologies
www.itnt.co.za
MSN: gordoncolyn@hotmail.com
SKYPE: gordoncolyn
086 123 ITNT (4868)
086 682 5204 (Fax)
+27 (0)83 296 7534
Confidentiality: This e-mail including any attachments is intended for the 
above named addressee(s) only and contains confidential information. If you 
have received this email in error you must take no action based on its 
contents, nor must you reproduce or show the e-mail or any attachments or 
any part thereof or communicate the contents to anyone; please reply to the 
sender of this e-mail informing them of the error.
Viruses: We recommend that in keeping with good computing practice the 
recipient should ensure that e-mails received are virus free before opening. 

From jaearick at colby.edu  Mon Dec 18 19:41:00 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Mon Dec 18 19:41:16 2006
Subject: ORDB.org is shutting down
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0429B9E@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0429B9E@winchester.andrewscompanies.com>
Message-ID: <Pine.GSO.4.64.0612181440280.1098@feldspar>

I am using:

Spam List = SORBS-DNSBL NJABL

I used spamhaus.org (xbl+sbl) at the MTA level.

Jeff Earickson
Colby College

On Mon, 18 Dec 2006, sandrews@andrewscompanies.com wrote:

> Date: Mon, 18 Dec 2006 13:56:10 -0500
> From: sandrews@andrewscompanies.com
> Reply-To: MailScanner discussion <mailscanner@lists.mailscanner.info>
> To: mailscanner@lists.mailscanner.info
> Subject: RE: ORDB.org is shutting down
> 
> Any suggestions on what I should have for "Spam Lists ="?
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of James
> R. Stevens
> Sent: Monday, December 18, 2006 12:57 PM
> To: MailScanner discussion
> Subject: RE: ORDB.org is shutting down
>
> Thanks for the heads-up on this.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard
> Frovarp
> Sent: Monday, December 18, 2006 11:45 AM
> To: mailscanner@lists.mailscanner.info
> Subject: ORDB.org is shutting down
>
> Saw this on the SA list:
>
> See: http://www.ordb.org/news/?id=38
>
> DNS is being turned off today. It would seem that ORDB is in the default
> list for MailScanner to lookup for the Spam List. That is bound to cause
> some timeouts for those that have that feature enabled. Grepping through
> my SA files I don't see any reference to it there.
>
> Richard
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and dangerous content by
> Athens Hyperion Scanner, and is believed to be clean.
>
>
> --
> This message has been scanned for viruses and dangerous content by
> Athens Hyperion Scanner, and is believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
> -- 
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
From danc at bluestarshows.com  Mon Dec 18 19:41:28 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Mon Dec 18 19:45:33 2006
Subject: allowing attachment filelname
References: <00ac01c722c4$2149fd60$0200000a@danc3>
	<223f97700612181054o5358398dmc70ff5dbc5eb5189@mail.gmail.com>
Message-ID: <012601c722dc$82edcac0$0200000a@danc3>

----- Original Message ----- 
From: "Glenn Steen" <glenn.steen@gmail.com>
To: "MailScanner discussion" <mailscanner@lists.mailscanner.info>
Sent: Monday, December 18, 2006 12:54 PM
Subject: Re: allowing attachment filelname


> On 18/12/06, Dan Carl <danc@bluestarshows.com> wrote:
> > Ok I have a certain filename I want to let through.
> > I added a rule to my filename.rules.conf.
> > A followed the instructions
> > NOTE: Fields are separated by TAB characters --- Important!
> > I've checked my mailscanner.conf and its set to:
> > Filename Rules = %etc-dir%/filename.rules.conf
> > Why is the attachment still being quarantined?
> > Im using ClamAV and F-Prot
> Well, why is it quarantined? Look in the logs... Should tell you well
enough...
> One could guess that perhaps it is blocked by filetype? Or by an AV
At Mon Dec 18 10:30:14 2006 the virus scanner said:
   ClamAV Module: BACKUP.qpb was infected: Encrypted.Zip

> scanner? Or perhaps you forgot to restart MailScanner?
Yes restarted
> Without better/more info than the above, we can't really be more
Here's the line I added to filename.rules.conf
> specific, sorry.
>
> -- 
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> -- 
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From michele at blacknight.ie  Mon Dec 18 20:00:41 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon Dec 18 20:00:47 2006
Subject: ORDB.org is shutting down
In-Reply-To: <4586E5E7.3010000@marinocrane.com>
References: <1A65E6BAEADF9B4F865314484A13ECF16087A7@atlas.athensdistributing.com>
	<4586E5E7.3010000@marinocrane.com>
Message-ID: <4586F369.3030801@blacknight.ie>

Ryan Pitt wrote:
> As a matter of interest, what else is everyone using for RBLs?
> When I take out ORDB-RBL I will be left with SBL+XBL
> Thanks
> Ryan

XBL

SBL gives too many issues to be used by us for outright blocking ..........

-- 
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Fax. +353 (0) 59  9164239
From michele at blacknight.ie  Mon Dec 18 20:01:11 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon Dec 18 20:01:18 2006
Subject: ORDB.org is shutting down
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0429B9E@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0429B9E@winchester.andrewscompanies.com>
Message-ID: <4586F387.6080706@blacknight.ie>

sandrews@andrewscompanies.com wrote:
> Any suggestions on what I should have for "Spam Lists ="? 

There's nothing to stop you leaving it blank :)


> 


-- 
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Fax. +353 (0) 59  9164239
From daniel.maher at ubisoft.com  Mon Dec 18 20:20:03 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Mon Dec 18 20:20:07 2006
Subject: ORDB.org is shutting down
In-Reply-To: <4586E5E7.3010000@marinocrane.com>
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203E6B020@UBIMAIL1.ubisoft.org>

SBL+XBL spamcop.net SORBS-DNSBL

Perhaps?

--
  _
 ?v?  Daniel Maher
/(_)\ Administrateur Syst?me Unix
 ^ ^  Unix System Administrator
 
SMASH '5' FOR VICTORY!
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Ryan Pitt
> Sent: December 18, 2006 2:03 PM
> To: MailScanner discussion
> Subject: Re: ORDB.org is shutting down
> 
> As a matter of interest, what else is everyone using for RBLs?
> When I take out ORDB-RBL I will be left with SBL+XBL
> Thanks
> Ryan
> 
> James R. Stevens wrote:
> > Thanks for the heads-up on this.
> >
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard
> > Frovarp
> > Sent: Monday, December 18, 2006 11:45 AM
> > To: mailscanner@lists.mailscanner.info
> > Subject: ORDB.org is shutting down
> >
> > Saw this on the SA list:
> >
> > See: http://www.ordb.org/news/?id=38
> >
> > DNS is being turned off today. It would seem that ORDB is in the default
> > list for MailScanner to lookup for the Spam List. That is bound to cause
> > some timeouts for those that have that feature enabled. Grepping through
> > my SA files I don't see any reference to it there.
> >
> > Richard
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website!
From ecasarero at gmail.com  Mon Dec 18 20:31:35 2006
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Mon Dec 18 20:31:43 2006
Subject: Oversized.zip issues
In-Reply-To: <03e101c722d9$4ad921a0$0d02a8c0@Gordon>
References: <03e101c722d9$4ad921a0$0d02a8c0@Gordon>
Message-ID: <7d9b3cf20612181231j384b5833q8a8482aea35c65c9@mail.gmail.com>

some told me that it was an issue with libclamav, you should build again
clamav from source. and it will work.

regards,

2006/12/18, Gordon Colyn <gordon@itnt.co.za>:
>
> ITNT Banner CampaignOversized.zip problem with clamavmodule 0.88.7
>
> Anyone know how to sort this problem out.  I see references to the problem
> in the lists but no resolution.
>
> Regards
> Gordon Colyn
> InTheNet Technologies
> www.itnt.co.za
> MSN: gordoncolyn@hotmail.com
> SKYPE: gordoncolyn
> 086 123 ITNT (4868)
> 086 682 5204 (Fax)
> +27 (0)83 296 7534
> Confidentiality: This e-mail including any attachments is intended for the
> above named addressee(s) only and contains confidential information. If
> you
> have received this email in error you must take no action based on its
> contents, nor must you reproduce or show the e-mail or any attachments or
> any part thereof or communicate the contents to anyone; please reply to
> the
> sender of this e-mail informing them of the error.
> Viruses: We recommend that in keeping with good computing practice the
> recipient should ensure that e-mails received are virus free before
> opening.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061218/4d585b94/attachment.html
From drew at technologytiger.net  Mon Dec 18 20:39:06 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Mon Dec 18 20:39:17 2006
Subject: Oversized.zip issues
In-Reply-To: <03e101c722d9$4ad921a0$0d02a8c0@Gordon>
References: <03e101c722d9$4ad921a0$0d02a8c0@Gordon>
Message-ID: <929965EB-2C02-4D39-8DAB-39A3F25916CC@technologytiger.net>

On 18 Dec 2006, at 19:18, Gordon Colyn wrote:

> ITNT Banner CampaignOversized.zip problem with clamavmodule 0.88.7
>
> Anyone know how to sort this problem out.  I see references to the  
> problem
> in the lists but no resolution.

Yes, you missed it today. Rebuild your ClamAV Perl module as it needs  
to be re-complied against the new ClamAV libraries.

I did that about 5 hours ago and fixed the problem.

Drew
From dhawal at netmagicsolutions.com  Mon Dec 18 20:57:28 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Mon Dec 18 20:57:54 2006
Subject: Oversized.zip issues
In-Reply-To: <03e101c722d9$4ad921a0$0d02a8c0@Gordon>
References: <03e101c722d9$4ad921a0$0d02a8c0@Gordon>
Message-ID: <20061219022728.zcnvisiwo0k8kwkc@mail.netmagicsolutions.com>


Quoting Gordon Colyn <gordon@itnt.co.za>:

> ITNT Banner CampaignOversized.zip problem with clamavmodule 0.88.7
>
> Anyone know how to sort this problem out.  I see references to the problem
> in the lists but no resolution.

Force a re-install of the Perl ClamAV Module..

# perl -MCPAN -eshell
cpan> force install Mail::ClamAV

- dhawal
From campbell at cnpapers.com  Mon Dec 18 20:58:49 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Mon Dec 18 20:59:26 2006
Subject: OT - ORDB SA confirmation, please?
Message-ID: <009c01c722e7$513c8920$0705000a@ddf5dw71>

OT - Sorry folks.

Since ORDB is shutting down, I checked my SpamAssassin rules for any 
references to relays.ordb.org, etc. and found none, so can I assume that I 
have no rules that score in SA that references ORDB? I don't use MS for 
these type of things.

Thanks.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers 


From glenn.steen at gmail.com  Mon Dec 18 21:00:12 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec 18 21:00:16 2006
Subject: allowing attachment filelname
In-Reply-To: <012601c722dc$82edcac0$0200000a@danc3>
References: <00ac01c722c4$2149fd60$0200000a@danc3>
	<223f97700612181054o5358398dmc70ff5dbc5eb5189@mail.gmail.com>
	<012601c722dc$82edcac0$0200000a@danc3>
Message-ID: <223f97700612181300y4efe4272q2609db7e5dff673a@mail.gmail.com>

On 18/12/06, Dan Carl <danc@bluestarshows.com> wrote:
> ----- Original Message -----
> From: "Glenn Steen" <glenn.steen@gmail.com>
> To: "MailScanner discussion" <mailscanner@lists.mailscanner.info>
> Sent: Monday, December 18, 2006 12:54 PM
> Subject: Re: allowing attachment filelname
>
>
> > On 18/12/06, Dan Carl <danc@bluestarshows.com> wrote:
> > > Ok I have a certain filename I want to let through.
> > > I added a rule to my filename.rules.conf.
> > > A followed the instructions
> > > NOTE: Fields are separated by TAB characters --- Important!
> > > I've checked my mailscanner.conf and its set to:
> > > Filename Rules = %etc-dir%/filename.rules.conf
> > > Why is the attachment still being quarantined?
> > > Im using ClamAV and F-Prot
> > Well, why is it quarantined? Look in the logs... Should tell you well
> enough...
> > One could guess that perhaps it is blocked by filetype? Or by an AV
> At Mon Dec 18 10:30:14 2006 the virus scanner said:
>    ClamAV Module: BACKUP.qpb was infected: Encrypted.Zip

Aha, so it's really clamav (or rather clamavmodule:-) that is triggering.
You'll have to make it accept that filename (in clamscan,
clamavmodule), or not let clam block password encrypted archives
(might be a tad too forgiving:) or just plain stop
encrypting/passwd-protecting the zipfile ... or something similar that
fits your bill:-).

Haven't checked this, but what happens if you set "Allow Password
Protected Archives = yes" (or a ruleset to that effect)? There're some
settings for ClamavModule too that might effect how this plays out ...
Perhaps do a limit of recursion? I'm not sure if that will work...
Look at http://www.mailscanner.info/MailScanner.conf.index.html#ClamAVmodule%20Maximum%20Recursion%20Level
...

If you use clamscan, you could edit the wrapper and set/unset things
there ... I suppose:-)-

> > scanner? Or perhaps you forgot to restart MailScanner?
> Yes restarted
> > Without better/more info than the above, we can't really be more
> Here's the line I added to filename.rules.conf
Didn't reach us/me, but no matter... As you can see already... this
isn't a filename problem.

> > specific, sorry.
> >


-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Mon Dec 18 21:02:47 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec 18 21:02:55 2006
Subject: ORDB.org is shutting down
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D203E6B020@UBIMAIL1.ubisoft.org>
References: <4586E5E7.3010000@marinocrane.com>
	<1E293D3FF63A3740B10AD5AAD88535D203E6B020@UBIMAIL1.ubisoft.org>
Message-ID: <223f97700612181302i7995e7eenc8b855b15469843e@mail.gmail.com>

On 18/12/06, Daniel Maher <daniel.maher@ubisoft.com> wrote:
> SBL+XBL spamcop.net SORBS-DNSBL
>
> Perhaps?
>
For policy reasons I only have SBL+XBL now... none in the MTA and the
rest in SA. Works good for me/my setup/rules...:)

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ssilva at sgvwater.com  Mon Dec 18 21:03:03 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Dec 18 21:04:29 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <Pine.LNX.4.64.0612162350350.10428@ebfjryy.nhfvpf.arg>
References: <4582E1AC.6020208@rogers.com>
	<458331E9.4060703@evi-inc.com>	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<Pine.LNX.4.64.0612162350350.10428@ebfjryy.nhfvpf.arg>
Message-ID: <em6vm7$qhn$1@sea.gmane.org>

Res spake the following on 12/16/2006 5:54 AM:
> On Sat, 16 Dec 2006, Glenn Steen wrote:
> 
>> stickler for sane error checking/handling. But I can't shake the
>> feeling this is motly just more of the usual FUD from the postfix
>> devel camp.
> 
>> From my recollection (which is 11.50pm sat'day night amber fluid
>> cloudied) 
> the weitse patsies have always thumbed their nose at mailscanner, why
> Jules bothers with them so much I'll never know, he should treat those
> lamers with the same contempt as most of hold qmails bernstein in.
> 
> 
Wietse can be a real prima donna over his code, but postfix is very good
software. I think Julian works with their "attitudes" because of that. Might
explain why he never embraced Qmail.


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From glenn.steen at gmail.com  Mon Dec 18 21:16:24 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec 18 21:16:27 2006
Subject: allowing attachment filelname
In-Reply-To: <223f97700612181300y4efe4272q2609db7e5dff673a@mail.gmail.com>
References: <00ac01c722c4$2149fd60$0200000a@danc3>
	<223f97700612181054o5358398dmc70ff5dbc5eb5189@mail.gmail.com>
	<012601c722dc$82edcac0$0200000a@danc3>
	<223f97700612181300y4efe4272q2609db7e5dff673a@mail.gmail.com>
Message-ID: <223f97700612181316q59d21513t6a0da32e0ae88c20@mail.gmail.com>

On 18/12/06, Glenn Steen <glenn.steen@gmail.com> wrote:
> On 18/12/06, Dan Carl <danc@bluestarshows.com> wrote:
> > ----- Original Message -----
> > From: "Glenn Steen" <glenn.steen@gmail.com>
> > To: "MailScanner discussion" <mailscanner@lists.mailscanner.info>
> > Sent: Monday, December 18, 2006 12:54 PM
> > Subject: Re: allowing attachment filelname
> >
> >
> > > On 18/12/06, Dan Carl <danc@bluestarshows.com> wrote:
> > > > Ok I have a certain filename I want to let through.
> > > > I added a rule to my filename.rules.conf.
> > > > A followed the instructions
> > > > NOTE: Fields are separated by TAB characters --- Important!
> > > > I've checked my mailscanner.conf and its set to:
> > > > Filename Rules = %etc-dir%/filename.rules.conf
> > > > Why is the attachment still being quarantined?
> > > > Im using ClamAV and F-Prot
> > > Well, why is it quarantined? Look in the logs... Should tell you well
> > enough...
> > > One could guess that perhaps it is blocked by filetype? Or by an AV
> > At Mon Dec 18 10:30:14 2006 the virus scanner said:
> >    ClamAV Module: BACKUP.qpb was infected: Encrypted.Zip
>
> Aha, so it's really clamav (or rather clamavmodule:-) that is triggering.
> You'll have to make it accept that filename (in clamscan,
> clamavmodule), or not let clam block password encrypted archives
> (might be a tad too forgiving:) or just plain stop
> encrypting/passwd-protecting the zipfile ... or something similar that
> fits your bill:-).
>
> Haven't checked this, but what happens if you set "Allow Password
> Protected Archives = yes" (or a ruleset to that effect)? There're some
> settings for ClamavModule too that might effect how this plays out ...
> Perhaps do a limit of recursion? I'm not sure if that will work...
> Look at http://www.mailscanner.info/MailScanner.conf.index.html#ClamAVmodule%20Maximum%20Recursion%20Level
> ...
>
> If you use clamscan, you could edit the wrapper and set/unset things
> there ... I suppose:-)-
>
> > > scanner? Or perhaps you forgot to restart MailScanner?
> > Yes restarted
> > > Without better/more info than the above, we can't really be more
> > Here's the line I added to filename.rules.conf
> Didn't reach us/me, but no matter... As you can see already... this
> isn't a filename problem.
>
> > > specific, sorry.
> > >
If you upgraded ClamAV resently you might need rebuild Clamav-module
... If this is it, thank Drew:-)

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ssilva at sgvwater.com  Mon Dec 18 21:16:53 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Dec 18 21:17:36 2006
Subject: Not blocking spam?
In-Reply-To: <458342CD.9090909@standard.k12.ca.us>
References: <458342CD.9090909@standard.k12.ca.us>
Message-ID: <em70g3$qhn$2@sea.gmane.org>

Jeff Davis spake the following on 12/15/2006 4:50 PM:
> Just got MailScanner installed, but does not seem to be tagging anything
> as spam.
> 
> Where should I start checking first?  spammassassin < {sample file}
> seems to work correctly, but mail sent from outside (GTUBE) flies right
> through.
> 
> Thanks,
> 
> -Jeff
> 
Did you make sure to stop the sendmail process?
chkconfig sendmail off
service sendmail stop
(on a redhat type system)


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com  Mon Dec 18 21:20:33 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Dec 18 21:25:45 2006
Subject: 4.58.1-1 && Happy Christmas!
In-Reply-To: <45842F18.3090800@ecs.soton.ac.uk>
References: <45842F18.3090800@ecs.soton.ac.uk>
Message-ID: <em70mv$qhn$3@sea.gmane.org>

Julian Field spake the following on 12/16/2006 9:38 AM:
> I have just released the first beta of 4.58 which I intend to evolve
> into a stable release of 4.58.
> 
> Please report problems directly to me, as I still don't have the time to
> read the mailing list, for which I am most apologetic and annoyed.
> 
> My day-job has been really busy over the past few months, and shows no
> signs of slacking off for the time-being. But I will make it a New
> Year's Resolution to read the mailing list, and try my hardest to
> recover to the level of support I used to be able to offer. I can only
> offer my apologies for my lack of support over the past few months, I
> have just been so busy I haven't had time to breathe. Sorry :-(
> 
> I will try to hardest to fit in MailScanner support next year, but I
> can't make any guarantees, I've got a year-long programming job to do.
> The aim is to effectively automate the whole process of exam marks to
> degree grades, and so do away with some very long exam-board meetings.
> It's a huge job, and I am the only person in the department who can be
> trusted to do the whole job well and reliably. It's one of the
> consequences of having a certain reputation.  :-)
> 
> You are at the top of my New Year's Resolutions, I promise!
> 
> Jules
> 
We as list members have been trying to take some of the load off by helping
with the lesser issues.
I hope you can at least get a small break for the holidays!
Merry Christmas from your loyal users!
And a happy New Year!!

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From daniel.maher at ubisoft.com  Mon Dec 18 21:26:39 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Mon Dec 18 21:26:43 2006
Subject: prevent virus scanning?
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203E6B145@UBIMAIL1.ubisoft.org>

Hello all,

 

Is it possible, via MailScanner, to not virus-scan emails from a particular, well-defined source?

 

Thanks!

 

--

  _
 ?v?  Daniel Maher
/(_)\ Administrateur Syst?me Unix
 ^ ^  Unix System Administrator

 

SMASH '5' FOR VICTORY!

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061218/ba2e8484/attachment.html
From mkettler at evi-inc.com  Mon Dec 18 21:34:41 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Dec 18 21:34:54 2006
Subject: OT - ORDB SA confirmation, please?
In-Reply-To: <009c01c722e7$513c8920$0705000a@ddf5dw71>
References: <009c01c722e7$513c8920$0705000a@ddf5dw71>
Message-ID: <45870971.3060303@evi-inc.com>

Steve Campbell wrote:
> OT - Sorry folks.
> 
> Since ORDB is shutting down, I checked my SpamAssassin rules for any
> references to relays.ordb.org, etc. and found none, so can I assume that
> I have no rules that score in SA that references ORDB? I don't use MS
> for these type of things.

Actual built-in support for querying ORDB was removed in SA version 2.60. So if
your version of SA is 2.60 or newer, it doesn't by default use ORDB. (Of course,
someone could have always added an add-on rule that does so, but your grep
should have found it.)

That said, there is some ordb "residue", that you might find in your greps, but
it is not harmful and won't cause queries.

Alternate-language descriptions of the rules continued to exist for all of the
2.6x series, but were irrelevant and harmless. These were removed in 3.0.0 when
--lint started complaining about descriptions for nonexistent rules.

Some of the test-data samples used to test the parser during "make test" still
(at least up to 3.1.5) contain samples that were generated with old versions of
SA that supported ordb. However, this is only used to test SA's ability to rip
out various SA markup formats, so it doesn't matter. FWIW, the file containing a
reference to ordb is t/data/spam/003 under the tarball's root.



From arturs at netvision.net.il  Mon Dec 18 21:29:42 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Mon Dec 18 21:49:53 2006
Subject: ORDB.org is shutting down
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D203E6B020@UBIMAIL1.ubisoft.org>
Message-ID: <013c01c722eb$a6f8f160$3701a8c0@lapxp>

> SBL+XBL spamcop.net SORBS-DNSBL


There are some issues with SPAMCOP which led to it removal from my system a
couple weeks ago.
The BL was blocking the Spamassassin mailer...


Best,

--
Arthur Sherman

+972-52-4878851
CPTeam  

From glenn.steen at gmail.com  Mon Dec 18 22:32:10 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec 18 22:32:14 2006
Subject: Not blocking spam?
In-Reply-To: <em70g3$qhn$2@sea.gmane.org>
References: <458342CD.9090909@standard.k12.ca.us> <em70g3$qhn$2@sea.gmane.org>
Message-ID: <223f97700612181432u3b164446ne2259dd319909034@mail.gmail.com>

On 18/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> Jeff Davis spake the following on 12/15/2006 4:50 PM:
> > Just got MailScanner installed, but does not seem to be tagging anything
> > as spam.
> >
> > Where should I start checking first?  spammassassin < {sample file}
> > seems to work correctly, but mail sent from outside (GTUBE) flies right
> > through.
> >
> > Thanks,
> >
> > -Jeff
> >
> Did you make sure to stop the sendmail process?
> chkconfig sendmail off
> service sendmail stop
> (on a redhat type system)
>
Good instincts Scott, but I'm pretty certain Jeff's running postfix...:)

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Mon Dec 18 22:34:10 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec 18 22:34:14 2006
Subject: 4.58.1-1 && Happy Christmas!
In-Reply-To: <em70mv$qhn$3@sea.gmane.org>
References: <45842F18.3090800@ecs.soton.ac.uk> <em70mv$qhn$3@sea.gmane.org>
Message-ID: <223f97700612181434o1a566e9ch3dcd113946a057ca@mail.gmail.com>

On 18/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> Julian Field spake the following on 12/16/2006 9:38 AM:
> > I have just released the first beta of 4.58 which I intend to evolve
> > into a stable release of 4.58.
> >
> > Please report problems directly to me, as I still don't have the time to
> > read the mailing list, for which I am most apologetic and annoyed.
> >
> > My day-job has been really busy over the past few months, and shows no
> > signs of slacking off for the time-being. But I will make it a New
> > Year's Resolution to read the mailing list, and try my hardest to
> > recover to the level of support I used to be able to offer. I can only
> > offer my apologies for my lack of support over the past few months, I
> > have just been so busy I haven't had time to breathe. Sorry :-(
> >
> > I will try to hardest to fit in MailScanner support next year, but I
> > can't make any guarantees, I've got a year-long programming job to do.
> > The aim is to effectively automate the whole process of exam marks to
> > degree grades, and so do away with some very long exam-board meetings.
> > It's a huge job, and I am the only person in the department who can be
> > trusted to do the whole job well and reliably. It's one of the
> > consequences of having a certain reputation.  :-)
> >
> > You are at the top of my New Year's Resolutions, I promise!
> >
> > Jules
> >
> We as list members have been trying to take some of the load off by helping
> with the lesser issues.
> I hope you can at least get a small break for the holidays!
> Merry Christmas from your loyal users!
> And a happy New Year!!
>
> --
>
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
Hear Hear!

While you're at it, don't forget to order some nice pickled herring
and a bottle of Julsnaps (Harrods should have everything on
stock....:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Mon Dec 18 22:37:05 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec 18 22:37:08 2006
Subject: prevent virus scanning?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D203E6B145@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D203E6B145@UBIMAIL1.ubisoft.org>
Message-ID: <223f97700612181437i74e7c437w105a13e4de1642b6@mail.gmail.com>

On 18/12/06, Daniel Maher <daniel.maher@ubisoft.com> wrote:
>
>
>
>
> Hello all,
>
>
>
> Is it possible, via MailScanner, to not virus-scan emails from a particular,
> well-defined source?
>
>
>
> Thanks!
>
Yes. Depending on what you need "avoid" the list of settings to have a
ruleset for might differ a bit.
Start looking at
http://www.mailscanner.info/MailScanner.conf.index.html#Scan%20Messages
and so on...:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From res at ausics.net  Mon Dec 18 23:07:22 2006
From: res at ausics.net (Res)
Date: Mon Dec 18 23:07:31 2006
Subject: ORDB.org is shutting down
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D203E6B020@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D203E6B020@UBIMAIL1.ubisoft.org>
Message-ID: <Pine.LNX.4.64.0612190906180.27901@ebfjryy.nhfvpf.arg>

On Mon, 18 Dec 2006, Daniel Maher wrote:

> SBL+XBL spamcop.net SORBS-DNSBL

agreed, I use all three, but I use them at MTA, makes a hell of a 
difference of workhorse servers


>
> Perhaps?
>
> --
>  _
> ?v?  Daniel Maher
> /(_)\ Administrateur Syst?me Unix
> ^ ^  Unix System Administrator
>
> SMASH '5' FOR VICTORY!
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Ryan Pitt
>> Sent: December 18, 2006 2:03 PM
>> To: MailScanner discussion
>> Subject: Re: ORDB.org is shutting down
>>
>> As a matter of interest, what else is everyone using for RBLs?
>> When I take out ORDB-RBL I will be left with SBL+XBL
>> Thanks
>> Ryan
>>
>> James R. Stevens wrote:
>>> Thanks for the heads-up on this.
>>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info
>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard
>>> Frovarp
>>> Sent: Monday, December 18, 2006 11:45 AM
>>> To: mailscanner@lists.mailscanner.info
>>> Subject: ORDB.org is shutting down
>>>
>>> Saw this on the SA list:
>>>
>>> See: http://www.ordb.org/news/?id=38
>>>
>>> DNS is being turned off today. It would seem that ORDB is in the default
>>> list for MailScanner to lookup for the Spam List. That is bound to cause
>>> some timeouts for those that have that feature enabled. Grepping through
>>> my SA files I don't see any reference to it there.
>>>
>>> Richard
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>

-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd

From TGFurnish at herffjones.com  Mon Dec 18 23:04:29 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Mon Dec 18 23:10:40 2006
Subject: OT: spammers get long vacations?
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC5CE@inex3.herffjones.hj-int>

Sorry, this is very trivial and OT, but I'm just curious...

Anyone else keeping track of their overall mail stats and noting a
dramatic decrease in overall inbound mail?  Our inbound flow has dropped
from about 65k messages per day to 35k messages per day in the past
several days.  Probably some of it's the weekend, but over mail levels
haven't been that low in quite a while.
 
--
Trever Furnish, tgfurnish at herffjones d0t com
Herff Jones, Inc. Unix / Network Administrator
Phone: 317.612.3519
Any sufficiently advanced technology is indistinguishable from Unix.
From res at ausics.net  Mon Dec 18 23:15:40 2006
From: res at ausics.net (Res)
Date: Mon Dec 18 23:15:47 2006
Subject: ORDB.org is shutting down
In-Reply-To: <223f97700612181302i7995e7eenc8b855b15469843e@mail.gmail.com>
References: <4586E5E7.3010000@marinocrane.com>
	<1E293D3FF63A3740B10AD5AAD88535D203E6B020@UBIMAIL1.ubisoft.org>
	<223f97700612181302i7995e7eenc8b855b15469843e@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.0612190908070.27901@ebfjryy.nhfvpf.arg>

On Mon, 18 Dec 2006, Glenn Steen wrote:

> On 18/12/06, Daniel Maher <daniel.maher@ubisoft.com> wrote:
>> SBL+XBL spamcop.net SORBS-DNSBL
>> 
>> Perhaps?
>> 
> For policy reasons I only have SBL+XBL now... none in the MTA and the
> rest in SA. Works good for me/my setup/rules...:)

Must suck to have people decide what you can and cant by policy, 
you need to get on the policy making board :)

Luckily for me I get the final say here. I create all security policies 
and they have to live with it :) I however do believe in being upfront 
with everyone, so long as you advise prospective clients the actions you
take or reserve the right to take and don't hide anything, you have 
nothing to worry about.


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From danc at bluestarshows.com  Mon Dec 18 23:12:41 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Mon Dec 18 23:17:13 2006
Subject: allowing attachment filelname
References: <00ac01c722c4$2149fd60$0200000a@danc3><223f97700612181054o5358398dmc70ff5dbc5eb5189@mail.gmail.com><012601c722dc$82edcac0$0200000a@danc3>
	<223f97700612181300y4efe4272q2609db7e5dff673a@mail.gmail.com>
Message-ID: <011001c722fa$04c55c80$0200000a@danc3>


----- Original Message ----- 
From: "Glenn Steen" <glenn.steen@gmail.com>
To: "MailScanner discussion" <mailscanner@lists.mailscanner.info>
Sent: Monday, December 18, 2006 3:00 PM
Subject: Re: allowing attachment filelname


> On 18/12/06, Dan Carl <danc@bluestarshows.com> wrote:
> > ----- Original Message -----
> > From: "Glenn Steen" <glenn.steen@gmail.com>
> > To: "MailScanner discussion" <mailscanner@lists.mailscanner.info>
> > Sent: Monday, December 18, 2006 12:54 PM
> > Subject: Re: allowing attachment filelname
> >
> >
> > > On 18/12/06, Dan Carl <danc@bluestarshows.com> wrote:
> > > > Ok I have a certain filename I want to let through.
> > > > I added a rule to my filename.rules.conf.
> > > > A followed the instructions
> > > > NOTE: Fields are separated by TAB characters --- Important!
> > > > I've checked my mailscanner.conf and its set to:
> > > > Filename Rules = %etc-dir%/filename.rules.conf
> > > > Why is the attachment still being quarantined?
> > > > Im using ClamAV and F-Prot
> > > Well, why is it quarantined? Look in the logs... Should tell you well
> > enough...
> > > One could guess that perhaps it is blocked by filetype? Or by an AV
> > At Mon Dec 18 10:30:14 2006 the virus scanner said:
> >    ClamAV Module: BACKUP.qpb was infected: Encrypted.Zip
>
> Aha, so it's really clamav (or rather clamavmodule:-) that is triggering.
> You'll have to make it accept that filename (in clamscan,
> clamavmodule), or not let clam block password encrypted archives
> (might be a tad too forgiving:) or just plain stop
> encrypting/passwd-protecting the zipfile ... or something similar that
> fits your bill:-).
>

Its a backup from quick books point of sale.
It is automatically encryted there no way round it.

> Haven't checked this, but what happens if you set "Allow Password
> Protected Archives = yes" (or a ruleset to that effect)? There're some
> settings for ClamavModule too that might effect how this plays out ...
> Perhaps do a limit of recursion? I'm not sure if that will work...
> Look at
http://www.mailscanner.info/MailScanner.conf.index.html#ClamAVmodule%20Maximum%20Recursion%20Level
> ...

Ok setting Allow Password Protected Archives= yes
Allowed the file to come through.
I know I can make a rule set to tighten it up alot more, but I this my only
alternive?
I know could have then use ftp server to send/receive but I'm affraid this
would turn into a support nightmare for me.

Why does adding it to filename.rules.conf have no effect?


>
> If you use clamscan, you could edit the wrapper and set/unset things
> there ... I suppose:-)-
>
> > > scanner? Or perhaps you forgot to restart MailScanner?
> > Yes restarted
> > > Without better/more info than the above, we can't really be more
> > Here's the line I added to filename.rules.conf
> Didn't reach us/me, but no matter... As you can see already... this
> isn't a filename problem.
>
> > > specific, sorry.
> > >
>
>
> -- 
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> -- 
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From res at ausics.net  Mon Dec 18 23:24:40 2006
From: res at ausics.net (Res)
Date: Mon Dec 18 23:24:49 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <em6vm7$qhn$1@sea.gmane.org>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<Pine.LNX.4.64.0612162350350.10428@ebfjryy.nhfvpf.arg>
	<em6vm7$qhn$1@sea.gmane.org>
Message-ID: <Pine.LNX.4.64.0612190916240.27901@ebfjryy.nhfvpf.arg>

On Mon, 18 Dec 2006, Scott Silva wrote:

> Wietse can be a real prima donna over his code, but postfix is very good
> software. I think Julian works with their "attitudes" because of that. Might
> explain why he never embraced Qmail.

Any current MTA is very good software, be it even sendmail or exim, qmail 
has not been supported for years, so I guess it is dying, the only saving 
grace it has, is how easy it is with virtual domains and vpopmail, there 
is not a better or equal solution, the sendmail/postfix +cyrus is still a
pain, and yes I know they tried to incorporate postfix with vpopmail, but
last I heard you still needed to do qmail directory installs, so you might
as well just use qmail so long as it has had the dozen or so decent 
security and performance tightening patches applied that is :)


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From res at ausics.net  Mon Dec 18 23:32:20 2006
From: res at ausics.net (Res)
Date: Mon Dec 18 23:32:31 2006
Subject: OT: spammers get long vacations?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC5CE@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC5CE@inex3.herffjones.hj-int>
Message-ID: <Pine.LNX.4.64.0612190926241.27901@ebfjryy.nhfvpf.arg>

On Mon, 18 Dec 2006, Furnish, Trever G wrote:

> Sorry, this is very trivial and OT, but I'm just curious...
>
> Anyone else keeping track of their overall mail stats and noting a
> dramatic decrease in overall inbound mail?  Our inbound flow has dropped
> from about 65k messages per day to 35k messages per day in the past
> several days.  Probably some of it's the weekend, but over mail levels
> haven't been that low in quite a while.

Even low life moronic privacy invading scum need take a break sometime :)
But yes, it has dropped off here by about 20%


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From jon.bates at summitmotors.com.au  Mon Dec 18 23:48:47 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Mon Dec 18 23:49:02 2006
Subject: OT: Whats the best way to update ClamAV?
Message-ID: <200612182348.kBINmn89004467@summitmotors.com.au>


Hi, I recently changed to the virus scanners option to clamavmodule to
resolve separate issue. 

I'm just wondering if this means that I need to change the way that I update
ClamAV. Do you update ClamAV in the same way if using clamavmodule? I'm not
really clear on the distinction between the two.

Any guidance would be appreciated.

- Jon Bates

From r.berber at computer.org  Tue Dec 19 00:17:23 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Tue Dec 19 00:23:27 2006
Subject: OT: Whats the best way to update ClamAV?
In-Reply-To: <200612182348.kBINmn89004467@summitmotors.com.au>
References: <200612182348.kBINmn89004467@summitmotors.com.au>
Message-ID: <em7b2j$891$1@sea.gmane.org>

Jon Bates wrote:

> Hi, I recently changed to the virus scanners option to clamavmodule to
> resolve separate issue. 
> 
> I'm just wondering if this means that I need to change the way that I update
> ClamAV. Do you update ClamAV in the same way if using clamavmodule? I'm not
> really clear on the distinction between the two.

Almost the same.

As has been pointed out in recent postings (and in ClamAV's list), it is
recommended after updating that you rebuild the perl module.

Using the cpan shell:

cpan> force install Mail::ClamAV

MS's clamavmodule uses Mail:ClamAV which is linked to the clamav library.
Forcing the install you assure that the perl module is linked to the latest
library, the one you updated.
-- 
Ren? Berber

From ssilva at sgvwater.com  Tue Dec 19 00:23:34 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 19 00:27:06 2006
Subject: Not blocking spam?
In-Reply-To: <223f97700612181432u3b164446ne2259dd319909034@mail.gmail.com>
References: <458342CD.9090909@standard.k12.ca.us> <em70g3$qhn$2@sea.gmane.org>
	<223f97700612181432u3b164446ne2259dd319909034@mail.gmail.com>
Message-ID: <em7be4$60n$1@sea.gmane.org>

Glenn Steen spake the following on 12/18/2006 2:32 PM:
> On 18/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>> Jeff Davis spake the following on 12/15/2006 4:50 PM:
>> > Just got MailScanner installed, but does not seem to be tagging
>> anything
>> > as spam.
>> >
>> > Where should I start checking first?  spammassassin < {sample file}
>> > seems to work correctly, but mail sent from outside (GTUBE) flies right
>> > through.
>> >
>> > Thanks,
>> >
>> > -Jeff
>> >
>> Did you make sure to stop the sendmail process?
>> chkconfig sendmail off
>> service sendmail stop
>> (on a redhat type system)
>>
> Good instincts Scott, but I'm pretty certain Jeff's running postfix...:)
> 
Reading the list through GMANE, I don't always look at mail headers to see
where things are coming from. besides, I'm just lurking on the list while home
on vacation. Can't afford a proper holiday so close to christmas, but I have
to take the time or never see it again.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com  Tue Dec 19 00:35:30 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 19 00:42:27 2006
Subject: OT: spammers get long vacations?
In-Reply-To: <Pine.LNX.4.64.0612190926241.27901@ebfjryy.nhfvpf.arg>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC5CE@inex3.herffjones.hj-int>
	<Pine.LNX.4.64.0612190926241.27901@ebfjryy.nhfvpf.arg>
Message-ID: <em7c4g$60n$2@sea.gmane.org>

Res spake the following on 12/18/2006 3:32 PM:
> On Mon, 18 Dec 2006, Furnish, Trever G wrote:
> 
>> Sorry, this is very trivial and OT, but I'm just curious...
>>
>> Anyone else keeping track of their overall mail stats and noting a
>> dramatic decrease in overall inbound mail?  Our inbound flow has dropped
>> from about 65k messages per day to 35k messages per day in the past
>> several days.  Probably some of it's the weekend, but over mail levels
>> haven't been that low in quite a while.
> 
> Even low life moronic privacy invading scum need take a break sometime :)
> But yes, it has dropped off here by about 20%
> 
> 
Just wait until all the PC newbies get their brand-spanking new PC's for
christmas. Then after they are hooked straight to the internet and allowed to
stagnate, we will have another half million spam zombies attacking us.
I can hardly wait!!  ;-D



-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ka at pacific.net  Tue Dec 19 00:57:32 2006
From: ka at pacific.net (Ken A)
Date: Tue Dec 19 00:54:40 2006
Subject: OT: spammers get long vacations?
In-Reply-To: <em7c4g$60n$2@sea.gmane.org>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC5CE@inex3.herffjones.hj-int>	<Pine.LNX.4.64.0612190926241.27901@ebfjryy.nhfvpf.arg>
	<em7c4g$60n$2@sea.gmane.org>
Message-ID: <458738FC.1090202@pacific.net>

You must be missing out on all the hottest new stocks.
FPMC.PK is all the rage at the moment.... ho hum..
Ken A



Scott Silva wrote:
> Res spake the following on 12/18/2006 3:32 PM:
>> On Mon, 18 Dec 2006, Furnish, Trever G wrote:
>>
>>> Sorry, this is very trivial and OT, but I'm just curious...
>>>
>>> Anyone else keeping track of their overall mail stats and noting a
>>> dramatic decrease in overall inbound mail?  Our inbound flow has dropped
>>> from about 65k messages per day to 35k messages per day in the past
>>> several days.  Probably some of it's the weekend, but over mail levels
>>> haven't been that low in quite a while.
>> Even low life moronic privacy invading scum need take a break sometime :)
>> But yes, it has dropped off here by about 20%
>>
>>
> Just wait until all the PC newbies get their brand-spanking new PC's for
> christmas. Then after they are hooked straight to the internet and allowed to
> stagnate, we will have another half million spam zombies attacking us.
> I can hardly wait!!  ;-D
> 
> 
> 
From res at ausics.net  Tue Dec 19 01:06:15 2006
From: res at ausics.net (Res)
Date: Tue Dec 19 01:06:24 2006
Subject: OT: spammers get long vacations?
In-Reply-To: <em7c4g$60n$2@sea.gmane.org>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC5CE@inex3.herffjones.hj-int>
	<Pine.LNX.4.64.0612190926241.27901@ebfjryy.nhfvpf.arg>
	<em7c4g$60n$2@sea.gmane.org>
Message-ID: <Pine.LNX.4.64.0612191059500.512@ebfjryy.nhfvpf.arg>

On Mon, 18 Dec 2006, Scott Silva wrote:

> Just wait until all the PC newbies get their brand-spanking new PC's for
> christmas. Then after they are hooked straight to the internet and allowed to
> stagnate, we will have another half million spam zombies attacking us.
> I can hardly wait!!  ;-D


Ah easy fix...

policy-options {
 	term n00bies {
 		from {
 			source-address-filter 0.0.0.0/0 orlonger;
 	 	}
            	then reject;
       	}
 	term default {
             then accept;
         }
}

how nice and peacfull Christmas will be :P

-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From jon.bates at summitmotors.com.au  Tue Dec 19 04:01:50 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Tue Dec 19 04:02:32 2006
Subject: OT: Whats the best way to update ClamAV?
Message-ID: <200612190402.kBJ41twB013738@summitmotors.com.au>

> > Jon Bates wrote:

> > Hi, I recently changed to the virus scanners option to clamavmodule to
> > resolve separate issue. 
> > 
> > I'm just wondering if this means that I need to change the way that I
update
> > ClamAV. Do you update ClamAV in the same way if using clamavmodule? I'm
not
> > really clear on the distinction between the two.


> Ren? Berber Wrote:

> Almost the same.
> 
> As has been pointed out in recent postings (and in ClamAV's list), it is
> recommended after updating that you rebuild the perl module.
> 
> Using the cpan shell:
> 
> cpan> force install Mail::ClamAV
> 
> MS's clamavmodule uses Mail:ClamAV which is linked to the clamav library.
> Forcing the install you assure that the perl module is linked to the
latest
> library, the one you updated.
> -- 
> Ren? Berber
 
 
Great, thanks for that Ren?! I tried this, and it seemed to work perfectly. 

Thanks for your help.

- Jon Bates

From gordon at itnt.co.za  Tue Dec 19 05:26:14 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Tue Dec 19 05:26:33 2006
Subject: Oversized.zip issues
References: <03e101c722d9$4ad921a0$0d02a8c0@Gordon>
	<20061219022728.zcnvisiwo0k8kwkc@mail.netmagicsolutions.com>
Message-ID: <009101c7232e$3466ab40$0d02a8c0@Gordon>

Thanks, I have now done this.  Do I need to re-install the clamav 0.88.7 
package again?

I still get the oversized.zip problem

Gordon
----- Original Message ----- 
From: "Dhawal Doshy" <dhawal@netmagicsolutions.com>
To: <mailscanner@lists.mailscanner.info>
Sent: Monday, December 18, 2006 10:57 PM
Subject: Re: Oversized.zip issues



Quoting Gordon Colyn <gordon@itnt.co.za>:

> ITNT Banner CampaignOversized.zip problem with clamavmodule 0.88.7
>
> Anyone know how to sort this problem out.  I see references to the problem
> in the lists but no resolution.

Force a re-install of the Perl ClamAV Module..

# perl -MCPAN -eshell
cpan> force install Mail::ClamAV

- dhawal
-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From gordon at itnt.co.za  Tue Dec 19 05:35:59 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Tue Dec 19 05:36:16 2006
Subject: Oversized.zip issues
References: <03e101c722d9$4ad921a0$0d02a8c0@Gordon><20061219022728.zcnvisiwo0k8kwkc@mail.netmagicsolutions.com>
	<009101c7232e$3466ab40$0d02a8c0@Gordon>
Message-ID: <015c01c7232f$9076fa60$0d02a8c0@Gordon>

ok, don't worry.  Restarted MaiLScanner and all is fine!

Thanks for your help.

Gordon
----- Original Message ----- 
From: "Gordon Colyn" <gordon@itnt.co.za>
To: "MailScanner discussion" <mailscanner@lists.mailscanner.info>
Sent: Tuesday, December 19, 2006 7:26 AM
Subject: Re: Oversized.zip issues


Thanks, I have now done this.  Do I need to re-install the clamav 0.88.7
package again?

I still get the oversized.zip problem

Gordon
----- Original Message ----- 
From: "Dhawal Doshy" <dhawal@netmagicsolutions.com>
To: <mailscanner@lists.mailscanner.info>
Sent: Monday, December 18, 2006 10:57 PM
Subject: Re: Oversized.zip issues



Quoting Gordon Colyn <gordon@itnt.co.za>:

> ITNT Banner CampaignOversized.zip problem with clamavmodule 0.88.7
>
> Anyone know how to sort this problem out.  I see references to the problem
> in the lists but no resolution.

Force a re-install of the Perl ClamAV Module..

# perl -MCPAN -eshell
cpan> force install Mail::ClamAV

- dhawal
-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From campbell at cnpapers.com  Tue Dec 19 07:14:02 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Dec 19 07:14:47 2006
Subject: OT - ORDB SA confirmation, please?
In-Reply-To: <45870971.3060303@evi-inc.com>
References: <009c01c722e7$513c8920$0705000a@ddf5dw71>
	<45870971.3060303@evi-inc.com>
Message-ID: <1166512442.4587913a2e7bc@perdition.cnpapers.net>

Quoting Matt Kettler <mkettler@evi-inc.com>:

> Steve Campbell wrote:
> > OT - Sorry folks.
> > 
> > Since ORDB is shutting down, I checked my SpamAssassin rules for any
> > references to relays.ordb.org, etc. and found none, so can I assume that
> > I have no rules that score in SA that references ORDB? I don't use MS
> > for these type of things.
> 
> Actual built-in support for querying ORDB was removed in SA version 2.60. So
> if
> your version of SA is 2.60 or newer, it doesn't by default use ORDB. (Of
> course,
> someone could have always added an add-on rule that does so, but your grep
> should have found it.)
> 
> That said, there is some ordb "residue", that you might find in your greps,
> but
> it is not harmful and won't cause queries.
> 
> Alternate-language descriptions of the rules continued to exist for all of
> the
> 2.6x series, but were irrelevant and harmless. These were removed in 3.0.0
> when
> --lint started complaining about descriptions for nonexistent rules.
> 
> Some of the test-data samples used to test the parser during "make test"
> still
> (at least up to 3.1.5) contain samples that were generated with old versions
> of
> SA that supported ordb. However, this is only used to test SA's ability to
> rip
> out various SA markup formats, so it doesn't matter. FWIW, the file
> containing a
> reference to ordb is t/data/spam/003 under the tarball's root.

Thanks, Matt.

Steve




-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
From mailinglists at bueker.net  Tue Dec 19 07:38:31 2006
From: mailinglists at bueker.net (=?ISO-8859-1?Q?Thorsten_B=FCker?=)
Date: Tue Dec 19 07:38:49 2006
Subject: Work Dir is not cleaned up
Message-ID: <458796F7.5010901@bueker.net>

Dear all,

since migrating our mailing systems, which consist of MailScanner 
between two instances of postfix, into virtual machines by using the 
http://linux-vserver.org patch, the working dir is not cleaned up anymore.

The temporary directories, each named with the pid of previously stopped 
childs, are neither deleted after starting new childs automatically nor 
after stopping the whole MailScanner.

Google did not lead to any hint, yet, but the changelog states, that 
version 4.50.15-1 "fixed bug where temporary files were not cleaned up 
properly". Alas instead of compiling a newer version I'd prefer to keep 
the original package (4.41.3-2) shipped with Debian Sarge on the 
productive machines.

So, do you have any hint for to look for the reason or is there any 
reason not to stop MailScanner by a nightly cronjob, delete the working 
dir, and start it again?

thanks in advance,
   Thorsten
From ram at netcore.co.in  Tue Dec 19 07:45:03 2006
From: ram at netcore.co.in (Ramprasad)
Date: Tue Dec 19 07:45:12 2006
Subject: OT: spammers get long vacations?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC5CE@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC5CE@inex3.herffjones.hj-int>
Message-ID: <1166514303.31113.15.camel@darkstar.netcore.co.in>


On Mon, 2006-12-18 at 18:04 -0500, Furnish, Trever G wrote:
> Sorry, this is very trivial and OT, but I'm just curious...
> 
> Anyone else keeping track of their overall mail stats and noting a
> dramatic decrease in overall inbound mail?  Our inbound flow has dropped
> from about 65k messages per day to 35k messages per day in the past
> several days.  Probably some of it's the weekend, but over mail levels
> haven't been that low in quite a while.
>  
Our traffix is down to 60%.
Probably spammers are lying low until christmas. If they keeping
shooting now they will get their ips listed in RBL's and will not be
able to have go when they want to  .. just a guess


Thanks
Ram




From ylacan at teicam.com  Tue Dec 19 08:21:42 2006
From: ylacan at teicam.com (Youri LACAN-BARTLEY)
Date: Tue Dec 19 08:22:01 2006
Subject: ORDB.org is shutting down
In-Reply-To: <Pine.LNX.4.64.0612190906180.27901@ebfjryy.nhfvpf.arg>
References: <1E293D3FF63A3740B10AD5AAD88535D203E6B020@UBIMAIL1.ubisoft.org>
	<Pine.LNX.4.64.0612190906180.27901@ebfjryy.nhfvpf.arg>
Message-ID: <4587A116.5050005@teicam.com>

I'm currently doing all RBL checks at MTA myself.

	reject_rbl_client zen.spamhaus.org
        reject_rbl_client dul.dnsbl.sorbs.net
        reject_rbl_client list.dsbl.org

A little note for those using sbl+xbl :

	http://www.spamhaus.org/zen/

You might want to update your RBL lists ...


Res wrote:
> On Mon, 18 Dec 2006, Daniel Maher wrote:
> 
>> SBL+XBL spamcop.net SORBS-DNSBL
> 
> agreed, I use all three, but I use them at MTA, makes a hell of a
> difference of workhorse servers
> 
> 
>>
>> Perhaps?
>>
>> -- 
>>  _
>> ?v?  Daniel Maher
>> /(_)\ Administrateur Syst?me Unix
>> ^ ^  Unix System Administrator
>>
>> SMASH '5' FOR VICTORY!
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>>> bounces@lists.mailscanner.info] On Behalf Of Ryan Pitt
>>> Sent: December 18, 2006 2:03 PM
>>> To: MailScanner discussion
>>> Subject: Re: ORDB.org is shutting down
>>>
>>> As a matter of interest, what else is everyone using for RBLs?
>>> When I take out ORDB-RBL I will be left with SBL+XBL
>>> Thanks
>>> Ryan
>>>
>>> James R. Stevens wrote:
>>>> Thanks for the heads-up on this.
>>>>
>>>> -----Original Message-----
>>>> From: mailscanner-bounces@lists.mailscanner.info
>>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
>>>> Richard
>>>> Frovarp
>>>> Sent: Monday, December 18, 2006 11:45 AM
>>>> To: mailscanner@lists.mailscanner.info
>>>> Subject: ORDB.org is shutting down
>>>>
>>>> Saw this on the SA list:
>>>>
>>>> See: http://www.ordb.org/news/?id=38
>>>>
>>>> DNS is being turned off today. It would seem that ORDB is in the
>>>> default
>>>> list for MailScanner to lookup for the Spam List. That is bound to
>>>> cause
>>>> some timeouts for those that have that feature enabled. Grepping
>>>> through
>>>> my SA files I don't see any reference to it there.
>>>>
>>>> Richard
>>> -- 
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>
> 

-- 
Cordialement,

Youri LACAN-BARTLEY

PCAM
Espace HERVANN
641 Chemin des terriers
06600 ANTIBES
Tel: 04.93.33.26.25
Fax: 04.93.33.73.45
From mailscanner at mail.kz7.co.uk  Tue Dec 19 08:36:09 2006
From: mailscanner at mail.kz7.co.uk (Mail Scanner)
Date: Tue Dec 19 08:36:46 2006
Subject: Pyzor Error
In-Reply-To: <223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
Message-ID: <20061219083609.GA6426@mail.kz7.co.uk>

Hi,

I have been using MailScanner for a while now.  Never really had a problem with spam before now.  It has now started to appear.  I think read a lot of different howto's.  I run the command and got the following

MailScanner --debug --debug-sa --lint

Read 747 hostnames from the phishing whitelist
MailScanner setting GID to  (89)
MailScanner setting UID to  (89)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
pyzor: check failed: internal error
SpamAssassin reported no errors.

As you can see there is a pyzor error.  When I run the pyzor ping I get the following result.

82.94.255.100:24441     (200, 'OK')

Can some one please give me some more ideas of where to look for the problem.

Thanks

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From martinh at solidstatelogic.com  Tue Dec 19 09:06:40 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Dec 19 09:07:30 2006
Subject: Pyzor Error
In-Reply-To: <20061219083609.GA6426@mail.kz7.co.uk>
References: <45803ACE.5010509@seekio.com>	<20061213175736.FBB8.GERARD@seibercom.net>	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<20061219083609.GA6426@mail.kz7.co.uk>
Message-ID: <4587ABA0.9090109@solidstatelogic.com>

Mail Scanner wrote:
> Hi,
> 
> I have been using MailScanner for a while now.  Never really had a problem with spam before now.  It has now started to appear.  I think read a lot of different howto's.  I run the command and got the following
> 
> MailScanner --debug --debug-sa --lint
> 
> Read 747 hostnames from the phishing whitelist
> MailScanner setting GID to  (89)
> MailScanner setting UID to  (89)
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> pyzor: check failed: internal error
> SpamAssassin reported no errors.
> 
> As you can see there is a pyzor error.  When I run the pyzor ping I get the following result.
> 
> 82.94.255.100:24441     (200, 'OK')
> 
> Can some one please give me some more ideas of where to look for the problem.
> 
> Thanks
> 

There's been issues with pyzor for months, bandwidth issues/timeouts, no 
updates to the DB developer not responding to offers of help etc etc..


I find it still usefule for some of the 'older' spam but I recommend you 
look at razor2 and DCC as something thats actually updated...

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From martinh at solidstatelogic.com  Tue Dec 19 09:07:39 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Dec 19 09:07:57 2006
Subject: Not blocking spam?
In-Reply-To: <4586D426.5030504@standard.k12.ca.us>
References: <em06v3$hg7$1@sea.gmane.org>	<db11198bd2cba2b9d14ee1dd155064b7@localhost>	<4586645D.5070903@solidstatelogic.com>
	<4586D426.5030504@standard.k12.ca.us>
Message-ID: <4587ABDB.5060308@solidstatelogic.com>

Jeff Davis wrote:
> Thanks,
> 
> What should I be looking for?
> 
> So far this is what I've gotten:
> 
> Read 759 hostnames from the phishing whitelist
> MailScanner setting GID to  (89)
> MailScanner setting UID to  (89)
> 
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> 
> But I'm not seeing any new headers in my email, and nothing is being 
> tagged as spam or otherwise...
> 
> -Jeff
> 
> Martin Hepworth wrote:
>> jdavis wrote:
>>> It's set to yes.
>>>
>>> Since running through spamassassin manually works, I am assuming I've 
>>> hosed up a setting in my mailscanner.conf  If looked and looked 
>>> (probably too much) and cannot seem to find anything.
>>>
>>> On Sat, 16 Dec 2006 02:24:18 -0500, Ugo Bellavance 
>>> <ugob@camo-route.com> wrote:
>>>> Jeff Davis wrote:
>>>>> Just got MailScanner installed, but does not seem to be tagging 
>>>>> anything
>>>>> as spam.
>>>>>
>>>>> Where should I start checking first?  spammassassin < {sample file}
>>>>> seems to work correctly, but mail sent from outside (GTUBE) flies 
>>>>> right
>>>>> through.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Jeff
>>>>>
>>>> MailScanner.conf, a setting called 'Use SpamAssassin'
>>>>
>>>> http://wiki.mailscanner.info/doku.php?id=maq:index
>>>>
>>>> -- 
>>>> MailScanner mailing list
>>>> mailscanner@lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>> -- 
>>> Jefferson K Davis
>>> Technology & Information Systems Manager
>>> Standard School District
>>> 1200 North Chester Ave
>>> Bakersfield, CA  93308
>>> USA
>>> 661.392.2110 ext 120
>>>
>>
>> you can debug this will the "MailScanner --debug --debug-sa --lint" so 
>> see what's happening
>>

Jeff

Check you're config, it could be you've broke the setup so postfix isn't 
dropping amil into  the hold queue anymore, so mailscanner never has any 
work to do!

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From glenn.steen at gmail.com  Tue Dec 19 09:22:13 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 19 09:22:16 2006
Subject: Work Dir is not cleaned up
In-Reply-To: <458796F7.5010901@bueker.net>
References: <458796F7.5010901@bueker.net>
Message-ID: <223f97700612190122rbb0ed69j3dcb85354d5167a8@mail.gmail.com>

On 19/12/06, Thorsten B?ker <mailinglists@bueker.net> wrote:
> Dear all,
>
> since migrating our mailing systems, which consist of MailScanner
> between two instances of postfix, into virtual machines by using the
> http://linux-vserver.org patch, the working dir is not cleaned up anymore.

Thorsten, stop right there!
The piece of language you have above implies that you still use the
_unsafe_ and _deprecated_ defer method with Postfix. Please tell me
you don't...
If you do... You should immediately stop doing this. Use the new,
safe, HOLD method as described in
http://www.mailscanner.info/postfix.html amongst other places.


> The temporary directories, each named with the pid of previously stopped
> childs, are neither deleted after starting new childs automatically nor
> after stopping the whole MailScanner.
>
> Google did not lead to any hint, yet, but the changelog states, that
> version 4.50.15-1 "fixed bug where temporary files were not cleaned up
> properly". Alas instead of compiling a newer version I'd prefer to keep
> the original package (4.41.3-2) shipped with Debian Sarge on the
> productive machines.

This is indeed true, it is an old error. I'm in part guilty for both
the introduction (and the fix, along with Spike Cacti, IIRC:-)...
Because PF queue IDs aren't "random enough" for SQL logging purposes,
I badgered Jules into introducing the .XXXXX randomness... Which broke
the cleanup of the work dir. The fix was simply to add in the "." in
the match for the cleanup-able stuff.
I don't want to go digging it up... It's in the mail list archives;-).
You really should abandon that old MS version and go with a newer
one... Either by using the tarball install, or going unstable, or
switching OS/distro completely. Debian stable is just too moldy when
it comes to this.

> So, do you have any hint for to look for the reason or is there any
> reason not to stop MailScanner by a nightly cronjob, delete the working
> dir, and start it again?

You *could* do that too. A bandaid, at best, but sure... that would work too.

> thanks in advance,
>    Thorsten

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Tue Dec 19 09:28:36 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 19 09:28:38 2006
Subject: Pyzor Error
In-Reply-To: <20061219083609.GA6426@mail.kz7.co.uk>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<20061219083609.GA6426@mail.kz7.co.uk>
Message-ID: <223f97700612190128s74de09aep39ccfc9e5619d777@mail.gmail.com>

On 19/12/06, Mail Scanner <mailscanner@mail.kz7.co.uk> wrote:
> Hi,
>
> I have been using MailScanner for a while now.  Never really had a problem with spam before now.  It has now started to appear.  I think read a lot of different howto's.  I run the command and got the following
>
> MailScanner --debug --debug-sa --lint
>
> Read 747 hostnames from the phishing whitelist
> MailScanner setting GID to  (89)
> MailScanner setting UID to  (89)
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> pyzor: check failed: internal error
> SpamAssassin reported no errors.
>
> As you can see there is a pyzor error.  When I run the pyzor ping I get the following result.
>
> 82.94.255.100:24441     (200, 'OK')
>
> Can some one please give me some more ideas of where to look for the problem.
>
> Thanks
>
Is that pyzor ping done as the postfix user (89.89 is postfix.postfix, right?)?
Does that user also use the alternate pyzor server?

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Tue Dec 19 09:34:51 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 19 09:34:54 2006
Subject: allowing attachment filelname
In-Reply-To: <011001c722fa$04c55c80$0200000a@danc3>
References: <00ac01c722c4$2149fd60$0200000a@danc3>
	<223f97700612181054o5358398dmc70ff5dbc5eb5189@mail.gmail.com>
	<012601c722dc$82edcac0$0200000a@danc3>
	<223f97700612181300y4efe4272q2609db7e5dff673a@mail.gmail.com>
	<011001c722fa$04c55c80$0200000a@danc3>
Message-ID: <223f97700612190134u123cbb15k7b373181e30312c9@mail.gmail.com>

On 19/12/06, Dan Carl <danc@bluestarshows.com> wrote:
>
> ----- Original Message -----
> From: "Glenn Steen" <glenn.steen@gmail.com>
> To: "MailScanner discussion" <mailscanner@lists.mailscanner.info>
> Sent: Monday, December 18, 2006 3:00 PM
> Subject: Re: allowing attachment filelname
>
>
> > On 18/12/06, Dan Carl <danc@bluestarshows.com> wrote:
> > > ----- Original Message -----
> > > From: "Glenn Steen" <glenn.steen@gmail.com>
> > > To: "MailScanner discussion" <mailscanner@lists.mailscanner.info>
> > > Sent: Monday, December 18, 2006 12:54 PM
> > > Subject: Re: allowing attachment filelname
> > >
> > >
> > > > On 18/12/06, Dan Carl <danc@bluestarshows.com> wrote:
> > > > > Ok I have a certain filename I want to let through.
> > > > > I added a rule to my filename.rules.conf.
> > > > > A followed the instructions
> > > > > NOTE: Fields are separated by TAB characters --- Important!
> > > > > I've checked my mailscanner.conf and its set to:
> > > > > Filename Rules = %etc-dir%/filename.rules.conf
> > > > > Why is the attachment still being quarantined?
> > > > > Im using ClamAV and F-Prot
> > > > Well, why is it quarantined? Look in the logs... Should tell you well
> > > enough...
> > > > One could guess that perhaps it is blocked by filetype? Or by an AV
> > > At Mon Dec 18 10:30:14 2006 the virus scanner said:
> > >    ClamAV Module: BACKUP.qpb was infected: Encrypted.Zip
> >
> > Aha, so it's really clamav (or rather clamavmodule:-) that is triggering.
> > You'll have to make it accept that filename (in clamscan,
> > clamavmodule), or not let clam block password encrypted archives
> > (might be a tad too forgiving:) or just plain stop
> > encrypting/passwd-protecting the zipfile ... or something similar that
> > fits your bill:-).
> >
>
> Its a backup from quick books point of sale.
> It is automatically encryted there no way round it.

Ok. Was worth a shot:-).

> > Haven't checked this, but what happens if you set "Allow Password
> > Protected Archives = yes" (or a ruleset to that effect)? There're some
> > settings for ClamavModule too that might effect how this plays out ...
> > Perhaps do a limit of recursion? I'm not sure if that will work...
> > Look at
> http://www.mailscanner.info/MailScanner.conf.index.html#ClamAVmodule%20Maximum%20Recursion%20Level
> > ...
>
> Ok setting Allow Password Protected Archives= yes
> Allowed the file to come through.

Good.

> I know I can make a rule set to tighten it up alot more, but I this my only
> alternive?

Probably you best bet. Other would be routing it through a mail path
that precludes MailScanner, or trying to make the clamav module more
intelligent _for that one sender_... Not good options, IMO.

> I know could have then use ftp server to send/receive but I'm affraid this
> would turn into a support nightmare for me.

Some intelligent scripting should be your helping hand there, but
really... You know what IP address and sender they come from, right?
It should be an easy enough ruleset to construct. If you need help
with that, just holler and someone will jump in (if I'm too busy;).

> Why does adding it to filename.rules.conf have no effect?

Because it is not the filename checking that is blocking it. It is the
anti-virus program. Simple as that.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Tue Dec 19 09:42:16 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 19 09:42:19 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <Pine.LNX.4.64.0612190916240.27901@ebfjryy.nhfvpf.arg>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<Pine.LNX.4.64.0612162350350.10428@ebfjryy.nhfvpf.arg>
	<em6vm7$qhn$1@sea.gmane.org>
	<Pine.LNX.4.64.0612190916240.27901@ebfjryy.nhfvpf.arg>
Message-ID: <223f97700612190142hf932112w946c3e2dd4386589@mail.gmail.com>

On 19/12/06, Res <res@ausics.net> wrote:
> On Mon, 18 Dec 2006, Scott Silva wrote:
>
> > Wietse can be a real prima donna over his code, but postfix is very good
> > software. I think Julian works with their "attitudes" because of that. Might
> > explain why he never embraced Qmail.
>
> Any current MTA is very good software, be it even sendmail or exim, qmail
> has not been supported for years, so I guess it is dying, the only saving
> grace it has, is how easy it is with virtual domains and vpopmail, there
> is not a better or equal solution, the sendmail/postfix +cyrus is still a
> pain, and yes I know they tried to incorporate postfix with vpopmail, but
> last I heard you still needed to do qmail directory installs, so you might
> as well just use qmail so long as it has had the dozen or so decent
> security and performance tightening patches applied that is :)
>
>
That's pretty close to an endorsement of postmix.... You gotta get a
grip, or lay of the amber stuff, Res:-D

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From res at ausics.net  Tue Dec 19 09:44:58 2006
From: res at ausics.net (Res)
Date: Tue Dec 19 09:45:12 2006
Subject: Sloppy error checking in MS code
In-Reply-To: <223f97700612190142hf932112w946c3e2dd4386589@mail.gmail.com>
References: <4582E1AC.6020208@rogers.com> <458331E9.4060703@evi-inc.com>
	<223f97700612160318p5682c970ue4c399e8da7aee3@mail.gmail.com>
	<Pine.LNX.4.64.0612162350350.10428@ebfjryy.nhfvpf.arg>
	<em6vm7$qhn$1@sea.gmane.org>
	<Pine.LNX.4.64.0612190916240.27901@ebfjryy.nhfvpf.arg>
	<223f97700612190142hf932112w946c3e2dd4386589@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.0612191943540.2347@ebfjryy.nhfvpf.arg>

On Tue, 19 Dec 2006, Glenn Steen wrote:

> On 19/12/06, Res <res@ausics.net> wrote:
>> On Mon, 18 Dec 2006, Scott Silva wrote:
>> 
>> > Wietse can be a real prima donna over his code, but postfix is very good
>> > software. I think Julian works with their "attitudes" because of that. 
>> Might
>> > explain why he never embraced Qmail.
>> 
>> Any current MTA is very good software, be it even sendmail or exim, qmail
>> has not been supported for years, so I guess it is dying, the only saving
>> grace it has, is how easy it is with virtual domains and vpopmail, there
>> is not a better or equal solution, the sendmail/postfix +cyrus is still a
>> pain, and yes I know they tried to incorporate postfix with vpopmail, but
>> last I heard you still needed to do qmail directory installs, so you might
>> as well just use qmail so long as it has had the dozen or so decent
>> security and performance tightening patches applied that is :)
>> 
>> 
> That's pretty close to an endorsement of postmix.... You gotta get a
> grip, or lay of the amber stuff, Res:-D

hahahahahahaha  bugger! I might have to stop holidays now...
or erm hrmmm , back later, i need to go wash my mouth out  (with more 
amber :P )


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From glenn.steen at gmail.com  Tue Dec 19 09:48:30 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 19 09:48:33 2006
Subject: OT: spammers get long vacations?
In-Reply-To: <1166514303.31113.15.camel@darkstar.netcore.co.in>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC5CE@inex3.herffjones.hj-int>
	<1166514303.31113.15.camel@darkstar.netcore.co.in>
Message-ID: <223f97700612190148t68d0640o160eb14603c773dc@mail.gmail.com>

On 19/12/06, Ramprasad <ram@netcore.co.in> wrote:
>
> On Mon, 2006-12-18 at 18:04 -0500, Furnish, Trever G wrote:
> > Sorry, this is very trivial and OT, but I'm just curious...
> >
> > Anyone else keeping track of their overall mail stats and noting a
> > dramatic decrease in overall inbound mail?  Our inbound flow has dropped
> > from about 65k messages per day to 35k messages per day in the past
> > several days.  Probably some of it's the weekend, but over mail levels
> > haven't been that low in quite a while.
> >
> Our traffix is down to 60%.
> Probably spammers are lying low until christmas. If they keeping
> shooting now they will get their ips listed in RBL's and will not be
> able to have go when they want to  .. just a guess
>
>
> Thanks
> Ram
>
Well, everything is relative... We saw an 900% (approximately... I'm
being cautious here;) from May to the end of November (the "incline"
was steeper than that, but that was where it ... eased off a bit).
Since then it has stabilized at 15-20% below the "all-time-high" of
November.

I fully expect the holidays to bring me a new increase... Just what I
put on my list to Santa... not:).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From mailscanner at mail.kz7.co.uk  Tue Dec 19 09:49:19 2006
From: mailscanner at mail.kz7.co.uk (Mail Scanner)
Date: Tue Dec 19 09:49:56 2006
Subject: Pyzor Error
In-Reply-To: <4587ABA0.9090109@solidstatelogic.com>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<20061219083609.GA6426@mail.kz7.co.uk>
	<4587ABA0.9090109@solidstatelogic.com>
Message-ID: <20061219094919.GB6426@mail.kz7.co.uk>

On Tue, Dec 19, 2006 at 09:06:40AM +0000, Martin Hepworth wrote:
> Mail Scanner wrote:
> >Hi,
> >
> >I have been using MailScanner for a while now.  Never really had a problem 
> >with spam before now.  It has now started to appear.  I think read a lot 
> >of different howto's.  I run the command and got the following
> >
> >MailScanner --debug --debug-sa --lint
> >
> >Read 747 hostnames from the phishing whitelist
> >MailScanner setting GID to  (89)
> >MailScanner setting UID to  (89)
> >Checking for SpamAssassin errors (if you use it)...
> >Using SpamAssassin results cache
> >Connected to SpamAssassin cache database
> >pyzor: check failed: internal error
> >SpamAssassin reported no errors.
> >
> >As you can see there is a pyzor error.  When I run the pyzor ping I get 
> >the following result.
> >
> >82.94.255.100:24441     (200, 'OK')
> >
> >Can some one please give me some more ideas of where to look for the 
> >problem.
> >
> >Thanks
> >
> 
> There's been issues with pyzor for months, bandwidth issues/timeouts, no 
> updates to the DB developer not responding to offers of help etc etc..
> 
> 
> I find it still usefule for some of the 'older' spam but I recommend you 
> look at razor2 and DCC as something thats actually updated...
> 
> -- 
> Martin Hepworth
> Senior Systems Administrator

I have both razor2 and DCC installed.  This is the first time I have tried to get spam filtering to work.  Maybe I should start from scratch.  Does any one know of a good how to so I can get all this working on a Centos Server.

Thanks

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com  Tue Dec 19 10:00:22 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 19 10:00:26 2006
Subject: Pyzor Error
In-Reply-To: <20061219094919.GB6426@mail.kz7.co.uk>
References: <45803ACE.5010509@seekio.com>
	<20061213175736.FBB8.GERARD@seibercom.net>
	<223f97700612140434u1e353735qe32cd247a5853318@mail.gmail.com>
	<20061219083609.GA6426@mail.kz7.co.uk>
	<4587ABA0.9090109@solidstatelogic.com>
	<20061219094919.GB6426@mail.kz7.co.uk>
Message-ID: <223f97700612190200i1c913468hf7eca675f6dbe464@mail.gmail.com>

On 19/12/06, Mail Scanner <mailscanner@mail.kz7.co.uk> wrote:
> On Tue, Dec 19, 2006 at 09:06:40AM +0000, Martin Hepworth wrote:
> > Mail Scanner wrote:
> > >Hi,
> > >
> > >I have been using MailScanner for a while now.  Never really had a problem
> > >with spam before now.  It has now started to appear.  I think read a lot
> > >of different howto's.  I run the command and got the following
> > >
> > >MailScanner --debug --debug-sa --lint
> > >
> > >Read 747 hostnames from the phishing whitelist
> > >MailScanner setting GID to  (89)
> > >MailScanner setting UID to  (89)
> > >Checking for SpamAssassin errors (if you use it)...
> > >Using SpamAssassin results cache
> > >Connected to SpamAssassin cache database
> > >pyzor: check failed: internal error
> > >SpamAssassin reported no errors.
> > >
> > >As you can see there is a pyzor error.  When I run the pyzor ping I get
> > >the following result.
> > >
> > >82.94.255.100:24441     (200, 'OK')
> > >
> > >Can some one please give me some more ideas of where to look for the
> > >problem.
> > >
> > >Thanks
> > >
> >
> > There's been issues with pyzor for months, bandwidth issues/timeouts, no
> > updates to the DB developer not responding to offers of help etc etc..
> >
> >
> > I find it still usefule for some of the 'older' spam but I recommend you
> > look at razor2 and DCC as something thats actually updated...
> >
> > --
> > Martin Hepworth
> > Senior Systems Administrator
>
> I have both razor2 and DCC installed.  This is the first time I have tried to get spam filtering to work.  Maybe I should start from scratch.  Does any one know of a good how to so I can get all this working on a Centos Server.
>
> Thanks
>
There are excellent docs ... at least look at the official site, the
MAQ and the wiki....:
http://www.mailscanner.info/install_guides.html
http://wiki.mailscanner.info/doku.php?id=maq:index#how_to_setup_a_mailscanner_server
http://wiki.mailscanner.info/doku.php?id=&idx=documentation (at least
look through the install_upgrade and configuration parts... and
anti_spam ...)

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From wjohns at balita.ph  Tue Dec 19 10:04:23 2006
From: wjohns at balita.ph (Wayne)
Date: Tue Dec 19 10:04:25 2006
Subject: Whitelist
Message-ID: <200612191004.kBJA4Kve006459@balita.ph>

Hi

Compliments of the season to all on the list.

In logwatch I am seeing many instances where something is show as whitelisted:

For example:

Message kBIBvLqI013726 from 72.130.65.233 
(summerliness@rushcliffedirect.com) is whitelisted : 1 Time(s)

I have very few actual entries in the whitelist file - could it be 
that these items are specifically addressed to a name on the 
whitelist causing it to be highlighted as whitelisted.

- Wayne -


-- 
This email has been scanned by the Balita server.

From michele at blacknight.ie  Tue Dec 19 12:53:57 2006
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Tue Dec 19 12:52:41 2006
Subject: List Maintenance This Evening
Message-ID: <013601c7236c$bf3266e0$e3f31151@blacknight.local>

Hi all

This list will be unavailable / offline for about an hour this evening as we
are migrating it to a new server

Regards

Michele

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239

From glenn.steen at gmail.com  Tue Dec 19 13:19:58 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 19 13:20:12 2006
Subject: Whitelist
In-Reply-To: <200612191004.kBJA4Kve006459@balita.ph>
References: <200612191004.kBJA4Kve006459@balita.ph>
Message-ID: <223f97700612190519m49629034l40b8603d93eb4eb6@mail.gmail.com>

On 19/12/06, Wayne <wjohns@balita.ph> wrote:
> Hi
>
> Compliments of the season to all on the list.
>
> In logwatch I am seeing many instances where something is show as whitelisted:
>
> For example:
>
> Message kBIBvLqI013726 from 72.130.65.233
> (summerliness@rushcliffedirect.com) is whitelisted : 1 Time(s)
>
> I have very few actual entries in the whitelist file - could it be
> that these items are specifically addressed to a name on the
> whitelist causing it to be highlighted as whitelisted.
>
> - Wayne -

Hi Wayne,

Are you by any chance whitelisting by (envelope) email address only (in MS)?
That is inherently "unsafe", since that can easily be spoofed.
Either use IP address of sender server, a combination of
sender/recipient (limits the effects a bit at least), or move the
whitelisting into SA (or similar, where you can use a couple of
different methods to assign different negative point values).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ram at netcore.co.in  Tue Dec 19 14:37:48 2006
From: ram at netcore.co.in (Ramprasad)
Date: Tue Dec 19 14:37:56 2006
Subject: skipping spamchecks for whitelisted mails
Message-ID: <1166539068.31113.53.camel@darkstar.netcore.co.in>

how do I skip spamchecks for whitelisted mails.

Thanks
Ram



From glenn.steen at gmail.com  Tue Dec 19 15:06:48 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 19 15:06:50 2006
Subject: skipping spamchecks for whitelisted mails
In-Reply-To: <1166539068.31113.53.camel@darkstar.netcore.co.in>
References: <1166539068.31113.53.camel@darkstar.netcore.co.in>
Message-ID: <223f97700612190706j4d292d6dx260d67641e8d2c1d@mail.gmail.com>

On 19/12/06, Ramprasad <ram@netcore.co.in> wrote:
> how do I skip spamchecks for whitelisted mails.
>
> Thanks
> Ram
>
A ruleset on http://www.mailscanner.info/MailScanner.conf.index.html#Use%20SpamAssassin
perhaps?

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From mgt at stellarcore.net  Tue Dec 19 15:10:15 2006
From: mgt at stellarcore.net (Mike Tremaine)
Date: Tue Dec 19 15:10:30 2006
Subject: OT: ClamAV 0.88.7 [clamavmodule and gmp]
In-Reply-To: <200612191200.kBJC0IRB002804@bkserver.blacknight.ie>
References: <200612191200.kBJC0IRB002804@bkserver.blacknight.ie>
Message-ID: <458800D7.8080309@stellarcore.net>


I'm pushing out my updates today and wanted to get a sanity check from those 
who have already made the move. Is it sufficent to just do a "force install 
Mail::ClamAV" in cpan after the new ClamAV has been installed? I did this on my 
personal server and sent a couple of zip files to myself and it seems to be 
working but before I hit the other 10 boxes I wanted to make sure. :)

As a side question has anyone ever got GMP2 installed under Solaris 10 so that 
it works with ClamAV and you do not get the "SECURITY WARNING: NO SUPPORT FOR 
DIGITAL SIGNATURES". I know I've built it a few times and tried to point clamav 
at it but it never seems to work for me and I've given up.

-Mike
From shuttlebox at gmail.com  Tue Dec 19 15:23:39 2006
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Dec 19 15:23:43 2006
Subject: OT: ClamAV 0.88.7 [clamavmodule and gmp]
In-Reply-To: <458800D7.8080309@stellarcore.net>
References: <200612191200.kBJC0IRB002804@bkserver.blacknight.ie>
	<458800D7.8080309@stellarcore.net>
Message-ID: <625385e30612190723j31b7a917vd71a09cc6f860252@mail.gmail.com>

On 12/19/06, Mike Tremaine <mgt@stellarcore.net> wrote:
> As a side question has anyone ever got GMP2 installed under Solaris 10 so that
> it works with ClamAV and you do not get the "SECURITY WARNING: NO SUPPORT FOR
> DIGITAL SIGNATURES". I know I've built it a few times and tried to point clamav
> at it but it never seems to work for me and I've given up.

In Solaris 9 I had to compile it in 32-bit mode, I have no problems with Clam.

# ABI=32 ./configure
# make
# make install

-- 
/peter
From wjohns at balita.ph  Tue Dec 19 16:56:47 2006
From: wjohns at balita.ph (Wayne)
Date: Tue Dec 19 16:56:51 2006
Subject: Whitelist
In-Reply-To: <223f97700612190519m49629034l40b8603d93eb4eb6@mail.gmail.co
 m>
References: <200612191004.kBJA4Kve006459@balita.ph>
	<223f97700612190519m49629034l40b8603d93eb4eb6@mail.gmail.com>
Message-ID: <200612191656.kBJGuipe031021@balita.ph>

At 13:19 19/12/2006, you wrote:

Many thanks Glenn ... bit unsure what whitelisting by (envelope) email
address entails or implies :-( I set my whitelist up in the
SpamAssassin plugin of Webmin.

I did add my own email address in spam.whitelist.rules but as it
already appears in the SA whitelist rule maybe that is what you mean -
envelope - I will remove it.

- Wayne -


>Are you by any chance whitelisting by (envelope) email address only (in MS)?
>That is inherently "unsafe", since that can easily be spoofed.
>Either use IP address of sender server, a combination of
>sender/recipient (limits the effects a bit at least), or move the
>whitelisting into SA (or similar, where you can use a couple of
>different methods to assign different negative point values).


-- 
This email has been scanned by the Balita server.

From samp at arial-concept.com  Fri Dec 22 16:55:29 2006
From: samp at arial-concept.com (Sam Przyswa)
Date: Sat Dec 23 10:32:18 2006
Subject: MailScanner and Bogofilter
In-Reply-To: <223f97700612211515x1353c06dr3009f8e6ff9bf37@mail.gmail.com>
References: <4589F672.7020002@arial-concept.com>	<458A524D.6030501@solidstatelogic.com>	<458A8F84.3090200@arial-concept.com>	<223f97700612210611q3d136af2nccb94c78e6317a23@mail.gmail.com>	<458AB06A.6080105@arial-concept.com>	<458AB500.10100@solidstatelogic.com>	<458AF23F.3030408@arial-concept.com>
	<223f97700612211515x1353c06dr3009f8e6ff9bf37@mail.gmail.com>
Message-ID: <458BFFF1.7050905@arial-concept.com>

Glenn Steen a ?crit :
>
>>
>> > the tuning I'm taking about are the SARE rules etc from
>> > www.rulesmeporium.com.
>>
>> The site doesn't exist anymore.
> As mentioned by others, a simple typo (meporium instead of emporium:-).
> You'll find many nice things here like ImageInfo, custom rules (stocks 
> etc etc).

Ok I find it, thanks !

>
>> > using DCC/razor2 etc, making sure you're running network tests and the
>> > URI-RBLs
>>
>> I installed the last razor version.
>
> Good move. Now, to truly make the disgest checks make a difference,
> I'd suggest that you get at least DCC too, and possibly Pyzor as well,
> and try them out for a few days.

Ok I wiil install DCC too.

>>
>>
>> I do that and now after upgrade to MS 4.55.10 the ham learning doesn't
>> work after the learning command I got :
>>
>> sa-learn -u postfix --ham --mbox /hda3/przyswa/Maildir/.Spam.Ham/cur/
>> Learned tokens from 0 message(s) (0 message(s) examined)
>
> Peculiar... If you just specify a single mbox file, does that work?

I tried "sa-learn -u postfix --ham --mbox 
/hda3/przyswa/Maildir/.Spam.Ham/cur/file_name" with and without "--mbox" 
it's the same !?

SpamAssassin version 3.1.7
  running on Perl version 5.8.8

I have to set my sender address in the whitelist file...

Sam.


-- 
Ce message a ?t? v?rifi? par MailScanner
pour des virus ou des polluriels et rien de
suspect n'a ?t? trouv?.

From sandrews at andrewscompanies.com  Fri Dec 22 15:13:01 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Sat Dec 23 10:33:19 2006
Subject: virus scan only
Message-ID: <1964AAFBC212F742958F9275BF63DBB0429BEC@winchester.andrewscompanies.com>

I'd certainly not do that.  I'd wait a few months until they start
spewing out crap, turn them off and tell them they're taking both
direction antivirus and antispam or they can find someone else to do it
for them.

Honestly, any customer that says they don't want yet another level of
virus scanning needs some education, even if by force, if they don't
learn after that, they can go to AOL.  ;) 

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
Sent: Friday, December 22, 2006 6:05 AM
To: MailScanner discussion
Subject: Re: virus scan only

On Fri, 22 Dec 2006, Michele Neylon :: Blacknight wrote:

> Simon Jones wrote:
>> Hi,
>>  how do I configure a domain for virus scanning ONLY, the customer 
>> doesn't want spam filtering  thanks.
>>  Simon
>> 
> Simon
>
> You need to have a look at ruleset settings
>
> You can change the spam filtering from being on for everyone to being 
> a ruleset
>
> Regards
>
> Michele



I'd certainly also apply it to their outgoing and just exclude the
inbound, those that demand thety not be spam checked outbound tend to be
the ones who need to be.

>
>

-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 


From paul at blacknight.ie  Sat Dec 23 11:39:24 2006
From: paul at blacknight.ie (Paul Kelly :: Blacknight)
Date: Sat Dec 23 10:39:50 2006
Subject: List Outage
Message-ID: <1166870365.7366.13.camel@localhost>

Hi All,

We lost the box the MS list was on yesterday. I've been beavering away
to get it back and as most mail will be queued it should get through
eventually as dns servers catch up on the dns change.

The last sync of the archives was Tuesday so we've lost a couple of
days, I do apologise for this. I need to check with one of our other
admins where he had the backups going to. he was syncing mailmans setup
hourly from the original box.

Hopefully this won't happen again.

I would like to take this opportunity to wish you all a merry Christmas
and a happy New Year!

Regards, 

Paul

From technician at cenpac.net.nr  Sat Dec 23 11:49:26 2006
From: technician at cenpac.net.nr (Jon Leeman)
Date: Sat Dec 23 10:49:41 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
References: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
Message-ID: <458D09B6.6020907@cenpac.net.nr>


James Gray wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi All,
> 
> This is slightly off topic, but I figured it was a good place to ask.  
> What RBL's are people using on their MTA?  I'm currently driving a 
> number of Postfix boxes so far have all the RBL's in SpamAssassin, but 
> would really prefer to block some of the rubbish before it gets that far.
> 
> What RBL's have people had success with? More importantly, which ones 
> should I avoid?
> 
> Cheers,
> 
> James

Very low volume ( ~ 4 K per day ) Postfix gateway MX here and have had 
no problems with;

sbl.spamhaus.org, list.dsbl.org, bl.spamcop.net

Rgds.,

Jon (Nauru, 2047 local, Temp 25 deg. C. clear skies [with apologies to 
Glenn])
From michele at blacknight.ie  Sat Dec 23 11:49:35 2006
From: michele at blacknight.ie (Michele Neylon)
Date: Sat Dec 23 10:50:05 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
References: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
Message-ID: <458D09BF.5070107@blacknight.ie>

James Gray wrote:
> Hi All,
> 
> This is slightly off topic, but I figured it was a good place to ask. 
> What RBL's are people using on their MTA?  I'm currently driving a
> number of Postfix boxes so far have all the RBL's in SpamAssassin, but
> would really prefer to block some of the rubbish before it gets that far.
> 
> What RBL's have people had success with? More importantly, which ones
> should I avoid?
> 
> Cheers,
> 
> James

xbl works well

Avoid spamcop (obviously)


From vinay_poojary2000 at yahoo.co.in  Sat Dec 23 10:03:28 2006
From: vinay_poojary2000 at yahoo.co.in (vinay poojary)
Date: Sat Dec 23 10:50:28 2006
Subject: error in maillog file
In-Reply-To: <915E1C03-0BF5-4E9B-A540-4B620A0EA8F5@gray.net.au>
Message-ID: <20061223090328.23070.qmail@web8326.mail.in.yahoo.com>

red hat el4
   
  sendmail version -> sendmail-8.13.1-2 (default rhel4)
  i have not compiled it .I installeded the above rpm 
   
   
  Regards,
  vinay Poojary 
   
   
   
  

James Gray <james@gray.net.au> wrote:
  On 22/12/2006, at 3:09 PM, vinay poojary wrote:

> dear Sir,
>
> I am using mailscanner with sendmail
> my maillog file is getting filled up with the below error
>
> sendmail[7977]: STARTTLS: read error=generic SSL error (0)
>
> Is ther any way i could avoid it .I dont want to recompile 
> sendmail / Mailscanner

No idea. What sendmail version? How have you configured TLS? What 
operating system? What options did you compile sendmail with? etc, 
etc, etc.

> waiting 4 u reply

Good grief. You have a full keyboard right? Can you please use all 
the characters when spelling words...this isn't an SMS service :)

Cheers,

James


-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 


 Send free SMS to your Friends on Mobile from your Yahoo! Messenger. Download Now! http://messenger.yahoo.com/download.php
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061223/58099c37/attachment.html
From technician at cenpac.net.nr  Sat Dec 23 12:02:31 2006
From: technician at cenpac.net.nr (Jon Leeman)
Date: Sat Dec 23 11:02:39 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <458D09BF.5070107@blacknight.ie>
References: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
	<458D09BF.5070107@blacknight.ie>
Message-ID: <458D0CC7.9000100@cenpac.net.nr>


Michele Neylon wrote:
> James Gray wrote:
>> Hi All,
>>
>> This is slightly off topic, but I figured it was a good place to ask. 
>> What RBL's are people using on their MTA?  I'm currently driving a
>> number of Postfix boxes so far have all the RBL's in SpamAssassin, but
>> would really prefer to block some of the rubbish before it gets that far.
>>
>> What RBL's have people had success with? More importantly, which ones
>> should I avoid?
>>
>> Cheers,
>>
>> James
> 
> xbl works well
> 
> Avoid spamcop (obviously)
> 
> 

Why obviously please?

Jon
From jason.broome at freecom.net  Sat Dec 23 12:02:33 2006
From: jason.broome at freecom.net (Jason Broome)
Date: Sat Dec 23 11:02:53 2006
Subject: MailScanner Digest, Vol 12, Issue 30 [Scanned by Freecom.net]
Message-ID: <899110992@mail.freecom.net>

*****This is a automated response - Please do not reply - as no response will be given*****

Thank you for your e-mail. 

Our offices are now closed for the Christmas period until Tuesday January 2nd 2007.
Please rest assured that all services are being fully monitored and maintained throughout
the festive period.

If your enquiry is regarding an attachment release, as our Mail Scanners have removed it, one of our on call
engineers will forward it on shortly.

May we take this opportunity to wish you a Merry Christmas and a Happy New year from all at Freecom.net.

Kind Regards,

Freecom.net Technical Support Team
From norbert.schmidt at interactivedata.com  Sat Dec 23 12:06:17 2006
From: norbert.schmidt at interactivedata.com (Norbert Schmidt)
Date: Sat Dec 23 11:06:42 2006
Subject: Norbert Schmidt ist =?iso-8859-1?q?au=DFer_Haus=2E?=
Message-ID: <OF45D60290.AF8D8B7A-ONC125724D.003D002F-C125724D.003D002F@is-teledata.com>



I will be out of the office starting  23.12.2006 and will not return until
02.01.2007.

I'll answer to your mail, when I get back. If it is an urgent problem,
please contact dirk.peifer@interactivedata.com
Ich werde Deine Mail nach meiner R?ckkehr beantworten...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061223/15784dda/attachment.html
From mailinglists at bueker.net  Fri Dec 22 15:45:06 2006
From: mailinglists at bueker.net (=?ISO-8859-1?Q?Thorsten_B=FCker?=)
Date: Sat Dec 23 11:06:56 2006
Subject: Work Dir is not cleaned up
In-Reply-To: <223f97700612190122rbb0ed69j3dcb85354d5167a8@mail.gmail.com>
References: <458796F7.5010901@bueker.net>
	<223f97700612190122rbb0ed69j3dcb85354d5167a8@mail.gmail.com>
Message-ID: <458BEF72.2090708@bueker.net>

Dear Glenn,

> Thorsten, stop right there!
> The piece of language you have above implies that you still use the
> _unsafe_ and _deprecated_ defer method with Postfix. Please tell me
> you don't...

...well, ehm, I did ;-)
The howto, I used about three years ago, indeed described the setup 
based on two instances of postfix. Thanks for the hint, in the meantime 
I configured the services to make use of the HOLD method.

> This is indeed true, it is an old error. I'm in part guilty for both
> the introduction (and the fix, along with Spike Cacti, IIRC:-)...
> Because PF queue IDs aren't "random enough" for SQL logging purposes,
> I badgered Jules into introducing the .XXXXX randomness... Which broke
> the cleanup of the work dir. The fix was simply to add in the "." in
> the match for the cleanup-able stuff.
> I don't want to go digging it up... It's in the mail list archives;-).
> You really should abandon that old MS version and go with a newer
> one... Either by using the tarball install, or going unstable, or
> switching OS/distro completely. Debian stable is just too moldy when
> it comes to this.

Hoping for an upcoming release of Etch I'm going to keep the old version 
of MailScanner, at least for some weeks. But in case the release gets 
delayed, I might try to backport the current Debian sources to Sarge.

kind regards, thanks again,
   Thorsten
From michele at blacknight.ie  Sat Dec 23 12:09:40 2006
From: michele at blacknight.ie (Michele Neylon)
Date: Sat Dec 23 11:10:10 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <458D0CC7.9000100@cenpac.net.nr>
References: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>	<458D09BF.5070107@blacknight.ie>
	<458D0CC7.9000100@cenpac.net.nr>
Message-ID: <458D0E74.1070908@blacknight.ie>

Jon Leeman wrote:
> 
> Michele Neylon wrote:
>> James Gray wrote:
>>> Hi All,
>>>
>>> This is slightly off topic, but I figured it was a good place to ask.
>>> What RBL's are people using on their MTA?  I'm currently driving a
>>> number of Postfix boxes so far have all the RBL's in SpamAssassin, but
>>> would really prefer to block some of the rubbish before it gets that
>>> far.
>>>
>>> What RBL's have people had success with? More importantly, which ones
>>> should I avoid?
>>>
>>> Cheers,
>>>
>>> James
>>
>> xbl works well
>>
>> Avoid spamcop (obviously)
>>
>>
> 
> Why obviously please?
> 
> Jon

Jon

Spamcop is fine for scoring, but you would lose a lot of valid mail if
you used it for blocking

Michele
From res at ausics.net  Sat Dec 23 12:34:03 2006
From: res at ausics.net (Res)
Date: Sat Dec 23 11:34:29 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
References: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
Message-ID: <Pine.LNX.4.64.0612232123320.25764@ebfjryy.nhfvpf.arg>

On Sat, 23 Dec 2006, James Gray wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi All,
>
> This is slightly off topic, but I figured it was a good place to ask.  What 
> RBL's are people using on their MTA?  I'm currently driving a number of 
> Postfix boxes so far have all the RBL's in SpamAssassin, but would really 
> prefer to block some of the rubbish before it gets that far.
>
> What RBL's have people had success with? More importantly, which ones should 
> I avoid?

spamhaus, spamcop and sorbs

Beware the people attacking spamcop, many of them dont like the way that 
if their users send to one of spamcops "traps" they will block you, which 
is fair enough, as the trap addresses are not real and not advertised.

On a network processing 1700 messages per minute, no complaints and no 
more false positives then any other RBL, and we had maybe 2 or 3 
complaints a month about RBL blockings, we have about 3 a day panicing 
cause of MS's phishing warning :)

One thig with SORBS though, they will block any server, including hotmail, 
though its only the particular server in the cluster, so you'll probably 
get most through without noticing anything out of the ordinary, the safest 
way would be to whitelist hotmail.com in your MTA, then let MS deal with 
whats spam. It's not that much of a problem really, as your in au and 
maybe wondering about consequences here, Optus use them.



-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From res at ausics.net  Sat Dec 23 12:37:17 2006
From: res at ausics.net (Res)
Date: Sat Dec 23 11:37:43 2006
Subject: virus scan only
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0429BEC@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0429BEC@winchester.andrewscompanies.com>
Message-ID: <Pine.LNX.4.64.0612232134430.25764@ebfjryy.nhfvpf.arg>

On Fri, 22 Dec 2006, sandrews@andrewscompanies.com wrote:

> I'd certainly not do that.  I'd wait a few months until they start
> spewing out crap, turn them off and tell them they're taking both
> direction antivirus and antispam or they can find someone else to do it
> for them.

Better to prevent problems in the first place. I will allow them to get 
what they want in, but any customer who demands we not scan their outbound 
would be to cop it or leave.


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From csweeney at osubucks.org  Sat Dec 23 13:47:53 2006
From: csweeney at osubucks.org (Chris Sweeney)
Date: Sat Dec 23 12:48:27 2006
Subject: MailScanner Digest, Vol 12, Issue 30 [Scanned by Freecom.net]
In-Reply-To: <899110992@mail.freecom.net>
References: <899110992@mail.freecom.net>
Message-ID: <458D2579.2010604@osubucks.org>

All the talk on here about BAD auto responders and it never fails there
are still ding bats who use them on mailing list.

Jason Broome wrote:
> *****This is a automated response - Please do not reply - as no response will be given*****
>
> Thank you for your e-mail. 
>
> Our offices are now closed for the Christmas period until Tuesday January 2nd 2007.
> Please rest assured that all services are being fully monitored and maintained throughout
> the festive period.
>
> If your enquiry is regarding an attachment release, as our Mail Scanners have removed it, one of our on call
> engineers will forward it on shortly.
>
> May we take this opportunity to wish you a Merry Christmas and a Happy New year from all at Freecom.net.
>
> Kind Regards,
>
> Freecom.net Technical Support Team
>   
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5188 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061223/aff0bfaf/smime.bin
From gerard at seibercom.net  Sat Dec 23 14:04:46 2006
From: gerard at seibercom.net (Gerard)
Date: Sat Dec 23 13:05:08 2006
Subject: MailScanner Digest, Vol 12, Issue 30
In-Reply-To: <458D2579.2010604@osubucks.org>
References: <899110992@mail.freecom.net> <458D2579.2010604@osubucks.org>
Message-ID: <20061223080441.552B.GERARD@seibercom.net>

On Saturday December 23, 2006 at 07:47:53 (AM) Chris Sweeney wrote:

> All the talk on here about BAD auto responders and it never fails there
> are still ding bats who use them on mailing list.
> 
> Jason Broome wrote:
> > *****This is a automated response - Please do not reply - as no response will be given*****
> >
> > Thank you for your e-mail. 
> >
> > Our offices are now closed for the Christmas period until Tuesday January 2nd 2007.
> > Please rest assured that all services are being fully monitored and maintained throughout
> > the festive period.
> >
> > If your enquiry is regarding an attachment release, as our Mail Scanners have removed it, one of our on call
> > engineers will forward it on shortly.
> >
> > May we take this opportunity to wish you a Merry Christmas and a Happy New year from all at Freecom.net.
> >
> > Kind Regards,
> >
> > Freecom.net Technical Support Team

Please don't top post. If you don't know what that means, Google for it.

There is not much that you can do about those morons. They are either
too lazy or stupid to exclude mailing lists from being notified by their
vacation program. I will let one through, but the second time I get a
notice like that from the same user, I create a rule and have Postfix
/dev/null that user's mail. End of problem. I could bounce the message;
however, that would only add backscatter into the mix. I could also
receive another notice from that user that could cause an endless loop.

-- 
Gerard
From res at ausics.net  Sat Dec 23 23:17:44 2006
From: res at ausics.net (Res)
Date: Sat Dec 23 22:18:13 2006
Subject: MailScanner Digest, Vol 12, Issue 30
In-Reply-To: <20061223080441.552B.GERARD@seibercom.net>
References: <899110992@mail.freecom.net> <458D2579.2010604@osubucks.org>
	<20061223080441.552B.GERARD@seibercom.net>
Message-ID: <Pine.LNX.4.64.0612240814150.27546@ebfjryy.nhfvpf.arg>

Sometimes top posting is acceptable, and Chris's comments is one of those 
times, people also should learn how to cut posts to whats relevant in 
quotes, if you dont like my top post, please feel free to have a merry 
christmas and /dev/null me, last time I looked your name is not Julian, 
he is the only person who has any right to ask anyone on here what to do 
or not to do.



  On Sat, 23 Dec 2006, Gerard wrote:

> On Saturday December 23, 2006 at 07:47:53 (AM) Chris Sweeney wrote:
>
>> All the talk on here about BAD auto responders and it never fails there
>> are still ding bats who use them on mailing list.

>
> Please don't top post. If you don't know what that means, Google for it.
>
> There is not much that you can do about those morons. They are either
> too lazy or stupid to exclude mailing lists from being notified by their
> vacation program. I will let one through, but the second time I get a
> notice like that from the same user, I create a rule and have Postfix
> /dev/null that user's mail. End of problem. I could bounce the message;
> however, that would only add backscatter into the mix. I could also
> receive another notice from that user that could cause an endless loop.
>
>

-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From james at gray.net.au  Sun Dec 24 00:37:23 2006
From: james at gray.net.au (James Gray)
Date: Sat Dec 23 23:38:06 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
References: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
Message-ID: <C741135C-C68C-4C0B-8E9E-4AB219A1FA97@gray.net.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 23/12/2006, at 4:42 PM, James Gray wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi All,
>
> This is slightly off topic, but I figured it was a good place to  
> ask.  What RBL's are people using on their MTA?  I'm currently  
> driving a number of Postfix boxes so far have all the RBL's in  
> SpamAssassin, but would really prefer to block some of the rubbish  
> before it gets that far.
>
> What RBL's have people had success with? More importantly, which  
> ones should I avoid?

Thanks to all that responded.  I've started with spamhaus and dsbl.   
I'll see if they are sufficient before adding more.  My logs are  
already busy enough without trying to track half a dozen RBL's too :P

Merry Christmas for tomorrow everyone!!

- -- James
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFjb22wBHpdJO7b9ERAr3JAKDH4+3ZshxKuL7uIoDpLZ11EdWT1wCgjyp8
X0hJRkjgcg0AcU7u1S2POT0=
=jzTH
-----END PGP SIGNATURE-----
From mike at vesol.com  Sun Dec 24 02:17:22 2006
From: mike at vesol.com (Mike Kercher)
Date: Sun Dec 24 01:19:52 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <C741135C-C68C-4C0B-8E9E-4AB219A1FA97@gray.net.au>
Message-ID: <EAE39E9E242F774099806D1052118953370BA9@samba2003.home.middlefinger.net>

mailscanner-bounces@lists.mailscanner.info <> scribbled on :

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> On 23/12/2006, at 4:42 PM, James Gray wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> Hi All,
>> 
>> This is slightly off topic, but I figured it was a good
> place to ask.
>> What RBL's are people using on their MTA?  I'm currently driving a
>> number of Postfix boxes so far have all the RBL's in
> SpamAssassin, but
>> would really prefer to block some of the rubbish before it
> gets that
>> far.
>> 
>> What RBL's have people had success with? More importantly,
> which ones
>> should I avoid?
> 
> Thanks to all that responded.  I've started with spamhaus and dsbl.
> I'll see if they are sufficient before adding more.  My logs
> are already busy enough without trying to track half a dozen
> RBL's too :P
> 
> Merry Christmas for tomorrow everyone!!
> 

Might I suggest zen.spamhaus.org

http://www.spamhaus.org/zen/

Mike
From mailscanner at barendse.to  Sun Dec 24 16:43:40 2006
From: mailscanner at barendse.to (Remco Barendse)
Date: Sun Dec 24 15:44:10 2006
Subject: Why doesn't DCC help against image spam?
Message-ID: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>

Now that ORDB is down my mailscanner is not filtering any spam anymore, i 
might as well disable it.

But out of curiosity, why doesn't DCC work for the image spam?

A checksum should be reasonably effective against the image spam i think? 
Assuming that they are not dynamically building each picture a bit 
differently for each e-mail that is sent?
From glenn.steen at gmail.com  Mon Dec 25 16:04:58 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec 25 15:05:29 2006
Subject: List Outage
In-Reply-To: <1166870365.7366.13.camel@localhost>
References: <1166870365.7366.13.camel@localhost>
Message-ID: <223f97700612250704l563019b3x2e008755e1848603@mail.gmail.com>

On 23/12/06, Paul Kelly :: Blacknight <paul@blacknight.ie> wrote:
> Hi All,
>
> We lost the box the MS list was on yesterday. I've been beavering away
> to get it back and as most mail will be queued it should get through
> eventually as dns servers catch up on the dns change.
>
> The last sync of the archives was Tuesday so we've lost a couple of
> days, I do apologise for this. I need to check with one of our other
> admins where he had the backups going to. he was syncing mailmans setup
> hourly from the original box.
>
> Hopefully this won't happen again.
>
> I would like to take this opportunity to wish you all a merry Christmas
> and a happy New Year!

Same to you Paul.
Have a julsnaps or two... Will give a ... better ... perspective on
the ... mishap;)

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Mon Dec 25 16:12:56 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Dec 25 15:13:27 2006
Subject: Work Dir is not cleaned up
In-Reply-To: <458BEF72.2090708@bueker.net>
References: <458796F7.5010901@bueker.net>
	<223f97700612190122rbb0ed69j3dcb85354d5167a8@mail.gmail.com>
	<458BEF72.2090708@bueker.net>
Message-ID: <223f97700612250712p6e013a5p169a73e8d853bd23@mail.gmail.com>

On 22/12/06, Thorsten B?ker <mailinglists@bueker.net> wrote:
> Dear Glenn,
>
> > Thorsten, stop right there!
> > The piece of language you have above implies that you still use the
> > _unsafe_ and _deprecated_ defer method with Postfix. Please tell me
> > you don't...
>
> ...well, ehm, I did ;-)
> The howto, I used about three years ago, indeed described the setup
> based on two instances of postfix. Thanks for the hint, in the meantime
> I configured the services to make use of the HOLD method.
Good move.

> > This is indeed true, it is an old error. I'm in part guilty for both
> > the introduction (and the fix, along with Spike Cacti, IIRC:-)...
> > Because PF queue IDs aren't "random enough" for SQL logging purposes,
> > I badgered Jules into introducing the .XXXXX randomness... Which broke
> > the cleanup of the work dir. The fix was simply to add in the "." in
> > the match for the cleanup-able stuff.
> > I don't want to go digging it up... It's in the mail list archives;-).
> > You really should abandon that old MS version and go with a newer
> > one... Either by using the tarball install, or going unstable, or
> > switching OS/distro completely. Debian stable is just too moldy when
> > it comes to this.
>
> Hoping for an upcoming release of Etch I'm going to keep the old version
> of MailScanner, at least for some weeks. But in case the release gets
> delayed, I might try to backport the current Debian sources to Sarge.

Well, by the time it comes out as stable... It'll not be that "fresh"... Sigh.
What you could do, if you have a spare box to play with, is to try out
the source tarball install (who are we kidding here... It's perl....
It's always source:-)... Will install into a "more monolithic"
/opt/MailScanner, but apart from that doesn't differ _that_ much from
the other packages of MailScanner. And perhaps try out Jules Clam+SA
package too. If you do that, it is simply two packages that you manage
"outside" the distribution (well, and the perl modules they depend
on:-). The source tarball is the one for Solaris/etc/etc on the
download page.

> kind regards, thanks again,
Glad to be of help.

>    Thorsten
Merry X-mas!
Cheers!
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From arturs at netvision.net.il  Tue Dec 26 10:25:02 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Tue Dec 26 09:28:59 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <Pine.LNX.4.64.0612232123320.25764@ebfjryy.nhfvpf.arg>
Message-ID: <015601c728cf$bbeed000$3701a8c0@lapxp>

> Beware the people attacking spamcop, many of them dont like 
> the way that 
> if their users send to one of spamcops "traps" they will 
> block you, which 
> is fair enough, as the trap addresses are not real and not advertised.


The only problem with Spamcop was blocking hermes.apache.org, which holds
SpamAssassin ML.
Besides that, it is very good.


Best,

--
Arthur Sherman

+972-52-4878851
CPTeam  

From res at ausics.net  Tue Dec 26 11:00:52 2006
From: res at ausics.net (Res)
Date: Tue Dec 26 10:01:33 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <015601c728cf$bbeed000$3701a8c0@lapxp>
References: <015601c728cf$bbeed000$3701a8c0@lapxp>
Message-ID: <Pine.LNX.4.64.0612261947310.9122@ebfjryy.nhfvpf.arg>

On Tue, 26 Dec 2006, Arthur Sherman wrote:

>> Beware the people attacking spamcop, many of them dont like
>> the way that
>> if their users send to one of spamcops "traps" they will
>> block you, which
>> is fair enough, as the trap addresses are not real and not advertised.
>
>
> The only problem with Spamcop was blocking hermes.apache.org, which holds
> SpamAssassin ML.
> Besides that, it is very good.
>

That was ages ago, and since there is more talk on this list about SA
then there is MS does it really matter if SA list is blocked :)

Every RBL has listed a list server at some time, not like its the end of 
the world. Even spamhaus has taken out an industry list server 
(hosted by jupiter media), spamcop has had em, as has sorbs, nothing is 
immune when you have stupid idiot users of those lists.


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From arturs at netvision.net.il  Tue Dec 26 15:19:23 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Tue Dec 26 14:23:29 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <Pine.LNX.4.64.0612261947310.9122@ebfjryy.nhfvpf.arg>
Message-ID: <015f01c728f8$dd7e7080$3701a8c0@lapxp>

> That was ages ago, and since there is more talk on this list about SA
> then there is MS does it really matter if SA list is blocked :)

This was twice during December.
And if I use SA as a 'plugin' for MS, then yes, it does matter.

> Every RBL has listed a list server at some time, not like its 
> the end of 
> the world. Even spamhaus has taken out an industry list server 
> (hosted by jupiter media), spamcop has had em, as has sorbs, 
> nothing is 
> immune when you have stupid idiot users of those lists.

Quite agree.


Best,

--
Arthur Sherman

+972-52-4878851
CPTeam  

From naolson at gmail.com  Tue Dec 26 15:43:35 2006
From: naolson at gmail.com (Nathan Olson)
Date: Tue Dec 26 14:44:10 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <015f01c728f8$dd7e7080$3701a8c0@lapxp>
References: <Pine.LNX.4.64.0612261947310.9122@ebfjryy.nhfvpf.arg>
	<015f01c728f8$dd7e7080$3701a8c0@lapxp>
Message-ID: <8f54b4330612260643x54d56d67td6010c6b4eb1193d@mail.gmail.com>

I use the attached script to help determine which
RBLs to move from SA to sendmail.

You may have to adjust the _THRESHOLD variables.

./rbl.pl maillog

Nate
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rbl.pl
Type: application/x-perl
Size: 1509 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061226/db9ef9cd/rbl.bin
From ssilva at sgvwater.com  Tue Dec 26 17:15:38 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 26 16:18:36 2006
Subject: List Outage
In-Reply-To: <1166870365.7366.13.camel@localhost>
References: <1166870365.7366.13.camel@localhost>
Message-ID: <emrhv3$v4d$1@sea.gmane.org>

Paul Kelly :: Blacknight spake the following on 12/23/2006 2:39 AM:
> Hi All,
> 
> We lost the box the MS list was on yesterday. I've been beavering away
> to get it back and as most mail will be queued it should get through
> eventually as dns servers catch up on the dns change.
> 
> The last sync of the archives was Tuesday so we've lost a couple of
> days, I do apologise for this. I need to check with one of our other
> admins where he had the backups going to. he was syncing mailmans setup
> hourly from the original box.
> 
> Hopefully this won't happen again.
> 
> I would like to take this opportunity to wish you all a merry Christmas
> and a happy New Year!
> 
> Regards, 
> 
> Paul
> 
You could always get anything missing from one of the archives like gmane if
you really NEED to have it.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com  Tue Dec 26 17:21:51 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 26 16:24:55 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
References: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
Message-ID: <emriao$2ka$1@sea.gmane.org>

James Gray spake the following on 12/22/2006 9:42 PM:
> Hi All,
> 
> This is slightly off topic, but I figured it was a good place to ask. 
> What RBL's are people using on their MTA?  I'm currently driving a
> number of Postfix boxes so far have all the RBL's in SpamAssassin, but
> would really prefer to block some of the rubbish before it gets that far.
> 
> What RBL's have people had success with? More importantly, which ones
> should I avoid?
> 
> Cheers,
> 
> James
Since you have been using them in spamassassin, you could look through your
logs and see how the different lists are hitting. I am using zen.spamhaus.org
and combined.njabl.org, although the latter doesn't hit much because most of
the junk has already been rejected by zen. If your logs don't show FP's on a
list, you would be safe to put it in the MTA.
-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com  Tue Dec 26 17:40:51 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 26 16:45:38 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>
Message-ID: <emrjec$587$1@sea.gmane.org>

Remco Barendse spake the following on 12/24/2006 7:43 AM:
> Now that ORDB is down my mailscanner is not filtering any spam anymore,
> i might as well disable it.
> 
> But out of curiosity, why doesn't DCC work for the image spam?
> 
> A checksum should be reasonably effective against the image spam i
> think? Assuming that they are not dynamically building each picture a
> bit differently for each e-mail that is sent?
But that could be what they are doing. Spammers are like cockroaches. They
adapt very quickly, and after they mass-fire their crap, they change up a bit,
and reload for the next salvo.

It's war, and we are always on the defense.


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mkettler at evi-inc.com  Tue Dec 26 17:56:02 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Dec 26 16:56:50 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>
Message-ID: <45915422.5010906@evi-inc.com>

Remco Barendse wrote:
> Now that ORDB is down my mailscanner is not filtering any spam anymore,
> i might as well disable it.
> 
> But out of curiosity, why doesn't DCC work for the image spam?
> 
> A checksum should be reasonably effective against the image spam i
> think? Assuming that they are not dynamically building each picture a
> bit differently for each e-mail that is sent?

They are dynamically building a different image for each email. Behold the power
of botnets. A typical infected home-user PC has by far more spare CPU time than
it does upstream bandwidth.

As best I can tell, the original message is sent to the clients in HTML or some
other marked-up text format. The clients then render it, and at least the
following things can be randomized per-message:

Font size
Word-wrap boundary
Exact shade for various text colors (slightly darker or lighter than called for)
"stipple dots"
stipple blotches (with option to force them only to the edges of the image)
small vertical offsets per-character (creates the "wavy line" text)
geometric shapes laid over background.
stripes laid over the background

The last 3 are primarily used as anti-OCR features, but they also add randomness.


From glenn.steen at gmail.com  Tue Dec 26 17:58:27 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 26 16:59:02 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <emrjec$587$1@sea.gmane.org>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>
	<emrjec$587$1@sea.gmane.org>
Message-ID: <223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>

On 26/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> Remco Barendse spake the following on 12/24/2006 7:43 AM:
> > Now that ORDB is down my mailscanner is not filtering any spam anymore,
> > i might as well disable it.
> >
> > But out of curiosity, why doesn't DCC work for the image spam?
> >
> > A checksum should be reasonably effective against the image spam i
> > think? Assuming that they are not dynamically building each picture a
> > bit differently for each e-mail that is sent?
> But that could be what they are doing. Spammers are like cockroaches. They
> adapt very quickly, and after they mass-fire their crap, they change up a bit,
> and reload for the next salvo.
>
> It's war, and we are always on the defense.
Depressing but true... I think I'll have another Julsnaps... To
enliven my defenses... (If the snaps fails to do that.... well, at
least I'll be having more fun...:-)

Seriously though, I think the only real effective defenses (on my
sysytems at least) against image-based spam has been a combination of
the digests (yes, they do take _some_ of it), RFC "strictness" checks
(in PF) and ImageInfo (and some TVD rules picked up by an sa-update).
When these fail I'll be going for FuzzyOcr (have just tested this so
far, but ... it really needs muscle that the production boxes lack).
Or someone really clever will have found another method:-).

Ceers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ka at pacific.net  Tue Dec 26 18:19:58 2006
From: ka at pacific.net (Ken A)
Date: Tue Dec 26 17:17:34 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>	<emrjec$587$1@sea.gmane.org>
	<223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>
Message-ID: <459159BE.3010200@pacific.net>



Glenn Steen wrote:
> On 26/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>> Remco Barendse spake the following on 12/24/2006 7:43 AM:
>> > Now that ORDB is down my mailscanner is not filtering any spam anymore,
>> > i might as well disable it.
>> >
>> > But out of curiosity, why doesn't DCC work for the image spam?
>> >
>> > A checksum should be reasonably effective against the image spam i
>> > think? Assuming that they are not dynamically building each picture a
>> > bit differently for each e-mail that is sent?
>> But that could be what they are doing. Spammers are like cockroaches. 
>> They
>> adapt very quickly, and after they mass-fire their crap, they change 
>> up a bit,
>> and reload for the next salvo.
>>
>> It's war, and we are always on the defense.
> Depressing but true... I think I'll have another Julsnaps... To
> enliven my defenses... (If the snaps fails to do that.... well, at
> least I'll be having more fun...:-)
> 
> Seriously though, I think the only real effective defenses (on my
> sysytems at least) against image-based spam has been a combination of
> the digests (yes, they do take _some_ of it), RFC "strictness" checks
> (in PF) and ImageInfo (and some TVD rules picked up by an sa-update).
> When these fail I'll be going for FuzzyOcr (have just tested this so
> far, but ... it really needs muscle that the production boxes lack).
> Or someone really clever will have found another method:-).

FuzzyOCR runs by default with a low priority (runs as last SA test), so 
it only run when the SA score (so far) is > $X, so set that to your low 
threshold, and FuzzyOCR only runs on spam that hasn't been tagged yet. 
Works quite well, and doesn't take all that much cpu, since > 70% of the 
image spam is caught by the other methods.
Ken A.
Pacific.Net

> Ceers
From glenn.steen at gmail.com  Tue Dec 26 18:26:11 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 26 17:26:47 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <459159BE.3010200@pacific.net>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>
	<emrjec$587$1@sea.gmane.org>
	<223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>
	<459159BE.3010200@pacific.net>
Message-ID: <223f97700612260926s7a2c51dcm50c108d7e5da6502@mail.gmail.com>

On 26/12/06, Ken A <ka@pacific.net> wrote:
>
>
> Glenn Steen wrote:
> > On 26/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> >> Remco Barendse spake the following on 12/24/2006 7:43 AM:
> >> > Now that ORDB is down my mailscanner is not filtering any spam anymore,
> >> > i might as well disable it.
> >> >
> >> > But out of curiosity, why doesn't DCC work for the image spam?
> >> >
> >> > A checksum should be reasonably effective against the image spam i
> >> > think? Assuming that they are not dynamically building each picture a
> >> > bit differently for each e-mail that is sent?
> >> But that could be what they are doing. Spammers are like cockroaches.
> >> They
> >> adapt very quickly, and after they mass-fire their crap, they change
> >> up a bit,
> >> and reload for the next salvo.
> >>
> >> It's war, and we are always on the defense.
> > Depressing but true... I think I'll have another Julsnaps... To
> > enliven my defenses... (If the snaps fails to do that.... well, at
> > least I'll be having more fun...:-)
> >
> > Seriously though, I think the only real effective defenses (on my
> > sysytems at least) against image-based spam has been a combination of
> > the digests (yes, they do take _some_ of it), RFC "strictness" checks
> > (in PF) and ImageInfo (and some TVD rules picked up by an sa-update).
> > When these fail I'll be going for FuzzyOcr (have just tested this so
> > far, but ... it really needs muscle that the production boxes lack).
> > Or someone really clever will have found another method:-).
>
> FuzzyOCR runs by default with a low priority (runs as last SA test), so
> it only run when the SA score (so far) is > $X, so set that to your low
> threshold, and FuzzyOCR only runs on spam that hasn't been tagged yet.
> Works quite well, and doesn't take all that much cpu, since > 70% of the
> image spam is caught by the other methods.
True enough... When I've been testing I haven't been taking that into
consideration (looking at "synthetic" situations can blind one to
things:-). Will likely implement it in production some time early next
year then. Thanks Ken.

> > Ceers
Hm, perhaps I should take it easy with that Snaps:-). Or not....
Cheers,
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ssilva at sgvwater.com  Tue Dec 26 18:30:16 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 26 17:33:09 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>	<emrjec$587$1@sea.gmane.org>
	<223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>
Message-ID: <emrmb1$co3$1@sea.gmane.org>

Glenn Steen spake the following on 12/26/2006 8:58 AM:
> On 26/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>> Remco Barendse spake the following on 12/24/2006 7:43 AM:
>> > Now that ORDB is down my mailscanner is not filtering any spam anymore,
>> > i might as well disable it.
>> >
>> > But out of curiosity, why doesn't DCC work for the image spam?
>> >
>> > A checksum should be reasonably effective against the image spam i
>> > think? Assuming that they are not dynamically building each picture a
>> > bit differently for each e-mail that is sent?
>> But that could be what they are doing. Spammers are like cockroaches.
>> They
>> adapt very quickly, and after they mass-fire their crap, they change
>> up a bit,
>> and reload for the next salvo.
>>
>> It's war, and we are always on the defense.
> Depressing but true... I think I'll have another Julsnaps... To
> enliven my defenses... (If the snaps fails to do that.... well, at
> least I'll be having more fun...:-)
> 
> Seriously though, I think the only real effective defenses (on my
> sysytems at least) against image-based spam has been a combination of
> the digests (yes, they do take _some_ of it), RFC "strictness" checks
> (in PF) and ImageInfo (and some TVD rules picked up by an sa-update).
> When these fail I'll be going for FuzzyOcr (have just tested this so
> far, but ... it really needs muscle that the production boxes lack).
> Or someone really clever will have found another method:-).
> 
> Ceers
Since I have to work, have a Julsnaps for me!

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ylacan at teicam.com  Tue Dec 26 18:37:09 2006
From: ylacan at teicam.com (Youri LACAN-BARTLEY)
Date: Tue Dec 26 17:37:56 2006
Subject: Recommended RBL's on MTA?
In-Reply-To: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
References: <EE2E1E6A-4804-4C6B-AADA-466658DFCDF1@gray.net.au>
Message-ID: <45915DC5.6070305@teicam.com>

James Gray wrote:
> Hi All,
> 
> This is slightly off topic, but I figured it was a good place to ask. 
> What RBL's are people using on their MTA?  I'm currently driving a
> number of Postfix boxes so far have all the RBL's in SpamAssassin, but
> would really prefer to block some of the rubbish before it gets that far.
> 
> What RBL's have people had success with? More importantly, which ones
> should I avoid?

Hi there, I personally use the following with Postfix and haven't had
any false positives whatsoever:

	zen.spamhaus.org
        dul.dnsbl.sorbs.net
        list.dsbl.org

Obviously, the most efficient one is the spamhaus DNSBL which catches
around 80% of the total blocked messages.

I've had issues with spamcop and abuseat.org at MTA level, steer clear
of them.

Good luck


> 
> Cheers,
> 
> James
--MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
From ka at pacific.net  Tue Dec 26 18:50:24 2006
From: ka at pacific.net (Ken A)
Date: Tue Dec 26 17:48:01 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <emrmb1$co3$1@sea.gmane.org>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>	<emrjec$587$1@sea.gmane.org>	<223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>
	<emrmb1$co3$1@sea.gmane.org>
Message-ID: <459160E0.9090306@pacific.net>



Scott Silva wrote:
> Glenn Steen spake the following on 12/26/2006 8:58 AM:
>> On 26/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>>> Remco Barendse spake the following on 12/24/2006 7:43 AM:
>>>> Now that ORDB is down my mailscanner is not filtering any spam anymore,
>>>> i might as well disable it.
>>>>
>>>> But out of curiosity, why doesn't DCC work for the image spam?
>>>>
>>>> A checksum should be reasonably effective against the image spam i
>>>> think? Assuming that they are not dynamically building each picture a
>>>> bit differently for each e-mail that is sent?
>>> But that could be what they are doing. Spammers are like cockroaches.
>>> They
>>> adapt very quickly, and after they mass-fire their crap, they change
>>> up a bit,
>>> and reload for the next salvo.
>>>
>>> It's war, and we are always on the defense.
>> Depressing but true... I think I'll have another Julsnaps... To
>> enliven my defenses... (If the snaps fails to do that.... well, at
>> least I'll be having more fun...:-)
>>
>> Seriously though, I think the only real effective defenses (on my
>> sysytems at least) against image-based spam has been a combination of
>> the digests (yes, they do take _some_ of it), RFC "strictness" checks
>> (in PF) and ImageInfo (and some TVD rules picked up by an sa-update).
>> When these fail I'll be going for FuzzyOcr (have just tested this so
>> far, but ... it really needs muscle that the production boxes lack).
>> Or someone really clever will have found another method:-).
>>
>> Ceers
> Since I have to work, have a Julsnaps for me!
> 

"What's in a Julsnaps?", said the curious fellow in California?
I can't have one unless I know how to make it!
:-)
Ken A
Pacific.Net
From ssilva at sgvwater.com  Tue Dec 26 19:27:10 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 26 18:30:11 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <459160E0.9090306@pacific.net>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>	<emrjec$587$1@sea.gmane.org>	<223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>	<emrmb1$co3$1@sea.gmane.org>
	<459160E0.9090306@pacific.net>
Message-ID: <emrplo$muu$1@sea.gmane.org>

Ken A spake the following on 12/26/2006 9:50 AM:
> 
> 
> Scott Silva wrote:
>> Glenn Steen spake the following on 12/26/2006 8:58 AM:
>>> On 26/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>>>> Remco Barendse spake the following on 12/24/2006 7:43 AM:
>>>>> Now that ORDB is down my mailscanner is not filtering any spam
>>>>> anymore,
>>>>> i might as well disable it.
>>>>>
>>>>> But out of curiosity, why doesn't DCC work for the image spam?
>>>>>
>>>>> A checksum should be reasonably effective against the image spam i
>>>>> think? Assuming that they are not dynamically building each picture a
>>>>> bit differently for each e-mail that is sent?
>>>> But that could be what they are doing. Spammers are like cockroaches.
>>>> They
>>>> adapt very quickly, and after they mass-fire their crap, they change
>>>> up a bit,
>>>> and reload for the next salvo.
>>>>
>>>> It's war, and we are always on the defense.
>>> Depressing but true... I think I'll have another Julsnaps... To
>>> enliven my defenses... (If the snaps fails to do that.... well, at
>>> least I'll be having more fun...:-)
>>>
>>> Seriously though, I think the only real effective defenses (on my
>>> sysytems at least) against image-based spam has been a combination of
>>> the digests (yes, they do take _some_ of it), RFC "strictness" checks
>>> (in PF) and ImageInfo (and some TVD rules picked up by an sa-update).
>>> When these fail I'll be going for FuzzyOcr (have just tested this so
>>> far, but ... it really needs muscle that the production boxes lack).
>>> Or someone really clever will have found another method:-).
>>>
>>> Ceers
>> Since I have to work, have a Julsnaps for me!
>>
> 
> "What's in a Julsnaps?", said the curious fellow in California?
> I can't have one unless I know how to make it!
> :-)
> Ken A
> Pacific.Net
Glenn could answer this better, but it is an herbal liquor found in the Nordic
regions of europe. It is usually served as close to frozen as you can get any
form of alcohol. It has a distinct kind of nutty-fruity taste, and seems to
have a fairly high alcohol content. I haven't had it for more than 20 years,
but I still remember it. And I have not had anything like it since.

So since you can't "make" it, you might be able to find some in a place like
Bevmo in California. Some variations are called akvavit, but if I remember
correctly, Julesnaps is a variety served around the christmas holidays.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com  Tue Dec 26 19:40:08 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Dec 26 18:43:01 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <emrplo$muu$1@sea.gmane.org>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>	<emrjec$587$1@sea.gmane.org>	<223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>	<emrmb1$co3$1@sea.gmane.org>	<459160E0.9090306@pacific.net>
	<emrplo$muu$1@sea.gmane.org>
Message-ID: <emrqe1$p2a$1@sea.gmane.org>

Scott Silva spake the following on 12/26/2006 10:27 AM:
> Ken A spake the following on 12/26/2006 9:50 AM:
>>
>> Scott Silva wrote:
>>> Glenn Steen spake the following on 12/26/2006 8:58 AM:
>>>> On 26/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>>>>> Remco Barendse spake the following on 12/24/2006 7:43 AM:
>>>>>> Now that ORDB is down my mailscanner is not filtering any spam
>>>>>> anymore,
>>>>>> i might as well disable it.
>>>>>>
>>>>>> But out of curiosity, why doesn't DCC work for the image spam?
>>>>>>
>>>>>> A checksum should be reasonably effective against the image spam i
>>>>>> think? Assuming that they are not dynamically building each picture a
>>>>>> bit differently for each e-mail that is sent?
>>>>> But that could be what they are doing. Spammers are like cockroaches.
>>>>> They
>>>>> adapt very quickly, and after they mass-fire their crap, they change
>>>>> up a bit,
>>>>> and reload for the next salvo.
>>>>>
>>>>> It's war, and we are always on the defense.
>>>> Depressing but true... I think I'll have another Julsnaps... To
>>>> enliven my defenses... (If the snaps fails to do that.... well, at
>>>> least I'll be having more fun...:-)
>>>>
>>>> Seriously though, I think the only real effective defenses (on my
>>>> sysytems at least) against image-based spam has been a combination of
>>>> the digests (yes, they do take _some_ of it), RFC "strictness" checks
>>>> (in PF) and ImageInfo (and some TVD rules picked up by an sa-update).
>>>> When these fail I'll be going for FuzzyOcr (have just tested this so
>>>> far, but ... it really needs muscle that the production boxes lack).
>>>> Or someone really clever will have found another method:-).
>>>>
>>>> Ceers
>>> Since I have to work, have a Julsnaps for me!
>>>
>> "What's in a Julsnaps?", said the curious fellow in California?
>> I can't have one unless I know how to make it!
>> :-)
>> Ken A
>> Pacific.Net
> Glenn could answer this better, but it is an herbal liquor found in the Nordic
> regions of europe. It is usually served as close to frozen as you can get any
> form of alcohol. It has a distinct kind of nutty-fruity taste, and seems to
> have a fairly high alcohol content. I haven't had it for more than 20 years,
> but I still remember it. And I have not had anything like it since.
> 
> So since you can't "make" it, you might be able to find some in a place like
> Bevmo in California. Some variations are called akvavit, but if I remember
> correctly, Julesnaps is a variety served around the christmas holidays.
> 
Sorry -- meant to send that off-list.


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From glenn.steen at gmail.com  Tue Dec 26 21:35:16 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Dec 26 20:35:54 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <emrqe1$p2a$1@sea.gmane.org>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>
	<emrjec$587$1@sea.gmane.org>
	<223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>
	<emrmb1$co3$1@sea.gmane.org> <459160E0.9090306@pacific.net>
	<emrplo$muu$1@sea.gmane.org> <emrqe1$p2a$1@sea.gmane.org>
Message-ID: <223f97700612261235m60a7d3es10a55d50935e9e6b@mail.gmail.com>

On 26/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> Scott Silva spake the following on 12/26/2006 10:27 AM:
> > Ken A spake the following on 12/26/2006 9:50 AM:
> >>
> >> Scott Silva wrote:
> >>> Glenn Steen spake the following on 12/26/2006 8:58 AM:
> >>>> On 26/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> >>>>> Remco Barendse spake the following on 12/24/2006 7:43 AM:
> >>>>>> Now that ORDB is down my mailscanner is not filtering any spam
> >>>>>> anymore,
> >>>>>> i might as well disable it.
> >>>>>>
> >>>>>> But out of curiosity, why doesn't DCC work for the image spam?
> >>>>>>
> >>>>>> A checksum should be reasonably effective against the image spam i
> >>>>>> think? Assuming that they are not dynamically building each picture a
> >>>>>> bit differently for each e-mail that is sent?
> >>>>> But that could be what they are doing. Spammers are like cockroaches.
> >>>>> They
> >>>>> adapt very quickly, and after they mass-fire their crap, they change
> >>>>> up a bit,
> >>>>> and reload for the next salvo.
> >>>>>
> >>>>> It's war, and we are always on the defense.
> >>>> Depressing but true... I think I'll have another Julsnaps... To
> >>>> enliven my defenses... (If the snaps fails to do that.... well, at
> >>>> least I'll be having more fun...:-)
> >>>>
> >>>> Seriously though, I think the only real effective defenses (on my
> >>>> sysytems at least) against image-based spam has been a combination of
> >>>> the digests (yes, they do take _some_ of it), RFC "strictness" checks
> >>>> (in PF) and ImageInfo (and some TVD rules picked up by an sa-update).
> >>>> When these fail I'll be going for FuzzyOcr (have just tested this so
> >>>> far, but ... it really needs muscle that the production boxes lack).
> >>>> Or someone really clever will have found another method:-).
> >>>>
> >>>> Ceers
> >>> Since I have to work, have a Julsnaps for me!
> >>>
> >> "What's in a Julsnaps?", said the curious fellow in California?
> >> I can't have one unless I know how to make it!
> >> :-)
> >> Ken A
> >> Pacific.Net
> > Glenn could answer this better, but it is an herbal liquor found in the Nordic
> > regions of europe. It is usually served as close to frozen as you can get any
> > form of alcohol. It has a distinct kind of nutty-fruity taste, and seems to
> > have a fairly high alcohol content. I haven't had it for more than 20 years,
> > but I still remember it. And I have not had anything like it since.
> >
> > So since you can't "make" it, you might be able to find some in a place like
> > Bevmo in California. Some variations are called akvavit, but if I remember
> > correctly, Julesnaps is a variety served around the christmas holidays.
> >
> Sorry -- meant to send that off-list.
Well, off-topic, but basically correct.... Not that bad a performance Scott;-).

Actually, you can very well make your own... Get some basically
flavourless alcohol (vodka style ... Absolut, if you can't get Renat
or Br?nnvin Special or somesuch), put in the herbs/flavourings you
like, steep for a few weeks (time depends on the herbs), strain it (my
"cooking english" is even worse than my usual... "Remove all solid
parts from the fluid"), coll it to about 4 degrees celsius (you _can_
serve it warmer... but 4-8 degrees is best), serve in small vessels
... about 4-8 centiliters. Down them whole, or in quarter increments,
preferably to pickeled herring(!), but should go well as a side drink
to any food.
Fennel and anis are common flavourings, but... you can experiment:-D.

If you're looking for the treat Scott is talking about it's probably
Aalborgs Juleakvavit (made in Denmark), a very richly flavoured
akvavit. One of my personal favourites... Then again, I like most of
them (whether made in Denmark, Norway or Sweden:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ka at pacific.net  Wed Dec 27 00:06:33 2006
From: ka at pacific.net (Ken A)
Date: Tue Dec 26 23:04:11 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <223f97700612261235m60a7d3es10a55d50935e9e6b@mail.gmail.com>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>	<emrjec$587$1@sea.gmane.org>	<223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>	<emrmb1$co3$1@sea.gmane.org>
	<459160E0.9090306@pacific.net>	<emrplo$muu$1@sea.gmane.org>
	<emrqe1$p2a$1@sea.gmane.org>
	<223f97700612261235m60a7d3es10a55d50935e9e6b@mail.gmail.com>
Message-ID: <4591AAF9.7000504@pacific.net>



Glenn Steen wrote:
> On 26/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>> Scott Silva spake the following on 12/26/2006 10:27 AM:
>> > Ken A spake the following on 12/26/2006 9:50 AM:
>> >>
>> >> Scott Silva wrote:
>> >>> Glenn Steen spake the following on 12/26/2006 8:58 AM:
>> >>>> On 26/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>> >>>>> Remco Barendse spake the following on 12/24/2006 7:43 AM:
>> >>>>>> Now that ORDB is down my mailscanner is not filtering any spam
>> >>>>>> anymore,
>> >>>>>> i might as well disable it.
>> >>>>>>
>> >>>>>> But out of curiosity, why doesn't DCC work for the image spam?
>> >>>>>>
>> >>>>>> A checksum should be reasonably effective against the image spam i
>> >>>>>> think? Assuming that they are not dynamically building each 
>> picture a
>> >>>>>> bit differently for each e-mail that is sent?
>> >>>>> But that could be what they are doing. Spammers are like 
>> cockroaches.
>> >>>>> They
>> >>>>> adapt very quickly, and after they mass-fire their crap, they 
>> change
>> >>>>> up a bit,
>> >>>>> and reload for the next salvo.
>> >>>>>
>> >>>>> It's war, and we are always on the defense.
>> >>>> Depressing but true... I think I'll have another Julsnaps... To
>> >>>> enliven my defenses... (If the snaps fails to do that.... well, at
>> >>>> least I'll be having more fun...:-)
>> >>>>
>> >>>> Seriously though, I think the only real effective defenses (on my
>> >>>> sysytems at least) against image-based spam has been a 
>> combination of
>> >>>> the digests (yes, they do take _some_ of it), RFC "strictness" 
>> checks
>> >>>> (in PF) and ImageInfo (and some TVD rules picked up by an 
>> sa-update).
>> >>>> When these fail I'll be going for FuzzyOcr (have just tested this so
>> >>>> far, but ... it really needs muscle that the production boxes lack).
>> >>>> Or someone really clever will have found another method:-).
>> >>>>
>> >>>> Ceers
>> >>> Since I have to work, have a Julsnaps for me!
>> >>>
>> >> "What's in a Julsnaps?", said the curious fellow in California?
>> >> I can't have one unless I know how to make it!
>> >> :-)
>> >> Ken A
>> >> Pacific.Net
>> > Glenn could answer this better, but it is an herbal liquor found in 
>> the Nordic
>> > regions of europe. It is usually served as close to frozen as you 
>> can get any
>> > form of alcohol. It has a distinct kind of nutty-fruity taste, and 
>> seems to
>> > have a fairly high alcohol content. I haven't had it for more than 
>> 20 years,
>> > but I still remember it. And I have not had anything like it since.
>> >
>> > So since you can't "make" it, you might be able to find some in a 
>> place like
>> > Bevmo in California. Some variations are called akvavit, but if I 
>> remember
>> > correctly, Julesnaps is a variety served around the christmas holidays.
>> >
>> Sorry -- meant to send that off-list.
> Well, off-topic, but basically correct.... Not that bad a performance 
> Scott;-).

Yep, bevmo was the ticket.
http://www.bevmo.com/productinfo.asp?sku=00000001131
How do you make Julesnaps seems to be like asking someone what your 
favorite eggnog recipe is. ;-)
Thanks,
Ken A.
Pacific.Net


> Actually, you can very well make your own... Get some basically
> flavourless alcohol (vodka style ... Absolut, if you can't get Renat
> or Br?nnvin Special or somesuch), put in the herbs/flavourings you
> like, steep for a few weeks (time depends on the herbs), strain it (my
> "cooking english" is even worse than my usual... "Remove all solid
> parts from the fluid"), coll it to about 4 degrees celsius (you _can_
> serve it warmer... but 4-8 degrees is best), serve in small vessels
> ... about 4-8 centiliters. Down them whole, or in quarter increments,
> preferably to pickeled herring(!), but should go well as a side drink
> to any food.
> Fennel and anis are common flavourings, but... you can experiment:-D.
> 
> If you're looking for the treat Scott is talking about it's probably
> Aalborgs Juleakvavit (made in Denmark), a very richly flavoured
> akvavit. One of my personal favourites... Then again, I like most of
> them (whether made in Denmark, Norway or Sweden:-).
> 
> Cheers

From pete at enitech.com.au  Wed Dec 27 03:17:04 2006
From: pete at enitech.com.au (Pete Russell)
Date: Wed Dec 27 02:17:47 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <223f97700612260926s7a2c51dcm50c108d7e5da6502@mail.gmail.com>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>	<emrjec$587$1@sea.gmane.org>	<223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>	<459159BE.3010200@pacific.net>
	<223f97700612260926s7a2c51dcm50c108d7e5da6502@mail.gmail.com>
Message-ID: <4591D7A0.8010803@enitech.com.au>



Glenn Steen wrote:
> On 26/12/06, Ken A <ka@pacific.net> wrote:
>>
>>
>> Glenn Steen wrote:
>> > On 26/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>> >> Remco Barendse spake the following on 12/24/2006 7:43 AM:
>> >> > Now that ORDB is down my mailscanner is not filtering any spam 
>> anymore,
>> >> > i might as well disable it.
>> >> >
>> >> > But out of curiosity, why doesn't DCC work for the image spam?
>> >> >
>> >> > A checksum should be reasonably effective against the image spam i
>> >> > think? Assuming that they are not dynamically building each 
>> picture a
>> >> > bit differently for each e-mail that is sent?
>> >> But that could be what they are doing. Spammers are like cockroaches.
>> >> They
>> >> adapt very quickly, and after they mass-fire their crap, they change
>> >> up a bit,
>> >> and reload for the next salvo.
>> >>
>> >> It's war, and we are always on the defense.
>> > Depressing but true... I think I'll have another Julsnaps... To
>> > enliven my defenses... (If the snaps fails to do that.... well, at
>> > least I'll be having more fun...:-)
>> >
>> > Seriously though, I think the only real effective defenses (on my
>> > sysytems at least) against image-based spam has been a combination of
>> > the digests (yes, they do take _some_ of it), RFC "strictness" checks
>> > (in PF) and ImageInfo (and some TVD rules picked up by an sa-update).
>> > When these fail I'll be going for FuzzyOcr (have just tested this so
>> > far, but ... it really needs muscle that the production boxes lack).
>> > Or someone really clever will have found another method:-).
>>
>> FuzzyOCR runs by default with a low priority (runs as last SA test), so
>> it only run when the SA score (so far) is > $X, so set that to your low
>> threshold, and FuzzyOCR only runs on spam that hasn't been tagged yet.
>> Works quite well, and doesn't take all that much cpu, since > 70% of the
>> image spam is caught by the other methods.
> True enough... When I've been testing I haven't been taking that into
> consideration (looking at "synthetic" situations can blind one to
> things:-). Will likely implement it in production some time early next
> year then. Thanks Ken.

Should one use imageinfo OR FuzzyOCR, or both together?
From mkettler at evi-inc.com  Wed Dec 27 17:21:47 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Dec 27 16:22:34 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <4591D7A0.8010803@enitech.com.au>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>	<emrjec$587$1@sea.gmane.org>	<223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>	<459159BE.3010200@pacific.net>	<223f97700612260926s7a2c51dcm50c108d7e5da6502@mail.gmail.com>
	<4591D7A0.8010803@enitech.com.au>
Message-ID: <45929D9B.8050909@evi-inc.com>

Pete Russell wrote:
> 
> 
> Glenn Steen wrote:
>>>
>>> FuzzyOCR runs by default with a low priority (runs as last SA test), so
>>> it only run when the SA score (so far) is > $X, so set that to your low
>>> threshold, and FuzzyOCR only runs on spam that hasn't been tagged yet.
>>> Works quite well, and doesn't take all that much cpu, since > 70% of the
>>> image spam is caught by the other methods.
>> True enough... When I've been testing I haven't been taking that into
>> consideration (looking at "synthetic" situations can blind one to
>> things:-). Will likely implement it in production some time early next
>> year then. Thanks Ken.
> 
> Should one use imageinfo OR FuzzyOCR, or both together?

If you have plenty of CPU cycles to spare, go for both.

imageinfo is pretty lightweight, so anyone should be able to use it unless their
SA box is already overloaded.

FuzzyOCR isn't too bad because of the priority thing, but it is still a
noticeable load. Folks with servers that are already getting to be a little bit
marginal should skip this.

From taz at taz-mania.com  Wed Dec 27 18:52:26 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Wed Dec 27 17:53:06 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <45929D9B.8050909@evi-inc.com>
Message-ID: <web-8957933@namesystems.net>


The only "image" Spam that is currently getting through my filters is 
the "stock scam" images and they are different everytime I see it and 
they are using wavy text, odd colors and mixed fonts, etc... to try 
and fool the OCR scanners.

So, my question would be, how effective are the OCR scanners when the 
Spammers are doing this?

Since I put my new Spam Trap in place I have seen a reduction of this 
Spam getting through. It appears the honeypots are seeing the sources 
of the images first (or close to it) and stopping that source... 
ofcourse they rotate sources through out the day, but the honeypots 
are getting over 2000-3000 new IP address every day. The "hit rate" on 
the now blacklisted source is fairly high.



On Wed, 27 Dec 2006 11:21:47 -0500
  Matt Kettler <mkettler@evi-inc.com> wrote:
>Pete Russell wrote:
>> 
>> 
>> Glenn Steen wrote:
>>>>
>>>> FuzzyOCR runs by default with a low priority (runs as last SA test), 
>>>>so
>>>> it only run when the SA score (so far) is > $X, so set that to your 
>>>>low
>>>> threshold, and FuzzyOCR only runs on spam that hasn't been tagged 
>>>>yet.
>>>> Works quite well, and doesn't take all that much cpu, since > 70% of 
>>>>the
>>>> image spam is caught by the other methods.
>>> True enough... When I've been testing I haven't been taking that 
>>>into
>>> consideration (looking at "synthetic" situations can blind one to
>>> things:-). Will likely implement it in production some time early 
>>>next
>>> year then. Thanks Ken.
>> 
>> Should one use imageinfo OR FuzzyOCR, or both together?
>
>If you have plenty of CPU cycles to spare, go for both.
>
>imageinfo is pretty lightweight, so anyone should be able to use it 
>unless their
>SA box is already overloaded.
>
>FuzzyOCR isn't too bad because of the priority thing, but it is still 
>a
>noticeable load. Folks with servers that are already getting to be a 
>little bit
>marginal should skip this.
>
>-- 
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website! 


--------------------------------------------------
Dennis Willson

taz@taz-mania.com
http://www.taz-mania.com

Ham (Extra Class): ka6lsw
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, 
Gas Blender

Owner: Kepnet Internet Services

Life should not be a journey to the grave with the intention of 
arriving safely in a nice looking and well preserved body, but rather 
to skid in broadside, thoroughly used up, totally worn out, and loudly 
proclaiming, "WOW! WHAT A RIDE!"
From mike at vesol.com  Wed Dec 27 18:58:32 2006
From: mike at vesol.com (Mike Kercher)
Date: Wed Dec 27 18:01:57 2006
Subject: Why doesn't DCC help against image spam?
References: <web-8957933@namesystems.net>
Message-ID: <EAE39E9E242F774099806D1052118953142884@samba2003.home.middlefinger.net>




-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info on behalf of Dennis
Willson
Sent: Wed 12/27/2006 11:52 AM
To: MailScanner discussion
Subject: Re: Why doesn't DCC help against image spam?
 

The only "image" Spam that is currently getting through my filters is 
the "stock scam" images and they are different everytime I see it and 
they are using wavy text, odd colors and mixed fonts, etc... to try 
and fool the OCR scanners.

So, my question would be, how effective are the OCR scanners when the 
Spammers are doing this?

Since I put my new Spam Trap in place I have seen a reduction of this 
Spam getting through. It appears the honeypots are seeing the sources 
of the images first (or close to it) and stopping that source... 
ofcourse they rotate sources through out the day, but the honeypots 
are getting over 2000-3000 new IP address every day. The "hit rate" on 
the now blacklisted source is fairly high.

_____________________________________

What spam trap did you put in place?

Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 3129 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061227/1e74d667/attachment.bin
From taz at taz-mania.com  Wed Dec 27 19:11:16 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Wed Dec 27 18:11:57 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <EAE39E9E242F774099806D1052118953142884@samba2003.home.middlefinger.net>
Message-ID: <web-8957978@namesystems.net>

I wrote my own... It's a milter that allows me to decare specific 
email addresses and even full domains to be honeypot addresses and it 
then collects the IP addresses of the senders and uses them as a 
blacklist.

It can run on the same Sendmail as your normal mail server as it does 
not interfere with non-honeypot email addresses (unless the source IP 
is in the blacklist, then optionally you can reject, discard or allow 
to continue for further processing).

I'm currently working to two extensions... One is a routine that will 
take the list of IP addresses and create a BIND zone file so that the 
blacklist can be shared via a DNSBL. Two is a mailwatch extension to 
manage and monitor the spamtrap and see statistics that it collects.


On Wed, 27 Dec 2006 11:58:32 -0600
  "Mike Kercher" <mike@vesol.com> wrote:
>
>
>
>-----Original Message-----
>From: mailscanner-bounces@lists.mailscanner.info on behalf of Dennis
>Willson
>Sent: Wed 12/27/2006 11:52 AM
>To: MailScanner discussion
>Subject: Re: Why doesn't DCC help against image spam?
>  
>
>The only "image" Spam that is currently getting through my filters is 
>the "stock scam" images and they are different everytime I see it and 
>they are using wavy text, odd colors and mixed fonts, etc... to try 
>and fool the OCR scanners.
>
>So, my question would be, how effective are the OCR scanners when the 
>Spammers are doing this?
>
>Since I put my new Spam Trap in place I have seen a reduction of this 
>Spam getting through. It appears the honeypots are seeing the sources 
>of the images first (or close to it) and stopping that source... 
>ofcourse they rotate sources through out the day, but the honeypots 
>are getting over 2000-3000 new IP address every day. The "hit rate" 
>on 
>the now blacklisted source is fairly high.
>
>_____________________________________
>
>What spam trap did you put in place?
>
>Mike


--------------------------------------------------
Dennis Willson

taz@taz-mania.com
http://www.taz-mania.com

Ham (Extra Class): ka6lsw
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, 
Gas Blender

Owner: Kepnet Internet Services

Life should not be a journey to the grave with the intention of 
arriving safely in a nice looking and well preserved body, but rather 
to skid in broadside, thoroughly used up, totally worn out, and loudly 
proclaiming, "WOW! WHAT A RIDE!"
From mike at vesol.com  Wed Dec 27 19:24:14 2006
From: mike at vesol.com (Mike Kercher)
Date: Wed Dec 27 18:27:40 2006
Subject: Why doesn't DCC help against image spam?
References: <web-8957978@namesystems.net>
Message-ID: <EAE39E9E242F774099806D1052118953142885@samba2003.home.middlefinger.net>




-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info on behalf of Dennis
Willson
Sent: Wed 12/27/2006 12:11 PM
To: MailScanner discussion
Subject: Re: Why doesn't DCC help against image spam?
 
I wrote my own... It's a milter that allows me to decare specific 
email addresses and even full domains to be honeypot addresses and it 
then collects the IP addresses of the senders and uses them as a 
blacklist.

It can run on the same Sendmail as your normal mail server as it does 
not interfere with non-honeypot email addresses (unless the source IP 
is in the blacklist, then optionally you can reject, discard or allow 
to continue for further processing).

I'm currently working to two extensions... One is a routine that will 
take the list of IP addresses and create a BIND zone file so that the 
blacklist can be shared via a DNSBL. Two is a mailwatch extension to 
manage and monitor the spamtrap and see statistics that it collects.


On Wed, 27 Dec 2006 11:58:32 -0600
  "Mike Kercher" <mike@vesol.com> wrote:
>
>
>
>-----Original Message-----
>From: mailscanner-bounces@lists.mailscanner.info on behalf of Dennis
>Willson
>Sent: Wed 12/27/2006 11:52 AM
>To: MailScanner discussion
>Subject: Re: Why doesn't DCC help against image spam?
>  
>
>The only "image" Spam that is currently getting through my filters is 
>the "stock scam" images and they are different everytime I see it and 
>they are using wavy text, odd colors and mixed fonts, etc... to try 
>and fool the OCR scanners.
>
>So, my question would be, how effective are the OCR scanners when the 
>Spammers are doing this?
>
>Since I put my new Spam Trap in place I have seen a reduction of this 
>Spam getting through. It appears the honeypots are seeing the sources 
>of the images first (or close to it) and stopping that source... 
>ofcourse they rotate sources through out the day, but the honeypots 
>are getting over 2000-3000 new IP address every day. The "hit rate" 
>on 
>the now blacklisted source is fairly high.
>
>_____________________________________
>
>What spam trap did you put in place?
>
>Mike


--------------------------------------------------

Interesting concept!

Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 3761 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061227/b8360508/attachment.bin
From martinh at solidstatelogic.com  Wed Dec 27 20:34:08 2006
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Dec 27 19:35:06 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <web-8957933@namesystems.net>
Message-ID: <87faa5b259d5bc4d9a79308f93facbf2@solidstatelogic.com>

Dennis

You'll probably find the SARE rules (esp SARE_Stocks) and Fred's Rules
from www.rulesemporium.com are very effective again these stock spams.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Dennis Willson
> Sent: 27 December 2006 17:52
> To: MailScanner discussion
> Subject: Re: Why doesn't DCC help against image spam?
>
>
> The only "image" Spam that is currently getting through my filters is
> the "stock scam" images and they are different everytime I see it and
> they are using wavy text, odd colors and mixed fonts, etc... to try
> and fool the OCR scanners.
>
> So, my question would be, how effective are the OCR scanners when the
> Spammers are doing this?
>
> Since I put my new Spam Trap in place I have seen a reduction of this
> Spam getting through. It appears the honeypots are seeing the sources
> of the images first (or close to it) and stopping that source...
> ofcourse they rotate sources through out the day, but the honeypots
> are getting over 2000-3000 new IP address every day. The "hit rate" on
> the now blacklisted source is fairly high.
>
>
>
> On Wed, 27 Dec 2006 11:21:47 -0500
>   Matt Kettler <mkettler@evi-inc.com> wrote:
> >Pete Russell wrote:
> >>
> >>
> >> Glenn Steen wrote:
> >>>>
> >>>> FuzzyOCR runs by default with a low priority (runs as last SA
test),
> >>>>so
> >>>> it only run when the SA score (so far) is > $X, so set that to
your
> >>>>low
> >>>> threshold, and FuzzyOCR only runs on spam that hasn't been tagged
> >>>>yet.
> >>>> Works quite well, and doesn't take all that much cpu, since > 70%
of
> >>>>the
> >>>> image spam is caught by the other methods.
> >>> True enough... When I've been testing I haven't been taking that
> >>>into
> >>> consideration (looking at "synthetic" situations can blind one to
> >>> things:-). Will likely implement it in production some time early
> >>>next
> >>> year then. Thanks Ken.
> >>
> >> Should one use imageinfo OR FuzzyOCR, or both together?
> >
> >If you have plenty of CPU cycles to spare, go for both.
> >
> >imageinfo is pretty lightweight, so anyone should be able to use it
> >unless their
> >SA box is already overloaded.
> >
> >FuzzyOCR isn't too bad because of the priority thing, but it is still
> >a
> >noticeable load. Folks with servers that are already getting to be a
> >little bit
> >marginal should skip this.
> >
> >--
> >MailScanner mailing list
> >mailscanner@lists.mailscanner.info
> >http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> >Before posting, read http://wiki.mailscanner.info/posting
> >
> >Support MailScanner development - buy the book off the website!
>
>
> --------------------------------------------------
> Dennis Willson
>
> taz@taz-mania.com
> http://www.taz-mania.com
>
> Ham (Extra Class): ka6lsw
> Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer,
> Gas Blender
>
> Owner: Kepnet Internet Services
>
> Life should not be a journey to the grave with the intention of
> arriving safely in a nice looking and well preserved body, but rather
> to skid in broadside, thoroughly used up, totally worn out, and loudly
> proclaiming, "WOW! WHAT A RIDE!"
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!




**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************

From mailscanner at barendse.to  Thu Dec 28 00:02:22 2006
From: mailscanner at barendse.to (Remco Barendse)
Date: Wed Dec 27 23:03:07 2006
Subject: Why doesn't DCC help against image spam?
In-Reply-To: <45929D9B.8050909@evi-inc.com>
References: <Pine.LNX.4.64.0612241640080.24888@raveon.vaag.nu>
	<emrjec$587$1@sea.gmane.org>
	<223f97700612260858g5fda9f4cx543e6bcd6e3d28e0@mail.gmail.com>
	<459159BE.3010200@pacific.net>
	<223f97700612260926s7a2c51dcm50c108d7e5da6502@mail.gmail.com>
	<4591D7A0.8010803@enitech.com.au> <45929D9B.8050909@evi-inc.com>
Message-ID: <Pine.LNX.4.64.0612272355570.24888@raveon.vaag.nu>

On Wed, 27 Dec 2006, Matt Kettler wrote:

>> Should one use imageinfo OR FuzzyOCR, or both together?
>
> If you have plenty of CPU cycles to spare, go for both.
>
> imageinfo is pretty lightweight, so anyone should be able to use it unless their
> SA box is already overloaded.
>
> FuzzyOCR isn't too bad because of the priority thing, but it is still a
> noticeable load. Folks with servers that are already getting to be a little bit
> marginal should skip this.

If I would need more cpu cycles, I'd buy them, the cycles cost less than 
all the people deleting this crap in paid hours.

Are there any howto's on how to install FuzzyOCR and/or imageinfo or are 
they included in some other package? (I hope I don't have to sort out 10 
million dependencies) :)

Thanks for all the replies, really interesting!

I also have some regular honeypots that I advertsise hidden in webpages on 
several webpages but that doesn't stop much of the spam unfortunately. 
The honeypots are simply ending in the 'definatively spam' box for 
SpamAssassin.
From root at doctor.nl2k.ab.ca  Thu Dec 28 22:15:49 2006
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the
	Problem)
Date: Thu Dec 28 21:18:59 2006
Subject: 4.58.1-1 && Happy Christmas!
In-Reply-To: <223f97700612181434o1a566e9ch3dcd113946a057ca@mail.gmail.com>
References: <45842F18.3090800@ecs.soton.ac.uk> <em70mv$qhn$3@sea.gmane.org>
	<223f97700612181434o1a566e9ch3dcd113946a057ca@mail.gmail.com>
Message-ID: <20061228211542.GA20768@doctor.nl2k.ab.ca>

On Mon, Dec 18, 2006 at 11:34:10PM +0100, Glenn Steen wrote:
> On 18/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> >Julian Field spake the following on 12/16/2006 9:38 AM:
> >> I have just released the first beta of 4.58 which I intend to evolve
> >> into a stable release of 4.58.
> >>
> >> Please report problems directly to me, as I still don't have the time to
> >> read the mailing list, for which I am most apologetic and annoyed.
> >>
> >> My day-job has been really busy over the past few months, and shows no
> >> signs of slacking off for the time-being. But I will make it a New
> >> Year's Resolution to read the mailing list, and try my hardest to
> >> recover to the level of support I used to be able to offer. I can only
> >> offer my apologies for my lack of support over the past few months, I
> >> have just been so busy I haven't had time to breathe. Sorry :-(
> >>
> >> I will try to hardest to fit in MailScanner support next year, but I
> >> can't make any guarantees, I've got a year-long programming job to do.
> >> The aim is to effectively automate the whole process of exam marks to
> >> degree grades, and so do away with some very long exam-board meetings.
> >> It's a huge job, and I am the only person in the department who can be
> >> trusted to do the whole job well and reliably. It's one of the
> >> consequences of having a certain reputation.  :-)
> >>
> >> You are at the top of my New Year's Resolutions, I promise!
> >>
> >> Jules
> >>
> >We as list members have been trying to take some of the load off by helping
> >with the lesser issues.
> >I hope you can at least get a small break for the holidays!
> >Merry Christmas from your loyal users!
> >And a happy New Year!!
> >
> >--
> >
> >MailScanner is like deodorant...
> >You hope everybody uses it, and
> >you notice quickly if they don't!!!!
> >
> Hear Hear!
> 
> While you're at it, don't forget to order some nice pickled herring
> and a bottle of Julsnaps (Harrods should have everything on
> stock....:-).
>

Including the Saha replacement?  I hate MAn U!

Still I wonder if MailScanner should add SPF functionality? 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ram at netcore.co.in  Fri Dec 29 08:16:25 2006
From: ram at netcore.co.in (Ramprasad)
Date: Fri Dec 29 07:17:21 2006
Subject: whitelist_to getting exploited
Message-ID: <1167376585.1585.34.camel@darkstar.netcore.co.in>

In our setup where we do email scanning for our clients we have a
feature by which clients can opt-out some ids from spamscan 

So I use in Mailscanner.conf

Spam Checks = spamcheck.rules

This file has 

To: user-1 NO
default YES

Now a spammer marks a mail to multiple people with user-1  in BCC and
the mail passes straight 
How can I get rid of this problem. If I use the user_in_whitelist_to
feature at spamassassin then too I would have the same issue 

Thanks
Ram













From res at ausics.net  Fri Dec 29 10:34:13 2006
From: res at ausics.net (Res)
Date: Fri Dec 29 09:35:06 2006
Subject: whitelist_to getting exploited
In-Reply-To: <1167376585.1585.34.camel@darkstar.netcore.co.in>
References: <1167376585.1585.34.camel@darkstar.netcore.co.in>
Message-ID: <Pine.LNX.4.64.0612291930540.683@ebfjryy.nhfvpf.arg>

On Fri, 29 Dec 2006, Ramprasad wrote:

> In our setup where we do email scanning for our clients we have a
> feature by which clients can opt-out some ids from spamscan
>
> So I use in Mailscanner.conf
>
> Spam Checks = spamcheck.rules
>
> This file has
>
> To: user-1 NO
> default YES
>
> Now a spammer marks a mail to multiple people with user-1  in BCC and
> the mail passes straight
> How can I get rid of this problem. If I use the user_in_whitelist_to
> feature at spamassassin then too I would have the same issue

MailScanner is doing exactly what you have told it to, you either 
whitelist user-1 or you don't, you can extend this to using the
format of 'from and to' but that will be a restricted list, unless you
are going to waste time constantly adding all the people he wants mail 
from in the 'and to' segment.

The cure  Ram is to remove him from the To: whitelist


-- 
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd


From ram at netcore.co.in  Fri Dec 29 11:21:51 2006
From: ram at netcore.co.in (Ramprasad)
Date: Fri Dec 29 10:22:49 2006
Subject: whitelist_to getting exploited
In-Reply-To: <Pine.LNX.4.64.0612291930540.683@ebfjryy.nhfvpf.arg>
References: <1167376585.1585.34.camel@darkstar.netcore.co.in>
	<Pine.LNX.4.64.0612291930540.683@ebfjryy.nhfvpf.arg>
Message-ID: <1167387711.1585.44.camel@darkstar.netcore.co.in>

On Fri, 2006-12-29 at 19:34 +1000, Res wrote:
> On Fri, 29 Dec 2006, Ramprasad wrote:
> 
> > In our setup where we do email scanning for our clients we have a
> > feature by which clients can opt-out some ids from spamscan
> >
> > So I use in Mailscanner.conf
> >
> > Spam Checks = spamcheck.rules
> >
> > This file has
> >
> > To: user-1 NO
> > default YES
> >
> > Now a spammer marks a mail to multiple people with user-1  in BCC and
> > the mail passes straight
> > How can I get rid of this problem. If I use the user_in_whitelist_to
> > feature at spamassassin then too I would have the same issue
> 
> MailScanner is doing exactly what you have told it to, you either 
> whitelist user-1 or you don't, you can extend this to using the
> format of 'from and to' but that will be a restricted list, unless you
> are going to waste time constantly adding all the people he wants mail 
> from in the 'and to' segment.
> 
> The cure  Ram is to remove him from the To: whitelist

But user-1 wants all mails including spam  , not others

For eg If I want to allow abuse@mydomain to get all mail without check 
someone sends a mail 
To:the_top_man@domain,abuse@domain 

Then this mail would bypass spam checks and reach the_top_man@domain 
Obviously this would be a concern to everyone , how are you folks
getting over this issue


Thanks
Ram



From ms-list at alexb.ch  Fri Dec 29 12:26:04 2006
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Dec 29 11:26:56 2006
Subject: whitelist_to getting exploited
In-Reply-To: <1167387711.1585.44.camel@darkstar.netcore.co.in>
References: <1167376585.1585.34.camel@darkstar.netcore.co.in>	<Pine.LNX.4.64.0612291930540.683@ebfjryy.nhfvpf.arg>
	<1167387711.1585.44.camel@darkstar.netcore.co.in>
Message-ID: <4594FB4C.6090202@alexb.ch>

On 12/29/2006 11:21 AM, Ramprasad wrote:
> On Fri, 2006-12-29 at 19:34 +1000, Res wrote:
>> On Fri, 29 Dec 2006, Ramprasad wrote:
>>
>>> In our setup where we do email scanning for our clients we have a
>>> feature by which clients can opt-out some ids from spamscan
>>>
>>> So I use in Mailscanner.conf
>>>
>>> Spam Checks = spamcheck.rules
>>>
>>> This file has
>>>
>>> To: user-1 NO
>>> default YES
>>>
>>> Now a spammer marks a mail to multiple people with user-1  in BCC and
>>> the mail passes straight
>>> How can I get rid of this problem. If I use the user_in_whitelist_to
>>> feature at spamassassin then too I would have the same issue
>> MailScanner is doing exactly what you have told it to, you either 
>> whitelist user-1 or you don't, you can extend this to using the
>> format of 'from and to' but that will be a restricted list, unless you
>> are going to waste time constantly adding all the people he wants mail 
>> from in the 'and to' segment.
>>
>> The cure  Ram is to remove him from the To: whitelist
> 
> But user-1 wants all mails including spam  , not others
> 
> For eg If I want to allow abuse@mydomain to get all mail without check 
> someone sends a mail 
> To:the_top_man@domain,abuse@domain 
> 
> Then this mail would bypass spam checks and reach the_top_man@domain 
> Obviously this would be a concern to everyone , how are you folks
> getting over this issue
> 

IDEA: why not use a SA (meta?) rule instead?

something like :

header __TO_ABUSE  	To =~ /abuse@mydomain/i
header __MYDOMAIN_MANY  To =~/(\@mydomain)(2,10)/i

meta   MY_ABUSE_PASSTHRU   (__TO_ABUSE && !__MYDOMAIN_MANY)
score  MY_ABUSE_PASSTHRU   -100.0

DISCLAIMER:
This is just a "concept" rule - Regex is untested and may contain errors 
and blow up your box, step on dog's tail or pull baby's ears!!!

Happy 2007 to everyone

Alex

From john at netdirect.ca  Fri Dec 29 15:28:53 2006
From: john at netdirect.ca (John Van Ostrand)
Date: Fri Dec 29 14:29:52 2006
Subject: whitelist_to getting exploited
In-Reply-To: <Pine.LNX.4.64.0612291930540.683@ebfjryy.nhfvpf.arg>
References: <1167376585.1585.34.camel@darkstar.netcore.co.in>
	<Pine.LNX.4.64.0612291930540.683@ebfjryy.nhfvpf.arg>
Message-ID: <1167402533.23496.81.camel@venture.office.netdirect.ca>

On Fri, 2006-12-29 at 19:34 +1000, Res wrote:
> On Fri, 29 Dec 2006, Ramprasad wrote:
> > Now a spammer marks a mail to multiple people with user-1  in BCC and
> > the mail passes straight
> > How can I get rid of this problem. If I use the user_in_whitelist_to
> > feature at spamassassin then too I would have the same issue
> 
> MailScanner is doing exactly what you have told it to, you either 
> whitelist user-1 or you don't, you can extend this to using the
> format of 'from and to' but that will be a restricted list, unless you
> are going to waste time constantly adding all the people he wants mail 
> from in the 'and to' segment.
> 
> The cure  Ram is to remove him from the To: whitelist

Have you considered using "Use Default Rules With Multiple Recipients =
yes". 

If that's a problem because you want an absolute whitelist on emails to
that user then there are sendmail techniques I've heard of split
messages when addressed to multiple recipients.

-- 
John Van Ostrand                       Net Direct Inc.
CTO, co-CEO                   564 Weber St. N. Unit 12
                                  Waterloo, ON N2L 5C6
john@netdirect.ca                     ph: 518-883-1172 x5102
Linux Solutions / IBM Hardware        fx: 519-883-8533

From ugob at camo-route.com  Fri Dec 29 15:31:49 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Dec 29 14:33:00 2006
Subject: 4.58.1-1 && Happy Christmas!
In-Reply-To: <20061228211542.GA20768@doctor.nl2k.ab.ca>
References: <45842F18.3090800@ecs.soton.ac.uk>
	<em70mv$qhn$3@sea.gmane.org>	<223f97700612181434o1a566e9ch3dcd113946a057ca@mail.gmail.com>
	<20061228211542.GA20768@doctor.nl2k.ab.ca>
Message-ID: <en38sr$vuk$1@sea.gmane.org>

Dave Shariff Yadallee - System Administrator a.k.a. The Root of the 
Problem wrote:

> 
> Still I wonder if MailScanner should add SPF functionality? 
> 

It is in SA already.

Ugo

From ugob at camo-route.com  Fri Dec 29 15:33:50 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Dec 29 14:35:55 2006
Subject: whitelist_to getting exploited
In-Reply-To: <1167376585.1585.34.camel@darkstar.netcore.co.in>
References: <1167376585.1585.34.camel@darkstar.netcore.co.in>
Message-ID: <en390k$vuk$2@sea.gmane.org>

Ramprasad wrote:
> In our setup where we do email scanning for our clients we have a
> feature by which clients can opt-out some ids from spamscan 
> 
> So I use in Mailscanner.conf
> 
> Spam Checks = spamcheck.rules
> 
> This file has 
> 
> To: user-1 NO
> default YES
> 
> Now a spammer marks a mail to multiple people with user-1  in BCC and
> the mail passes straight 
> How can I get rid of this problem. If I use the user_in_whitelist_to
> feature at spamassassin then too I would have the same issue 

Does your MTA split messages?

Ugo

From TGFurnish at herffjones.com  Fri Dec 29 19:23:48 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Fri Dec 29 18:24:47 2006
Subject: whitelist_to getting exploited
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC614@inex3.herffjones.hj-int>

 
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info 
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf 
> Of Ramprasad
> Sent: Friday, December 29, 2006 5:22 AM
> To: MailScanner discussion
> Subject: Re: whitelist_to getting exploited
> 
> On Fri, 2006-12-29 at 19:34 +1000, Res wrote:
> > On Fri, 29 Dec 2006, Ramprasad wrote:
> But user-1 wants all mails including spam  , not others
> 
> For eg If I want to allow abuse@mydomain to get all mail 
> without check someone sends a mail To:the_top_man@domain,abuse@domain 
> 
> Then this mail would bypass spam checks and reach 
> the_top_man@domain Obviously this would be a concern to 
> everyone , how are you folks getting over this issue

Mailscanner can't split one message into several and treat them
differently based on recipient.  Doing so would risk queue filename
conflicts.

But you can have your MTA split messages with multiple recipients into
one message per recipient -- then each message that mailscanner sees
only has one recipient.

There are some definite caveats to consider though:
	- you'll use more bandwidth, since you're 
	  delivering multiple copies of a message where 
	  before you only delivered one.  This may or may 
	  not be significant for you.

	- you'll increase the number of rows in your 
	  mailwatch tables, if you're using mailwatch.
		- However, mailwatch 1.x is 'broken' in that 
		  it only records one recipient per message 
		  anyway, so while you're increasing the load 
		  a bit, you also may be saving yourself a 
		  different headache later.

	- you'll increase the number of log entries -- this 
	  is probably insignificant.

	- you'll increase the mailscanner processing load, 
	  since e.g. one message may become five messages.

I used to split all inbound messages.  I wish I still could, but in my
case I started bumping against the limits of my hardware and opted to
gain some performance by turning off the splitting.
From vernon at comp-wiz.com  Fri Dec 29 22:21:42 2006
From: vernon at comp-wiz.com (Vernon Webb)
Date: Fri Dec 29 21:22:36 2006
Subject: Using MailScanner With SpamAssassin & Pyzor
Message-ID: <20061229211842.M37224@comp-wiz.com>

I am using MailSacnner with SpamAssassian, pyzor, dcc, clamav, and a few other plugins 
for SA. I am trying to install rules_du_jour but am getting errors. On the lint test 
for SA I get the following errors which I am some how getting the feeling is in some 
way realted to MailScanner:

[6960] warn: config: failed to parse line, skipping: pyzor_add_header 1
[6960] warn: lint: 1 issues detected, please rerun with debug enabled for more 
information

Anyone have any ideas?
From mrm at medicine.wisc.edu  Fri Dec 29 22:28:35 2006
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Fri Dec 29 21:29:53 2006
Subject: fetchmail/MS long shot
Message-ID: <45953422.7FBE.00FC.3@medicine.wisc.edu>

I've read the archives and the wiki and have found plenty of information
on using fetchmail to pop messages from one email system and insert them
into another, but what I'm trying to do is a bit different, so I thought
I'd ask.     A certain ISP does a really bad job of spam detection and I
know it's possible to use fetchmail to download all of the mail from
that ISP and do MS / SA scanning on the mail, but is there a way to then
stick the ham email back on the ISP inbox so that the user doesn't
really have to do anything different in particular?   The problem I see
is how would fetchmail then know which messages have been scanned
already?   I'm not married to fetchmail if there is a better way to do
what I'm looking for BTW.

Mike




From ssilva at sgvwater.com  Fri Dec 29 22:42:55 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec 29 21:41:48 2006
Subject: whitelist_to getting exploited
In-Reply-To: <1167376585.1585.34.camel@darkstar.netcore.co.in>
References: <1167376585.1585.34.camel@darkstar.netcore.co.in>
Message-ID: <en4214$erb$2@sea.gmane.org>

Ramprasad spake the following on 12/28/2006 11:16 PM:
> In our setup where we do email scanning for our clients we have a
> feature by which clients can opt-out some ids from spamscan 
> 
> So I use in Mailscanner.conf
> 
> Spam Checks = spamcheck.rules
> 
> This file has 
> 
> To: user-1 NO
> default YES
> 
> Now a spammer marks a mail to multiple people with user-1  in BCC and
> the mail passes straight 
> How can I get rid of this problem. If I use the user_in_whitelist_to
> feature at spamassassin then too I would have the same issue 
> 
You need to set up your MTA to split mails to multiple recipients, although I
think it will break the concept of BCC's, as a new copy of the message is
generated for each recipient.. So recipient A will get his spam, and recipient
B will get it filtered.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com  Fri Dec 29 22:47:48 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Dec 29 21:51:56 2006
Subject: fetchmail/MS long shot
In-Reply-To: <45953422.7FBE.00FC.3@medicine.wisc.edu>
References: <45953422.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <en42aa$erb$3@sea.gmane.org>

Michael Masse spake the following on 12/29/2006 1:28 PM:
> I've read the archives and the wiki and have found plenty of information
> on using fetchmail to pop messages from one email system and insert them
> into another, but what I'm trying to do is a bit different, so I thought
> I'd ask.     A certain ISP does a really bad job of spam detection and I
> know it's possible to use fetchmail to download all of the mail from
> that ISP and do MS / SA scanning on the mail, but is there a way to then
> stick the ham email back on the ISP inbox so that the user doesn't
> really have to do anything different in particular?   The problem I see
> is how would fetchmail then know which messages have been scanned
> already?   I'm not married to fetchmail if there is a better way to do
> what I'm looking for BTW.
> 
> Mike
> 
> 
> 
> 
The simple solution would be to use fetchmail from the ISP, and have the user
pop the mail from your server. Otherwise, you would just keep getting the same
ham messages over and over again.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From glenn.steen at gmail.com  Sat Dec 30 12:15:36 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Dec 30 11:16:28 2006
Subject: whitelist_to getting exploited
In-Reply-To: <en4214$erb$2@sea.gmane.org>
References: <1167376585.1585.34.camel@darkstar.netcore.co.in>
	<en4214$erb$2@sea.gmane.org>
Message-ID: <223f97700612300315k37980db4t2ef366f686eb79cd@mail.gmail.com>

On 29/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> Ramprasad spake the following on 12/28/2006 11:16 PM:
> > In our setup where we do email scanning for our clients we have a
> > feature by which clients can opt-out some ids from spamscan
> >
> > So I use in Mailscanner.conf
> >
> > Spam Checks = spamcheck.rules
> >
> > This file has
> >
> > To: user-1 NO
> > default YES
> >
> > Now a spammer marks a mail to multiple people with user-1  in BCC and
> > the mail passes straight
> > How can I get rid of this problem. If I use the user_in_whitelist_to
> > feature at spamassassin then too I would have the same issue
> >
> You need to set up your MTA to split mails to multiple recipients, although I
> think it will break the concept of BCC's, as a new copy of the message is
> generated for each recipient.. So recipient A will get his spam, and recipient
> B will get it filtered.

Um, Scott... Why would splitting break BCC's? Do you mean that the MTA
of your choice would "transform" the BCC to a normal (visible)
recipient? Sounds a bit strange to me... The split should be very
transparent... and the BCC should still be ... "invisible" to all the
rest...

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Sat Dec 30 12:38:30 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Dec 30 11:39:23 2006
Subject: whitelist_to getting exploited
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC614@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC614@inex3.herffjones.hj-int>
Message-ID: <223f97700612300338q6cd5aaf5y8884c7eec161daae@mail.gmail.com>

Hi Trever,

Just a few odd comments below...

> > Of Ramprasad
> > Sent: Friday, December 29, 2006 5:22 AM
> > To: MailScanner discussion
> > Subject: Re: whitelist_to getting exploited
> >
> > On Fri, 2006-12-29 at 19:34 +1000, Res wrote:
> > > On Fri, 29 Dec 2006, Ramprasad wrote:
> > But user-1 wants all mails including spam  , not others
> >
> > For eg If I want to allow abuse@mydomain to get all mail
> > without check someone sends a mail To:the_top_man@domain,abuse@domain
> >
> > Then this mail would bypass spam checks and reach
> > the_top_man@domain Obviously this would be a concern to
> > everyone , how are you folks getting over this issue
>
> Mailscanner can't split one message into several and treat them
> differently based on recipient.  Doing so would risk queue filename
> conflicts.

This should be possible to handle....:-).

> But you can have your MTA split messages with multiple recipients into
> one message per recipient -- then each message that mailscanner sees
> only has one recipient.
>
> There are some definite caveats to consider though:
>         - you'll use more bandwidth, since you're
>           delivering multiple copies of a message where
>           before you only delivered one.  This may or may
>           not be significant for you.

With gateway systems (which is a very common setup, after all, of
MailScanner) this is generally not a concern, since you will have a
very much more capable LAN/"internal WAN" link than "internet-facing"
link.
But true enough, it might be a concern... One could limit that (and
the things below) by more restrictive message size constraints (at MTA
level).

>         - you'll increase the number of rows in your
>           mailwatch tables, if you're using mailwatch.
>                 - However, mailwatch 1.x is 'broken' in that
>                   it only records one recipient per message
>                   anyway, so while you're increasing the load
>                   a bit, you also may be saving yourself a
>                   different headache later.

Both these are true, and if I understood how Steve intends to handle
these for multiple recipient mails in 2.0 (fixing the broken behaviour
of 1.x) the first point will continue to be a real concern for sites
with large amounts of messages... Splitting will likely make it one of
your jobs to keep on top of daily. Sigh. One more ...:-). But if one
has a low volume setup, it doesn't matter that much.

>         - you'll increase the number of log entries -- this
>           is probably insignificant.
Agreed.

>         - you'll increase the mailscanner processing load,
>           since e.g. one message may become five messages.

The worst "hog" in MS is SA, and with the SpamAssassin result cache
feature on, you really take the sting out of this one. True, you'll
likely see a bit of load from AV scanners etc, but SA should yield
only the cache fingerprint "cost" and nothing more.

> I used to split all inbound messages.  I wish I still could, but in my
> case I started bumping against the limits of my hardware and opted to
> gain some performance by turning off the splitting.

Do you by any chance run BDC still? It can "hurt" things bad... Or do
you have a lot of BLs in MS? That could well be "hurtfull too,
depending on what limit you encounter... Or was it the MW bit you
mention? Hopefully 2.0 will make a lot of difference there:-)

Anyway, as said, just a few random comment from a mind definitely
still on holiday leave:-)
Best Regards & Happy New Year!
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com  Sat Dec 30 12:47:05 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Dec 30 11:47:58 2006
Subject: fetchmail/MS long shot
In-Reply-To: <en42aa$erb$3@sea.gmane.org>
References: <45953422.7FBE.00FC.3@medicine.wisc.edu>
	<en42aa$erb$3@sea.gmane.org>
Message-ID: <223f97700612300347g1aa45cm1917fa60e135ab35@mail.gmail.com>

On 29/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> Michael Masse spake the following on 12/29/2006 1:28 PM:
> > I've read the archives and the wiki and have found plenty of information
> > on using fetchmail to pop messages from one email system and insert them
> > into another, but what I'm trying to do is a bit different, so I thought
> > I'd ask.     A certain ISP does a really bad job of spam detection and I
> > know it's possible to use fetchmail to download all of the mail from
> > that ISP and do MS / SA scanning on the mail, but is there a way to then
> > stick the ham email back on the ISP inbox so that the user doesn't
> > really have to do anything different in particular?   The problem I see
> > is how would fetchmail then know which messages have been scanned
> > already?   I'm not married to fetchmail if there is a better way to do
> > what I'm looking for BTW.
> >
> > Mike
> >
> >
> >
> >
> The simple solution would be to use fetchmail from the ISP, and have the user
> pop the mail from your server. Otherwise, you would just keep getting the same
> ham messages over and over again.
>
An alternative, if you don't want to expose your server to the net
(for POP/IMAP/Webmail), would be to have fetchmail deliver to a local
alias which (after MS&friends) expand to a second address at the
ISPs... Would make the user "plunder" a second account for HAM, while
you get a go at all the nice SPAM&HAM once, and once only.

Obviously not a solution one would want to maintain for large amounts
of users:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ssilva at sgvwater.com  Sat Dec 30 19:04:53 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Dec 30 18:05:59 2006
Subject: whitelist_to getting exploited
In-Reply-To: <223f97700612300315k37980db4t2ef366f686eb79cd@mail.gmail.com>
References: <1167376585.1585.34.camel@darkstar.netcore.co.in>	<en4214$erb$2@sea.gmane.org>
	<223f97700612300315k37980db4t2ef366f686eb79cd@mail.gmail.com>
Message-ID: <en69o7$72q$1@sea.gmane.org>

Glenn Steen spake the following on 12/30/2006 3:15 AM:
> On 29/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>> Ramprasad spake the following on 12/28/2006 11:16 PM:
>> > In our setup where we do email scanning for our clients we have a
>> > feature by which clients can opt-out some ids from spamscan
>> >
>> > So I use in Mailscanner.conf
>> >
>> > Spam Checks = spamcheck.rules
>> >
>> > This file has
>> >
>> > To: user-1 NO
>> > default YES
>> >
>> > Now a spammer marks a mail to multiple people with user-1  in BCC and
>> > the mail passes straight
>> > How can I get rid of this problem. If I use the user_in_whitelist_to
>> > feature at spamassassin then too I would have the same issue
>> >
>> You need to set up your MTA to split mails to multiple recipients,
>> although I
>> think it will break the concept of BCC's, as a new copy of the message is
>> generated for each recipient.. So recipient A will get his spam, and
>> recipient
>> B will get it filtered.
> 
> Um, Scott... Why would splitting break BCC's? Do you mean that the MTA
> of your choice would "transform" the BCC to a normal (visible)
> recipient? Sounds a bit strange to me... The split should be very
> transparent... and the BCC should still be ... "invisible" to all the
> rest...
> 
Won't the recipient show up if you have the envelope-to headers enabled?
I was just going on memory of past postings. I haven't split messages yet, as
  I haven't seen the need.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com  Sat Dec 30 19:08:00 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Dec 30 18:10:59 2006
Subject: McAfee and lack of detection
Message-ID: <en69u3$7h6$1@sea.gmane.org>

Is any one else using McAfee with the 5100 engine seen a lack of detection
lately? Maybe a month or so. I just had some time to look back through logs
and noticed that McAfee isn't hitting, and a mail test today missed all but a
straight eicar.com test.
-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From rob at robhq.com  Sat Dec 30 19:50:54 2006
From: rob at robhq.com (Rob Freeman)
Date: Sat Dec 30 18:52:07 2006
Subject: McAfee and lack of detection
In-Reply-To: <en69u3$7h6$1@sea.gmane.org>
References: <en69u3$7h6$1@sea.gmane.org>
Message-ID: <000001c72c43$6f84beb0$4e8e3c10$@com>

We used to use mcafee but stopped using it as it did not detected nearly the
amount of virus's that clamav and f-prot were getting.  Just added overhead.


-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Saturday, December 30, 2006 12:08 PM
To: mailscanner@lists.mailscanner.info
Subject: McAfee and lack of detection

Is any one else using McAfee with the 5100 engine seen a lack of detection
lately? Maybe a month or so. I just had some time to look back through logs
and noticed that McAfee isn't hitting, and a mail test today missed all but
a
straight eicar.com test.
-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

-- 
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.16.0/609 - Release Date: 12/29/2006
4:48 PM
 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.16.0/609 - Release Date: 12/29/2006
4:48 PM
 

From res at ausics.net  Sat Dec 30 22:52:21 2006
From: res at ausics.net (Res)
Date: Sat Dec 30 21:53:26 2006
Subject: McAfee and lack of detection
In-Reply-To: <000001c72c43$6f84beb0$4e8e3c10$@com>
References: <en69u3$7h6$1@sea.gmane.org> <000001c72c43$6f84beb0$4e8e3c10$@com>
Message-ID: <Pine.LNX.4.64.0612310749370.13455@ebfjryy.nhfvpf.arg>

On Sat, 30 Dec 2006, Rob Freeman wrote:

> We used to use mcafee but stopped using it as it did not detected nearly the
> amount of virus's that clamav and f-prot were getting.  Just added overhead.


And to add to that, clamav doesn't detect near as much as f-prot,
earlier this year some lamer tried to upload a 2 yo rootkit, clamav let it 
through, f-prot caught it. (gota love pure-ftpds ability to scan uploads)



-- 
Cheers
Res

"So, you think you can tell Heaven from Hell?" - Roger Waters


From rabellino at di.unito.it  Sat Dec 30 23:00:59 2006
From: rabellino at di.unito.it (Sergio Rabellino)
Date: Sat Dec 30 22:02:20 2006
Subject: McAfee and lack of detection
References: <en69u3$7h6$1@sea.gmane.org> <000001c72c43$6f84beb0$4e8e3c10$@com>
Message-ID: <000801c72c5d$fe5e6bd0$6689a8c0@di.unito.it>

I'm using mcafee on my solaris box as follow

Scan engine v4.4.00 for Solaris.
Virus data file v4929 created Dec 29 2006
Scanning for 221898 viruses, trojans and variants.

I'vent noticed any lack in detection for viruses.

Happy new year.

----- Original Message ----- 
From: "Rob Freeman" <rob@robhq.com>
To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info>
Sent: Saturday, December 30, 2006 7:50 PM
Subject: RE: McAfee and lack of detection


> We used to use mcafee but stopped using it as it did not detected nearly 
> the
> amount of virus's that clamav and f-prot were getting.  Just added 
> overhead.
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott 
> Silva
> Sent: Saturday, December 30, 2006 12:08 PM
> To: mailscanner@lists.mailscanner.info
> Subject: McAfee and lack of detection
>
> Is any one else using McAfee with the 5100 engine seen a lack of detection
> lately? Maybe a month or so. I just had some time to look back through 
> logs
> and noticed that McAfee isn't hitting, and a mail test today missed all 
> but
> a
> straight eicar.com test.
> -- 
>
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> -- 
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> -- 
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.432 / Virus Database: 268.16.0/609 - Release Date: 12/29/2006
> 4:48 PM
>
>
> -- 
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.5.432 / Virus Database: 268.16.0/609 - Release Date: 12/29/2006
> 4:48 PM
>
>
> -- 
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
> 

From pete at enitech.com.au  Sat Dec 30 23:13:09 2006
From: pete at enitech.com.au (Pete Russell)
Date: Sat Dec 30 22:14:09 2006
Subject: Using MailScanner With SpamAssassin & Pyzor
In-Reply-To: <20061229211842.M37224@comp-wiz.com>
References: <20061229211842.M37224@comp-wiz.com>
Message-ID: <4596E475.7040708@enitech.com.au>

The ruledujour wont run while there is an error in your sa config. In 
your sa prefs file find that line and either correct it or comment it 
out...run the ruledujour again.

Vernon Webb wrote:
> I am using MailSacnner with SpamAssassian, pyzor, dcc, clamav, and a few other plugins 
> for SA. I am trying to install rules_du_jour but am getting errors. On the lint test 
> for SA I get the following errors which I am some how getting the feeling is in some 
> way realted to MailScanner:
> 
> [6960] warn: config: failed to parse line, skipping: pyzor_add_header 1
> [6960] warn: lint: 1 issues detected, please rerun with debug enabled for more 
> information
> 
> Anyone have any ideas?
From ard at pergamentum.com  Sat Dec 30 23:33:08 2006
From: ard at pergamentum.com (Alisdair Davey)
Date: Sat Dec 30 22:34:26 2006
Subject: McAfee and lack of detection
In-Reply-To: <Pine.LNX.4.64.0612310749370.13455@ebfjryy.nhfvpf.arg>
References: <en69u3$7h6$1@sea.gmane.org> <000001c72c43$6f84beb0$4e8e3c10$@com>
	<Pine.LNX.4.64.0612310749370.13455@ebfjryy.nhfvpf.arg>
Message-ID: <1167517989.6464.31.camel@upney.pergamentum.com>

On Sun, 2006-12-31 at 07:52 +1000, Res wrote:
> On Sat, 30 Dec 2006, Rob Freeman wrote:
> 
> > We used to use mcafee but stopped using it as it did not detected nearly the
> > amount of virus's that clamav and f-prot were getting.  Just added overhead.

> And to add to that, clamav doesn't detect near as much as f-prot,

I think this is a YMMV situation. I started getting inundated with
postcard.exe files starting on Thu which Clamav caught as
Trojan.Downloader-388 / Trojan.Downloader-390. It wasn't until 
lunchtime today that f-prot finally tagged one as "a security risk named
W32/Tibs.gen4". In my experience f-prot has only been quicker to detect
a new virus on only 3 occasions in the two years I have been using it. 
I'm sure people can provide counter example to this. It just shows we
should all be using more than one virus scanner and then of course
MailScanner, for the countless times it stopped files that none of the
virus scanners thought contained a virus!
Cheers
Alisdair

-- 
Alisdair Davey                                  ard@pergamentum.com
2066 Dailey Ln                                  www.pergamentum.com
Superior, CO 80027

From glenn.steen at gmail.com  Sun Dec 31 00:38:38 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Dec 30 23:39:34 2006
Subject: whitelist_to getting exploited
In-Reply-To: <en69o7$72q$1@sea.gmane.org>
References: <1167376585.1585.34.camel@darkstar.netcore.co.in>
	<en4214$erb$2@sea.gmane.org>
	<223f97700612300315k37980db4t2ef366f686eb79cd@mail.gmail.com>
	<en69o7$72q$1@sea.gmane.org>
Message-ID: <223f97700612301538t485efdd7o8f93dab3d3bfee96@mail.gmail.com>

On 30/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> Glenn Steen spake the following on 12/30/2006 3:15 AM:
> > On 29/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> >> Ramprasad spake the following on 12/28/2006 11:16 PM:
> >> > In our setup where we do email scanning for our clients we have a
> >> > feature by which clients can opt-out some ids from spamscan
> >> >
> >> > So I use in Mailscanner.conf
> >> >
> >> > Spam Checks = spamcheck.rules
> >> >
> >> > This file has
> >> >
> >> > To: user-1 NO
> >> > default YES
> >> >
> >> > Now a spammer marks a mail to multiple people with user-1  in BCC and
> >> > the mail passes straight
> >> > How can I get rid of this problem. If I use the user_in_whitelist_to
> >> > feature at spamassassin then too I would have the same issue
> >> >
> >> You need to set up your MTA to split mails to multiple recipients,
> >> although I
> >> think it will break the concept of BCC's, as a new copy of the message is
> >> generated for each recipient.. So recipient A will get his spam, and
> >> recipient
> >> B will get it filtered.
> >
> > Um, Scott... Why would splitting break BCC's? Do you mean that the MTA
> > of your choice would "transform" the BCC to a normal (visible)
> > recipient? Sounds a bit strange to me... The split should be very
> > transparent... and the BCC should still be ... "invisible" to all the
> > rest...
> >
> Won't the recipient show up if you have the envelope-to headers enabled?
> I was just going on memory of past postings. I haven't split messages yet, as
>   I haven't seen the need.
>
Yes, if you have that on, sure. But that happens _after_ the MTA has
split them, so... Splitting actually helps there, since every message
will have only one recipient;-).

Anyway, have a great New Year (I'll tip a nice bubbly in your general
direction tomorrow... eh, tonight:).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From res at ausics.net  Sun Dec 31 00:43:49 2006
From: res at ausics.net (Res)
Date: Sat Dec 30 23:45:16 2006
Subject: McAfee and lack of detection
In-Reply-To: <1167517989.6464.31.camel@upney.pergamentum.com>
References: <en69u3$7h6$1@sea.gmane.org> <000001c72c43$6f84beb0$4e8e3c10$@com>
	<Pine.LNX.4.64.0612310749370.13455@ebfjryy.nhfvpf.arg>
	<1167517989.6464.31.camel@upney.pergamentum.com>
Message-ID: <Pine.LNX.4.64.0612310940290.14788@ebfjryy.nhfvpf.arg>


On Sat, 30 Dec 2006, Alisdair Davey wrote:

I'll paste a reply to this in pvt email to you, as in case it is still 
exploitable I don't wish to publicise the rootkits name and place those 
using clamav only at risk by some L-users who might be trolling through 
the lists archives.


>
>

-- 
Cheers
Res

"So, you think you can tell Heaven from Hell?" - Roger Waters


From glenn.steen at gmail.com  Sun Dec 31 00:45:27 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Dec 30 23:46:22 2006
Subject: McAfee and lack of detection
In-Reply-To: <en69u3$7h6$1@sea.gmane.org>
References: <en69u3$7h6$1@sea.gmane.org>
Message-ID: <223f97700612301545m3959aa7ct9d2edc4f00a0cef4@mail.gmail.com>

On 30/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
> Is any one else using McAfee with the 5100 engine seen a lack of detection
> lately? Maybe a month or so. I just had some time to look back through logs
> and noticed that McAfee isn't hitting, and a mail test today missed all but a
> straight eicar.com test.
Disclaimer: Haven't been as present as usual at work the last week...
So things might have changed...:)

Been using 5100 since it was released, with pretty consistent (same as
4400, but seemingly slightly faster) detection/non-detection rate.
Might just be dependant on what I get hit with though. Running bdc,
clam and mcafee, where clam gets most (still the phishing bit), and I
_still_ have situations where they all are the sole catcher, even bdc.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From res at ausics.net  Sun Dec 31 02:53:07 2006
From: res at ausics.net (Res)
Date: Sun Dec 31 01:54:18 2006
Subject: McAfee and lack of detection
In-Reply-To: <Pine.LNX.4.64.0612310940290.14788@ebfjryy.nhfvpf.arg>
References: <en69u3$7h6$1@sea.gmane.org> <000001c72c43$6f84beb0$4e8e3c10$@com>
	<Pine.LNX.4.64.0612310749370.13455@ebfjryy.nhfvpf.arg>
	<1167517989.6464.31.camel@upney.pergamentum.com>
	<Pine.LNX.4.64.0612310940290.14788@ebfjryy.nhfvpf.arg>
Message-ID: <Pine.LNX.4.64.0612311150330.16240@ebfjryy.nhfvpf.arg>


Just a follow up to this, for anyone using clamav following this thread.

On Sun, 31 Dec 2006, Res wrote:

> I'll paste a reply to this in pvt email to you, as in case it is still 
> exploitable I don't wish to publicise the rootkits name and place those using 
> clamav only at risk by some L-users who might be trolling through the lists 
> archives.

Alisdair has tested this and confirms Clamav now catches the RK in
question, you can all sleep, an extra 40 winks more tonight :)


-- 
Cheers
Res

"So, you think you can tell Heaven from Hell?" - Roger Waters


From glenn.steen at gmail.com  Sun Dec 31 11:52:12 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Dec 31 10:53:10 2006
Subject: McAfee and lack of detection
In-Reply-To: <Pine.LNX.4.64.0612311150330.16240@ebfjryy.nhfvpf.arg>
References: <en69u3$7h6$1@sea.gmane.org> <000001c72c43$6f84beb0$4e8e3c10$@com>
	<Pine.LNX.4.64.0612310749370.13455@ebfjryy.nhfvpf.arg>
	<1167517989.6464.31.camel@upney.pergamentum.com>
	<Pine.LNX.4.64.0612310940290.14788@ebfjryy.nhfvpf.arg>
	<Pine.LNX.4.64.0612311150330.16240@ebfjryy.nhfvpf.arg>
Message-ID: <223f97700612310252s24e02a07xe407b87b8016f7d@mail.gmail.com>

On 31/12/06, Res <res@ausics.net> wrote:
>
> Just a follow up to this, for anyone using clamav following this thread.
>
> On Sun, 31 Dec 2006, Res wrote:
>
> > I'll paste a reply to this in pvt email to you, as in case it is still
> > exploitable I don't wish to publicise the rootkits name and place those using
> > clamav only at risk by some L-users who might be trolling through the lists
> > archives.
>
> Alisdair has tested this and confirms Clamav now catches the RK in
> question, you can all sleep, an extra 40 winks more tonight :)
>
Thanks for the vigilance Res&Alisdair! Those 40 winks were marvelous:-D
Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From prandal at herefordshire.gov.uk  Sun Dec 31 11:59:19 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Sun Dec 31 11:00:26 2006
Subject: McAfee and lack of detection
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B5801768200@isabella.herefordshire.gov.uk>

You'll need to upgrade to the 5100 engine based scanner ASAP.  Support
for the 4400 engine ends on January 31st, 2007.

Phil


-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Sergio
Rabellino
Sent: Saturday, December 30, 2006 10:01 PM
To: MailScanner discussion
Subject: Re: McAfee and lack of detection

I'm using mcafee on my solaris box as follow

Scan engine v4.4.00 for Solaris.
Virus data file v4929 created Dec 29 2006
Scanning for 221898 viruses, trojans and variants.

I'vent noticed any lack in detection for viruses.

Happy new year.

----- Original Message ----- 
From: "Rob Freeman" <rob@robhq.com>
To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info>
Sent: Saturday, December 30, 2006 7:50 PM
Subject: RE: McAfee and lack of detection


> We used to use mcafee but stopped using it as it did not detected
nearly 
> the
> amount of virus's that clamav and f-prot were getting.  Just added 
> overhead.
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott

> Silva
> Sent: Saturday, December 30, 2006 12:08 PM
> To: mailscanner@lists.mailscanner.info
> Subject: McAfee and lack of detection
>
> Is any one else using McAfee with the 5100 engine seen a lack of
detection
> lately? Maybe a month or so. I just had some time to look back through

> logs
> and noticed that McAfee isn't hitting, and a mail test today missed
all 
> but
> a
> straight eicar.com test.
> -- 
>
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> -- 
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> -- 
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.432 / Virus Database: 268.16.0/609 - Release Date:
12/29/2006
> 4:48 PM
>
>
> -- 
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.5.432 / Virus Database: 268.16.0/609 - Release Date:
12/29/2006
> 4:48 PM
>
>
> -- 
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
> 

-- 
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
From rabellino at di.unito.it  Sun Dec 31 12:20:25 2006
From: rabellino at di.unito.it (Sergio Rabellino)
Date: Sun Dec 31 11:22:00 2006
Subject: McAfee and lack of detection
References: <86144ED6CE5B004DA23E1EAC0B569B5801768200@isabella.herefordshire.gov.uk>
Message-ID: <001201c72ccd$af16e6e0$6689a8c0@di.unito.it>

Thks. for the info, i'll check on the mcafee website for an upgrade.

----- Original Message ----- 
From: "Randal, Phil" <prandal@herefordshire.gov.uk>
To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info>
Sent: Sunday, December 31, 2006 11:59 AM
Subject: RE: McAfee and lack of detection


> You'll need to upgrade to the 5100 engine based scanner ASAP.  Support
> for the 4400 engine ends on January 31st, 2007.
> 
> Phil
> 
> 
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Sergio
> Rabellino
> Sent: Saturday, December 30, 2006 10:01 PM
> To: MailScanner discussion
> Subject: Re: McAfee and lack of detection
> 
> I'm using mcafee on my solaris box as follow
> 
> Scan engine v4.4.00 for Solaris.
> Virus data file v4929 created Dec 29 2006
> Scanning for 221898 viruses, trojans and variants.
> 
> I'vent noticed any lack in detection for viruses.
> 
> Happy new year.
> 
> ----- Original Message ----- 
> From: "Rob Freeman" <rob@robhq.com>
> To: "'MailScanner discussion'" <mailscanner@lists.mailscanner.info>
> Sent: Saturday, December 30, 2006 7:50 PM
> Subject: RE: McAfee and lack of detection
> 
> 
>> We used to use mcafee but stopped using it as it did not detected
> nearly 
>> the
>> amount of virus's that clamav and f-prot were getting.  Just added 
>> overhead.
>>
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott
> 
>> Silva
>> Sent: Saturday, December 30, 2006 12:08 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: McAfee and lack of detection
>>
>> Is any one else using McAfee with the 5100 engine seen a lack of
> detection
>> lately? Maybe a month or so. I just had some time to look back through
> 
>> logs
>> and noticed that McAfee isn't hitting, and a mail test today missed
> all 
>> but
>> a
>> straight eicar.com test.
>> -- 
>>
>> MailScanner is like deodorant...
>> You hope everybody uses it, and
>> you notice quickly if they don't!!!!
>>
>> -- 
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>> -- 
>> No virus found in this incoming message.
>> Checked by AVG Free Edition.
>> Version: 7.5.432 / Virus Database: 268.16.0/609 - Release Date:
> 12/29/2006
>> 4:48 PM
>>
>>
>> -- 
>> No virus found in this outgoing message.
>> Checked by AVG Free Edition.
>> Version: 7.5.432 / Virus Database: 268.16.0/609 - Release Date:
> 12/29/2006
>> 4:48 PM
>>
>>
>> -- 
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>> 
> 
> -- 
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 
> -- 
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 
>
From ahodges at phenom-networks.com  Sun Dec 31 14:08:43 2006
From: ahodges at phenom-networks.com (Andrew Hodges)
Date: Sun Dec 31 13:09:40 2006
Subject: MS Archive to email issues
Message-ID: <3C7811E23EFFC14C8B76E79FEA50EC83DC1A@hodges01.hodges.local>

Hi,
 
Get this out the way first.....
 
My system is running on a non Sun OS RaQ550....
 
MailScanner version 4.56.8 - Compiled from source
ClamAV version 0.88.7 - Compiled from source.
SpamAssassin version 3.1.7 - Install via perl -MCPAN -e shell > install
Mail::SpamAssassin
O/S Strongbolt 1.4.0 (CentOS 4.4 and BlueQuartz) - Installed from
OSOffice.co.uk
 
Other packages installed just in case there are any known issues
 
NuOnce RaQBackup - From NuOnce Networks
NuOnce ModAuthExternal - From NuOnce Networks
Awstats - From WebMerch
Dincom sysgui - From Dincom
Dincom apcgui - From Dincom
 
 
I am fairly new to MailScanner and I have a confusing problem getting
the Archive Mail function to work as I would have expected....
 
I wish to archive all email to 2 email address's - bcc@domain1.test
<blocked::mailto:bcc@domain1.test>  and bcc@domain1.beta
<blocked::mailto:bcc@domain1.beta>  - this is to (domain1.test) test new
rules and scores and (domain1.beta) test new beta's of the various
software - these 2 domains reside on different boxes...
 
I have tried all the settings I can think of (listed below) but it only
seems to archive clean messages to the email address's.  If I set
Archive Mail = /var/spool/MailScanner/archive in MailScanner.conf then
*ALL* email is archived to the folder.
 
This is where I am getting stuck, I can only think that MailScanner is
stopping delivery of this archive email, or that I have yet to find the
magic configuration option that makes all this work.
 
In my attempts to find the solution to this I have tried the
following.....
Please note that there are other options in some of the rules files that
have been omitted as I do not believe that they have an impact on the
archive function and the errors that I am experiencing.  It saves my
fingers and your eyes/brain power......
 
######################################################
Archive Mail = 
 
I have set this to bcc@domain1.test <blocked::mailto:bcc@domain1.test>
in MailScanner.conf
I have set to a ruleset with just FromOrTo: default bcc@domain1.test
<blocked::mailto:bcc@domain1.test> 
I have set to a ruleset with To: xyz.com bcc@domain1.test
<blocked::mailto:bcc@domain1.test> 
I have set to a ruleset with To: *@xyz.com <blocked::mailto:*@xyz.com>
bcc@domain1.test <blocked::mailto:bcc@domain1.test> 
 
######################################################
Scan Messages = %rules-dir%/scan.messages.rules
scan.messages.rules contains
 
To: domain1.test no
FromOrTo: default yes
 
######################################################
Spam Actions = %rules-dir%/spamactions.rules
spamactions.rules contains 
 
To: domain1.test deliver
To: xyz.com store forward spam@xyz.com <blocked::mailto:spam@xyz.com> 
 
######################################################
High Scoring Spam Actions = %rules-dir%/high.spamactions.rules
high.spamactions.rules contains 
 
To: domain1.test deliver
To: xyz.com store delete
 
######################################################
Non Spam Actions = %rules-dir%/non.spamactions.rules
non.spamactions.rules contains 
 
To: domain1.test deliver
To: xyz.com store deliver header "X-Spam-Status: No"
######################################################
 
I have also done the following just in case...
 
MailWatch SQLWhiteList
 
I have added an entry  From: 127.0.0.1  To: default   Allow
 
 
I have also edited the filename, filetype and dangerous content scanning
rules 
 
To include 127.0.0.1 to bcc@domain1.test
<blocked::mailto:bcc@domain1.test>  allow all
 
This information was found in a MailWatch article relating to the
release of messages from quarantine, as I use MailWatch I though that
this would be a good idea anyway, but found it whilst searching for a
solution to the archive issue.
 
 
So that my system knows where domain1.test is I have created
mailtertable entries for domain1.test smtp:[IPAddress} I have also
created a DNS zone for domain1.test and created A and MX records...
 
If I do a sendmail bcc@domain1.test <blocked::mailto:bcc@domain1.test>
from the bash prompt and the enter some data followed by <cr> . <cr>
then the email is received by the domain1.test box and processed, so I
know my live box is talking to my test box.
 
Searching google has turned up a few clues but nothing that has
corrected the issue, I have also searched the mailing lists and just
about everyone is Archiving email to folders or mailbox files, no one is
archiving to email - should I take a big hint from this???
 
As stated at the beginning, the archive to email does work, only with
clean messages, and it is putting the headers in for MailScanner,
something that the book states it should not do.
 
Thanks in advance
 
Andy Hodges
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061231/deb5ea92/attachment.html
From ajos1 at onion.demon.co.uk  Sun Dec 31 13:13:18 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Sun Dec 31 13:14:24 2006
Subject: McAfee and lack of detection
Message-ID: <sentsun31dec2006131318gmtbstajos1@sonicbadger.com>

-

Eeek-a-rama!  I did not realise that it was all changing again.  Thanks for giving the deadlines...

Looks like I will have another mare trying to get the linux version.  Hertfordshire County Council do not supply the Linux versions... as they do not know what Linux is...

-----Original Message-----
From: mailscanner@lists.mailscanner.info
Subj: RE: McAfee and lack of detection
Date: Sun, 31 Dec 2006 10:59:19 -0000

You'll need to upgrade to the 5100 engine based scanner ASAP.  Support
for the 4400 engine ends on January 31st, 2007.

Phil

==
=====================================================================
=
=  Need help dealing with Parking Tickets, Bailiffs, Capita or NTL...
=  Call...    +44 8457 90 90 90    http://www.samaritans.org/
=
=====================================================================
From ahodges at phenom-networks.com  Sun Dec 31 14:33:37 2006
From: ahodges at phenom-networks.com (Andrew Hodges)
Date: Sun Dec 31 13:34:39 2006
Subject: Problem with archive email (reposted in plain text)
Message-ID: <3C7811E23EFFC14C8B76E79FEA50EC83DC1B@hodges01.hodges.local>

Hi,

Reposted in plain text as Outlook added entries to my post which may
confuse others.....
Sorry.


Get this out the way first.....

My system is running on a non Sun OS RaQ550....

MailScanner version 4.56.8 - Compiled from source
ClamAV version 0.88.7 - Compiled from source.
SpamAssassin version 3.1.7 - Install via perl -MCPAN -e shell > install
Mail::SpamAssassin
O/S Strongbolt 1.4.0 (CentOS 4.4 and BlueQuartz) - Installed from
OSOffice.co.uk

Other packages installed just in case there are any known issues

NuOnce RaQBackup - >From NuOnce Networks
NuOnce ModAuthExternal - From NuOnce Networks
Awstats - From WebMerch
Dincom sysgui - From Dincom
Dincom apcgui - From Dincom


I am fairly new to MailScanner and I have a confusing problem getting
the Archive Mail function to work as I would have expected....

I wish to archive all email to 2 email address's - bcc@domain1.test and
bcc@domain1.beta - this is to (domain1.test) test new rules and scores
and (domain1.beta) test new beta's of the various software - these 2
domains reside on different boxes...

I have tried all the settings I can think of (listed below) but it only
seems to archive clean messages to the email address's.  If I set
Archive Mail = /var/spool/MailScanner/archive in MailScanner.conf then
*ALL* email is archived to the folder.

This is where I am getting stuck, I can only think that MailScanner is
stopping delivery of this archive email, or that I have yet to find the
magic configuration option that makes all this work.

In my attempts to find the solution to this I have tried the
following.....
Please note that there are other options in some of the rules files that
have been omitted as I do not believe that they have an impact on the
archive function and the errors that I am experiencing.  It saves my
fingers and your eyes/brain power......

######################################################
Archive Mail = 

I have set this to bcc@domain1.test in MailScanner.conf
I have set to a ruleset with just FromOrTo: default bcc@domain1.test
I have set to a ruleset with To: xyz.com bcc@domain1.test
I have set to a ruleset with To: *@xyz.com bcc@domain1.test

######################################################
Scan Messages = %rules-dir%/scan.messages.rules
scan.messages.rules contains

To: domain1.test no
FromOrTo: default yes

######################################################
Spam Actions = %rules-dir%/spamactions.rules
spamactions.rules contains 

To: domain1.test deliver
To: xyz.com store forward spam@xyz.com

######################################################
High Scoring Spam Actions = %rules-dir%/high.spamactions.rules
high.spamactions.rules contains 

To: domain1.test deliver
To: xyz.com store delete

######################################################
Non Spam Actions = %rules-dir%/non.spamactions.rules
non.spamactions.rules contains 

To: domain1.test deliver
To: xyz.com store deliver header "X-Spam-Status: No"
######################################################

I have also done the following just in case...

MailWatch SQLWhiteList

I have added an entry  From: 127.0.0.1  To: default   Allow


I have also edited the filename, filetype and dangerous content scanning
rules 

To include 127.0.0.1 to bcc@domain1.test allow all

This information was found in a MailWatch article relating to the
release of messages from quarantine, as I use MailWatch I though that
this would be a good idea anyway, but found it whilst searching for a
solution to the archive issue.


So that my system knows where domain1.test is I have created
mailtertable entries for domain1.test smtp:[IPAddress} I have also
created a DNS zone for domain1.test and created A and MX records...

If I do a sendmail bcc@domain1.test from the bash prompt and the enter
some data followed by <cr> . <cr> then the email is received by the
domain1.test box and processed, so I know my live box is talking to my
test box.

Searching google has turned up a few clues but nothing that has
corrected the issue, I have also searched the mailing lists and just
about everyone is Archiving email to folders or mailbox files, no one is
archiving to email - should I take a big hint from this???

As stated at the beginning, the archive to email does work, only with
clean messages, and it is putting the headers in for MailScanner,
something that the book states it should not do.

Thanks in advance

Andy Hodges
From res at ausics.net  Sun Dec 31 17:02:30 2006
From: res at ausics.net (Res)
Date: Sun Dec 31 16:03:36 2006
Subject: McAfee and lack of detection
In-Reply-To: <223f97700612310252s24e02a07xe407b87b8016f7d@mail.gmail.com>
References: <en69u3$7h6$1@sea.gmane.org> <000001c72c43$6f84beb0$4e8e3c10$@com>
	<Pine.LNX.4.64.0612310749370.13455@ebfjryy.nhfvpf.arg>
	<1167517989.6464.31.camel@upney.pergamentum.com>
	<Pine.LNX.4.64.0612310940290.14788@ebfjryy.nhfvpf.arg>
	<Pine.LNX.4.64.0612311150330.16240@ebfjryy.nhfvpf.arg>
	<223f97700612310252s24e02a07xe407b87b8016f7d@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.0701010155560.14668@ebfjryy.nhfvpf.arg>

On Sun, 31 Dec 2006, Glenn Steen wrote:

> On 31/12/06, Res <res@ausics.net> wrote:
>> 
>> Just a follow up to this, for anyone using clamav following this thread.
>> 
>> On Sun, 31 Dec 2006, Res wrote:
>> 
>> > I'll paste a reply to this in pvt email to you, as in case it is still
>> > exploitable I don't wish to publicise the rootkits name and place those 
>> using
>> > clamav only at risk by some L-users who might be trolling through the 
>> lists
>> > archives.
>> 
>> Alisdair has tested this and confirms Clamav now catches the RK in
>> question, you can all sleep, an extra 40 winks more tonight :)
>> 
> Thanks for the vigilance Res&Alisdair! Those 40 winks were marvelous:-D

ahhhhhhhh thats nice to know, coz us f-proters always sleep in...
infact im glad i can sleep in coz im gunna need it today

Happy New YEAR!
and thanx to the bar staff at teh timeout bar, sheratan brisbane for 
putting up with us :P


-- 
Cheers
Res

"So, you think you can tell Heaven from Hell?" - Roger Waters


From res at ausics.net  Sun Dec 31 17:03:36 2006
From: res at ausics.net (Res)
Date: Sun Dec 31 16:04:39 2006
Subject: {MailScanner: Spam} RE: McAfee and lack of detection
In-Reply-To: <sentsun31dec2006131318gmtbstajos1@sonicbadger.com>
References: <sentsun31dec2006131318gmtbstajos1@sonicbadger.com>
Message-ID: <Pine.LNX.4.64.0701010202360.14668@ebfjryy.nhfvpf.arg>

On Sun, 31 Dec 2006, ajos1@onion.demon.co.uk wrote:

> -
>
> Eeek-a-rama!  I did not realise that it was all changing again.  Thanks for giving the deadlines...
>
> Looks like I will have another mare trying to get the linux version.  Hertfordshire County Council do not supply the Linux versions... as they do not know what Linux is...
>


If you are going to [ay for a commercial scnaner you mightn as well get a 
good linux supported one, f-prot, you wont be disapoiunted


> -----Original Message-----
> From: mailscanner@lists.mailscanner.info
> Subj: RE: McAfee and lack of detection
> Date: Sun, 31 Dec 2006 10:59:19 -0000
>
> You'll need to upgrade to the 5100 engine based scanner ASAP.  Support
> for the 4400 engine ends on January 31st, 2007.
>
> Phil
>
> ==
> =====================================================================
> =
> =  Need help dealing with Parking Tickets, Bailiffs, Capita or NTL...
> =  Call...    +44 8457 90 90 90    http://www.samaritans.org/
> =
> =====================================================================
>

-- 
Cheers
Res

"So, you think you can tell Heaven from Hell?" - Roger Waters


From marco at uNiXpSyChO.com  Sun Dec 31 20:29:29 2006
From: marco at uNiXpSyChO.com (uNiXpSyChO)
Date: Sun Dec 31 19:31:09 2006
Subject: whitelist_to getting exploited
In-Reply-To: <223f97700612301538t485efdd7o8f93dab3d3bfee96@mail.gmail.com>
References: <1167376585.1585.34.camel@darkstar.netcore.co.in>	<en4214$erb$2@sea.gmane.org>	<223f97700612300315k37980db4t2ef366f686eb79cd@mail.gmail.com>	<en69o7$72q$1@sea.gmane.org>
	<223f97700612301538t485efdd7o8f93dab3d3bfee96@mail.gmail.com>
Message-ID: <plfl64-m2q.ln1@web1.xssnet.com>

Glenn Steen wrote:
> On 30/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>> Glenn Steen spake the following on 12/30/2006 3:15 AM:
>> > On 29/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>> >> Ramprasad spake the following on 12/28/2006 11:16 PM:
>> >> > In our setup where we do email scanning for our clients we have a
>> >> > feature by which clients can opt-out some ids from spamscan
>> >> >
>> >> > So I use in Mailscanner.conf
>> >> >
>> >> > Spam Checks = spamcheck.rules
>> >> >
>> >> > This file has
>> >> >
>> >> > To: user-1 NO
>> >> > default YES
>> >> >
>> >> > Now a spammer marks a mail to multiple people with user-1  in BCC 
>> and
>> >> > the mail passes straight
>> >> > How can I get rid of this problem. If I use the user_in_whitelist_to
>> >> > feature at spamassassin then too I would have the same issue
>> >> >
>> >> You need to set up your MTA to split mails to multiple recipients,
>> >> although I
>> >> think it will break the concept of BCC's, as a new copy of the 
>> message is
>> >> generated for each recipient.. So recipient A will get his spam, and
>> >> recipient
>> >> B will get it filtered.
>> >
>> > Um, Scott... Why would splitting break BCC's? Do you mean that the MTA
>> > of your choice would "transform" the BCC to a normal (visible)
>> > recipient? Sounds a bit strange to me... The split should be very
>> > transparent... and the BCC should still be ... "invisible" to all the
>> > rest...
>> >
>> Won't the recipient show up if you have the envelope-to headers enabled?
>> I was just going on memory of past postings. I haven't split messages 
>> yet, as
>>   I haven't seen the need.
>>
> Yes, if you have that on, sure. But that happens _after_ the MTA has
> split them, so... Splitting actually helps there, since every message
> will have only one recipient;-).
> 

now i'm curious...  how are you splitting at the MTA?


From CSmith at intersoftcorp.com  Sun Dec 31 20:49:03 2006
From: CSmith at intersoftcorp.com (Carlyle Smith)
Date: Sun Dec 31 19:49:58 2006
Subject: How to interpret MailScanner stats
Message-ID: <BEBD57969B0C4348B473FBB1B5B03FF80C15D4@05mail.intersoft.local>

I am trying to put together reports for my clients to impress them with
how good a job our filtering system is working, but I don't understand
the statistics well enough to explain it to them.  For my domain for
December, I get the following totals:

 

   Mail                     33,878        Are these "ham"?

   Virus                    124

   Spam                   6,261

   MCP                    0.0  

   Volume                618.9 Mb

   Unknown Users    433,489

   Can't Resolve       66,282

   RBL                     1,624,822

 

Ultimately, the most basic stats of interest are:

 

   a) What is the total number of messages processed?

   b) How many were filtered out? (i.e. how much time/money did this
save them?)

 

I can't figure out how I should add the totals above together to get
this information.  My guess would be:

 

   Filtered out = Virus + Spam + MCP + UnknownUsers + Can'tResolve + RBL
= 2,130,978

   Messages getting through = "Mail" = 33,878

   Total processed = "Filtered Out" + " Messages getting though" =
2,164,856

 

However, this would indicate 98% of the messages are getting blocked...
This seems a bit extreme, so I think I'm missing something here.

 

Can someone enlighten me on how this works?

 

Thanks,

Carlyle

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061231/1ca93e85/attachment.html
From ahodges at phenom-networks.com  Sun Dec 31 22:20:08 2006
From: ahodges at phenom-networks.com (Andrew Hodges)
Date: Sun Dec 31 21:21:13 2006
Subject: How to interpret MailScanner stats
In-Reply-To: <BEBD57969B0C4348B473FBB1B5B03FF80C15D4@05mail.intersoft.local>
Message-ID: <3C7811E23EFFC14C8B76E79FEA50EC83DC1C@hodges01.hodges.local>

Hi,
 
My spam levels seem to be in the region of 92% to 96% daily.  Your 98%,
although it seems a bit high, taking account the xmas break where no
alot of genuine email, I presume, would have been sent, therefore alot
more spam vs ham.
 
 
Hope this helps
Andrew Hodges

________________________________

From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Carlyle
Smith
Sent: 31 December 2006 19:49
To: mailscanner@lists.mailscanner.info
Subject: How to interpret MailScanner stats



I am trying to put together reports for my clients to impress them with
how good a job our filtering system is working, but I don't understand
the statistics well enough to explain it to them.  For my domain for
December, I get the following totals:

 

   Mail                     33,878        Are these "ham"?

   Virus                    124

   Spam                   6,261

   MCP                    0.0  

   Volume                618.9 Mb

   Unknown Users    433,489

   Can't Resolve       66,282

   RBL                     1,624,822

 

Ultimately, the most basic stats of interest are:

 

   a) What is the total number of messages processed?

   b) How many were filtered out? (i.e. how much time/money did this
save them?)

 

I can't figure out how I should add the totals above together to get
this information.  My guess would be:

 

   Filtered out = Virus + Spam + MCP + UnknownUsers + Can'tResolve + RBL
= 2,130,978

   Messages getting through = "Mail" = 33,878

   Total processed = "Filtered Out" + " Messages getting though" =
2,164,856

 

However, this would indicate 98% of the messages are getting blocked...
This seems a bit extreme, so I think I'm missing something here.

 

Can someone enlighten me on how this works?

 

Thanks,

Carlyle

 

 

 


-- 
This message has been scanned for viruses and 
dangerous content by MailScanner, and is 
believed to be clean. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061231/57304593/attachment.html
From ahodges at phenom-networks.com  Sun Dec 31 22:23:49 2006
From: ahodges at phenom-networks.com (Andrew Hodges)
Date: Sun Dec 31 21:24:54 2006
Subject: whitelist_to getting exploited
In-Reply-To: <plfl64-m2q.ln1@web1.xssnet.com>
Message-ID: <3C7811E23EFFC14C8B76E79FEA50EC83DC1D@hodges01.hodges.local>

Hi,

Try the following link, if you use sendmail that is......

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta
:sendmail:how_to:split_mails_per_recipient

Thanks
Andrew Hodges 

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
uNiXpSyChO
Sent: 31 December 2006 19:29
To: mailscanner@lists.mailscanner.info
Subject: Re: whitelist_to getting exploited

Glenn Steen wrote:
> On 30/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>> Glenn Steen spake the following on 12/30/2006 3:15 AM:
>> > On 29/12/06, Scott Silva <ssilva@sgvwater.com> wrote:
>> >> Ramprasad spake the following on 12/28/2006 11:16 PM:
>> >> > In our setup where we do email scanning for our clients we have 
>> >> > a feature by which clients can opt-out some ids from spamscan
>> >> >
>> >> > So I use in Mailscanner.conf
>> >> >
>> >> > Spam Checks = spamcheck.rules
>> >> >
>> >> > This file has
>> >> >
>> >> > To: user-1 NO
>> >> > default YES
>> >> >
>> >> > Now a spammer marks a mail to multiple people with user-1  in 
>> >> > BCC
>> and
>> >> > the mail passes straight
>> >> > How can I get rid of this problem. If I use the 
>> >> > user_in_whitelist_to feature at spamassassin then too I would 
>> >> > have the same issue
>> >> >
>> >> You need to set up your MTA to split mails to multiple recipients,

>> >> although I think it will break the concept of BCC's, as a new copy

>> >> of the
>> message is
>> >> generated for each recipient.. So recipient A will get his spam, 
>> >> and recipient B will get it filtered.
>> >
>> > Um, Scott... Why would splitting break BCC's? Do you mean that the 
>> > MTA of your choice would "transform" the BCC to a normal (visible) 
>> > recipient? Sounds a bit strange to me... The split should be very 
>> > transparent... and the BCC should still be ... "invisible" to all 
>> > the rest...
>> >
>> Won't the recipient show up if you have the envelope-to headers
enabled?
>> I was just going on memory of past postings. I haven't split messages

>> yet, as
>>   I haven't seen the need.
>>
> Yes, if you have that on, sure. But that happens _after_ the MTA has 
> split them, so... Splitting actually helps there, since every message 
> will have only one recipient;-).
> 

now i'm curious...  how are you splitting at the MTA?


--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

From denis at croombs.org  Sun Dec 31 22:27:46 2006
From: denis at croombs.org (Denis Croombs)
Date: Sun Dec 31 21:29:05 2006
Subject: How to interpret MailScanner stats
In-Reply-To: <3C7811E23EFFC14C8B76E79FEA50EC83DC1C@hodges01.hodges.local>
Message-ID: <200612312129.kBVLTiie000933@rack2.justlinux1.net>

>  Hi,
>
>My spam levels seem to be in the region of 92% to 96% daily.  Your 98%,
although it seems a bit high, taking account the >xmas break where no alot
of genuine email, I presume, would have been sent, therefore alot more spam
vs ham.
>	 
>	 
>	Hope this helps
>	Andrew Hodges
Whats stats package are you using to generate these ?
I have been looking for something to do this.

Thanks

Denis
	 
	 
	
	
	 


From ahodges at phenom-networks.com  Sun Dec 31 22:33:55 2006
From: ahodges at phenom-networks.com (Andrew Hodges)
Date: Sun Dec 31 21:35:01 2006
Subject: How to interpret MailScanner stats
In-Reply-To: <200612312129.kBVLTiie000933@rack2.justlinux1.net>
Message-ID: <3C7811E23EFFC14C8B76E79FEA50EC83DC1E@hodges01.hodges.local>

Hi,

After days of trying to get it running (bit of a noobie) I am using
MailWatch, and I like what I see......

Have a look at  http://mailwatch.sourceforge.net/doku.php 

In specifics look at the first screen shot.  When opened look at the top
right hand corner, there are the daily stats including the % calculated
for you.

Thanks
Andy



-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis
Croombs
Sent: 31 December 2006 21:28
To: 'MailScanner discussion'
Subject: RE: How to interpret MailScanner stats

>  Hi,
>
>My spam levels seem to be in the region of 92% to 96% daily.  Your 98%,
although it seems a bit high, taking account the >xmas break where no
alot of genuine email, I presume, would have been sent, therefore alot
more spam vs ham.
>	 
>	 
>	Hope this helps
>	Andrew Hodges
Whats stats package are you using to generate these ?
I have been looking for something to do this.

Thanks

Denis
	 
	 
	
	
	 


--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

From ka at pacific.net  Sun Dec 31 23:25:56 2006
From: ka at pacific.net (Ken A)
Date: Sun Dec 31 22:27:42 2006
Subject: McAfee and lack of detection
In-Reply-To: <000001c72c43$6f84beb0$4e8e3c10$@com>
References: <en69u3$7h6$1@sea.gmane.org> <000001c72c43$6f84beb0$4e8e3c10$@com>
Message-ID: <459838F4.6000806@pacific.net>

Rob Freeman wrote:
> We used to use mcafee but stopped using it as it did not detected nearly the
> amount of virus's that clamav and f-prot were getting.  Just added overhead.
> 

My experience with Mcafee is that they don't update dats on weekends. 
This just plain sucks. I work on weekends, and virus writers do too!

> drwxr-xr-x    2 root root 4096 Dec 29 10:09 4929
> lrwxrwxrwx    1 root root    4 Dec 29 10:09 current -> 4929
> drwxr-xr-x    2 root root 4096 Dec 28 09:11 4928
> drwxr-xr-x    2 root root 4096 Dec 27 09:06 4927
> drwxr-xr-x    2 root root 4096 Dec 26 09:03 4926
> drwxr-xr-x    2 root root 4096 Dec 22 09:04 4925
> drwxr-xr-x    2 root root 4096 Dec 21 10:08 4924
> drwxr-xr-x    2 root root 4096 Dec 20 09:03 4923
> drwxr-xr-x    2 root root 4096 Dec 19 09:04 4922
> drwxr-xr-x    2 root root 4096 Dec 18 11:11 4921
> drwxr-xr-x    2 root root 4096 Dec 15 09:05 4920

:-(

Ken A
Pacific.Net

> 
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
> Sent: Saturday, December 30, 2006 12:08 PM
> To: mailscanner@lists.mailscanner.info
> Subject: McAfee and lack of detection
> 
> Is any one else using McAfee with the 5100 engine seen a lack of detection
> lately? Maybe a month or so. I just had some time to look back through logs
> and noticed that McAfee isn't hitting, and a mail test today missed all but
> a
> straight eicar.com test.

From marco at uNiXpSyChO.com  Sun Dec 31 23:28:47 2006
From: marco at uNiXpSyChO.com (uNiXpSyChO)
Date: Sun Dec 31 22:31:29 2006
Subject: whitelist_to getting exploited
In-Reply-To: <3C7811E23EFFC14C8B76E79FEA50EC83DC1D@hodges01.hodges.local>
References: <plfl64-m2q.ln1@web1.xssnet.com>
	<3C7811E23EFFC14C8B76E79FEA50EC83DC1D@hodges01.hodges.local>
Message-ID: <06ql64-58q.ln1@web1.xssnet.com>

Andrew Hodges wrote:
> Hi,
> 
> Try the following link, if you use sendmail that is......
> 
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta
> :sendmail:how_to:split_mails_per_recipient
> 

aha!  i was thinking of Sendmail param SMTP_MAILER_MAXRCPTS (not 
confMAX_RCPTS_PER_MESSAGE)

thanx for the link.