From lars+lister.mailscanner at adventuras.no Wed Nov 1 00:24:24 2006
From: lars+lister.mailscanner at adventuras.no (Lars Kristiansen)
Date: Wed Nov 1 00:24:54 2006
Subject: dcc logs
In-Reply-To: <625385e30610311520w48b58dfcod6adca5e88e4a542@mail.gmail.com>
References: <45422F22.7FBE.00FC.3@medicine.wisc.edu> <4545D649.7FBE.00FC.3@medicine.wisc.edu> <45479D75.5010809@ecs.soton.ac.uk> <625385e30610311520w48b58dfcod6adca5e88e4a542@mail.gmail.com>
Message-ID: <4547E938.60607@adventuras.no>

shuttlebox wrote:
> On 10/31/06, Ugo Bellavance wrote:
>> I'll try to do it if I can find some time. BTW I think this only
>> happens when one uses dccifd. Correct me if I'm wrong but if you're
>> only using dccproc, you don't have those logs...
>
> That's correct.
>

Does this apply?
From http://www.rhyolite.com/anti-spam/dcc/dcc-tree/dccproc.html :
"
If dccproc is run more than 500 times in fewer than 5000 seconds,
dccproc tries to start Dccifd(8). The attempt is made at most once per
hour. Dccifd is significantly more efficient than dccproc. With luck,
mechanisms such as SpamAssassin will notice when dccifd is running and
switch to dccifd.
"

--
Regards,
Lars

From itdept at fractalweb.com Wed Nov 1 01:42:34 2006
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Nov 1 01:42:46 2006
Subject: Duplicate messages, first the full, then a blank
Message-ID: <4547FB8A.7020503@fractalweb.com>

Hi everyone,

I'm stumped. Intermittently, but dozens of times a day, our system sends the full message and body to the recipient, then a few minutes later sends an empty message with the same message ID to the same recipient. I don't know where to start looking at this.

We're running MailScanner with Sendmail.

Thanks,
Chris

From drew at technologytiger.net Wed Nov 1 01:59:51 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Nov 1 01:59:55 2006
Subject: Duplicate messages, first the full, then a blank
In-Reply-To: <4547FB8A.7020503@fractalweb.com>
References: <4547FB8A.7020503@fractalweb.com>
Message-ID: <938A53F2-3B4C-4B24-AF64-CF9ED3326387@technologytiger.net>

On 1 Nov 2006, at 01:42, Chris Yuzik wrote:

> Hi everyone,
>
> I'm stumped. Intermittently, but dozens of times a day, our system
> sends the full message and body to the recipient, then a few
> minutes later sends an empty message with the same message ID to
> the same recipient. I don't know where to start looking at this.

You could try in the list archives :-)

Then, try looking at the file locking in Sendmail and if you are running 8.13.x (From memory) you need to make sure you are not using flock in MailScanner.conf

The exact details have been posted a good few times already.

Drew

From ugob at camo-route.com Wed Nov 1 02:47:47 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Wed Nov 1 02:49:24 2006
Subject: dcc logs
In-Reply-To: <4547E938.60607@adventuras.no>
References: <45422F22.7FBE.00FC.3@medicine.wisc.edu> <4545D649.7FBE.00FC.3@medicine.wisc.edu> <45479D75.5010809@ecs.soton.ac.uk> <625385e30610311520w48b58dfcod6adca5e88e4a542@mail.gmail.com> <4547E938.60607@adventuras.no>
Message-ID:

Lars Kristiansen wrote:
> shuttlebox wrote:
>> On 10/31/06, Ugo Bellavance wrote:
>>> I'll try to do it if I can find some time. BTW I think this only
>>> happens when one uses dccifd. Correct me if I'm wrong but if you're
>>> only using dccproc, you don't have those logs...
>>
>> That's correct.
>>
>
> Does this apply?
> From http://www.rhyolite.com/anti-spam/dcc/dcc-tree/dccproc.html :
> "
> If dccproc is run more than 500 times in fewer than 5000 seconds,
> dccproc tries to start Dccifd(8). The attempt is made at most once per
> hour. Dccifd is significantly more efficient than dccproc. With luck,
> mechanisms such as SpamAssassin will notice when dccifd is running and
> switch to dccifd.
> "

Maybe it does, but it is fairly easy (see the wiki entry) to set up Dccifd, so I think it is worth setting it up. At worst, if Dccifd is not available, SpamAssassin falls back to dccproc.

From itlist at gmail.com Wed Nov 1 03:58:48 2006
From: itlist at gmail.com (Cheng Bruce)
Date: Wed Nov 1 03:58:52 2006
Subject: how to cache no-spam message shown its content in mailwatch
In-Reply-To: <4547A142.5030204@ecs.soton.ac.uk>
References: <4547A142.5030204@ecs.soton.ac.uk>
Message-ID:

Hi,

Thank you for your hint. You are right. But how can I modify this to really pass it.
Because I released it, user still needed me to copy from server.

# file /var/spool/MailScanner/quarantine/20061030/EBCD82561BA.24CE5/SEA_SO.bpl
/var/spool/MailScanner/quarantine/20061030/EBCD82561BA.24CE5/SEA_SO.bpl: MS-DOS executable (EXE), OS/2 or MS Windows

2006/11/1, Julian Field :
>
> Cheng Bruce wrote:
> > Dear all,
> >
> > I am starting to use mailscanner with mailwatch, recently get a lot of
> > spams going through my mail server which are treated as no-spam.
> > They have legitimate helo, sender, domains and so on. And they passed
> > the RBL which I set in "spam list" of mailscanner.
> > If I can review the messages like SPAM, I can add some rules in my
> > server to block them.
> >
> > by the way, is it possible to release the none-spam message as
> > original messages to users but not included in the message ?
> >
> > When our vendor send the update file (*.bpl) to us, it was blocked. I
> > don't know how to release this rule, because I only can do is remark
> > "deny executable No executables No programs allowed"
> > this line in "/etc/MailScanner/filetype.rules.conf".
> >
> > Would you please advise me how to do it ?
> What does the "file" command output when given one of the *.bpl files?
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From daniel at danielf.ch Wed Nov 1 09:18:32 2006
From: daniel at danielf.ch (Daniel Fuhrer)
Date: Wed Nov 1 09:18:39 2006
Subject: MCP Rules
Message-ID: <96EF3FB3C374A64187CCB0D0DA716F244670@idefix.danielf.local>

Hi all

Is it possible that each user uses some default MCP rule sets and has an own rule set?

Something like this.

User1@domain.com uses "mcp.default.rule" & "mcp.user1.rule"

User2@domain.com uses "mcp.default.rule" & "mcp.user2.rule"

But the users don't exist on mailscanner box. So he has no home directory. The own rule sets can be different files and don't have to correspond with the username in the email address.

If so, can someone give me an example?

Thanks for your help.

Cheers Daniel

From glenn.steen at gmail.com Wed Nov 1 09:59:51 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 1 09:59:55 2006
Subject: how to cache no-spam message shown its content in mailwatch
In-Reply-To:
References: <4547A142.5030204@ecs.soton.ac.uk>
Message-ID: <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com>

On 01/11/06, Cheng Bruce wrote:
> Hi,
>
> Thank you for your hint. You are right. But how can I modify this to really
> pass it.
> Because I released it, user still needed me to copy from server.
>
> # file
> /var/spool/MailScanner/quarantine/20061030/EBCD82561BA.24CE5/SEA_SO.bpl
> /var/spool/MailScanner/quarantine/20061030/EBCD82561BA.24CE5/SEA_SO.bpl:
> MS-DOS executable (EXE), OS/2 or MS Windows
>

Some (linux) versions of file have a very "optimistic" detection of DOS executables. What to look for and where to edit (your magic file) has been covered before on this list... Try a search over at gman;-). Or just search your magic file for the detected string, it is likely very obvious what to do:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From richard.thomas at psysolutions.com Wed Nov 1 14:29:59 2006
From: richard.thomas at psysolutions.com (Richard Thomas)
Date: Wed Nov 1 14:40:22 2006
Subject: Mailscanner- Quarantine to SQL DB instead of Filesystem?
In-Reply-To:
References:
Message-ID: <4548AF67.8010307@psysolutions.com>

falz wrote:
> I'm curious if anyone's written a patch, or know of a trick to
> quarantine a message to a SQL db INSTEAD OF a filesystem path. This is
> in conjunction with Mailwatch, which would obviously have to be
> patched to view this correctly.
>
> The reason for this is so that I can have multiple Mailscanner servers
> with RRDNS or balanced with same weight MX records and have the
> Mailwatch web interface and SQL database all be separate.
>
> Any suggestions?
>
> --falz

Ouch. The best place to store files is in the filesystem (except in very special cases). If you want to share between several computers, you might look into one of the several network file systems.

Rich

From richard.thomas at psysolutions.com Wed Nov 1 14:38:49 2006
From: richard.thomas at psysolutions.com (Richard Thomas)
Date: Wed Nov 1 14:50:35 2006
Subject: two messages repeatedly processed
In-Reply-To:
References: <45464609.4010208@dalsemi.com>
Message-ID: <4548B179.1090508@psysolutions.com>

Scott Silva wrote:
>>
> Are there any thing common to these messages? TNEF? Mimetype? Encoding?
> Are they overly large than average?
> I have seen this in messages that failed the TNEF decoder in the past, but any
> process that chokes on them could be leaving them un-processed.
>
>

I have had similar. When I run MailScanner manually with debug on, it gives an error about a character (can't remember off the top of my head). It unfortunately causes the mail queue to back up quite a lot.

Rich

From andoni.auzmendi at robertwalters.com Wed Nov 1 15:29:15 2006
From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi)
Date: Wed Nov 1 15:29:44 2006
Subject: rejecting botnets with sendmail
Message-ID: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>

Experiencing the recent increase in spam from botnets, is there a way to reject (or discard) connections coming from servers containing their ip address within the hostname? I can see lots of connections from broadband or dialup addresses. Some of them even bypass greylist as they resend the messages several times. We use Sendmail here and I guess there must be a milter which is capable of doing that.

Andoni Auzmendi

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.
This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.
www.mimesweeper.com
**********************************************************************

From richard.thomas at psysolutions.com Wed Nov 1 15:47:08 2006
From: richard.thomas at psysolutions.com (Richard Thomas)
Date: Wed Nov 1 15:54:22 2006
Subject: Disarmed HTML -> Blank messages
Message-ID: <4548C17C.5010608@psysolutions.com>

We have the occasional issue of users complaining about receiving blank messages. Checking in the logs, it looks as if Mailscanner has "disarmed" the HTML (Unfortunately, it doesn't log the exact reason). For whatever reason, this breaks the HTML and the page is blank. This in itself wouldn't be so much of an issue but there is no explanatory message from MailScanner in the email and no way to recover the original email (it is not quarantined). So questions are:

1) Can I add an explanatory message
2) Can I make MailScanner keep a copy of the original message in quarantine?

Thanks

Rich

From Denis.Beauchemin at USherbrooke.ca Wed Nov 1 16:06:34 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Nov 1 16:07:04 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
Message-ID: <4548C60A.7000202@USherbrooke.ca>

Andoni Auzmendi wrote:
> Experiencing the recent increase in spam from botnets, is there a way to
> reject (or discard) connections coming from servers containing their ip
> address within the hostname? I can see lots of connections from
> broadband or dialup addresses. Some of them even bypass greylist as
> they resend the messages several times. We use Sendmail here and I guess
> there must be a milter which is capable of doing that.
>
> Andoni Auzmendi
>

Andoni,

This saved us:
FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl

Put it in your sendmail.mc and then make your sendmail.cf from it. Last step is to restart sendmail using MailScanner's script.

I guess you can use other RBLs but I don't know which ones to recommend.

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From MailScanner at ecs.soton.ac.uk Wed Nov 1 16:11:15 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Nov 1 16:14:34 2006
Subject: MCP Rules
In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F244670@idefix.danielf.local>
References: <96EF3FB3C374A64187CCB0D0DA716F244670@idefix.danielf.local>
Message-ID: <4548C723.6080005@ecs.soton.ac.uk>

You cannot do this yet, but when I get time I will work on solving this problem completely.

Matt Hampton ---- Please can you re-send me your contributions for solving this?

Daniel Fuhrer wrote:
>
> Hi all
>
> Is it possible that each user uses some default MCP rule sets and has
> an own rule set?
>
> Something like this.
>
> User1@domain.com uses "mcp.default.rule" &
> "mcp.user1.rule"
>
> User2@domain.com uses "mcp.default.rule" &
> "mcp.user2.rule"
>
> But the users don't exist on mailscanner box. So he has no home
> directory. The own rule sets can be different files and don't have to
> correspond with the username in the email address.
>
> If so, can someone give me an example?
>
> Thanks for your help.
>
> Cheers Daniel
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Wed Nov 1 16:16:39 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Nov 1 16:17:58 2006
Subject: two messages repeatedly processed
In-Reply-To: <4548B179.1090508@psysolutions.com>
References: <45464609.4010208@dalsemi.com> <4548B179.1090508@psysolutions.com>
Message-ID: <4548C867.9030109@ecs.soton.ac.uk>

Richard Thomas wrote:
> Scott Silva wrote:
>>>
>> Are there any thing common to these messages? TNEF? Mimetype? Encoding?
>> Are they overly large than average?
>> I have seen this in messages that failed the TNEF decoder in the
>> past, but any
>> process that chokes on them could be leaving them un-processed.
>>
>>
> I have had similar. When I run MailScanner manually with debug on, it
> gives an error about a character (can't remember off the top of my
> head). It unfortunately causes the mail queue to back up quite a lot.

If it's of any use to you, the author of the tnef program recently produced a new version to solve a unicode problem with "foreign" characters appearing in the filenames. Upgrade to the latest version of the tnef program (which is already included in my distributions) and you may well find your TNEF problems go away.

Jules

From MailScanner at ecs.soton.ac.uk Wed Nov 1 16:27:03 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Nov 1 16:29:33 2006
Subject: Disarmed HTML -> Blank messages
In-Reply-To: <4548C17C.5010608@psysolutions.com>
References: <4548C17C.5010608@psysolutions.com>
Message-ID: <4548CAD7.9030207@ecs.soton.ac.uk>

Richard Thomas wrote:
> We have the occasional issue of users complaining about receiving
> blank messages. Checking in the logs, it looks as if Mailscanner has
> "disarmed" the HTML (Unfortunately, it doesn't log the exact reason).
> For whatever reason, this breaks the HTML and the page is blank. This
> in itself wouldn't be so much of an issue but there is no explanatory
> message from MailScanner in the email and no way to recover the
> original email (it is not quarantined). So questions are:
>
> 1)Can I add an explanatory message
> 2)Can I make MailScanner keep a copy of the original message in
> quarantine?

Search MailScanner.conf for the word Quarantine. It pops up quite a bit...

>
> Thanks
>
> Rich

Jules

From jrudd at ucsc.edu Wed Nov 1 16:33:55 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Wed Nov 1 16:37:10 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
Message-ID: <4548CC73.7060508@ucsc.edu>

Andoni Auzmendi wrote:
> Experiencing the recent increase in spam from botnets, is there a way to
> reject (or discard) connections coming from servers containing their ip
> address within the hostname? I can see lots of connections from
> broadband or dialup addresses. Some of them even bypass greylist as
> they resend the messages several times. We use Sendmail here and I guess
> there must be a milter which is capable of doing that.
>

I have done it with mimedefang. It's pretty trivial to put the code into filter_sender in mimedefang.

However, I've been asked to not talk about mimedefang widely on this list, so if you have more questions, you can probably look on that mailing list. (and I think my code might even be in their list archives; if not, go ahead and ask over there, and I'll post the code)

From dave.list at pixelhammer.com Wed Nov 1 16:41:20 2006
From: dave.list at pixelhammer.com (DAve)
Date: Wed Nov 1 16:41:36 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548C60A.7000202@USherbrooke.ca>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca>
Message-ID: <4548CE30.7070005@pixelhammer.com>

Denis Beauchemin wrote:
> Andoni Auzmendi wrote:
>> Experiencing the recent increase in spam from botnets, is there a way to
>> reject (or discard) connections coming from servers containing their ip
>> address within the hostname? I can see lots of connections from
>> broadband or dialup addresses. Some of them even bypass greylist as
>> they resend the messages several times. We use Sendmail here and I guess
>> there must be a milter which is capable of doing that.
>>
>> Andoni Auzmendi
>>
> Andoni,
>
> This saved us:
> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr}
> " found in safe.dnsbl.sorbs.net"')dnl

What list is this? I don't see it on the sorbs.net website.

I just lost my battle with the PHB over dul.dnsbl.sorbs.net and I had to remove it. Our VOIP provider (we are a reseller) has their VM server on the dul list. All VM wave files have been blocked since I started using dul last week to thwart a dictionary attack. I hate spammers, really, I wish them all constant pain and eternal agony.

DAve

>
> Put it in your sendmail.mc and then make your sendmail.cf from it. Last
> step is to restart sendmail using MailScanner's script.
>
> I guess you can use other RBLs but I don't know which ones to recommend.
>
> Denis
>

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From martinh at solidstatelogic.com Wed Nov 1 16:47:56 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 1 16:48:11 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548CE30.7070005@pixelhammer.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com>
Message-ID: <4548CFBC.9080800@solidstatelogic.com>

DAve wrote:
> Denis Beauchemin wrote:
>> Andoni Auzmendi wrote:
>>> Experiencing the recent increase in spam from botnets, is there a way to
>>> reject (or discard) connections coming from servers containing their ip
>>> address within the hostname? I can see lots of connections from
>>> broadband or dialup addresses. Some of them even bypass greylist as
>>> they resend the messages several times. We use Sendmail here and I guess
>>> there must be a milter which is capable of doing that.
>>>
>>> Andoni Auzmendi
>>>
>> Andoni,
>>
>> This saved us:
>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
>
> What list is this? I don't see it on the sorbs.net website.
>
> I just lost my battle with the PHB over dul.dnsbl.sorbs.net and I had to
> remove it. Our VOIP provider (we are a reseller) has their VM server on
> the dul list. All VM wave files have been blocked since I started using
> dul last week to thwart a dictionary attack. I hate spammers, really, I
> wish them all constant pain and eternal agony.
>
> DAve
>
>>
>> Put it in your sendmail.mc and then make your sendmail.cf from it.
>> Last step is to restart sendmail using MailScanner's script.
>>
>> I guess you can use other RBLs but I don't know which ones to recommend.
>>
>> Denis
>>
>
>

for me I find the DUL RBLs too sensitive and I don't run them..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From rcooper at dwford.com Wed Nov 1 17:09:11 2006
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Nov 1 17:09:28 2006
Subject: A note about ClamAV 0.90rc2
Message-ID: <00ba01c6fdd8$751f8100$0301a8c0@SAHOMELT>

I installed the 0.90rc2 release this morning, to test the internal unrar code mainly, and found it breaks the ClamAVModule in a big way. And MailScanner dies without explanation over and over. In debug mode you will find the error in the module. I did a manual compile on Mail::ClamAV and found the problem is in the CL_DISABLERAR section. Apparently the ClamAV maintainers did nothing to accommodate backward compatibility in this regard, so you cannot even compile the module (without doing some rewriting) with the 90rc2 (and probably RC1) version.

If you use the rc2 version you will have to switch to the command line clam scanner. I did note that clamscan now detects rar files regardless of their extension (or lack thereof) unlike the previous versions. I think, therefore, the --unrar= line for the clamscanners is no longer required but there would have to be some code to detect versions that are older than 0.90rc2 so the external rar switch is not passed. Or Julian will have to require the 0.9x versions once they are the standard release. Of course if the Mail::ClamAV author doesn't release a compatible version by then the module shouldn't be used, or some form of version clam check should automatically disable it.

Rick Cooper

From jrudd at ucsc.edu Wed Nov 1 17:11:22 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Wed Nov 1 17:13:48 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
Message-ID: <4548D53A.2030407@ucsc.edu>

Andoni Auzmendi wrote:
> Experiencing the recent increase in spam from botnets, is there a way to
> reject (or discard) connections coming from servers containing their ip
> address within the hostname? I can see lots of connections from
> broadband or dialup addresses. Some of them even bypass greylist as
> they resend the messages several times. We use Sendmail here and I guess
> there must be a milter which is capable of doing that.
>

By the way, if you wanted to just look at scoring them in spam assassin, instead of hard rejecting them, I'm actually moving my code from (a milter) to a Spam Assassin plugin. I've been discussing it over on the SA list. The thread subject is:

Relay Checker Plugin (code review please?)

By doing this in spam assassin, you can quarantine these messages instead of outright rejecting them. This helps you avoid rejecting any (difficult to detect) false positives. Though, honestly, I haven't been aware of any false positives from doing it at the milter level during the last 15 months.

From andoni.auzmendi at robertwalters.com Wed Nov 1 17:25:00 2006
From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi)
Date: Wed Nov 1 17:25:42 2006
Subject: rejecting botnets with sendmail
Message-ID: <5450254EC7E7B54193C8AEFD904AA36325E53A@PAT.internal.robertwalters.com>

Currently we are using relays.orbs.org, sbl.spamhaus.org and dnsbl.njabl.org. I will also add safe.dnsbl.sorbs.net and see how it goes.

Using the lists I rely on the lists maintainers to add those affected pcs. Is there a way I can use regular expressions to block hostnames containing ip addresses allowing at the same time a whitelist for small companies?

I think mimedefang can do it, but I would rather install a sendmail milter to keep the set up simpler if possible.

Thanks

Andoni

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve
Sent: 01 November 2006 16:41
To: MailScanner discussion
Subject: Re: rejecting botnets with sendmail

Denis Beauchemin wrote:
> Andoni Auzmendi wrote:
>> Experiencing the recent increase in spam from botnets, is there a way to
>> reject (or discard) connections coming from servers containing their ip
>> address within the hostname? I can see lots of connections from
>> broadband or dialup addresses. Some of them even bypass greylist as
>> they resend the messages several times. We use Sendmail here and I guess
>> there must be a milter which is capable of doing that.
>>
>> Andoni Auzmendi
>>
> Andoni,
>
> This saved us:
> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr}
> " found in safe.dnsbl.sorbs.net"')dnl

What list is this? I don't see it on the sorbs.net website.

I just lost my battle with the PHB over dul.dnsbl.sorbs.net and I had to remove it. Our VOIP provider (we are a reseller) has their VM server on the dul list. All VM wave files have been blocked since I started using dul last week to thwart a dictionary attack. I hate spammers, really, I wish them all constant pain and eternal agony.

DAve

>
> Put it in your sendmail.mc and then make your sendmail.cf from it. Last
> step is to restart sendmail using MailScanner's script.
>
> I guess you can use other RBLs but I don't know which ones to recommend.
>
> Denis
>

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From jrudd at ucsc.edu Wed Nov 1 17:32:05 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Wed Nov 1 17:36:57 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E53A@PAT.internal.robertwalters.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E53A@PAT.internal.robertwalters.com>
Message-ID: <4548DA15.9030901@ucsc.edu>

Andoni Auzmendi wrote:
> Currently we are using relays.orbs.org, sbl.spamhaus.org and dnsbl.njabl.org. I will also add safe.dnsbl.sorbs.net and see how it goes.
>
> Using the lists I rely on the lists maintainers to add those affected pcs. Is there a way I can use regular expressions to block hostnames containing ip addresses allowing at the same time a whitelist for small companies?
>
> I think mimedefang can do it, but I would rather install a sendmail milter to keep the set up simpler if possible.
>

Mimedefang _is_ a sendmail milter.

> Thanks
>
> Andoni
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve
> Sent: 01 November 2006 16:41
> To: MailScanner discussion
> Subject: Re: rejecting botnets with sendmail
>
> Denis Beauchemin wrote:
>> Andoni Auzmendi wrote:
>>> Experiencing the recent increase in spam from botnets, is there a way to
>>> reject (or discard) connections coming from servers containing their ip
>>> address within the hostname? I can see lots of connections from
>>> broadband or dialup addresses. Some of them even bypass greylist as
>>> they resend the messages several times. We use Sendmail here and I guess
>>> there must be a milter which is capable of doing that.
>>>
>>> Andoni Auzmendi
>>>
>> Andoni,
>>
>> This saved us:
>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr}
> " found in safe.dnsbl.sorbs.net"')dnl
>
> What list is this? I don't see it on the sorbs.net website.
>
> I just lost my battle with the PHB over dul.dnsbl.sorbs.net and I had to
> remove it. Our VOIP provider (we are a reseller) has their VM server on
> the dul list. All VM wave files have been blocked since I started using
> dul last week to thwart a dictionary attack. I hate spammers, really, I
> wish them all constant pain and eternal agony.
>
> DAve
>
>> Put it in your sendmail.mc and then make your sendmail.cf from it. Last
> step is to restart sendmail using MailScanner's script.
>>
>> I guess you can use other RBLs but I don't know which ones to recommend.
>>
>> Denis
>>
>
>

From Denis.Beauchemin at USherbrooke.ca Wed Nov 1 18:21:11 2006
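
The hostname test asked about in this thread, as an added example in Python (not code from any poster, mimedefang or SpamAssassin): it flags reverse-DNS names that embed the connecting IPv4 address and exempts a local whitelist. The whitelist entries, sample pairs and verdict names are constructed, and the name is assumed to have been forward-confirmed by the MTA already.

```python
import ipaddress
import re

# Hypothetical local whitelist (constructed values). Small companies on business
# DSL usually keep the ISP's generic rDNS name, so whitelisting by address is the
# reliable form; a domain whitelist is only safe for forward-confirmed names.
WHITELIST_NETS = [ipaddress.ip_network("203.0.113.7/32")]
WHITELIST_DOMAINS = ["voip.example"]


def embeds_client_ip(hostname, client_ip):
    """True if the rDNS hostname contains the client's own IPv4 address."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        return False  # this sketch only covers IPv4 naming schemes
    host = hostname.lower().rstrip(".")
    octets = [int(o) for o in str(addr).split(".")]
    for order in (octets, octets[::-1]):  # forward and reversed (PTR-style)
        # Separated decimal octets: 203-0-113-57, 203.0.113.57, 203_000_113_057
        separated = r"[.\-_]".join(r"0{0,2}%d" % o for o in order)
        if re.search(r"(?<!\d)" + separated + r"(?!\d)", host):
            return True
        # Zero-padded decimal run: 203000113057
        if "".join("%03d" % o for o in order) in host:
            return True
        # Hexadecimal run: cb007139
        if "".join("%02x" % o for o in order) in host:
            return True
    return False


def is_whitelisted(hostname, client_ip):
    """Whitelist by client network first, then by rDNS domain suffix."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in WHITELIST_NETS):
        return True
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WHITELIST_DOMAINS)


def classify(client_ip, hostname):
    """Return a verdict; whether 'generic' means reject or score is local policy."""
    if not hostname:
        return "no-rdns"
    if is_whitelisted(hostname, client_ip):
        return "whitelisted"
    if embeds_client_ip(hostname, client_ip):
        return "generic"
    return "ok"


# Constructed (client IP, rDNS name) pairs using documentation address ranges.
SAMPLES = [
    ("203.0.113.57", "host-203-0-113-57.dsl.example.net"),
    ("198.51.100.14", "14.100.51.198.broadband.example.org"),
    ("198.51.100.9", "198051100009.dialup.example.net"),
    ("192.0.2.200", "c00002c8.cable.example.com"),
    ("192.0.2.25", "mail.example.com"),
    ("203.0.113.7", "static-203-0-113-7.biz.example.net"),
    ("198.51.100.80", "198-51-100-80.voip.example"),
    ("192.0.2.99", None),
]

if __name__ == "__main__":
    for ip, name in SAMPLES:
        print(f"{ip:15} {name!s:45} {classify(ip, name)}")
```

Returning a verdict rather than an SMTP action lets the same test drive either a hard reject at the MTA or a score in the content filter, the two options discussed in the thread.
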
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Nov 1 18:21:38 2006 Subject: rejecting botnets with sendmail In-Reply-To: <4548CE30.7070005@pixelhammer.com> References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com> Message-ID: <4548E597.7060009@USherbrooke.ca> DAve wrote: > Denis Beauchemin wrote: >> Andoni Auzmendi wrote: >>> Experiencing the recent increase in spam from botnets, is there a >>> way to >>> reject (or discard) connections coming from servers containing their ip >>> address within the hostname? I can see lots of connections from >>> broadband or dialup addresses. Some of them even bypass greylist as >>> they resend the messages several times. We use Sendmail here and I >>> guess >>> there must be a milter which is capable of doing that. >>> >>> Andoni Auzmendi >>> >> Andoni, >> >> This saved us: >> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " >> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl > > What list is this? I don't see it on the sorbs.net website. Dave, It's an aggregate of: http.dnsbl.sorbs.net socks.dnsbl.sorbs.net misc.dnsbl.sorbs.net smtp.dnsbl.sorbs.net new.spam.dnsbl.sorbs.net web.dnsbl.sorbs.net block.dnsbl.sorbs.net zombie.dnsbl.sorbs.net dul.dnsbl.sorbs.net I really needed to block them at the MTA level because our hw wasn't able to cope with the big increase of spam we saw in the last weeks. Even though I had 3 equal priority MX servers, one was receiving twice as much as the other 2 combined. Denis -- Denis Beauchemin, analyst, Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045
From dave.list at pixelhammer.com Wed Nov 1 18:31:25 2006 
From: dave.list at pixelhammer.com (DAve) Date: Wed Nov 1 18:31:40 2006 Subject: rejecting botnets with sendmail In-Reply-To: <4548E597.7060009@USherbrooke.ca> References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com> <4548E597.7060009@USherbrooke.ca> Message-ID: <4548E7FD.9010205@pixelhammer.com> Denis Beauchemin wrote: > DAve wrote: >> Denis Beauchemin wrote: >>> Andoni Auzmendi wrote: >>>> Experiencing the recent increase in spam from botnets, is there a >>>> way to >>>> reject (or discard) connections coming from servers containing their ip >>>> address within the hostname? I can see lots of connections from >>>> broadband or dialup addresses. Some of them even bypass greylist as >>>> they resend the messages several times. We use Sendmail here and I >>>> guess >>>> there must be a milter which is capable of doing that. >>>> >>>> Andoni Auzmendi >>>> >>> Andoni, >>> >>> This saved us: >>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " >>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl >> >> What list is this? I don't see it on the sorbs.net website. > > Dave, > > It's an aggregate of: > > http.dnsbl.sorbs.net > socks.dnsbl.sorbs.net > misc.dnsbl.sorbs.net > smtp.dnsbl.sorbs.net > new.spam.dnsbl.sorbs.net > web.dnsbl.sorbs.net > block.dnsbl.sorbs.net > zombie.dnsbl.sorbs.net > dul.dnsbl.sorbs.net > > > I really needed to block them at the MTA level because our hw wasn't > able to cope with the big increase of spam we saw in the last weeks. > Even though I had 3 equal priority MX servers, one was receiving twice > as much as the other 2 combined. > > Denis > Ouch, I wouldn't call anything using dul safe ;^) I guess I'll just hold on and keep my pager batteries fresh. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. 
Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From alex at nkpanama.com Wed Nov 1 18:54:32 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Wed Nov 1 18:55:11 2006 Subject: OT may be: how to limit size of FuzzyOcr.log? In-Reply-To: <4547A1AC.8020203@ecs.soton.ac.uk> References: <00f101c6fc77$bc3649a0$3701a8c0@lapxp> <454688F7.2090405@nkpanama.com> <4547A1AC.8020203@ecs.soton.ac.uk> Message-ID: <4548ED68.3090905@nkpanama.com> WOW! Thanks! Didn't know about that smiley thingy... Julian Field wrote: > A shorter command that achieves the same thing is the lovely smiley command > :> /path/to/your/fuzzyocr.log > ':' is the null command. It does nothing and produces null output. The > '>' redirects that null output to the following filename, so that > ':>file' wipes the contents of "file". > > Jules From itdept at fractalweb.com Wed Nov 1 18:57:36 2006 From: itdept at fractalweb.com (Chris Yuzik) Date: Wed Nov 1 18:57:52 2006 Subject: Duplicate messages, first the full, then a blank In-Reply-To: <938A53F2-3B4C-4B24-AF64-CF9ED3326387@technologytiger.net> References: <4547FB8A.7020503@fractalweb.com> <938A53F2-3B4C-4B24-AF64-CF9ED3326387@technologytiger.net> Message-ID: <4548EE20.20107@fractalweb.com> Drew Marshall wrote: > You could try in the list archives :-) > > Then, try looking at the file locking in Sendmail and if you are > running 8.13.x (From memory) you need to make sure you are not using > flock in MailScanner.conf The exact details have been posted a good > few times already. > Drew, Hit the nail on the head. I think that did it. It somehow got blanked out with the last update. Thanks for your help. Chris From alex at nkpanama.com Wed Nov 1 19:00:56 2006 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Wed Nov 1 19:01:35 2006 Subject: rejecting botnets with sendmail In-Reply-To: <4548CE30.7070005@pixelhammer.com> References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com> Message-ID: <4548EEE8.4020905@nkpanama.com> Couldn't you just have whitelisted the VM server? DAve wrote: > Denis Beauchemin wrote: >> Andoni Auzmendi wrote: >>> Experiencing the recent increase in spam from botnets, is there a way to >>> reject (or discard) connections coming from servers containing their ip >>> address within the hostname? I can see lots of connections from >>> broadband or dialup addresses. Some of them even bypass greylist as >>> they resend the messages several times. We use Sendmail here and I guess >>> there must be a milter which is capable of doing that. >>> >>> Andoni Auzmendi >>> >> Andoni, >> >> This saved us: >> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " >> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl > > What list is this? I don't see it on the sorbs.net website. > > I just lost my battle with the PHB over dul.dnsbl.sorbs.net and I had to > remove it. Our VOIP provider (we are a reseller) has their VM server on > the dul list. All VM wave files have been blocked since I started using > dul last week to thwart a dictionary attack. I hate spammers, really, I > wish them all constant pain and eternal agony. > > DAve > >> >> Put it in your sendmail.mc and then make your sendmail.cf from it. >> Last step is to restart sendmail using MailScanner's script. >> >> I guess you can use other RBLs but I don't know which ones to recommend. >> >> Denis >> > > From max at assuredata.com Wed Nov 1 19:09:09 2006 
From: max at assuredata.com (Max Kipness) Date: Wed Nov 1 19:09:22 2006 Subject: Stocks and P-R-O-F-I-T Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B044D67@addc01.assuredata.local> Hello, I had recently tried what I thought was a good technique, and created a script that fed all email from every MailScanner white listed email address into sa-learn as ham nightly, without doing a check on the emails. This was obviously a bad choice as jokes and other spam like emails must have processed for months. Anyway, I scrapped the bayes database and started from scratch using the a sample bayes db from FSL (I think it's called). From there I've been feeding quite a bit of spam into sa-learn for about a week or two. I'd say I've fed about 400 spam mails thus far. However, as of today I'm still getting the p-r-o-f-i-t and stock spasm with bayes scores of anywhere from 10% to 50%. My question is how long or how many emails should it take bayes to figure out these spam emails? Is there a way of viewing the progress? With the other scores from DCC, Pyzor, Razor, the score is close to being tagged as spam, but sometimes it's not quite there because of the bayes score. Thanks, Max From rcooper at dwford.com Wed Nov 1 19:10:55 2006 From: rcooper at dwford.com (Rick Cooper) Date: Wed Nov 1 19:11:09 2006 Subject: rejecting botnets with sendmail In-Reply-To: <4548E7FD.9010205@pixelhammer.com> Message-ID: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve > Sent: Wednesday, November 01, 2006 1:31 PM > To: MailScanner discussion > Subject: Re: rejecting botnets with sendmail > [...] > >>> This saved us: > >>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " > >>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl > >> > >> What list is this? I don't see it on the sorbs.net website. > > > > Dave, > > > > It's an aggregate of: > > > > http.dnsbl.sorbs.net > > socks.dnsbl.sorbs.net > > misc.dnsbl.sorbs.net > > smtp.dnsbl.sorbs.net > > new.spam.dnsbl.sorbs.net > > web.dnsbl.sorbs.net > > block.dnsbl.sorbs.net > > zombie.dnsbl.sorbs.net > > dul.dnsbl.sorbs.net > > > > [...] > > Ouch, I wouldn't call anything using dul safe ;^) I guess > I'll just hold > on and keep my pager batteries fresh. > > DAve > > I use exim and it allows you to reject based on specific returns (such as 127.0.0.10) or anything but a specific return for rbls that return more than one possible address. I figured this is such a good idea perhaps sendmail had something similar so I hit google and found enhdnsbl, did a quick google on FEATURE(enhdnsbl, and found you could use something like FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in safe.dnsbl.sorbs.net"', ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.', `127.0.0.7.', `127.0.0.8.', `127.0.0.9.') Which would reject on all the lists except dul. Or you could have multiple FEATURE(`dnsbl', entries, one for each of the lists you wanted to use (there are more too). Of course the single call and choose your reject addresses, would be more economical I would think. Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From drew at technologytiger.net Wed Nov 1 19:39:06 2006 
From: drew at technologytiger.net (Drew Marshall) Date: Wed Nov 1 19:39:15 2006 Subject: Duplicate messages, first the full, then a blank In-Reply-To: <4548EE20.20107@fractalweb.com> References: <4547FB8A.7020503@fractalweb.com> <938A53F2-3B4C-4B24-AF64-CF9ED3326387@technologytiger.net> <4548EE20.20107@fractalweb.com> Message-ID: <275735A6-D021-4AC7-91C9-D4E6623F5466@technologytiger.net> On 1 Nov 2006, at 18:57, Chris Yuzik wrote: > Drew Marshall wrote: >> You could try in the list archives :-) >> >> Then, try looking at the file locking in Sendmail and if you are >> running 8.13.x (From memory) you need to make sure you are not >> using flock in MailScanner.conf The exact details have been posted >> a good few times already. >> > Drew, > > Hit the nail on the head. I think that did it. It somehow got > blanked out with the last update. > > Thanks for your help. No worries. Always a pleasure :-) Drew From mkettler at evi-inc.com Wed Nov 1 19:39:20 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Nov 1 19:39:43 2006 Subject: Spam Detection Around 55% In-Reply-To: <45479D4C.8090107@ecs.soton.ac.uk> References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> <4546297C.5080502@evi-inc.com> <45479D4C.8090107@ecs.soton.ac.uk> Message-ID: <4548F7E8.7090107@evi-inc.com> Julian Field wrote: > But if you read the instructions printed at the end of the install, it > tells you to uncomment the DCC statement in init.pre. It doesn't do it > automatically as this would break the licence. You mean we're supposed to read the 6 miles of text spit out by your installer? :) That said, what if they don't have DCC at all on their system? Make em load the plugin anyway? Any chance you might consider adding an ifplugin statement to frame the dcc_path command? ifplugin Mail::SpamAssassin::Plugin::DCC dcc_path endif That might cause DCC to break for someone making a new setup using SA 3.0.x and the latest MailScanner, but who's going to get the latest MailScanner while using an old version of SA? >>> Which is of course, what triggered my reply in the first place. The dcc_path >>> statement was causing parse errors. That's bad. It breaks RDJ. >>> > And, as the RDJ setup instructions from www.fsl.com/support tell you to > do, you should run the RDJ once by hand to get the initial rulesets and > check everything's okay. Really? where? Inside the installer tarball? And what about the folks that don't go the the fsl.com website? I'm not a FSL user. I'm a MailScanner user. I don't go to fsl.com/support. I go to mailscanner.info/support.html Perhaps you might consider adding a link to fsl.com/support to that page? Right now it mentions FSL, but only as a commercial support option. It might be worth pointing to all the free good FAQs fsl has created from the MailScanner website. 
> If you didn't follow the earlier instructions, > this will highlight the dcc_path error for you, allowing you to either > comment out the dcc_path line or re-read the earlier instruction > printing by my install script. > > Maybe we should have a wiki page that lists all the things that you and > I disagree on :-) > Just I've never had a complaint sent to me by a user who's really had > problems figuring out my instructions and has been badly bitten by all > these things. Ok... I'd agree none have mentioned being badly bitten. However, some HAVE been bitten. After all, that's how this conversation started. Someone got bit by the dcc_path bit. I just put my feet in the shoes of a particular kind of > user, one that barely knows what they are doing, who runs a little box > for him/herself and a few customers/friends and who loves to have > instructions telling them what to do. I'd agree. It's just my perspective while in these shoes is a bit different. When I put my feet in those shoes, I think "what can I do to make this work for the broadest variety of scenarios?" ie: "works no matter what". You appear to think "What can I do to make this work best for the most common scenario?" ie: maximal performance and ease for the typical small-box user. Neither of these views is outright incorrect, it's just a different approach to what's important when dealing with the "less knowledgeable" > > Jules > From brian.duncan at kattenlaw.com Wed Nov 1 19:40:56 2006 
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Wed Nov 1 19:41:16 2006 Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner. Message-ID: <65234743FE1555428435CE39E6AC4078B38B26@CHI-US-EXCH-01.us.kmz.com> I never was aware of people have some issues back in August with flock and posix with sendmail 8.13.x and MailScanner. I have looked through the archives regarding this issue, after seeing mention of it in a recent posting. I have found people telling others to change it to Posix for fixing problem X. I have found at least 1 post where a person says we have no issues, but is told turn it to Posix or you will. We run Linux, we use Sendmail 8.13.x on 3 servers and MailScanner + SpamAssasin etc.. We dot NOT have anything specified in the Mailscanner.conf file regarding lock type. Based on the comments in the Mailscanner.conf it says it will default to using POSIX on Sendmail. (but says to change it to Posix if running 8.13.x Does that mean it ONLY auto detects and works properly with Sendmail 8.12.x and below? Because mine is defaulting to supposedly using flock. When I look in the maillog logs, it says it is using flock. When I run the command: sendmail -d0.1 -d0.4 -bt References: <11375BD8FE838A409E10DB32B9BFFE9B044D67@addc01.assuredata.local> Message-ID: <4548F8AC.50504@evi-inc.com> Max Kipness wrote: > Hello, > > I had recently tried what I thought was a good technique, and created a > script that fed all email from every MailScanner white listed email > address into sa-learn as ham nightly, without doing a check on the > emails. This was obviously a bad choice as jokes and other spam like > emails must have processed for months. > > Anyway, I scrapped the bayes database and started from scratch using the > a sample bayes db from FSL (I think it's called). From there I've been > feeding quite a bit of spam into sa-learn for about a week or two. I'd > say I've fed about 400 spam mails thus far. 
However, as of today I'm > still getting the p-r-o-f-i-t and stock spasm with bayes scores of > anywhere from 10% to 50%. My question is what kind of stock spams are they? Are they image based, or text based? If it's image, bayes won't help you much, as bayes doesn't understand images. > My question is how long or how many emails should it take bayes to > figure out these spam emails? Is there a way of viewing the progress? > With the other scores from DCC, Pyzor, Razor, the score is close to > being tagged as spam, but sometimes it's not quite there because of the > bayes score. for image spams, try adding the SARE stocks ruleset. From sandrews at andrewscompanies.com Wed Nov 1 19:56:03 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Wed Nov 1 19:56:11 2006 Subject: MS Config Question - outbound Message-ID: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com> I'm currently using mailscanner to scan all inbound mail and that works great. Is there a way to use mailscanner to also be the outbound mail server and add a disclaimer/signature block to all outbound messages like it does for inbound scanned messages? Thanks, Steve From Denis.Beauchemin at USherbrooke.ca Wed Nov 1 20:07:02 2006 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Nov 1 20:10:56 2006 Subject: rejecting botnets with sendmail In-Reply-To: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT> References: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT> Message-ID: <4548FE66.7010702@USherbrooke.ca> Rick Cooper wrote: > > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve >> Sent: Wednesday, November 01, 2006 1:31 PM >> To: MailScanner discussion >> Subject: Re: rejecting botnets with sendmail >> >> > [...] > >>>>> This saved us: >>>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " >>>>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl >>>>> >>>> What list is this? I don't see it on the sorbs.net website. >>>> >>> Dave, >>> >>> It's an aggregate of: >>> >>> http.dnsbl.sorbs.net >>> socks.dnsbl.sorbs.net >>> misc.dnsbl.sorbs.net >>> smtp.dnsbl.sorbs.net >>> new.spam.dnsbl.sorbs.net >>> web.dnsbl.sorbs.net >>> block.dnsbl.sorbs.net >>> zombie.dnsbl.sorbs.net >>> dul.dnsbl.sorbs.net >>> >>> >>> > > [...] > > >> Ouch, I wouldn't call anything using dul safe ;^) I guess >> I'll just hold >> on and keep my pager batteries fresh. >> >> DAve >> >> >> > > I use exim and it allows you to reject based on specific returns (such as > 127.0.0.10) or anything but a specific return for rbls that return more than > one possible address. I figured this is such a good idea perhaps sendmail > had something similar so I hit google and found enhdnsbl, did a quick google > on FEATURE(enhdnsbl, and found you could use something like > > FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " > $&{client_addr} " found in safe.dnsbl.sorbs.net"', > ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.', > `127.0.0.7.', `127.0.0.8.', `127.0.0.9.') > > Which would reject on all the lists except dul. Or you could have multiple > FEATURE(`dnsbl', entries, one for each of the lists you wanted to use (there > are more too). Of course the single call and choose your reject addresses, > would be more economical I would think. > > Rick > Rick, This is really interesting! 
My stats for yesterday are:
127.0.0.2 : 929
127.0.0.3 : 608
127.0.0.4 : 46
127.0.0.5 : 5
127.0.0.6 : 539
127.0.0.7 : 12587
127.0.0.9 : 2
127.0.0.10 : 97940
So if I omit dul.dnsbl.sorbs.net I will not block much... Any ideas on how I could whitelist some IP addresses or domain names if needed? Thanks! Denis -- Denis Beauchemin, analyst, Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045
From alex at nkpanama.com Wed Nov 1 20:31:57 2006
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Wed Nov 1 20:32:42 2006 Subject: MS Config Question - outbound In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com> Message-ID: <4549043D.2030006@nkpanama.com> You need to understand the architecture behind MailScanner. It's not a mail server. It sits between servers and does what you tell it to do. That being said, if your mail server is not the same computer where MailScanner is running, you need to tell your mail server to use the computer running MailScanner to be its "smart host"; this means that local e-mail won't be scanned but outbound e-mail will. In order to add a disclaimer you'd have to set up "Sign Clean Messages" to a ruleset saying:
FromOrTo: default no
To: *@yourdomain.com no
From: *@yourdomain.com and To: *@yourdomain.com no
From: *@yourdomain.com yes ... for example. sandrews@andrewscompanies.com wrote: > I'm currently using mailscanner to scan all inbound mail and that works > great. > > Is there a way to use mailscanner to also be the outbound mail server > and add a disclaimer/signature block to all outbound messages like it > does for inbound scanned messages? > > Thanks, > > Steve From evan at espphotography.com Wed Nov 1 20:39:57 2006 From: evan at espphotography.com (Evan Platt) Date: Wed Nov 1 20:39:40 2006 Subject: MS Config Question - outbound In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewsc ompanies.com> References: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com> Message-ID: <200611012022.MAA22346@partners7.yack.com> At 11:56 AM 11/1/2006, you wrote: >I'm currently using mailscanner to scan all inbound mail and that works >great. > >Is there a way to use mailscanner to also be the outbound mail server >and add a disclaimer/signature block to all outbound messages like it >does for inbound scanned messages? I've gotta ask.. Why? I know of no anti-virus program that looks for "This message was scanned and found to be clean" and then ignores scanning the message. What's the point? I've seen spam with a EXE virus attached ("Microsoft Security Patch! INSTALL NOW!") with a "This message was found to be virus clean." From ssilva at sgvwater.com Wed Nov 1 20:43:51 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Nov 1 20:44:21 2006 Subject: rejecting botnets with sendmail In-Reply-To: <4548E7FD.9010205@pixelhammer.com> References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com> <4548E597.7060009@USherbrooke.ca> <4548E7FD.9010205@pixelhammer.com> Message-ID: DAve spake the following on 11/1/2006 10:31 AM: > Denis Beauchemin wrote: >> DAve wrote: >>> Denis Beauchemin wrote: >>>> Andoni Auzmendi wrote: >>>>> Experiencing the recent increase in spam from botnets, is there a >>>>> way to >>>>> reject (or discard) connections coming from servers containing >>>>> their ip >>>>> address within the hostname? I can see lots of connections from >>>>> broadband or dialup addresses. Some of them even bypass greylist as >>>>> they resend the messages several times. We use Sendmail here and I >>>>> guess >>>>> there must be a milter which is capable of doing that. >>>>> >>>>> Andoni Auzmendi >>>>> >>>> Andoni, >>>> >>>> This saved us: >>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " >>>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl >>> >>> What list is this? I don't see it on the sorbs.net website. >> >> Dave, >> >> It's an aggregate of: >> >> http.dnsbl.sorbs.net >> socks.dnsbl.sorbs.net >> misc.dnsbl.sorbs.net >> smtp.dnsbl.sorbs.net >> new.spam.dnsbl.sorbs.net >> web.dnsbl.sorbs.net >> block.dnsbl.sorbs.net >> zombie.dnsbl.sorbs.net >> dul.dnsbl.sorbs.net >> >> >> I really needed to block them at the MTA level because our hw wasn't >> able to cope with the big increase of spam we saw in the last weeks. >> Even though I had 3 equal priority MX servers, one was receiving twice >> as much as the other 2 combined. >> >> Denis >> > > Ouch, I wouldn't call anything using dul safe ;^) I guess I'll just hold > on and keep my pager batteries fresh. > > DAve > > Here are the other aggregate lists they have. 
A few don't include the dul list. SORBS also provides other aggregate zones as follows:

Zone Name                   Zones Included
=========                   ==============
dnsbl.sorbs.net             http.dnsbl.sorbs.net
                            socks.dnsbl.sorbs.net
                            misc.dnsbl.sorbs.net
                            smtp.dnsbl.sorbs.net
                            new.spam.dnsbl.sorbs.net
                            recent.spam.dnsbl.sorbs.net
                            escalations.dnsbl.sorbs.net
                            web.dnsbl.sorbs.net
                            dul.dnsbl.sorbs.net
                            block.dnsbl.sorbs.net
                            zombie.dnsbl.sorbs.net
safe.dnsbl.sorbs.net        http.dnsbl.sorbs.net
                            socks.dnsbl.sorbs.net
                            misc.dnsbl.sorbs.net
                            smtp.dnsbl.sorbs.net
                            new.spam.dnsbl.sorbs.net
                            web.dnsbl.sorbs.net
                            block.dnsbl.sorbs.net
                            zombie.dnsbl.sorbs.net
                            dul.dnsbl.sorbs.net
problems.dnsbl.sorbs.net    http.dnsbl.sorbs.net
                            socks.dnsbl.sorbs.net
                            misc.dnsbl.sorbs.net
                            smtp.dnsbl.sorbs.net
                            new.spam.dnsbl.sorbs.net
                            recent.spam.dnsbl.sorbs.net
                            old.spam.dnsbl.sorbs.net
                            escalations.dnsbl.sorbs.net
                            web.dnsbl.sorbs.net
                            block.dnsbl.sorbs.net
                            zombie.dnsbl.sorbs.net
relays.dnsbl.sorbs.net      http.dnsbl.sorbs.net
                            socks.dnsbl.sorbs.net
                            misc.dnsbl.sorbs.net
                            smtp.dnsbl.sorbs.net
proxies.dnsbl.sorbs.net     http.dnsbl.sorbs.net
                            socks.dnsbl.sorbs.net
                            misc.dnsbl.sorbs.net

-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
From ssilva at sgvwater.com Wed Nov 1 20:50:45 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Nov 1 20:51:31 2006 Subject: rejecting botnets with sendmail In-Reply-To: <4548FE66.7010702@USherbrooke.ca> References: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT> <4548FE66.7010702@USherbrooke.ca> Message-ID: Denis Beauchemin spake the following on 11/1/2006 12:07 PM: > Rick Cooper wrote: >> >> >> >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve >>> Sent: Wednesday, November 01, 2006 1:31 PM >>> To: MailScanner discussion >>> Subject: Re: rejecting botnets with sendmail >>> >>> >> [...] >> >>>>>> This saved us: >>>>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " >>>>>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl >>>>>> >>>>> What list is this? I don't see it on the sorbs.net website. >>>>> >>>> Dave, >>>> >>>> It's an aggregate of: >>>> >>>> http.dnsbl.sorbs.net >>>> socks.dnsbl.sorbs.net >>>> misc.dnsbl.sorbs.net >>>> smtp.dnsbl.sorbs.net >>>> new.spam.dnsbl.sorbs.net >>>> web.dnsbl.sorbs.net >>>> block.dnsbl.sorbs.net >>>> zombie.dnsbl.sorbs.net >>>> dul.dnsbl.sorbs.net >>>> >>>> >>>> >> >> [...] >> >> >>> Ouch, I wouldn't call anything using dul safe ;^) I guess I'll just >>> hold on and keep my pager batteries fresh. >>> >>> DAve >>> >>> >>> >> >> I use exim and it allows you to reject based on specific returns (such as >> 127.0.0.10) or anything but a specific return for rbls that return >> more than >> one possible address. I figured this is such a good idea perhaps sendmail >> had something similar so I hit google and found enhdnsbl, did a quick >> google >> on FEATURE(enhdnsbl, and found you could use something like >> >> FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " >> $&{client_addr} " found in safe.dnsbl.sorbs.net"', >> ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.', >> `127.0.0.7.', `127.0.0.8.', `127.0.0.9.') >> >> Which would reject on all the lists except dul. Or you could have >> multiple >> FEATURE(`dnsbl', entries, one for each of the lists you wanted to use >> (there >> are more too). Of course the single call and choose your reject >> addresses, >> would be more economical I would think. >> >> Rick >> > Rick, > > This is really interesting! 
My stats for yesterday are: > 127.0.0.2 : 929 > 127.0.0.3 : 608 > 127.0.0.4 : 46 > 127.0.0.5 : 5 > 127.0.0.6 : 539 > 127.0.0.7 : 12587 > 127.0.0.9 : 2 > 127.0.0.10 : 97940 > > So if I omit dul.dnsbl.sorbs.net I will not block much... > > Any ideas on how I could whitelist some IP addresses or domain names if > needed? > > Thanks! > > Denis > You can add whitelisted entries in the access file if you use feature_delay_checks in sendmail. http://www.technoids.org/ Has a lot of good sendmail stuff. Are you using the new stuff in sendmail like greetpause, conncontrol, and ratecontrol? http://www.technoids.org/dossed.html -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From alex at nkpanama.com Wed Nov 1 21:24:49 2006 
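The return-code selection Rick describes and the whitelist Denis asks about, worked through offline with Denis's own counts, as an added Python example (not code from sendmail, exim or any poster). The whitelist entry and client addresses are constructed, WHITELIST stands in for the access-file entries Scott mentions, and treating 127.0.0.10 as the dul answer follows what the thread implies.

```python
import ipaddress

ZONE = "safe.dnsbl.sorbs.net"

# Answers the enhdnsbl line quoted in the thread rejects on: 127.0.0.2 .. 127.0.0.9.
SELECTED_CODES = frozenset("127.0.0.%d" % n for n in range(2, 10))
# Assumption taken from the thread: 127.0.0.10 is the dul.dnsbl.sorbs.net answer.
DUL_CODE = "127.0.0.10"
ALL_CODES = SELECTED_CODES | {DUL_CODE}

# One day of hits per return code, as posted by Denis.
DENIS_STATS = {
    "127.0.0.2": 929, "127.0.0.3": 608, "127.0.0.4": 46, "127.0.0.5": 5,
    "127.0.0.6": 539, "127.0.0.7": 12587, "127.0.0.9": 2, "127.0.0.10": 97940,
}

# Constructed entry for a partner host that must get through even if listed.
WHITELIST = [ipaddress.ip_network("198.51.100.25/32")]


def query_name(client_ip, zone=ZONE):
    """A DNSBL lookup reverses the IPv4 octets and appends the zone name."""
    return ".".join(reversed(client_ip.split("."))) + "." + zone


def decide(client_ip, answers, reject_codes):
    """Connect-time decision. `answers` is the set of A records returned for
    query_name(client_ip); an empty set means the client is not listed. An
    aggregate zone can return several records for one client."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in WHITELIST):
        return "accept (whitelisted)"
    hits = sorted(set(answers) & set(reject_codes),
                  key=lambda code: int(code.rsplit(".", 1)[1]))
    if hits:
        return "reject (%s)" % ", ".join(hits)
    return "accept"


def blocked_share(stats, reject_codes):
    """How many of the logged hits a given choice of reject codes still blocks."""
    total = sum(stats.values())
    blocked = sum(n for code, n in stats.items() if code in reject_codes)
    return blocked, total, round(100.0 * blocked / total, 1)


if __name__ == "__main__":
    print(query_name("203.0.113.45"))
    # A client listed only in dul: passes with the selected codes, not with all.
    print(decide("203.0.113.45", {"127.0.0.10"}, SELECTED_CODES))
    print(decide("203.0.113.45", {"127.0.0.10"}, ALL_CODES))
    # The same dul listing for a whitelisted host.
    print(decide("198.51.100.25", {"127.0.0.10"}, ALL_CODES))
    print("without dul: %d of %d hits (%.1f%%)"
          % blocked_share(DENIS_STATS, SELECTED_CODES))
```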
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Wed Nov 1 21:26:30 2006 Subject: MS Config Question - outbound In-Reply-To: <200611012022.MAA22346@partners7.yack.com> References: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com> <200611012022.MAA22346@partners7.yack.com> Message-ID: <454910A1.6000805@nkpanama.com> You must remember there still are (and will be for a long time) bosses like Dilbert's (or the boss in "The Office", UK or US, take your pick) that *require* these useless bits of fluff. Evan Platt wrote: > At 11:56 AM 11/1/2006, you wrote: >> I'm currently using mailscanner to scan all inbound mail and that works >> great. >> >> Is there a way to use mailscanner to also be the outbound mail server >> and add a disclaimer/signature block to all outbound messages like it >> does for inbound scanned messages? > > > I've gotta ask.. > > Why? > > I know of no anti-virus program that looks for "This message was scanned > and found to be clean" and then ignores scanning the message. > > What's the point? > > I've seen spam with a EXE virus attached ("Microsoft Security Patch! > INSTALL NOW!") with a "This message was found to be virus clean." > > > From ssilva at sgvwater.com Wed Nov 1 22:25:53 2006 
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Nov 1 22:26:54 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38B26@CHI-US-EXCH-01.us.kmz.com>
References: <65234743FE1555428435CE39E6AC4078B38B26@CHI-US-EXCH-01.us.kmz.com>
Message-ID:

Duncan, Brian M. spake the following on 11/1/2006 11:40 AM:
> I never was aware of people have some issues back in August with flock
> and posix with sendmail 8.13.x and MailScanner.
>
> I have looked through the archives regarding this issue, after seeing
> mention of it in a recent posting. I have found people telling others
> to change it to Posix for fixing problem X. I have found at least 1 post
> where a person says we have no issues, but is told turn it to Posix or
> you will.
>
> We run Linux, we use Sendmail 8.13.x on 3 servers and MailScanner +
> SpamAssasin etc.. We dot NOT have anything specified in the
>
> Mailscanner.conf file regarding lock type.
>
> Based on the comments in the Mailscanner.conf it says it will default to
> using POSIX on Sendmail. (but says to change it to Posix if running
> 8.13.x Does that mean it ONLY auto detects and works properly with
> Sendmail 8.12.x and below? Because mine is defaulting to supposedly
> using flock.
>
> When I look in the maillog logs, it says it is using flock.
>
> When I run the command: sendmail -d0.1 -d0.4 -bt
> I DO NOT see flock in the compiled with field on ANY of my servers.
>
> I have not had any issues that I am aware of with any of my servers. We
> have been using 8.13.x for awhile now, I would guess that
> My primary server has probably passed close to 200 million messages with
> flock on. The other 2 servers 5-10% percent of that.
>
> So I am hesitant to switch my settings to POSIX.
>
>
> Are there any risks to Switching to Posix if I am not having any issues
> with FLOCK?
>
> Thanks for any info.

Posix is a "safer" method of locking, so you shouldn't have problems switching. There are risks of NOT switching to posix. There have been symptoms as benign as mail delivered more than once, to unmatched qf/df files being left behind. You have been lucky that you have not had any problem with flock, and you should not depend on MailScanner detecting the proper setting. In the current versions of MailScanner.conf you have the following comment;

# How to lock spool files.
# Don't set this unless you *know* you need to.
# For sendmail, it defaults to "posix".
# For sendmail 8.12 and older, you will probably need to change it to flock,
# particularly on Linux systems.
# For Exim, it defaults to "posix".
# No other type is implemented.
Lock Type =

It does not mention any type of auto detection, I believe because Julian had too many problems with its function. Change it to posix with sendmail 8.13. MailScanner --lint will tell you what is currently running.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From res at ausics.net Wed Nov 1 22:29:10 2006
From: res at ausics.net (Res)
Date: Wed Nov 1 22:29:22 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E53A@PAT.internal.robertwalters.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E53A@PAT.internal.robertwalters.com>
Message-ID:

On Wed, 1 Nov 2006, Andoni Auzmendi wrote:
> dnsbl.njabl.org.

I'd change this to combined.njabl.org ...far greater protection.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From MailScanner at ecs.soton.ac.uk Wed Nov 1 22:27:42 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Nov 1 22:30:18 2006
Subject: Spam Detection Around 55%
In-Reply-To: <4548F7E8.7090107@evi-inc.com>
References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> <4546297C.5080502@evi-inc.com> <45479D4C.8090107@ecs.soton.ac.uk> <4548F7E8.7090107@evi-inc.com>
Message-ID: <45491F5E.2030200@ecs.soton.ac.uk>

Matt Kettler wrote:
> Julian Field wrote:
>
>> But if you read the instructions printed at the end of the install, it
>> tells you to uncomment the DCC statement in init.pre. It doesn't do it
>> automatically as this would break the licence.
>>
>
> You mean we're supposed to read the 6 miles of text spit out by your installer? :)
>

No, just the last bit. Mind you, the whole point of all my "sleep" statements in the installer is to give you a chance to read at least the end of what it just printed. Rather better than most autoconf installers which just spew out unintelligible text faster than you can see. At that rate, why bother printing it at all?

> That said, what if they don't have DCC at all on their system? Make em load the
> plugin anyway?
>

The end of the installer tells them where to get DCC, as they indeed won't have DCC on their system at that point. At that point, if they bother to read the licence and realise they can't use it without paying, I assume they have the brainpower to realise they don't want to enable support for it if they can't use it.

> Any chance you might consider adding an ifplugin statement to frame the dcc_path
> command?
>
> ifplugin Mail::SpamAssassin::Plugin::DCC
> dcc_path
> endif
>

As above, they won't have DCC installed yet. That's what reading the instructions tells them to do: go and install it.

> That might cause DCC to break for someone making a new setup using SA 3.0.x and
> the latest MailScanner, but who's going to get the latest MailScanner while
> using an old version of SA?
>

But it's an installer for the latest version of SA. If they are running it at all, they won't have SA 3.0.x. So I don't need to handle SA 3.0.x. If they managed to run the whole installer and end up with 3.0.x installed, I would dearly like to know how, seeing as it installs 3.1.x !!

>
>>>> Which is of course, what triggered my reply in the first place. The dcc_path
>>>> statement was causing parse errors. That's bad. It breaks RDJ.
>>>>
>>>>
>> And, as the RDJ setup instructions from www.fsl.com/support tell you to
>> do, you should run the RDJ once by hand to get the initial rulesets and
>> check everything's okay.
>>
>
> Really? where? Inside the installer tarball?
>

Ok, you got me there, I don't tell them to go and fetch RDJ from fsl.com. But other bits of the wiki etc do. I must add an instruction to the Clam+SA installer to fetch RDJ from fsl.com.

> And what about the folks that don't go the the fsl.com website?
>

They will when I tell them to...

> I'm not a FSL user. I'm a MailScanner user. I don't go to fsl.com/support. I go
> to mailscanner.info/support.html
>
> Perhaps you might consider adding a link to fsl.com/support to that page? Right
> now it mentions FSL, but only as a commercial support option. It might be worth
> pointing to all the free good FAQs fsl has created from the MailScanner website.
>

Agreed. I have just added a line to the ClamAV+SA installer to go and install RDJ from fsl.com. I should add a link on support.html to point them to fsl.com/support as well.

>
>
>> If you didn't follow the earlier instructions,
>> this will highlight the dcc_path error for you, allowing you to either
>> comment out the dcc_path line or re-read the earlier instruction
>> printing by my install script.
>>
>> Maybe we should have a wiki page that lists all the things that you and
>> I disagree on :-)
>> Just I've never had a complaint sent to me by a user who's really had
>> problems figuring out my instructions and has been badly bitten by all
>> these things.
>>
>
> Ok... I'd agree none have mentioned being badly bitten. However, some HAVE been
> bitten. After all, that's how this conversation started. Someone got bit by the
> dcc_path bit.
>
> I just put my feet in the shoes of a particular kind of
>
>> user, one that barely knows what they are doing, who runs a little box
>> for him/herself and a few customers/friends and who loves to have
>> instructions telling them what to do.
>>
>
> I'd agree. It's just my perspective while in these shoes is a bit different.
> When I put my feet in those shoes, I think "what can I do to make this work for
> the broadest variety of scenarios?" ie: "works no matter what". You appear to
> think "What can I do to make this work best for the most common scenario?" ie:
> maximal performance and ease for the typical small-box user.
>
> Neither of these views is outright incorrect, it's just a different approach to
> what's important when dealing with the "less knowledgeable"
>

Agreed.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From res at ausics.net Wed Nov 1 22:30:27 2006
From: res at ausics.net (Res)
Date: Wed Nov 1 22:30:36 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548E597.7060009@USherbrooke.ca>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com> <4548E597.7060009@USherbrooke.ca>
Message-ID:

On Wed, 1 Nov 2006, Denis Beauchemin wrote:

> DAve wrote:
>> Denis Beauchemin wrote:
>>> Andoni Auzmendi wrote:
>>>> Experiencing the recent increase in spam from botnets, is there a way to
>>>> reject (or discard) connections coming from servers containing their ip
>>>> address within the hostname? I can see lots of connections from
>>>> broadband or dialup addresses. Some of them even bypass greylilst as
>>>> they resend the messages several times. We use Sendmail here and I guess
>>>> there must be a milter which is capable of doing that.
>>>>
>>>> Andoni Auzmendi
>>>>
>>> Andoni,
>>>
>>> This saved us:
>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} "
>>> found in safe.dnsbl.sorbs.net"')dnl
>>
>> What list is this? I don't see it on the sorbs.net website.
>
> Dave,
>
> It's an aggregate of:

it's equivalent to just using "dnsbl.sorbs.net"

>

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Wed Nov 1 22:33:30 2006
From: res at ausics.net (Res)
Date: Wed Nov 1 22:33:37 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548E7FD.9010205@pixelhammer.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com> <4548C60A.7000202@USherbrooke.ca> <4548CE30.7070005@pixelhammer.com> <4548E597.7060009@USherbrooke.ca> <4548E7FD.9010205@pixelhammer.com>
Message-ID:

On Wed, 1 Nov 2006, DAve wrote:

> Ouch, I wouldn't call anything using dul safe ;^) I guess I'll just hold on
> and keep my pager batteries fresh.

I would, reduced spam by a further %30 here. If you are a business on a static IP, most ISPs will ask the RBL to remove affected IP, and I've never known any of them to be unjustly denied.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Wed Nov 1 22:39:18 2006
From: res at ausics.net (Res)
Date: Wed Nov 1 22:39:31 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT>
References: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT>
Message-ID:

On Wed, 1 Nov 2006, Rick Cooper wrote:

>
> I use exim and it allows you to reject based on specific returns (such as
> 127.0.0.10) or anything but a specific return for rbls that return more than
> one possible address. I figured this is such a good idea perhaps sendmail
> had something similar so I hit google and found enhdnsbl, did a quick google
> on FEATURE(enhdnsbl, and found you could use something like
>
> FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
> $&{client_addr} " found in safe.dnsbl.sorbs.net"',
> ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.',
> `127.0.0.7.', `127.0.0.8.', `127.0.0.9.')
>
> Which would reject on all the lists except dul. Or you could have multiple
> FEATURE(`dnsbl', entries, one for each of the lists you wanted to use (there
> are more too). Of course the single call and choose your reject addresses,
> would be more economical I would think.

Sendmail works the identical way, it's an "enhanced dnsbl" feature

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From pete at enitech.com.au Wed Nov 1 22:49:22 2006
From: pete at enitech.com.au (Peter Russell)
Date: Wed Nov 1 22:50:12 2006
Subject: # of messages per batch
In-Reply-To:
References:
Message-ID: <45492472.6010801@enitech.com.au>

Sven De Troch wrote:
> Hello,
>
> how can I define how much files per batch MailScanner is handling?
> According to the logfiles MailScanner is processing almost always 1
> message per batch, even if there are different messages waiting in the
> queues?
>
> I have the impression that it takes longtime to process queues of 100
> messages (about 1 minute, av scanning with clamav and bitdefender
> included).
>
> In my MailScanner.conf:
> Max Children = 10
>
> MTA: sendmail
> Server: MS Virtual Machine 2GB Ram, 1cpu 2GHz
> Network: 100mbps to the internet (not congested)
>
> Thanks for some mini tuning tips ;-)
>
> kind regards,
> Sven
>

Is this in the wiki? It might be. It's certainly documented in the first 3rd of your MailScanner.conf file. Read that file, from start to finish, it's choc a block with information on MailScanner settings.

From mkettler at evi-inc.com Wed Nov 1 23:15:22 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Nov 1 23:15:41 2006
Subject: Spam Detection Around 55%
In-Reply-To: <45491F5E.2030200@ecs.soton.ac.uk>
References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> <4546297C.5080502@evi-inc.com> <45479D4C.8090107@ecs.soton.ac.uk> <4548F7E8.7090107@evi-inc.com> <45491F5E.2030200@ecs.soton.ac.uk>
Message-ID: <45492A8A.3080901@evi-inc.com>

Julian Field wrote:
>
>>> Any chance you might consider adding an ifplugin statement to frame the dcc_path
>>> command?
>>>
>>> ifplugin Mail::SpamAssassin::Plugin::DCC
>>> dcc_path
>>> endif
>>>
> As above, they won't have DCC installed yet. That's what reading the
> instructions tells them to do: go and install it.

Yes, which is *EXACTLY* why you want the ifplugin.

>>> That might cause DCC to break for someone making a new setup using SA 3.0.x and
>>> the latest MailScanner, but who's going to get the latest MailScanner while
>>> using an old version of SA?
>>>
> But it's an installer for the latest version of SA. If they are running
> it at all, they won't have SA 3.0.x. So I don't need to handle SA 3.0.x.
> If they managed to run the whole installer and end up with 3.0.x
> installed, I would dearly like to know how, seeing as it installs 3.1.x !!

What???

Look. Julian. We're clearly on a different page here. I'm talking about MailScanner here. So I'm talking about the MailScanner install process. I am not talking about your optional clamav/sa bundle pack.

ie: http://www.mailscanner.info/files/4/rpm/MailScanner-4.56.8-1.rpm.tar.gz

That does NOT install spamassassin as far as I know.

So does the MailScanner install process even tell users to modify their v310.pre?

From brian.duncan at kattenlaw.com Wed Nov 1 23:33:29 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Wed Nov 1 23:33:42 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
Message-ID: <65234743FE1555428435CE39E6AC4078B38B2B@CHI-US-EXCH-01.us.kmz.com>

> Posix is a "safer" method of locking, so you shouldn't have
> problems switching. There are risks of NOT switching to
> posix. There have been symptoms as benign as mail delivered
> more than once, to unmatched qf/df files being left behind.
> You have been lucky what you have not had any problem with
> flock, and you should not depend on MailScanner detecting the
> proper setting. In the current versions of MailScanner.conf
> you have the following comment;

OK Thanks, I am not familiar with different types of locking files under Unix/Linux.

>
> # How to lock spool files.
> # Don't set this unless you *know* you need to.
> # For sendmail, it defaults to "posix".
> # For sendmail 8.12 and older, you will probably need to
> change it to flock, # particularly on Linux systems.
> # For Exim, it defaults to "posix".
> # No other type is implemented.
> Lock Type =
>
> It does not mention any type of auto detection, I believe
> because Julian had too many problems with its function.
> Change it to posix with sendmail 8.13.
> MailScanner --lint will tell you what is currently running.

I figured it was "auto detect" based on the For sendmail, it defaults to posix comment above. (Mine are using Sendmail, and it's blank it is defaulting to flock)

I will be setting them all to Posix then specifically.

Thanks

>
> --
>
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
From mike at vesol.com Wed Nov 1 23:36:01 2006
From: mike at vesol.com (Mike Kercher)
Date: Wed Nov 1 23:37:07 2006
Subject: out of curiosity: reload and restart
In-Reply-To:
Message-ID:

mailscanner-bounces@lists.mailscanner.info <> scribbled on :

> Hello,
>
> no problem, but something I'd like to know ;)
>
> Are there any reasons to restart MS with
> /etc/init.d/MailScanner restart (and not reload to read the
> configfiles again)?
>
> i.e. if I change my sendmail access file, recompile it for
> sendmail and 'reload' MS, eveything is working fine, ..., so
> I wonder in which case a reload is not sufficient for
> MailScanner and a restart is needed (I'm not talking about
> Linux in general, but for MS specific)?
>

You only reload MS so that MS will read its config files again.

You do not have to reload or restart MS (sendmail) after making changes to the access, virtusertable or mailertable. If you change your sendmail.mc/cf, you need to RESTART MS, but only because that will restart the sendmail processes.

Mike

From ssilva at sgvwater.com Thu Nov 2 00:18:43 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 00:18:54 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38B2B@CHI-US-EXCH-01.us.kmz.com>
References: <65234743FE1555428435CE39E6AC4078B38B2B@CHI-US-EXCH-01.us.kmz.com>
Message-ID:

Duncan, Brian M. spake the following on 11/1/2006 3:33 PM:
>> Posix is a "safer" method of locking, so you shouldn't have
>
>> problems switching. There are risks of NOT switching to
>
>> posix. There have been symptoms as benign as mail delivered
>
>> more than once, to unmatched qf/df files being left behind.
>
>> You have been lucky what you have not had any problem with
>
>> flock, and you should not depend on MailScanner detecting the
>
>> proper setting. In the current versions of MailScanner.conf
>
>> you have the following comment;
>
> OK Thanks, I am not familiar with different types of locking files under
> Unix/Linux.
>
>
>
>> # How to lock spool files.
>> # Don't set this unless you *know* you need to.
>> # For sendmail, it defaults to "posix".
>> # For sendmail 8.12 and older, you will probably need to
>
>> change it to flock, # particularly on Linux systems.
>> # For Exim, it defaults to "posix".
>> # No other type is implemented.
>> Lock Type =
>>
>
>> It does not mention any type of auto detection, I believe
>
>> because Julian had too many problems with its function.
>
>> Change it to posix with sendmail 8.13.
>> MailScanner --lint will tell you what is currently running.
>
> I figured it was "auto detect" based on the For sendmail, it defaults to
> posix comment above. (Mine are using Sendmail, and it's blank it is
> defaulting to flock)
>
> I will be setting them all to Posix then specifically.
>
> Thanks

That default changed in 4.50.15-1. Are you running something older?
Does MailScanner -V work?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
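What the lock-type mismatch discussed in this thread looks like at the system-call level, as an added example (not code from MailScanner, sendmail or any poster): on a Linux local filesystem, flock() locks and POSIX fcntl() locks are tracked separately, so a process using one style does not see a lock held in the other. The temporary file standing in for a queue file and all function names are assumptions of the example.

```python
import errno
import fcntl
import os
import tempfile

STYLES = ("flock", "posix")


def take_lock(fd, style, blocking=True):
    """Take an exclusive whole-file lock on fd using the given style."""
    flags = fcntl.LOCK_EX | (0 if blocking else fcntl.LOCK_NB)
    if style == "flock":
        fcntl.flock(fd, flags)   # BSD-style lock, belongs to the open file
    else:
        fcntl.lockf(fd, flags)   # POSIX fcntl() record lock, belongs to the process


def contender_gets_lock(path, style):
    """Fork a second process (standing in for the other daemon) that opens
    path itself and tries a non-blocking exclusive lock of the given style.
    Returns True if that process was granted the lock."""
    pid = os.fork()
    if pid == 0:
        status = 2               # 2 = unexpected error
        try:
            fd = os.open(path, os.O_RDWR)
            take_lock(fd, style, blocking=False)
            status = 0           # 0 = lock granted
        except OSError as exc:
            if exc.errno in (errno.EAGAIN, errno.EACCES):
                status = 1       # 1 = refused, another process holds a lock
        finally:
            os._exit(status)     # never return into the parent's code
    _, raw = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(raw) if os.WIFEXITED(raw) else 2
    if code == 2:
        raise RuntimeError("lock probe failed unexpectedly")
    return code == 0


def lock_matrix():
    """For each holder style, hold an exclusive lock on a constructed
    stand-in queue file and record whether a second process can lock the
    same file with each style. Keys are (holder, contender)."""
    results = {}
    for holder in STYLES:
        fd, path = tempfile.mkstemp(prefix="constructed-qf-")
        try:
            take_lock(fd, holder)
            for contender in STYLES:
                results[(holder, contender)] = contender_gets_lock(path, contender)
        finally:
            os.close(fd)         # closing the descriptor releases the lock
            os.unlink(path)
    return results


def unsafe_pairs(matrix):
    """Combinations where both processes believe they own the file."""
    return [pair for pair, granted in matrix.items() if granted]


if __name__ == "__main__":
    for (holder, contender), granted in lock_matrix().items():
        verdict = "GRANTED (no mutual exclusion)" if granted else "refused"
        print(f"holder={holder:5s} contender={contender:5s} -> {verdict}")
```

On NFS mounts Linux emulates flock() with fcntl() locks, so the cross-style results can differ there.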
From ssilva at sgvwater.com Thu Nov 2 00:26:09 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 00:26:34 2006
Subject: # of messages per batch
In-Reply-To:
References:
Message-ID:

Sven De Troch spake the following on 11/1/2006 2:24 PM:
> Hello,
>
> how can I define how much files per batch MailScanner is handling?
> According to the logfiles MailScanner is processing almost always 1
> message per batch, even if there are different messages waiting in the
> queues?
>
> I have the impression that it takes longtime to process queues of 100
> messages (about 1 minute, av scanning with clamav and bitdefender
> included).
>
> In my MailScanner.conf:
> Max Children = 10
>
> MTA: sendmail
> Server: MS Virtual Machine 2GB Ram, 1cpu 2GHz
> Network: 100mbps to the internet (not congested)
>
> Thanks for some mini tuning tips ;-)
>
> kind regards,
> Sven
>

There is a setting in the conf file for max messages per batch, but MailScanner will not sit and wait for messages to pile up. If you are running 10 children, and mailscanner is set to check the queue every 30 seconds, then you would have to get something like 600 messages per minute to fill the default batch size of 30. If you are getting 10 to 20 messages a minute, you will never even break a sweat with 10 children. That would be around 1-4 messages per batch. You could lower your max children and see if the system keeps up. The recommendation is for 5 children per REAL cpu ( not hyperthreaded cpu) and 1 gig per cpu.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From rcooper at dwford.com Thu Nov 2 00:48:53 2006
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Nov 2 00:49:13 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4548FE66.7010702@USherbrooke.ca>
Message-ID: <002f01c6fe18$ac133d10$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Denis Beauchemin
> Sent: Wednesday, November 01, 2006 3:07 PM
> To: MailScanner discussion
> Subject: Re: rejecting botnets with sendmail

[...]

> > I use exim and it allows you to reject based on specific
> returns (such as
> > 127.0.0.10) or anything but a specific return for rbls that
> return more than
> > one possible address. I figured this is such a good idea
> perhaps sendmail
> > had something similar so I hit google and found enhdnsbl,
> did a quick google
> > on FEATURE(enhdnsbl, and found you could use something like
> >
> > FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
> > $&{client_addr} " found in safe.dnsbl.sorbs.net"',
> > ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', ,
> `127.0.0.6.',
> > `127.0.0.7.', `127.0.0.8.', `127.0.0.9.')
> >

[...]

> This is really interesting! My stats for yesterday are:
> 127.0.0.2 : 929
> 127.0.0.3 : 608
> 127.0.0.4 : 46
> 127.0.0.5 : 5
> 127.0.0.6 : 539
> 127.0.0.7 : 12587
> 127.0.0.9 : 2
> 127.0.0.10 : 97940
>
> So if I omit dul.dnsbl.sorbs.net I will not block much...
>
> Any ideas on how I could whitelist some IP addresses or
> domain names if
> needed?
>
> Thanks!
>
> Denis

I have not a clue how to do it with sendmail. An exim acl is pretty easy, I actually have whitelists that exclude some hosts from just about every part of the smtp process (most are news papers, ad agencies, etc). But I am sure a sendmail person on this list could certainly help you out.

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ssilva at sgvwater.com Thu Nov 2 00:54:42 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 00:54:57 2006
Subject: out of curiosity: reload and restart
In-Reply-To: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com>
References: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com>
Message-ID:

Sven De Troch spake the following on 11/1/2006 4:37 PM:
> On Wed, 1 Nov 2006 17:36:01 -0600, "Mike Kercher"
> wrote:
>
>> mailscanner-bounces@lists.mailscanner.info <> scribbled on :
>>
>> You do not have to reload or restart MS (sendmail) after making changes
>> to the access, virtusertable or mailertable. If you change your
>> sendmail.mc/cf, you need to RESTART MS, but only because that will
>> restart the sendmail processes.
>
> Mike,
>
> I thought as well that reloading MS is not sufficient to read new
> sendmail configs (i.e. access file), but this seems to be working for
> me and I don't find it logic neither (and because of this I raised my
> question here).
>
> With only reloading MS, my MTA is accepting the new acces config (To:
> domain RELAY) are am I dreaming ;-)
>
>

If you are rebuilding the access file (makemap) sendmail will read it. It only seems to need a restart if you rebuild the cf file.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From brian.duncan at kattenlaw.com Thu Nov 2 00:56:16 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Thu Nov 2 00:56:21 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
Message-ID: <65234743FE1555428435CE39E6AC4078B38B2C@CHI-US-EXCH-01.us.kmz.com>

> That default changed in 4.50.15-1. Are you running something older?
> Does MailScanner -V work?
>

Yes here is the output from one of my sendmail-8.13.8-1/MailScanner 4.54.6-1 boxes:

Does anything look off?

Running on
Linux venus 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11 22:57:02 EDT 2006 i686 i686 i386 GNU/Linux
This is Fedora Core release 4 (Stentz)
This is Perl version 5.008006 (5.8.6)

This is MailScanner version 4.54.6
Module versions are:
1.00 AnyDBM_File
1.16 Archive::Zip
1.03 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.73 File::Basename
2.08 File::Copy
2.01 FileHandle
1.06 File::Path
0.14 File::Temp
0.90 Filesys::Df
1.35 HTML::Entities
3.54 HTML::Parser
2.37 HTML::TokeParser
1.21 IO
1.10 IO::File
1.123 IO::Pipe
1.74 Mail::Header
3.05 MIME::Base64
5.420 MIME::Decoder
5.420 MIME::Decoder::UU
5.420 MIME::Head
5.420 MIME::Parser
3.03 MIME::QuotedPrint
5.420 MIME::Tools
0.10 Net::CIDR
1.08 POSIX
1.77 Socket
0.08 Sys::Syslog
1.65 Time::HiRes
1.02 Time::localtime

Optional module versions are:
0.17 Convert::TNEF
1.810 DB_File
1.11 DBD::SQLite
1.50 DBI
1.08 Digest
1.01 Digest::HMAC
2.33 Digest::MD5
2.10 Digest::SHA1
missing Inline
missing Mail::ClamAV
3.001006 Mail::SpamAssassin
1.997 Mail::SPF::Query
0.15 Net::CIDR::Lite
1.24 Net::IP
0.49 Net::DNS
0.33 Net::LDAP
missing Parse::RecDescent
missing SAVI
1.2 Sys::Hostname::Long
2.42 Test::Harness
0.47 Test::Simple
1.95 Text::Balanced
1.35 URI

From rcooper at dwford.com Thu Nov 2 01:04:25 2006
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Nov 2 01:04:37 2006
Subject: rejecting botnets with sendmail
In-Reply-To:
Message-ID: <003301c6fe1a$d73ecde0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
> Sent: Wednesday, November 01, 2006 5:39 PM
> To: MailScanner discussion
> Subject: RE: rejecting botnets with sendmail
>
> On Wed, 1 Nov 2006, Rick Cooper wrote:
>

[...]

> > FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
> > $&{client_addr} " found in safe.dnsbl.sorbs.net"',
> > ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', ,
> `127.0.0.6.',
> > `127.0.0.7.', `127.0.0.8.', `127.0.0.9.')
> >
> > Which would reject on all the lists except dul. Or you
> could have multiple
> > FEATURE(`dnsbl', entries, one for each of the lists you
> wanted to use (there
> > are more too). Of course the single call and choose your
> reject addresses,
> > would be more economical I would think.
>
>
> Sendmail works the identical way, its an "enhanced dnsbl" feature

That which I listed above (hopefully correct syntax) was from sendmail. In my exim configuration it looks like

    deny message = rejected because $sender_host_address is in a black list \
                   at $dnslist_domain $dnslist_text
         hosts = !/somedir/Mail_local_net:!/somedir/mail_relay_from_hosts
         senders = !/somedir/Mail_sender_white_list.conf
         dnslists = ${readfile{/somedir/mail_rbl_lists}{:}}

Which says, basically, if the host is *not* in my local network list, and it's not a host I relay for and the sender is not in a special whitelist, then submit to the rbls listed in /somedir/mail_rbl_lists. If the host is already excluded the call is never made (wasted). The lists can be changed without having to do anything with exim, if the file changes exim reads it again, otherwise it's cached.

/somedir/mail_rbl_lists contains entries like (several more than listed):

    safe.dnsbl.sorbs.net
    combined-HIB.dnsiplists.completewhois.com=127.0.0.2,127.0.0.3

Which says deny any thing returned from safe.dnsbl.sorbs.net, but only deny 127.0.0.2 or 127.0.0.3 from combined-HIB.dnsiplists.completewhois.com

This would basically accomplish what Denis wanted but I have no clue as to how to do it with SendMail

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From brian.duncan at kattenlaw.com Thu Nov 2 01:10:15 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Thu Nov 2 01:10:22 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x andMailScanner.
Message-ID: <65234743FE1555428435CE39E6AC4078B38B2D@CHI-US-EXCH-01.us.kmz.com>

One other question, is it normal when using posix for it to note:

Creating hardcoded struct_flock subroutine for linux (Linux-type)

Every time after it says it's using posix as the locking method?

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Duncan, Brian M.
> Sent: Wednesday, November 01, 2006 6:56 PM
> To: MailScanner discussion
> Subject: RE: Question regarding FLOCK or POSIX with Sendmail
> 8.13.x andMailScanner.
>
> > That default changed in 4.50.15-1. Are you running something older?
> > Does MailScanner -V work?
> >
>
> Yes here is the output from one of my sendmail-8.13.8-1/MailScanner
> 4.54.6-1 boxes:
>
> Does anything look off?

From max at assuredata.com Thu Nov 2 01:39:35 2006
From: max at assuredata.com (Max Kipness) Date: Thu Nov 2 01:39:44 2006 Subject: Stocks and P-R-O-F-I-T Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B044D6A@addc01.assuredata.local> > Hello, > > I had recently tried what I thought was a good technique, and created a > script that fed all email from every MailScanner white listed email > address into sa-learn as ham nightly, without doing a check on the > emails. This was obviously a bad choice as jokes and other spam like > emails must have processed for months. > > Anyway, I scrapped the bayes database and started from scratch using > a sample bayes db from FSL (I think it's called). From there I've been > feeding quite a bit of spam into sa-learn for about a week or two. I'd > say I've fed about 400 spam mails thus far. However, as of today I'm > still getting the p-r-o-f-i-t and stock spams with bayes scores of > anywhere from 10% to 50%. >>My question is what kind of stock spams are they? >>Are they image based, or text based? >>If it's image, bayes won't help you much, as bayes doesn't understand >>images. > My question is how long or how many emails should it take bayes to > figure out these spam emails? Is there a way of viewing the progress? > With the other scores from DCC, Pyzor, Razor, the score is close to > being tagged as spam, but sometimes it's not quite there because of the > bayes score. >>for image spams, try adding the SARE stocks ruleset. Yes, they are partially or sometimes full images. I have the SARE Stock ruleset installed, the problem is that whether or not this ruleset is being triggered, bayes is sometimes giving a negative score. Are you saying bayes cannot be trained to score high on messages that have images? I would think it would examine the fact that it's an image and header information, but maybe I'm wrong. Thanks, Max From rich at mail.wvnet.edu Thu Nov 2 01:46:00 2006
From: rich at mail.wvnet.edu (Richard Lynch) Date: Thu Nov 2 01:46:16 2006 Subject: MS 4.55.9 not detecting Mail::ClamAV - fixed, but still too slow In-Reply-To: <45460BAB.8030103@tulsaconnect.com> References: <45422F1A.7080203@tulsaconnect.com> <454264B9.8090706@solidstatelogic.com> <454276D8.4000209@tulsaconnect.com> <454379B1.8040404@ecs.soton.ac.uk> <45437D9C.4060703@tulsaconnect.com> <45438C70.9000208@ecs.soton.ac.uk> <4543B3A8.5030600@tulsaconnect.com> <4543B518.9030001@tulsaconnect.com> <45460BAB.8030103@tulsaconnect.com> Message-ID: <45494DD8.90908@mail.wvnet.edu> TCIS List Acct wrote: > > > TCIS List Acct wrote: > >> The performance difference after just a few minutes is _very_ >> noticeable. It looks like the Mail::ClamAV module solved my >> performance issue with ClamAV. yay! >> >> I'll notify Jan-Peter Koopmann (the port maintainer) about the >> required fix to get the module to compile. >> > > I guess I spoke too soon. Even using the clamavmodule, ClamAV simply > can't keep up with the load on my boxes. I tried disabling f-prot and > using just clamavmodule, but over time the queue starts to pile up > much more noticeably than when I just have f-prot running. Oh well. > I think you've got something there. I've been struggling with the load on my MS boxes too. Until now, I was running with both F-Prot and ClamAV. The idea being that if one scanner was slow with a new virus update the other would catch it. After reading your message I turned off ClamAV. Today the queues were really short and keeping up with the load was easy. We process approx one million messages/day. Thanks for the tip! It was not apparent to me while monitoring the system that it was the virus scanning that was causing the delay. ~rich From mike at vesol.com Thu Nov 2 02:07:15 2006
From: mike at vesol.com (Mike Kercher) Date: Thu Nov 2 02:08:05 2006 Subject: out of curiosity: reload and restart In-Reply-To: Message-ID: mailscanner-bounces@lists.mailscanner.info <> scribbled on : > On Wed, 01 Nov 2006 16:54:42 -0800, Scott Silva > wrote: > > >>> With only reloading MS, my MTA is accepting the new access > config (To: >>> domain RELAY) or am I dreaming ;-) >>> >>> >> If you are rebuilding the access file (makemap) sendmail > will read it. >> It only seems to need a restart if you rebuild the cf file. > > So if I understand you well, if I modify the access file > (something I need to do very often) and I do a 'make -C > /etc/mail' afterwards, I wouldn't have to restart sendmail > (and thus not MailScanner either)? > > > -- > Kind regards, > Sven De Troch > > ----- Need a reliable hosting partner? ----- > -- More info at http://www.sitehosting.be -- That is correct. I modify my access file all the time and don't restart anything. Mike From res at ausics.net Thu Nov 2 05:02:17 2006
From: res at ausics.net (Res) Date: Thu Nov 2 05:02:28 2006 Subject: rejecting botnets with sendmail In-Reply-To: <003301c6fe1a$d73ecde0$0301a8c0@SAHOMELT> References: <003301c6fe1a$d73ecde0$0301a8c0@SAHOMELT> Message-ID: On Wed, 1 Nov 2006, Rick Cooper wrote: >> Sendmail works the identical way, it's an "enhanced dnsbl" feature > > That which I listed above (hopefully correct syntax) was from sendmail. In > my exim configuration it looks like > > deny message = rejected because $sender_host_address is in a black list \ > at $dnslist_domain $dnslist_text > hosts = !/somedir/Mail_local_net:!/somedir/mail_relay_from_hosts > senders = !/somedir/Mail_sender_white_list.conf > dnslists = ${readfile{/somedir/mail_rbl_lists}{:}} > > Which says, basically, if the host is *not* in my local network list, and > it's not a host I relay for and the sender is not in a special whitelist, > then submit to the rbls listed in /somedir/mail_rbl_lists. If the host is > already excluded the call is never made (wasted). The lists can be changed > without having to do anything with exim, if the file changes exim reads it > again, otherwise it's cached. > 4 lines for what sendmail does by default compilation, whoa -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From daniel at danielf.ch Thu Nov 2 07:30:54 2006
From: daniel at danielf.ch (Daniel Fuhrer) Date: Thu Nov 2 07:31:01 2006 Subject: AW: MCP Rules In-Reply-To: <4548C723.6080005@ecs.soton.ac.uk> Message-ID: <96EF3FB3C374A64187CCB0D0DA716F244672@idefix.danielf.local> Hi Julian Thanks for the answer. It's not so important. It was just a question from my boss. Thanks Daniel Julian Field wrote: > You cannot do this yet, but when I get time I will work on solving this > problem completely. > Matt Hampton ---- Please can you re-send me your contributions for > solving this? > Daniel Fuhrer wrote: >> >> Hi all >> >> Is it possible that each user uses some default MCP rule sets and has >> an own rule set? >> >> Something like this. >> >> User1@domain.com uses "mcp.default.rule" & >> "mcp.user1.rule" >> >> User2@domain.com uses "mcp.default.rule" & >> "mcp.user2.rule" >> >> But the users don't exist on mailscanner box. So he has no home >> directory. The own rule sets can be different files and don't have to >> correspond with the username in the email address. >> >> If so, can someone give me an example? >> >> Thanks for your help. >> >> Cheers Daniel >> > Jules > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk
From brent.addis at pronet.co.nz Thu Nov 2 08:17:10 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Thu Nov 2 08:18:23 2006 Subject: rejecting botnets with sendmail In-Reply-To: References: <003301c6fe1a$d73ecde0$0301a8c0@SAHOMELT> Message-ID: <4549A986.7010502@pronet.co.nz> >> >> >> Which says, basically, if the host is *not* in my local network list, >> and >> it's not a host I relay for and the sender is not in a special >> whitelist, >> then submit to the rbls listed in /somedir/mail_rbl_lists. If the >> host is >> already excluded the call is never made (wasted). The lists can be >> changed >> without having to do anything with exim, if the file changes exim >> reads it >> again, otherwise it's cached. >> > > 4 lines for what sendmail does by default compilation, whoa > > > Swings both ways that does. Exim does things by default, that you need to run milter-ahead for with sendmail. Each to their own. From t.d.lee at durham.ac.uk Thu Nov 2 10:07:20 2006 
From: t.d.lee at durham.ac.uk (David Lee) Date: Thu Nov 2 10:07:33 2006 Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner. In-Reply-To: <65234743FE1555428435CE39E6AC4078B38B2C@CHI-US-EXCH-01.us.kmz.com> References: <65234743FE1555428435CE39E6AC4078B38B2C@CHI-US-EXCH-01.us.kmz.com> Message-ID: On Wed, 1 Nov 2006, Duncan, Brian M. wrote: > > > That default changed in 4.50.15-1. Are you running something older? > > Does MailScanner -V work? > > > > Yes here is the output from one of my sendmail-8.13.8-1/MailScanner > 4.54.6-1 boxes: > > Does anything look off? Yes, I think there is a problem... > [...] > This is MailScanner version 4.54.6 > [...] Earlier this year, there was an internal inconsistency within MS which I spotted at 4.54.6 . In "MailScanner.conf" the comments describing the default "Lock Type" (i.e. left blank) behaviour said 'it defaults to "posix"', but the actual behaviour (when left blank) was to set it to "flock". That is, the comments said MS would behave one way but its actual behaviour was the opposite. See threads starting at: http://lists.mailscanner.info/pipermail/mailscanner/2006-June/061887.html and Julian's acknowledgement and fix at: http://lists.mailscanner.info/pipermail/mailscanner/2006-June/061974.html So either upgrade to a more recent version (than 4.54.6) or if you need to stay back at 4.54.6 then explicitly state which lock type you want. Hope that helps. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From bgmahesh at gmail.com Thu Nov 2 11:19:03 2006 
From: bgmahesh at gmail.com (BG Mahesh) Date: Thu Nov 2 11:19:05 2006 Subject: False alarm on possible fraud Message-ID: <5227ac5c0611020319p5d888fa1w7173a27f387806c5@mail.gmail.com> hi In the email we are using http://explore.oneindia.in/suggest.php MS is suspecting it to be a fraud.. --- If you have a link that you want listed, please submit it at http://explore.oneindia.in/suggest.php*MailScanner has detected a possible fraud attempt from "ex" claiming to be* ----- What could be wrong in that URL/sentence? -- -- B.G. Mahesh http://www.greynium.com/ http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds From t.d.lee at durham.ac.uk Thu Nov 2 12:22:04 2006
From: t.d.lee at durham.ac.uk (David Lee) Date: Thu Nov 2 12:22:17 2006 Subject: MS/SA: SA problem Message-ID: We've been running MS/SA on Fedora machines for a few years. Earlier this week, I set up yet another machine, expecting it to be straightforward. Clean OS install (FC5), clean install of MS (4.56.8) etc. All seems well, including "spamassassin --lint --debug". But when it starts to try to process email, MailScanner seems to take a very long time. Running it in debug mode shows: Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718. Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718. Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718. dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67. dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67. dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67. dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67. and lots more similar lines (although the " line yy" varies). Any thoughts on this? Over the last couple of days I've tried various versions of SA (the above details are from 3.1.3) installed in various different ways, but all giving this set of errors. -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From amsc at k1k2.com Thu Nov 2 12:32:37 2006 
From: amsc at k1k2.com (Andrew) Date: Thu Nov 2 12:33:40 2006 Subject: Overriding SBL+XBL on a DHCP address Message-ID: <1162470757.30908.154.camel@and64.paige> Hi, I have a DHCP address at home (with a dns name I update if it changes ... using my own script ...) My server running MailScanner has a fixed IP so it's no problem. (I also have an auto update process running at home, on the server sendmail access file) What happened recently (and I need to get a new lease to fix) is that my DHCP IP address showed up in SBL+XBL My home server does smart forwarding to my mail server Because of this, all my email was being dumped by the spam filter. I guess there is a simple solution to this problem? How can I whitelist my DHCP IP address? I did try whitelisting the name, but couldn't seem to get it to work without specifying the IP address by number (which is of course not much use) I tried listing my internal IP subnet first but that didn't work coz the spam filter seems to only check the previous IP address in the path list? Also, I'm using an old version of MailScanner: 4.38.10 Here's the edited whitelist file. It didn't work until the last line was added. spam.whitelist.rules -------------------- # This is where you can build a Spam WhiteList # Addresses matching in here, with the value # "yes" will never be marked as spam. FromOrTo: default no From: /^192\.168\.ccc\./ yes From: nam1.nam2.nam3.com yes From: /^aaa\.bbb\.xxx\.yyy/ yes -Thanks for any help From res at ausics.net Thu Nov 2 13:02:43 2006 
From: res at ausics.net (Res) Date: Thu Nov 2 13:02:53 2006 Subject: MS/SA: SA problem In-Reply-To: References: Message-ID: On Thu, 2 Nov 2006, David Lee wrote: > But when it starts to try to process email, MailScanner seems to take a > > Any thoughts on this? > have you enabled the log speed issue to see where it might be delaying? I was seeing this a while back, it was dcc, disabled it and everything fine since -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From martinh at solidstatelogic.com Thu Nov 2 13:05:13 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Nov 2 13:05:48 2006 Subject: Stocks and P-R-O-F-I-T In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B044D67@addc01.assuredata.local> References: <11375BD8FE838A409E10DB32B9BFFE9B044D67@addc01.assuredata.local> Message-ID: <4549ED09.7020909@solidstatelogic.com> Max Kipness wrote: > Hello, > > I had recently tried what I thought was a good technique, and created a > script that fed all email from every MailScanner white listed email > address into sa-learn as ham nightly, without doing a check on the > emails. This was obviously a bad choice as jokes and other spam like > emails must have processed for months. > > Anyway, I scrapped the bayes database and started from scratch using > a sample bayes db from FSL (I think it's called). From there I've been > feeding quite a bit of spam into sa-learn for about a week or two. I'd > say I've fed about 400 spam mails thus far. However, as of today I'm > still getting the p-r-o-f-i-t and stock spams with bayes scores of > anywhere from 10% to 50%. > > My question is how long or how many emails should it take bayes to > figure out these spam emails? Is there a way of viewing the progress? > With the other scores from DCC, Pyzor, Razor, the score is close to > being tagged as spam, but sometimes it's not quite there because of the > bayes score. > > Thanks, > Max > Max besides the SARE_Stock rules what others have you got. Also the SARE-stock got updated a couple of weeks ago to help with this. Have a look at some of Fred's and Jennifer's rules listed in www.rulesemporium.com/other-rules.htm -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From marc at marcsnet.com Thu Nov 2 13:17:00 2006 From: marc at marcsnet.com (Marc Lucke) Date: Thu Nov 2 13:17:33 2006 Subject: MailScanner as mail proxy In-Reply-To: References: Message-ID: <4549EFCC.1090902@marcsnet.com> Jim Holland wrote: > On Tue, 31 Oct 2006, David Lee wrote: > > >> Date: Tue, 31 Oct 2006 11:47:35 +0000 (GMT) 
>> From: David Lee >> Reply-To: MailScanner discussion >> To: MailScanner discussion >> Subject: Re: MailScanner as mail proxy >> >> On Tue, 31 Oct 2006, Marc Lucke wrote: >> >> >>> I know this is getting off topic. I know enough about sendmail to be >>> 99% sure that this question should be on their list. But any help, >>> ideas or feedback would be welcome. I'm guessing the MailScanner >>> community would have come across my problem on more than 1 occasion. >>> >>> I run MailScanner on a remote machine to my actual mailserver. In other >>> words all mail is relayed via the Mailscanner box. This is to stop >>> viruses and spam on the mailserver I have to run which is very limited >>> in such defenses. It all works great, apart from one annoying problem: >>> if someone sends to an unknown email account (as oft occurs) the >>> MailScanner proxy (for want of a better way to describe it as I'm using >>> it) first accepts the email, attempts delivery, cannot deliver and then >>> tries to notify the sender who doesn't exist. So I'm lumbered with a >>> billion postmaster non-delivery emails. I'm keeping up with this quite >>> well, but I'm scared I'll miss a legitimate message because it's buried >>> in garbage. >>> >>> Is there anything I can do to get anything in MailScanner to check with >>> my destination email server that the actual account exists before >>> accepting the email in the first place? >>> >> Even MailScanner would be too late: your overall email system has already >> accepted the email. To confirm your last paragraph, for unknown >> usernames, you really need to refuse to accept the email in the first >> place. >> >> You need to do your "refuse to accept" on your Internet boundary: on the >> sendmail listener that runs on your remote (MailScanner) box. 
A route you >> probably want to investigate is the "virtuser" table in that remote >> sendmail listener, and having a maintenance procedure that regularly >> populates that table with the valid usernames (and other possible valid >> addresses) on your user-mailserver. >> > > That is the method that I used to use on MANGO, with a script to mail the > updated virtusertable to the gateway machine and then have it processed by > another script on arrival. It works, but is a rather messy approach. In > particular, the virtusertable entries redirect mail from one address to > another address, so you have to change the domain names and then have a > mailertable entry for the new domain. However I don't think that sendmail > itself offers any alternative approach to this problem. > > As Steve Freegard wrote: > > >> You can do this using a sendmail milter . . . >> there is a free alternative (I've never tried it though, so I can't >> comment on its features) at http://smfs.sourceforge.net/smf-sav.html. >> > > I highly recommend it in its latest version, smf-sav v1.4.0. Not only can > it be used for recipient verification, it can also do sender verification. > Earlier versions had some significant drawbacks, but I now run this > version on a production server and find it extremely useful for SAV and > RAV. If you want any help offline, please feel free to contact me. The > developer, Eugene Kurmanin, is also extremely helpful and responsive (even > helping me get it running on an ancient RedHat 6.1 box that it was never > intended to be compiled on). > > Regards > > Jim Holland > System Administrator > MANGO - Zimbabwe's non-profit e-mail service > > I just have to say, Jim - smf-sav kicks ass. I've got it running on 2 Linux servers now & it saves SO much time in postmaster messages and spam - it's really incredible. It's given me a whole chunk of my life back. Thank you to all on list with suggestions.
Marc From brian.duncan at kattenlaw.com Thu Nov 2 14:05:32 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Thu Nov 2 14:05:42 2006 Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner. Message-ID: <65234743FE1555428435CE39E6AC4078B38B30@CHI-US-EXCH-01.us.kmz.com> > Earlier this year, there was an internal inconsistency within > MS which I spotted at 4.54.6 . > > In "MailScanner.conf" the comments describing the default "Lock Type" > (i.e. left blank) behaviour said 'it defaults to "posix"', > but the actual behaviour (when left blank) was to set it to "flock". > > That is, the comments said MS would behave one way but its > actual behaviour was the opposite. > > See threads starting at: > > http://lists.mailscanner.info/pipermail/mailscanner/2006-June/ > 061887.html > and Julian's acknowledgement and fix at: > > http://lists.mailscanner.info/pipermail/mailscanner/2006-June/ > 061974.html > > > So either upgrade to a more recent version (than 4.54.6) or > if you need to stay back at 4.54.6 then explicitly state > which lock type you want. > > Hope that helps. Thank you for the information. I found those this morning when doing further searches. I am hesitant to turn posix on, on my main server that has been using Sendmail 8.13.x and flock for months now without issue. I am starting with a lower load box first. I am afraid that it will cause a duplication issue. It seems to with some sendmail 8.12.x users, and when they show their compiled options I don't see flock listed. Here is one posting from a recent person with the duplicating message issue that was using Sendmail 8.12.11: >Yes I'm using sendmail. > >8.12.11-4.6 > ># sendmail -d0.1 >Version 8.12.11 > Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET >NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB USE_LDAP_INIT >Duncan Since he does not have FLOCK shown in his compiled options, shouldn't Posix have worked for him?
(Everything was ok when he switched to flock) - I looked at an older box I have here with sendmail 8.12 on it and I don't have flock shown as a compiled option. I thought it was supposed to show you if flock support is compiled into sendmail. Can someone please explain to me how it is determined that with Sendmail 8.13.x + versions you have to use posix? Is there any way to determine 100% that your sendmail compile is already using Posix and NOT flock? Looking for flock in the compiled options does not look to be accurate based on the above post I included. (He had to switch to flock to make his work, yet flock does NOT show up in his compiled options) Thanks From Denis.Beauchemin at USherbrooke.ca Thu Nov 2 14:21:02 2006
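Why the lock type has to match on both sides of the mail queue, shown as an added example that is not from this thread, MailScanner or sendmail: it checks, between two processes, which pairs of locking APIs actually exclude each other. The "flock"/"posix" labels mirror the Lock Type values discussed in the messages above; the temporary file and all helper names are constructed for the illustration.

```python
"""Added illustration: do flock() locks and POSIX fcntl() locks see each other?"""
import fcntl
import subprocess
import sys
import tempfile

# Program run in a second process: try a non-blocking exclusive lock on the
# file with the requested API. Exit 0 = granted, 1 = refused, 2 = other error.
CONTENDER = r"""
import errno, fcntl, sys
path, api = sys.argv[1], sys.argv[2]
with open(path, "r+b") as f:
    try:
        if api == "flock":
            fcntl.flock(f.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
        else:
            fcntl.lockf(f.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as e:
        sys.exit(1 if e.errno in (errno.EACCES, errno.EAGAIN) else 2)
sys.exit(0)
"""


def _hold(fd, api):
    """Take an exclusive whole-file lock on fd with the named API."""
    if api == "flock":
        fcntl.flock(fd, fcntl.LOCK_EX)   # BSD-style lock on the open file
    elif api == "posix":
        fcntl.lockf(fd, fcntl.LOCK_EX)   # POSIX record lock via fcntl()
    else:
        raise ValueError("unknown lock api: %r" % api)


def second_locker_refused(holder_api, contender_api):
    """Hold a lock with holder_api, then let a second process ask for the
    same file with contender_api. True means the second process was refused."""
    with tempfile.NamedTemporaryFile(prefix="constructed-qf-") as queue_file:
        queue_file.write(b"constructed queue entry\n")
        queue_file.flush()
        _hold(queue_file.fileno(), holder_api)
        rc = subprocess.run(
            [sys.executable, "-c", CONTENDER, queue_file.name, contender_api]
        ).returncode
    if rc not in (0, 1):
        raise RuntimeError("contender failed unexpectedly (exit %d)" % rc)
    return rc == 1


def lock_matrix():
    """Return {(holder_api, contender_api): refused} for all four pairings."""
    apis = ("flock", "posix")
    return {(h, c): second_locker_refused(h, c) for h in apis for c in apis}


if __name__ == "__main__":
    for (holder, contender), refused in lock_matrix().items():
        verdict = "refused" if refused else "GRANTED while the first lock is held"
        print("holder=%-5s contender=%-5s -> %s" % (holder, contender, verdict))
```

On a local Linux filesystem the two mixed pairings come back as granted, which is the situation where two programs can work on the same queue file at the same time; other platforms and NFS mounts can behave differently.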
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Nov 2 14:21:30 2006 Subject: rejecting botnets with sendmail In-Reply-To: References: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT> <4548FE66.7010702@USherbrooke.ca> Message-ID: <4549FECE.9020503@USherbrooke.ca> Scott Silva wrote: >>> I use exim and it allows you to reject based on specific returns >>> (such as >>> 127.0.0.10) or anything but a specific return for rbls that return >>> more than >>> one possible address. I figured this is such a good idea perhaps sendmail >>> had something similar so I hit google and found enhdnsbl, did a quick >>> google >>> on FEATURE(enhdnsbl, and found you could use something like >>> >>> FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " >>> $&{client_addr} " found in safe.dnsbl.sorbs.net"', >>> ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.', >>> `127.0.0.7.', `127.0.0.8.', `127.0.0.9.') >>> >>> Which would reject on all the lists except dul. Or you could have >>> multiple >>> FEATURE(`dnsbl', entries, one for each of the lists you wanted to use >>> (there >>> are more too). Of course the single call and choose your reject >>> addresses, >>> would be more economical I would think. >>> >>> Rick >>> >>> >> Rick, >> >> This is really interesting! My stats for yesterday are: >> 127.0.0.2 : 929 >> 127.0.0.3 : 608 >> 127.0.0.4 : 46 >> 127.0.0.5 : 5 >> 127.0.0.6 : 539 >> 127.0.0.7 : 12587 >> 127.0.0.9 : 2 >> 127.0.0.10 : 97940 >> >> So if I omit dul.dnsbl.sorbs.net I will not block much... >> >> Any ideas on how I could whitelist some IP addresses or domain names if >> needed? >> >> Thanks! >> >> Denis >> >> > You can add whitelisted entries in the access file if you use > feature_delay_checks in sendmail. > http://www.technoids.org/ > Has a lot of good sendmail stuff. > Are you using the new stuff in sendmail like greetpause, conncontrol, and > ratecontrol?
> http://www.technoids.org/dossed.html > Yes, I am using greetpause, conncontrol, and ratecontrol but they're not enough. I knew about http://www.technoids.org/dossed but not the rest of the site. It's quite interesting. However I'm not sure how to whitelist a remote site that appears on safe.dnsbl.sorbs.net. The examples I saw referred to email addresses... After some more reading on sendmail.org, I think I need the following in my access file: ip.of.remote.host: OK OK: "Accept mail even if other rules in the running ruleset would reject it, for example, if the domain name is unresolvable. "Accept" does not mean "relay", but at most acceptance for local recipients. That is, OK allows less than RELAY." Denis -- Denis Beauchemin, analyst, Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 From rcooper at dwford.com Thu Nov 2 14:23:51 2006 From: rcooper at dwford.com (Rick Cooper) Date: Thu Nov 2 14:24:00 2006 Subject: rejecting botnets with sendmail In-Reply-To: Message-ID: <000001c6fe8a$8573ab50$0301a8c0@SAHOMELT> > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res > Sent: Thursday, November 02, 2006 12:02 AM > To: MailScanner discussion > Subject: RE: rejecting botnets with sendmail > > On Wed, 1 Nov 2006, Rick Cooper wrote: > > >> Sendmail works the identical way, it's an "enhanced dnsbl" feature > > > > That which I listed above (hopefully correct syntax) was > from sendmail. In > > my exim configuration it looks like > > > > deny message = rejected because $sender_host_address is > in a black list \ > > at $dnslist_domain $dnslist_text > > hosts = !/somedir/Mail_local_net:!/somedir/mail_relay_from_hosts > > senders = !/somedir/Mail_sender_white_list.conf > > dnslists = ${readfile{/somedir/mail_rbl_lists}{:}} > > > > Which says, basically, if the host is *not* in my local > network list, and > > it's not a host I relay for and the sender is not in a > special whitelist, > > then submit to the rbls listed in /somedir/mail_rbl_lists. > If the host is > > already excluded the call is never made (wasted). The lists > can be changed > > without having to do anything with exim, if the file > changes exim reads it > > again, otherwise it's cached. > > > > 4 lines for what sendmail does by default compilation, whoa > That is inaccurate, I believe. If I just wanted to run the rbl it would be dnslists = ${readfile{/somedir/mail_rbl_lists}{:}}. And the rbl processing in sendmail is not default, any more than it is in exim. The default config for exim doesn't assume you want rbl processing or what rbl you would like to use, neither does sendmail. And I don't have to use a separate file for the actual rbls and returned items either, it could be a list on one line with the same info. I choose to use the file because if I want to add, or change something I can do so without having to hup exim, or interrupt the mail for even a second. The additional lines are prefaces to the actual RBL.
If mail is from a whitelisted host or sender why waste the resources to
run the rbls when those hosts/senders are going to pass anyway? I do not
believe, but I could be wrong, that sendmail by default makes
assumptions as to what hosts, or senders have what action applied to
them. And of course the deny/message line could be one line instead of
wrapped for legibility in say, vi.

It's not a knock against sendmail or people who use it but one reason I
use exim is because there is (probably) nothing 3rd party required to do
anything. Virus scanning, SpamAssassin processing, virtually any method
of storage for anything, any kind of verification. And I *never* have to
so much as hup the daemon if I change something that would be internal
to most mailers (I have tried sendmail, postfix, qmail, courier). You
can, of course, use a monolithic config file, or break out any part of
the config. You can specify lists within the config(s), which require a
hup if you change them, or via external files which do not. Exim is
virtually a smtp programming language and I have yet to find something I
wanted it to do that could not be done. Heck you can even embed perl
functions within the exim objects and extremely complex processing on
whatever distinct item you wish, within any portion of the smtp process
you wish from connection to delivery.

In any event, if I wanted static rbls, which just run against every
message from everyone on every host one short line would accomplish
that. However my requirements are more flexible thus the additional
lines. I used to actually use a configuration for one location that ran
a different set of rbls based on the network from whence the host
originated.

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From sandrews at andrewscompanies.com Thu Nov 2 14:31:58 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Thu Nov 2 14:32:01 2006
Subject: MS Config Question - outbound
Message-ID: <1964AAFBC212F742958F9275BF63DBB04297DB@winchester.andrewscompanies.com>

Why? Because the customer asked that a default disclaimer/signature
block be added to all his outbound emails. I figured using my
mailscanner box as a smarthost and then using the rules to sign outbound
messages would be easiest. All I was missing was the architecture of the
rules to "sign" just the outbound messages from his domain.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Evan Platt
Sent: Wednesday, November 01, 2006 3:40 PM
To: MailScanner discussion
Subject: Re: MS Config Question - outbound

At 11:56 AM 11/1/2006, you wrote:
>I'm currently using mailscanner to scan all inbound mail and that works
>great.
>
>Is there a way to use mailscanner to also be the outbound mail server
>and add a disclaimer/signature block to all outbound messages like it
>does for inbound scanned messages?

I've gotta ask..

Why?

I know of no anti-virus program that looks for "This message was
scanned and found to be clean" and then ignores scanning the message.

What's the point?

I've seen spam with a EXE virus attached ("Microsoft Security Patch!
INSTALL NOW!") with a "This message was found to be virus clean."

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From sandrews at andrewscompanies.com Thu Nov 2 14:33:13 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Thu Nov 2 14:33:17 2006
Subject: MS Config Question - outbound
Message-ID: <1964AAFBC212F742958F9275BF63DBB04297DC@winchester.andrewscompanies.com>

In my field, we call them customers. Personally, I think the signature
blocks are a waste, but the customer sends me money when I do work,
so....

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
Neuman van der Hans
Sent: Wednesday, November 01, 2006 4:25 PM
To: MailScanner discussion
Subject: Re: MS Config Question - outbound

You must remember there still are (and will be for a long time) bosses
like Dilbert's (or the boss in "The Office", UK or US, take your pick)
that *require* these useless bits of fluff.

Evan Platt wrote:
> At 11:56 AM 11/1/2006, you wrote:
>> I'm currently using mailscanner to scan all inbound mail and that
>> works great.
>>
>> Is there a way to use mailscanner to also be the outbound mail server
>> and add a disclaimer/signature block to all outbound messages like it
>> does for inbound scanned messages?
>
> I've gotta ask..
>
> Why?
>
> I know of no anti-virus program that looks for "This message was
> scanned and found to be clean" and then ignores scanning the message.
>
> What's the point?
>
> I've seen spam with a EXE virus attached ("Microsoft Security Patch!
> INSTALL NOW!") with a "This message was found to be virus clean."

From housey at sme-ecom.co.uk Thu Nov 2 14:57:01 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Thu Nov 2 14:57:06 2006
Subject: Could not analyze message
Message-ID:

Hi

I have a customer who can't receive an email from a certain domain, the
message is quarantined with a quarantine report showing "Could not
analyze message".

The email is very basic, plain text with no attachments.

I tried to get around this by using the Scan Messages ruleset

Scan Messages = %rule-dir%/scan.messages.rules

and set the following in scan.messages.rules

FromOrTo: default no
From: domaina.com no
FromTo: mycustomer.com yes

where domaina.com is the domain sending the email being blocked and
mycustomer.com is the domain receiving. However the message is still
being quarantined.

Can anyone advise what can cause the "Could not analyze message"? or why
my ruleset setup is not working?

Kind Regards

Paul

From bpumphrey at woodmclaw.com Thu Nov 2 15:09:25 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Thu Nov 2 15:09:39 2006
Subject: MS Config Question - outbound
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297C6@winchester.andrewscompanies.com>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C1403E@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> sandrews@andrewscompanies.com
> Sent: Wednesday, November 01, 2006 2:56 PM
> To: mailscanner@lists.mailscanner.info
> Subject: MS Config Question - outbound
>
> I'm currently using mailscanner to scan all inbound mail and that works
> great.
>
> Is there a way to use mailscanner to also be the outbound mail server
> and add a disclaimer/signature block to all outbound messages like it
> does for inbound scanned messages?
>
> Thanks,
>
> Steve
> --

To answer your question, yes. I just set mine up. I think I did it just
for fun or something more than a need for it. Tracking is probably the
reason I did it. My boss always asks me for email traces.

Any way.. I use an exchange server and all that I had to do was have the
exchange server forward outbound mail to the MailScanner machine.

I believe in my setup I did not have to alter the MailScanner machine at
all, not to say you will not have to.

From alex at nkpanama.com Thu Nov 2 15:09:34 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Nov 2 15:10:37 2006
Subject: # of messages per batch
In-Reply-To:
References:
Message-ID: <454A0A2E.50006@nkpanama.com>

You can also increase the "queue scan interval", especially on
lower-spec machines, to something higher. In that case your queues might
actually fill up enough so that the 30-msg-per-batch default makes
MailScanner pick up 30 messages out of, say, 100.

On very low volume mail servers, you can even decrease that (I've set it
to "1" on mine) so that processing is virtually instantaneous.

Sven De Troch spake the following on 11/1/2006 2:24 PM:

There is a setting in the conf file for max messages per batch, but
MailScanner will not sit and wait for messages to pile up. If you are
running 10 children, and mailscanner is set to check the queue every 30
seconds, then you would have to get something like 600 messages per
minute to fill the default batch size of 30. If you are getting 10 to 20
messages a minute, you will never even break a sweat with 10 children.
That would be around 1-4 messages per batch. You could lower your max
children and see if the system keeps up.

From alex at nkpanama.com Thu Nov 2 15:14:07 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Nov 2 15:14:52 2006
Subject: out of curiosity: reload and restart
In-Reply-To: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com>
References: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com>
Message-ID: <454A0B3F.6090803@nkpanama.com>

Sven De Troch wrote:
> On Wed, 1 Nov 2006 17:36:01 -0600, "Mike Kercher"
> wrote:
>
>> mailscanner-bounces@lists.mailscanner.info <> scribbled on :
>>
>> You do not have to reload or restart MS (sendmail) after making changes
>> to the access, virtusertable or mailertable. If you change your
>> sendmail.mc/cf, you need to RESTART MS, but only because that will
>> restart the sendmail processes.
>
> Mike,
>
> I thought as well that reloading MS is not sufficient to read new
> sendmail configs (i.e. access file), but this seems to be working for
> me and I don't find it logic neither (and because of this I raised my
> question here).
>
> With only reloading MS, my MTA is accepting the new access config (To:
> domain RELAY) or am I dreaming ;-)
>

Sendmail doesn't need to be restarted for changes to the access file to
"stick". Adding a milter or an rbl (or some other parameter) to
sendmail.mc and recompiling sendmail.cf *does* require a restart (as
opposed to a "reload"), although I don't know if it could be
accomplished with a "killall -HUP sendmail" (haven't tried).

From alex at nkpanama.com Thu Nov 2 15:20:51 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Nov 2 15:21:28 2006
Subject: MS Config Question - outbound
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297DC@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04297DC@winchester.andrewscompanies.com>
Message-ID: <454A0CD3.5050009@nkpanama.com>

I know... I have those too. You should try educating them. Educated
customers are more efficient for you in the long run, since you can make
more money off of them using less resources. It's almost like the
difference between house training puppies and herding cats.

sandrews@andrewscompanies.com wrote:
> In my field, we call them customers. Personally, I think the signature
> blocks are a waste, but the customer sends me money when I do work,
> so....
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
> Neuman van der Hans
> Sent: Wednesday, November 01, 2006 4:25 PM
> To: MailScanner discussion
> Subject: Re: MS Config Question - outbound
>
> You must remember there still are (and will be for a long time) bosses
> like Dilbert's (or the boss in "The Office", UK or US, take your pick)
> that *require* these useless bits of fluff.
>
> Evan Platt wrote:
>> At 11:56 AM 11/1/2006, you wrote:
>>> I'm currently using mailscanner to scan all inbound mail and that
>>> works great.
>>>
>>> Is there a way to use mailscanner to also be the outbound mail server
>>> and add a disclaimer/signature block to all outbound messages like it
>>> does for inbound scanned messages?
>>
>> I've gotta ask..
>>
>> Why?
>>
>> I know of no anti-virus program that looks for "This message was
>> scanned and found to be clean" and then ignores scanning the message.
>>
>> What's the point?
>>
>> I've seen spam with a EXE virus attached ("Microsoft Security Patch!
>> INSTALL NOW!") with a "This message was found to be virus clean."

From ugob at camo-route.com Thu Nov 2 15:30:39 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Thu Nov 2 15:31:59 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <4549FECE.9020503@USherbrooke.ca>
References: <010201c6fde9$755c7a40$0301a8c0@SAHOMELT> <4548FE66.7010702@USherbrooke.ca> <4549FECE.9020503@USherbrooke.ca>
Message-ID:

Denis Beauchemin wrote:
> Scott Silva a écrit :
>>>
>> You can add whitelisted entries in the access file if you use
>> feature_delay_checks in sendmail.
>> http://www.technoids.org/
>> Has a lot of good sendmail stuff.
>> Are you using the new stuff in sendmail like greetpause, conncontrol, and
>> ratecontrol?
>> http://www.technoids.org/dossed.html
>>
> Yes, I am using greetpause, conncontrol, and ratecontrol but they're not
> enough.
>
> I knew about http://www.technoids.org/dossed but not the rest of the
> site. It's quite interesting. However I'm not sure how to whitelist a
> remote site that appears on safe.dnsbl.sorbs.net. The examples I saw
> referred to email addresses...
>
> After some more reading on sendmail.org, I think I need the following in
> my access file:
> ip.of.remote.host: OK
>
> OK: "Accept mail even if other rules in the running ruleset would reject
> it, for example, if the domain name is unresolvable. "Accept" does not
> mean "relay", but at most acceptance for local recipients. That is, OK
> allows less than RELAY."
>
> Denis
>

Here is what I use:

# Temporary measure - skip relay tests for this server
connect:**.110.223.185 OK
connect:**.110.235.244 OK

From sandrews at andrewscompanies.com Thu Nov 2 15:48:56 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Thu Nov 2 15:48:59 2006
Subject: MS Config Question - outbound
Message-ID: <1964AAFBC212F742958F9275BF63DBB04297E6@winchester.andrewscompanies.com>

The only thing outside of this I had to do was allow relay on the
mailscanner from exchange.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Billy
A. Pumphrey
Sent: Thursday, November 02, 2006 10:09 AM
To: MailScanner discussion
Subject: RE: MS Config Question - outbound

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> sandrews@andrewscompanies.com
> Sent: Wednesday, November 01, 2006 2:56 PM
> To: mailscanner@lists.mailscanner.info
> Subject: MS Config Question - outbound
>
> I'm currently using mailscanner to scan all inbound mail and that works
> great.
>
> Is there a way to use mailscanner to also be the outbound mail server
> and add a disclaimer/signature block to all outbound messages like it
> does for inbound scanned messages?
>
> Thanks,
>
> Steve
> --

To answer your question, yes. I just set mine up. I think I did it just
for fun or something more than a need for it. Tracking is probably the
reason I did it. My boss always ask me for email traces.

Any way.. I use a exchange server and all that I had to do was have the
exchange server forward outbound mail to the MailScanner machine.

I believe in my setup I did not have to alter the MailScanner machine at
all, not to say you will not have to.

From sandrews at andrewscompanies.com Thu Nov 2 15:50:29 2006
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Thu Nov 2 15:50:38 2006
Subject: MS Config Question - outbound
Message-ID: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com>

I did educate them; but the boss' daughter is into "marketing" and she
assured everyone that this was necessary. I know what fights to pick.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
Neuman van der Hans
Sent: Thursday, November 02, 2006 10:21 AM
To: MailScanner discussion
Subject: Re: MS Config Question - outbound

I know... I have those too. You should try educating them. Educated
customers are more efficient for you in the long run, since you can make
more money off of them using less resources. It's almost like the
difference between house training puppies and herding cats.

sandrews@andrewscompanies.com wrote:
> In my field, we call them customers. Personally, I think the
> signature blocks are a waste, but the customer sends me money when I
> do work, so....
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
> Neuman van der Hans
> Sent: Wednesday, November 01, 2006 4:25 PM
> To: MailScanner discussion
> Subject: Re: MS Config Question - outbound
>
> You must remember there still are (and will be for a long time) bosses
> like Dilbert's (or the boss in "The Office", UK or US, take your pick)
> that *require* these useless bits of fluff.
>
> Evan Platt wrote:
>> At 11:56 AM 11/1/2006, you wrote:
>>> I'm currently using mailscanner to scan all inbound mail and that
>>> works great.
>>>
>>> Is there a way to use mailscanner to also be the outbound mail
>>> server and add a disclaimer/signature block to all outbound messages
>>> like it does for inbound scanned messages?
>>
>> I've gotta ask..
>>
>> Why?
>>
>> I know of no anti-virus program that looks for "This message was
>> scanned and found to be clean" and then ignores scanning the message.
>>
>> What's the point?
>>
>> I've seen spam with a EXE virus attached ("Microsoft Security Patch!
>> INSTALL NOW!") with a "This message was found to be virus clean."

From mike at vesol.com Thu Nov 2 15:58:00 2006
From: mike at vesol.com (Mike Kercher)
Date: Thu Nov 2 15:58:55 2006
Subject: Could not analyze message
In-Reply-To:
Message-ID:

mailscanner-bounces@lists.mailscanner.info <> scribbled on :
> Hi
>
> I have a customer who can't receive an email from a certain
> domain, the message is quarantined with a quarantine report
> showing "Could not analyze message".
>
> The email is very basic, plain text with no attachments.
>
> I tried to get around this by using the Scan Messages ruleset
>
> Scan Messages = %rule-dir%/scan.messages.rules
>
> and set the following in scan.messages.rules
>
> FromOrTo: default no
> From: domaina.com no
> FromTo: mycustomer.com yes
>
> where domaina.com is the domain sending the email being
> blocked and mycustomer.com is the domain receiving. However
> the message is still being quarantined.
>
> Can anyone advise what can cause the "Could not analyze
> message"? or why my ruleset setup is not working?
>
> Kind Regards
>
> Paul

Your ruleset should look like this:

From: domaina.com no
FromTo: mycustomer.com no
FromOrTo: default yes

The way your ruleset is currently, it is matching on the default entry
FIRST

Mike

From alex at nkpanama.com Thu Nov 2 16:07:32 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Nov 2 16:09:05 2006
Subject: MS Config Question - outbound
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com>
Message-ID: <454A17C4.1000909@nkpanama.com>

I'm sure the boss's daughter is "into marketing" as are a few people
"into firearms" or "into explosives"... ;)

sandrews@andrewscompanies.com wrote:
> I did educate them; but the boss' daughter is into "marketing" and she
> assured everyone that this was necessary. I know what fights to pick.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
> Neuman van der Hans
> Sent: Thursday, November 02, 2006 10:21 AM
> To: MailScanner discussion
> Subject: Re: MS Config Question - outbound
>
> I know... I have those too. You should try educating them. Educated
> customers are more efficient for you in the long run, since you can make
> more money off of them using less resources. It's almost like the
> difference between house training puppies and herding cats.
>
> sandrews@andrewscompanies.com wrote:
>> In my field, we call them customers. Personally, I think the
>> signature blocks are a waste, but the customer sends me money when I
>> do work, so....
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex
>> Neuman van der Hans
>> Sent: Wednesday, November 01, 2006 4:25 PM
>> To: MailScanner discussion
>> Subject: Re: MS Config Question - outbound
>>
>> You must remember there still are (and will be for a long time) bosses
>> like Dilbert's (or the boss in "The Office", UK or US, take your pick)
>> that *require* these useless bits of fluff.
>>
>> Evan Platt wrote:
>>> At 11:56 AM 11/1/2006, you wrote:
>>>> I'm currently using mailscanner to scan all inbound mail and that
>>>> works great.
>>>>
>>>> Is there a way to use mailscanner to also be the outbound mail
>>>> server and add a disclaimer/signature block to all outbound messages
>>>> like it does for inbound scanned messages?
>>>
>>> I've gotta ask..
>>>
>>> Why?
>>>
>>> I know of no anti-virus program that looks for "This message was
>>> scanned and found to be clean" and then ignores scanning the message.
>>>
>>> What's the point?
>>>
>>> I've seen spam with a EXE virus attached ("Microsoft Security Patch!
>>> INSTALL NOW!") with a "This message was found to be virus clean."

From cobalt-users1 at fishnet.co.uk Thu Nov 2 16:15:27 2006
From: cobalt-users1 at fishnet.co.uk (Ian)
Date: Thu Nov 2 16:15:32 2006
Subject: OT: RE: MS Config Question - outbound
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com>
Message-ID: <454A199F.7506.506FEC9@cobalt-users1.fishnet.co.uk>

On 2 Nov 2006 at 10:50, sandrews@andrewscompanies.com wrote:

> I did educate them; but the boss' daughter is into "marketing" and she
> assured everyone that this was necessary. I know what fights to pick.

See if you can sneak this one in... it appeared in another mailing list
and I use it in reply to anyone who sends me one.

IMPORTANT: This email is intended for the use of the individual
addressee(s) named above and may contain information that is
confidential, privileged or unsuitable for overly sensitive persons with
low self-esteem, no sense of humour or irrational religious beliefs. If
you are not the intended recipient, any dissemination, distribution or
copying of this email is not authorised (either explicitly or
implicitly) and constitutes an Irritating social faux pas. Unless the
word absquatulation has been used in its correct context somewhere other
than in this warning, it does not have any legal or grammatical use and
may be ignored. No animals were harmed in the transmission of this
email, although the cat next door is living on borrowed time, let me
tell you. Those of you with an overwhelming fear of the unknown will be
gratified to learn that there is no hidden message revealed by reading
this warning backwards, so just ignore that Alert Notice from Microsoft.
However, by pouring a complete circle of salt around yourself and your
computer you can ensure that no harm befalls you and your pets. If you
have received this email in error, please place it in a warm oven for 40
minutes and add some nutmeg and egg whites. Whisk briefly and let it
stand for 2 hours before icing.

Ian

--

From ssilva at sgvwater.com Thu Nov 2 17:10:48 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 17:12:02 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38B30@CHI-US-EXCH-01.us.kmz.com>
References: <65234743FE1555428435CE39E6AC4078B38B30@CHI-US-EXCH-01.us.kmz.com>
Message-ID:

Duncan, Brian M. spake the following on 11/2/2006 6:05 AM:
>> Earlier this year, there was an internal inconsistency within
>> MS which I spotted at 4.54.6 .
>>
>> In "MailScanner.conf" the comments describing the default "Lock Type"
>> (i.e. left blank) behaviour said 'it defaults to "posix"',
>> but the actual behaviour (when left blank) was to set it to "flock".
>>
>> That is, the comments said MS would behave one way but its
>> actual behaviour was the opposite.
>>
>> See threads starting at:
>>
>> http://lists.mailscanner.info/pipermail/mailscanner/2006-June/061887.html
>> and Julian's acknowledgement and fix at:
>>
>> http://lists.mailscanner.info/pipermail/mailscanner/2006-June/061974.html
>>
>> So either upgrade to a more recent version (than 4.54.6) or
>> if you need to stay back at 4.54.6 then explicitly state
>> which lock type you want.
>>
>> Hope that helps.
>
> Thank you for the information. I found those this morning when doing
> further searches.
>
> I am hesitant to turn posix on, on my main server that has been using
> Sendmail 8.13.x and flock for months now without issue.
>
> I am starting with a lower load box first. I am afraid that it will
> cause a duplication issue. It seems to with some sendmail 8.12.x users,
> and when they show their compiled options I don't see flock listed.
>
> Here is one posting from a recent person with the duplicating message
> issue that was using Sendmail 8.12.11:
>
>> Yes I'm using sendmail.
>>
>> 8.12.11-4.6
>>
>> # sendmail -d0.1
>> Version 8.12.11
>> Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
>> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET
>> NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
>> USERDB USE_LDAP_INIT
>> Duncan
>
> Since he does not have FLOCK shown in his compiled options, shouldn't
> Posix have worked for him? (Everything was ok when he switched to
> flock) - I looked at an older box I have here with sendmail 8.12 on it
> and I don't have flock shown as a compiled option. I thought it was
> supposed to show you if flock support is compiled into sendmail.
>
> Can someone please explain to me how it is determined that with Sendmail
> 8.13.x + versions you have to use posix? Is there any way to determine
> 100% that your sendmail compile is already using Posix and NOT flock?
> Looking for flock in the compiled options does not look to be accurate
> based on the above post I included. (He had to switch to flock to make
> his work, yet flock does NOT show up in his compiled options)
>
> Thanks

This note was posted with sendmail 8.12.5 in the announce;

NOTE: Linux appears to have broken flock() again. Unless the bug is
fixed before sendmail 8.13 is shipped, 8.13 will change the default
locking method to fcntl() for Linux kernel 2.4 and later. You may want
to do this in 8.12 by compiling with -DHASFLOCK=0. Be sure to update
other sendmail related programs to match locking techniques.
(see http://www.sendmail.org/releases/8.12.5.html)

I can't tell you why your version is different, maybe a custom compiled
version to get around the Flock exploit that was posted about the time
8.12.11 came out.

The consensus so far has been;
Linux and sendmail 8.12 = flock
Linux and sendmail 8.13 = posix

Also note that there have been some problems with dovecot if it is set
to a different locking.

I am still curious as to how you have been so lucky with no problems!
Are you running on a filesystem other than ext2/ext3? Maybe Core 4 has a
kernel that doesn't have the locking problem that the enterprise distros
lack because of the conservative patching that is done.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Nov 2 17:16:22 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 17:20:16 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x andMailScanner.
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38B2D@CHI-US-EXCH-01.us.kmz.com>
References: <65234743FE1555428435CE39E6AC4078B38B2D@CHI-US-EXCH-01.us.kmz.com>
Message-ID:

Duncan, Brian M. spake the following on 11/1/2006 5:10 PM:
> One other question, is it normal when using posix for it to note:
>
> Creating hardcoded struct_flock subroutine for linux (Linux-type)
>
> Every time after it says it's using posix as the locking method?
>
>

Yes. That is just the normal kernel noise from the posix locking;

Nov 2 09:14:42 xxxx MailScanner[11571]: Using locktype = posix
Nov 2 09:14:42 xxxx MailScanner[11571]: Creating hardcoded struct_flock subroutine for linux (Linux-type)

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Nov 2 17:19:42 2006
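Why the "Lock Type" in MailScanner.conf has to match what the MTA uses, as an added example that is not part of any post in this thread and is not MailScanner or sendmail code: on Linux local filesystems, flock() and fcntl() (posix) locks are tracked separately, so a process probing with one call does not see a lock held with the other. The function names and the temporary "queue file" are made up for the demonstration, which assumes Linux and a local temp directory.

```python
"""Probe whether a lock taken with one call is visible to the other call."""
import errno
import fcntl
import os
import tempfile

KINDS = ("flock", "posix")


def take_lock(fd, kind):
    """Take a non-blocking exclusive lock on fd using the named call."""
    if kind == "flock":
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)   # BSD flock(2)
    elif kind == "posix":
        fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)   # fcntl(2) F_SETLK
    else:
        raise ValueError("unknown lock kind: %r" % kind)


def prober_blocked(holder_kind, prober_kind):
    """Return True if a second process is refused the lock.

    The parent plays the MTA holding a queue file; the forked child plays
    the scanner that checks the file before picking it up.
    """
    # Constructed stand-in for a queue file; nothing real is touched.
    with tempfile.NamedTemporaryFile(prefix="qf-constructed-") as qf:
        holder_fd = os.open(qf.name, os.O_RDWR)
        try:
            take_lock(holder_fd, holder_kind)
            pid = os.fork()
            if pid == 0:                      # child: the prober
                status = 2                    # 2 = unexpected failure
                try:
                    fd = os.open(qf.name, os.O_RDWR)
                    try:
                        take_lock(fd, prober_kind)
                        status = 0            # lock granted: holder unseen
                    except OSError as exc:
                        if exc.errno in (errno.EAGAIN, errno.EACCES):
                            status = 1        # lock refused: holder seen
                finally:
                    os._exit(status)          # never return into the caller
            _, wait_status = os.waitpid(pid, 0)
        finally:
            os.close(holder_fd)
    code = os.WEXITSTATUS(wait_status) if os.WIFEXITED(wait_status) else 2
    if code == 2:
        raise RuntimeError("prober process failed unexpectedly")
    return code == 1


def lock_matrix():
    """Map (holder_kind, prober_kind) to whether the prober was blocked."""
    return {(h, p): prober_blocked(h, p) for h in KINDS for p in KINDS}


if __name__ == "__main__":
    for (holder, prober), blocked in sorted(lock_matrix().items()):
        verdict = "blocked" if blocked else "NOT blocked (file looks free)"
        print("holder=%-5s prober=%-5s -> %s" % (holder, prober, verdict))
```

Only the matching pairs exclude each other; with a mismatched pair both programs believe the queue file is free, which is the condition the duplicate-delivery reports in this thread were tied to.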
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 17:25:24 2006
Subject: MS/SA: SA problem
In-Reply-To:
References:
Message-ID:

David Lee spake the following on 11/2/2006 4:22 AM:
> We've been running MS/SA on Fedora machines for a few years. Earlier this
> week, I set up yet another machine, expecting it to be straightforward.
> Clean OS install (FC5), clean install of MS (4.56.8) etc.
>
> All seems well, including "spamassassin --lint --debug".
>
> But when it starts to try to process email, MailScanner seems to take a
> very long time. Running it in debug mode shows:
>
> Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718.
> Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718.
> Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718.
> dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
> dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
> dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
> dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
>
> and lots more similar lines (although the " line yy" varies).
>
> Any thoughts on this?
>
> Over the last couple of days I've tried various versions of SA (the above
> details are from 3.1.3) installed in various different ways, but all
> giving this set of errors.
>
>

Did you try Julian's install script for spamassassin and clam? It might
toss in any perl modules that are lacking. And maybe remove the
spamassassin rpm in core before you try.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Nov 2 17:27:21 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 2 17:30:15 2006 Subject: Overriding SBL+XBL on a DHCP address In-Reply-To: <1162470757.30908.154.camel@and64.paige> References: <1162470757.30908.154.camel@and64.paige> Message-ID: Andrew spake the following on 11/2/2006 4:32 AM: > Hi, > I have a DHCP address at home (with a dns name I update > if it changes ... using my own script ...) > My server running MailScanner has a fixed IP so it's no > problem. > (I also have an auto update process running at home, on > the server sendmail access file) > What happened recently (and I need to get a new lease to fix) > is that my DHCP IP address showed up in SBL+XBL > My home server does smart forwarding to my mail server > Because of this, all my email was being dumped by the spam > filter. > I guess there is a simple solution to this problem? > How can I whitelist my DHCP IP address? > I did try whitelisting the name, but couldn't seem to get it > to work without specifying the IP address by number (which is > of course not much use) > I tried listing my internal IP subnet first but that didn't > work coz the spam filter seems to only check the previous > IP address in the path list? > Also, I'm using an old version of MailScanner: 4.38.10 > > Here's the edited whitelist file. > It didn't work until the last line was added. > > spam.whitelist.rules > -------------------- > # This is where you can build a Spam WhiteList > # Addresses matching in here, with the value > # "yes" will never be marked as spam. > FromOrTo: default no > From: /^192\.168\.ccc\./ yes > From: nam1.nam2.nam3.com yes 
> From: /^aaa\.bbb\.xxx\.yyy/ yes > > > -Thanks for any help > Where are you using the blacklist? In MailScanner, spamassassin or the MTA. You could also use some magic with sed to change the ip address in the whitelist.rules and force a reload whenever the ip address changes. Or have your server come in on a different port that doesn't have MailScanner running. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Nov 2 17:31:30 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 2 17:35:28 2006 Subject: out of curiosity: reload and restart In-Reply-To: References: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com> Message-ID: Sven De Troch spake the following on 11/1/2006 5:23 PM: > On Wed, 01 Nov 2006 16:54:42 -0800, Scott Silva > wrote: > > >>> With only reloading MS, my MTA is accepting the new acces config (To: >>> domain RELAY) are am I dreaming ;-) >>> >>> >> If you are rebuilding the access file (makemap) sendmail will read it. It only >> seems to need a restart if you rebuild the cf file. > > So if I understand you well, if I modify the access file (something I > need to do very often) and I do a 'make -C /etc/mail' afterwards, I > wouldn't have to restart sendmail (and thus not MailScanner neither)? > > The access file is a db lookup, and not cached. So if the makemap is done, sendmail will see it on the next fork. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From brian.duncan at kattenlaw.com Thu Nov 2 17:39:19 2006 
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Thu Nov 2 17:39:38 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
Message-ID: <65234743FE1555428435CE39E6AC4078B38B32@CHI-US-EXCH-01.us.kmz.com>

>
> I can't tell you why your version is different, maybe a
> custom compiled version to get around the Flock exploit that
> was posted about the time 8.12.11 came out. The consensus so
> far has been ; Linux and sendmail 8.12 = flock Linux and
> sendmail 8.13 = posix Also note that there have been some
> problems with dovecot if it is set to a different locking.
>
> I am still curious as to how you have been so lucky with no problems!
> Are you running on a filesystem other than ext2/ext3?
> Maybe Core 4 has a kernel that doesn't have the locking
> problem that the enterprise distros lack because of the
> conservative patching that is done.
>
>

I use Ext3 on all of my mail boxes. Maybe it is due to the kernel somehow, or the sendmail RPM's that I used. I am using the Fedora compiled kernels. I switched over to posix earlier on my servers and have not noticed any differences Yet. I have been keeping a close eye on the /var/spool/mqueue folders.

I was more worried about having trouble switching to posix, since this one box has passed probably close to 200 million messages without issues with flock on. I was feeling like if it's not broke don't fix it type situation. Yet I see a lot of people running into this problem.

I have been trying to find a way to 100% determine what lock method sendmail uses. From scanning the mailing lists and searching a lot of people tell others to check with sendmail -d0.1 -d0.4 -bt

References: <65234743FE1555428435CE39E6AC4078B38B30@CHI-US-EXCH-01.us.kmz.com>
Message-ID: <454A2C63.4000102@nkpanama.com>

Scott Silva wrote:
> Duncan, Brian M. spake the following on 11/2/2006 6:05 AM:
>>> Earlier this year, there was an internal inconsistency within
>>> MS which I spotted at 4.54.6 .
>>>
>>> In "MailScanner.conf" the comments describing the default "Lock Type"
>>> (i.e. left blank) behaviour said 'it defaults to "posix"',
>>> but the actual behaviour (when left blank) was to set it to "flock".
>>>
>>> That is, the comments said MS would behave one way but its
>>> actual behaviour was the opposite.
>>>
>>> See threads starting at:
>>>
>>> http://lists.mailscanner.info/pipermail/mailscanner/2006-June/061887.html
>>> and Julian's acknowledgement and fix at:
>>>
>>> http://lists.mailscanner.info/pipermail/mailscanner/2006-June/061974.html
>>>
>>
>>> So either upgrade to a more recent version (than 4.54.6) or
>>> if you need to stay back at 4.54.6 then explicitly state
>>> which lock type you want.
>>>
>>> Hope that helps.
>> Thank you for the information. I found those this morning when doing
>> further searches.
>>
>> I am hesitant to turn posix on, on my main server that has been using
>> Sendmail 8.13.x and flock for months now without issue.
>>
>> I am starting with a lower load box first. I am afraid that it will
>> cause a duplication issue. It seems to with some sendmail 8.12.x users,
>> and when they show their compiled options I don't see flock listed.
>>
>> Here is one posting from a recent person with the duplicating message
>> issue that was using Sendmail 8.12.11:
>>
>>> Yes I'm using sendmail.
>>>
>>> 8.12.11-4.6
>>>
>>> # sendmail -d0.1
>>> Version 8.12.11
>>> Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
>> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET
>>> NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF STARTTLS TCPWRAPPERS
>> USERDB USE_LDAP_INIT
>>> Duncan
>>
>> Since he does not have FLOCK shown in his compiled options, shouldn't
>> Posix have worked for him? (Everything was ok when he switched to flock) - I
>> looked at an older box I have here with sendmail 8.12 on it and I don't
>> have flock shown as a compiled option. I thought it was supposed to
>> show you if flock support is compiled into sendmail.
>>
>> Can someone please explain to me how it is determined that with Sendmail
>> 8.13.x + versions you have to use posix? Is there any way to determine
>> 100% that your sendmail compile is already using Posix and NOT flock?
>> Looking for flock in the compiled options does not look to be accurate
>> based on the above post I included. (He had to switch to flock to make
>> his work, yet flock does NOT show up in his compiled options)
>>
>> Thanks
> This note was posted with sendmail 8.12.5 in the announce;
> NOTE: Linux appears to have broken flock() again. Unless
> the bug is fixed before sendmail 8.13 is shipped,
> 8.13 will change the default locking method to
> fcntl() for Linux kernel 2.4 and later. You may
> want to do this in 8.12 by compiling with
> -DHASFLOCK=0. Be sure to update other sendmail
> related programs to match locking techniques.
> ( see http://www.sendmail.org/releases/8.12.5.html)
>
> I can't tell you why your version is different, maybe a custom compiled
> version to get around the Flock exploit that was posted about the time 8.12.11
> came out. The consensus so far has been ;
> Linux and sendmail 8.12 = flock
> Linux and sendmail 8.13 = posix
> Also note that there have been some problems with dovecot if it is set to a
> different locking.
Can dovecot use posix?
>
> I am still curious as to how you have been so lucky with no problems!
> Are you running on a filesystem other than ext2/ext3?
> Maybe Core 4 has a kernel that doesn't have the locking problem that the
> enterprise distros lack because of the conservative patching that is done.
>
>
>

From hkeasytech at gmail.com Thu Nov 2 17:44:06 2006
From: hkeasytech at gmail.com (Barry Kwok)
Date: Thu Nov 2 17:44:17 2006
Subject: defendermx question
Message-ID: <9d2057cc0611020944g12631e96sa51a6ae2953421e7@mail.gmail.com>

Hi,

I am testing the defendermx. Where can I change the "Required SpamAssassin Score" conf. I can't find it in the web interface nor in configuration stored in ldap.

Regards,
Barry

From ssilva at sgvwater.com Thu Nov 2 17:33:05 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 17:45:39 2006
Subject: out of curiosity: reload and restart
In-Reply-To: <454A0B3F.6090803@nkpanama.com>
References: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com> <454A0B3F.6090803@nkpanama.com>
Message-ID:

Alex Neuman van der Hans spake the following on 11/2/2006 7:14 AM:
> Sven De Troch wrote:
>> On Wed, 1 Nov 2006 17:36:01 -0600, "Mike Kercher"
>> wrote:
>>
>>> mailscanner-bounces@lists.mailscanner.info <> scribbled on :
>>>
>>> You do not have to reload or restart MS (sendmail) after making changes
>>> to the access, virtusertable or mailertable. If you change your
>>> sendmail.mc/cf, you need to RESTART MS, but only because that will
>>> restart the sendmail processes.
>>
>> Mike,
>>
>> I thought as well that reloading MS is not sufficient to read new
>> sendmail configs (i.e. access file), but this seems to be working for
>> me and I don't find it logic neither (and because of this I raised my
>> question here).
>>
>> With only reloading MS, my MTA is accepting the new access config (To:
>> domain RELAY) or am I dreaming ;-)
>>
>>
> Sendmail doesn't need to be restarted for changes to the access file to
> "stick". Adding a milter or an rbl (or some other parameter) to
> sendmail.mc and recompiling sendmail.cf *does* require a restart (as
> opposed to a "reload"), although I don't know if it could be
> accomplished with a "killall -HUP sendmail" (haven't tried).
To further clarify, it only needs a restart if you want to see the changes immediately. If you don't care, it will be re-read when MailScanner does its restart every xxx code.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Thu Nov 2 18:36:23 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Nov 2 18:41:15 2006
Subject: out of curiosity: reload and restart
In-Reply-To:
References:
Message-ID: <454A3AA7.3020605@ecs.soton.ac.uk>

Sven De Troch wrote:
> Hello,
>
> no problem, but something I'd like to know ;)
>
> Are there any reasons to restart MS with /etc/init.d/MailScanner
> restart (and not reload to read the configfiles again)?
>
> i.e. if I change my sendmail access file, recompile it for sendmail
> and 'reload' MS, everything is working fine, ..., so I wonder in which
> case a reload is not sufficient for MailScanner and a restart is
> needed (I'm not talking about Linux in general, but for MS specific)?
>
One situation where you definitely need to restart is when you change the spam.assassin.prefs.conf or change the rules/settings you have in any other SpamAssassin *.cf or init.pre files (and its brethren of course). This is because it needs to recompile all the SpamAssassin rules, which can't be done without a MailScanner restart.

There was also a bug in versions of MailScanner prior to 4.55.9 in which a reload would not have all the intended effects, so I would use restart if your MailScanner is older than 4.55.9 1st August 2006.

Also, on a connected subject, I am going to speed up the re-spawning of the child processes as 11 seconds per child appears to be too long on systems with large numbers of child processes. 5 seconds should work okay, you won't get any overlap of timings until you have launched 12 children, so in reality this should not cause any harm.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From steve.swaney at fsl.com Thu Nov 2 18:54:18 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Thu Nov 2 18:54:25 2006
Subject: defendermx question
In-Reply-To: <9d2057cc0611020944g12631e96sa51a6ae2953421e7@mail.gmail.com>
Message-ID: <001201c6feb0$4ce12300$287ba8c0@office.fsl>

Barry,

Please send support requests for DefenderMX to support@fsl.com.

Thanks,

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com
________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Barry Kwok
Sent: Thursday, November 02, 2006 12:44 PM
To: mailscanner@lists.mailscanner.info
Subject: defendermx question

Hi,

I am testing the defendermx. Where can I change the "Required SpamAssassin Score" conf. I can't find it in the web interface nor in configuration stored in ldap.

Regards,
Barry

From MailScanner at ecs.soton.ac.uk Thu Nov 2 18:57:05 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Nov 2 19:01:15 2006
Subject: Spam Detection Around 55%
In-Reply-To: <45492A8A.3080901@evi-inc.com>
References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> <4546297C.5080502@evi-inc.com> <45479D4C.8090107@ecs.soton.ac.uk> <4548F7E8.7090107@evi-inc.com> <45491F5E.2030200@ecs.soton.ac.uk> <45492A8A.3080901@evi-inc.com>
Message-ID: <454A3F81.5070909@ecs.soton.ac.uk>

Matt Kettler wrote:
> Julian Field wrote:
>
>>>> Any chance you might consider adding an ifplugin statement to frame the dcc_path
>>>> command?
>>>>
>>>> ifplugin Mail::SpamAssassin::Plugin::DCC
>>>> dcc_path
>>>> endif
>>>>
>>>>
>> As above, they won't have DCC installed yet. That's what reading the
>> instructions tells them to do: go and install it.
>>
>
> Yes, which is *EXACTLY* why you want the ifplugin.
>
Ah, I thought the "ifplugin" was some pseudo-code you were using to try to explain the problem. I didn't realise that "ifplugin" was a real piece of allowable syntax. I have added it to the DCC and Pyzor config lines.
>
>
>>>> That might cause DCC to break for someone making a new setup using SA 3.0.x and
>>>> the latest MailScanner, but who's going to get the latest MailScanner while
>>>> using an old version of SA?
>>>>
>>>>
>> But it's an installer for the latest version of SA. If they are running
>> it at all, they won't have SA 3.0.x. So I don't need to handle SA 3.0.x.
>> If they managed to run the whole installer and end up with 3.0.x
>> installed, I would dearly like to know how, seeing as it installs 3.1.x !!
>>
>
> What???
>
> Look. Julian. We're clearly on a different page here.
>
> I'm talking about MailScanner here. So I'm talking about the MailScanner install
> process. I am not talking about your optional clamav/sa bundle pack.
>
> ie: http://www.mailscanner.info/files/4/rpm/MailScanner-4.56.8-1.rpm.tar.gz
>
> That does NOT install spamassassin as far as I know.
>
> So does the MailScanner install process even tell users to modify their v310.pre?
>
No, it doesn't. The MailScanner process doesn't mention SpamAssassin in any of its output.

Given that I think we both agree (for once! :-) what was it that you wanted me to do?

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From rpoe at plattesheriff.org Thu Nov 2 19:20:51 2006
From: rpoe at plattesheriff.org (Rob Poe)
Date: Thu Nov 2 19:21:43 2006
Subject: OT : need to find some rack space
In-Reply-To: <146f41cd0610240455q504bb7a9of83ec88e4edf8f31@mail.gmail.com>
References: <02af01c6f683$7e9d6230$e3f31151@blacknight.local> <146f41cd0610240455q504bb7a9of83ec88e4edf8f31@mail.gmail.com>
Message-ID: <4549F0B6.65ED.00A2.0@plattesheriff.org>

I use NetStandard for my co-location needs. They have Data Centers in Kansas City and Chicago.

http://netstandard.net/collocation.htm

Super guys to work with, I'm not affiliated with them - just a happy customer.

>>> "Colocation Colocation" 10/24/2006 6:55 AM >>>
Rackspace are super-awesome, however they do not provide colocation, just managed dedicated servers. I have a couple of servers with them and i have not had a problem in two years, not one!

On 24/10/06, Dave Strydom wrote:
>
> You serious?
>
> I've always found them to have the most awesome support levels i've
> ever seen, and not many providers can brag about a 100% uptime.
>
> Dave
>
> On 10/23/06, Res wrote:
> > On Mon, 23 Oct 2006, Dave Strydom wrote:
> >
> > > www.rackspace.com
> > so long as u dont want urgent rectification of faults
> >
> > > the best there is in the world.
> > lol countless would disagree
> >
> > --
> > Cheers
> > Res
> >
> > "Just a world that we all must share, it's not enough just to stand and
> > stare, is it only a dream that there'll be no more turning away" - Floyd
> >
> >
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
>

From mkettler at evi-inc.com Thu Nov 2 19:38:18 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Nov 2 19:38:35 2006
Subject: Spam Detection Around 55%
In-Reply-To: <454A3F81.5070909@ecs.soton.ac.uk>
References: <4541F39F.61A4.0000.0@caspercollege.edu> <45424BF9.9000407@evi-inc.com> <4543780C.5010302@ecs.soton.ac.uk> <4546297C.5080502@evi-inc.com> <45479D4C.8090107@ecs.soton.ac.uk> <4548F7E8.7090107@evi-inc.com> <45491F5E.2030200@ecs.soton.ac.uk> <45492A8A.3080901@evi-inc.com> <454A3F81.5070909@ecs.soton.ac.uk>
Message-ID: <454A492A.9050008@evi-inc.com>

Julian Field wrote:
>
>
> Matt Kettler wrote:
>>> Julian Field wrote:
>>>
>>>>>> Any chance you might consider adding an ifplugin statement to frame the dcc_path
>>>>>> command?
>>>>>>
>>>>>> ifplugin Mail::SpamAssassin::Plugin::DCC
>>>>>> dcc_path
>>>>>> endif
>>>>>>
>>>>>>
>>>> As above, they won't have DCC installed yet. That's what reading the
>>>> instructions tells them to do: go and install it.
>>>>
>>> Yes, which is *EXACTLY* why you want the ifplugin.
>>>
> Ah, I thought the "ifplugin" was some pseudo-code you were using to try
> to explain the problem. I didn't realise that "ifplugin" was a real
> piece of allowable syntax. I have added it to the DCC and Pyzor config
> lines.
> Given that I think we both agree (for once! :-) what was it that you
> wanted me to do?
Yes! Thanks J.

From MailScanner at ecs.soton.ac.uk Thu Nov 2 19:42:15 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Nov 2 19:46:13 2006
Subject: MS Config Question - outbound
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04297DB@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04297DB@winchester.andrewscompanies.com>
Message-ID: <454A4A17.3080109@ecs.soton.ac.uk>

    Sign Clean Messages = %rules-dir%/sign.clean.rules

In /etc/MailScanner/rules/sign.clean.rules, put something like this:
    From: hisdomain.com yes
    FromOrTo: default no

And then if you want to vary the signature per-domain for example, use this

    Inline HTML Signature = %rules-dir%/html.sig.rules
    Inline Text Signature = %rules-dir%/text.sig.rules

and then in ..../rules/html.sig.rules

    From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.html
    FromOrTo: default /etc/MailScanner/reports/en/inline.sig.html

and in ..../rules/text.sig.rules

    From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.txt
    FromOrTo: default /etc/MailScanner/reports/en/inline.sig.txt

That should be enough to get you started.

sandrews@andrewscompanies.com wrote:
> Why? Because the customer asked that a default disclaimer/signature
> block be added to all his outbound emails. I figured using my
> mailscanner box as a smarthost and then using the rules to sign outbound
> messages would be easiest.
>
> All I was missing was the architecture of the rules to "sign" just the
> outbound messages from his domain.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Evan
> Platt
> Sent: Wednesday, November 01, 2006 3:40 PM
> To: MailScanner discussion
> Subject: Re: MS Config Question - outbound
>
> At 11:56 AM 11/1/2006, you wrote:
>
>> I'm currently using mailscanner to scan all inbound mail and that works
>> great.
>>
>> Is there a way to use mailscanner to also be the outbound mail server
>> and add a disclaimer/signature block to all outbound messages like it
>> does for inbound scanned messages?
>>
>
>
> I've gotta ask..
>
> Why?
>
> I know of no anti-virus program that looks for "This message was scanned
> and found to be clean" and then ignores scanning the message.
>
> What's the point?
>
> I've seen spam with a EXE virus attached ("Microsoft Security Patch!
> INSTALL NOW!") with a "This message was found to be virus clean."
>
>
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Nov 2 19:46:45 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Nov 2 19:51:14 2006
Subject: Could not analyze message
In-Reply-To:
References:
Message-ID: <454A4B25.5030009@ecs.soton.ac.uk>

Mike Kercher wrote:
> mailscanner-bounces@lists.mailscanner.info <> scribbled on :
>
>
>> Hi
>>
>> I have a customer who can't receive an email from a certain
>> domain, the message is quarantined with a quarantine report
>> showing "Could not analyze message".
>>
>> The email is very basic, plain text with no attachments.
>>
>> I tried to get around this by using the Scan Messages ruleset
>>
>> Scan Messages = %rule-dir%/scan.messages.rules
>>
>> and set the following in scan.messages.rules
>>
>> FromOrTo: default no
>> From: domaina.com no
>> FromTo: mycustomer.com yes
>>
>> where domaina.com is the domain sending the email being
>> blocked and mycustomer.com is the domain receiving. However
>> the message is still being quarantined.
>>
>> Can anyone advise what can cause the "Could not analyze
>> message"? or why my ruleset setup is not working?
>>
>> Kind Regards
>>
>> Paul
>>
>
> Your ruleset should look like this:
>
> From: domaina.com no
> FromTo: mycustomer.com no
> FromOrTo: default yes
>
> The way your ruleset is currently, it is matching on the default entry
> FIRST
>
That won't help, it doesn't matter where the "default" rule is. I would suspect that the envelope sender address is something.domaina.com and not just domaina.com. Use the "Add Envelope From Header" and "Add Envelope To Header" to check the real sender and recipient addresses. You can't just use the From: and To: headers, as they often aren't the same as the real envelope details at all.
> Mike
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Nov 2 19:49:29 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Nov 2 19:51:25 2006
Subject: # of messages per batch
In-Reply-To: <454A0A2E.50006@nkpanama.com>
References: <454A0A2E.50006@nkpanama.com>
Message-ID: <454A4BC9.3080106@ecs.soton.ac.uk>

Alex Neuman van der Hans wrote:
> You can also increase the "queue scan interval", specially on
> lower-spec machines, to something higher. In that case your queues
> might actually fill up enough so that the 30-msg-per-batch default
> makes MailScanner pick up 30 messages out of, say, 100.
>
> On very low volume mail servers, you can even decrease that (I've set
> it to "1" on mine) so that processing is virtually instantaneous.
Don't forget that this is a per-child scan interval. If you set it to 1 and have 5 children, then the queue will get checked, when the machine is quiet, every 0.2 seconds. Which is pretty frequent!
>
> Sven De Troch spake the following on 11/1/2006 2:24 PM:
> There is a setting in the conf file for max messages per batch, but
> MailScanner will not sit and wait for messages to pile up. If you are
> running
> 10 children, and mailscanner is set to check the queue every 30
> seconds, then
> you would have to get something like 600 messages per minute to fill the
> default batch size of 30. If you are getting 10 to 20 messages a
> minute, you
> will never even break a sweat with 10 children. That would be around 1-4
> messages per batch. You could lower your max children and see if the
> system
> keeps up.
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From ssilva at sgvwater.com Thu Nov 2 20:23:21 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 20:24:05 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
In-Reply-To: <454A2C63.4000102@nkpanama.com>
References: <65234743FE1555428435CE39E6AC4078B38B30@CHI-US-EXCH-01.us.kmz.com> <454A2C63.4000102@nkpanama.com>
Message-ID:

>> 8.12.11
>> came out. The consensus so far has been ;
>> Linux and sendmail 8.12 = flock
>> Linux and sendmail 8.13 = posix
>> Also note that there have been some problems with dovecot if it is set
>> to a
>> different locking.
> Can dovecot use posix?
Yes. It is called by fcntl in dovecot.
>
>>
>> I am still curious as to how you have been so lucky with no problems!
>> Are you running on a filesystem other than ext2/ext3?
>> Maybe Core 4 has a kernel that doesn't have the locking problem that the
>> enterprise distros lack because of the conservative patching that is
>> done.
>>
>>
>>
>

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Nov 2 20:29:11 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 2 20:30:42 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
In-Reply-To: <65234743FE1555428435CE39E6AC4078B38B32@CHI-US-EXCH-01.us.kmz.com>
References: <65234743FE1555428435CE39E6AC4078B38B32@CHI-US-EXCH-01.us.kmz.com>
Message-ID:

Duncan, Brian M. spake the following on 11/2/2006 9:39 AM:
>
>
> >> I can't tell you why your version is different, maybe a
> >> custom compiled version to get around the Flock exploit that
> >> was posted about the time 8.12.11 came out. The consensus so
> >> far has been ; Linux and sendmail 8.12 = flock Linux and
> >> sendmail 8.13 = posix Also note that there have been some
> >> problems with dovecot if it is set to a different locking.
>>
> >> I am still curious as to how you have been so lucky with no problems!
>> Are you running on a filesystem other than ext2/ext3?
>> Maybe Core 4 has a kernel that doesn't have the locking
> >> problem that the enterprise distros lack because of the
> >> conservative patching that is done.
>>
>
>
>
> I use Ext3 on all of my mail boxes. Maybe it is due to the kernel
> somehow, or the sendmail RPM's that I used. I am using the Fedora
> compiled kernels. I switched over to posix earlier on my servers and
> have not noticed any differences Yet. I have been keeping a close eye
> on the /var/spool/mqueue folders.
>
> I was more worried about having trouble switching to posix, since this
> one box has passed probably close to 200 million messages without issues
> with flock on. I was feeling like if it's not broke don't fix it type
> situation. Yet I see a lot of people running into this problem.
>
>
> I have been trying to find a way to 100% determine what lock method
> sendmail uses. From scanning the mailing lists and searching a lot of
> people tell others to check with sendmail -d0.1 -d0.4 -bt
> If it lists flock in the compiled options then it's using flock. I have
> NOT been able to confirm this.
>
> Here is one host of ours that just rejects messages. (It is a Sendmail
> 8.12.x box, so it SHOULD be using flock from what I understand)
>
> It was compiled from RPM on 03/08/06, I checked the SPEC file and see
> nothing specifying lock type. The only reason I updated this one was
> due to an exploit at the time if I recall correctly.
>
> Version 8.12.11.20060308
> Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET
> NETINET6
> NETUNIX NEWDB NIS PIPELINING SASL SCANF TCPWRAPPERS
> USERDB
> USE_LDAP_INIT
>
>
> This is my 8.13 boxes: (same on all of them)
>
> Version 8.13.8
> Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET
> NETINET6
> NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP
> STARTTLS
> TCPWRAPPERS USERDB USE_LDAP_INIT
Definitely not there or you would see HASFLOCK.
Flock in sendmail is a compile-time option, and RedHat always seemed to turn it on in 8.12. It is a faster lock, but not safer. Your rpm must have been compiled without it, or compiled with "-DHASFLOCK=0"

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Nov 2 20:38:09 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 2 20:39:19 2006 Subject: OT: RE: MS Config Question - outbound In-Reply-To: <454A199F.7506.506FEC9@cobalt-users1.fishnet.co.uk> References: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com> <454A199F.7506.506FEC9@cobalt-users1.fishnet.co.uk> Message-ID: Ian spake the following on 11/2/2006 8:15 AM: > On 2 Nov 2006 at 10:50, sandrews@andrewscompanies.com wrote: > >> I did educate them; but the boss' daughter is into "marketing" and she >> assured everyone that this was necessary. I know what fights to pick. > > See if you can sneak this one in... it appeared in another mailling list and I use it in reply to > anyone who sends me one. > > IMPORTANT: > This email is intended for the use of the individual addressee (s) > named above and may contain information that is confidential, > privileged or unsuitable for overly sensitive persons with low self- > esteem, no sense of humour or irrational religious beliefs. If you > are not the intended recipient, any dissemination, distribution or > copying of this email is not authorised (either explicitly or > implicitly) and constitutes an Irritating social faux pas. Unless the > word absquatulation has been used in its correct context somewhere > other than in this warning, it does not have any legal or grammatical > use and may be ignored. No animals were harmed in the transmission of > this email, although the cat next door is living on borrowed time, > let me tell you. Those of you with an overwhelming fear of the > unknown will be gratified to learn that there is no hidden message > revealed by reading this warning backwards, so just ignore that Alert > Notice from Microsoft. However, by pouring a complete circle of salt > around yourself and your computer you can ensure that no harm befalls > you and your pets. If you have received this email in error, please > place it in a warm oven for 40 minutes and add some nutmeg and egg > whites. 
Whisk briefly and let it stand for 2 hours before icing. > > Ian Finally! A useful disclaimer! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From daniel.maher at ubisoft.com Thu Nov 2 20:54:52 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Nov 2 20:54:57 2006 Subject: ImageInfo config Message-ID: <1E293D3FF63A3740B10AD5AAD88535D20396BD53@UBIMAIL1.ubisoft.org> Hello all, For those of you that are using ImageInfo, I thought that it might be interesting to share configs - what sorts of modifications have you made to the default config that have helped in your organisation? -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061102/97269195/attachment.html From alex at nkpanama.com Thu Nov 2 20:56:40 2006 From: alex at nkpanama.com (Alex Neuman) Date: Thu Nov 2 21:11:25 2006 Subject: # of messages per batch In-Reply-To: <454A4BC9.3080106@ecs.soton.ac.uk> References: <454A0A2E.50006@nkpanama.com> <454A4BC9.3080106@ecs.soton.ac.uk> Message-ID: <454A5B88.4050908@nkpanama.com> Julian Field escribi?: > > Don't forget that this is a per-child scan interval. If you set it to 1 > and have 5 children, then the queue will get checked, when the machine > is quiet, every 0.2 seconds. Which is pretty frequent! > I have only one child running, which is perfect for me (low volume). From ralloway at winbeam.com Thu Nov 2 21:08:49 2006 
From: ralloway at winbeam.com (Richard D Alloway) Date: Thu Nov 2 21:24:50 2006 Subject: Non-spam MailScanner score logging? Message-ID: Hi! I'd like MailScanner to log the SpamAssassin scores for messages that don't score above the "Required SpamAssassin Score" or "High SpamAssassin Score". An example: Nov 2 04:20:19 192.168.1.4 MailScanner[27161]: Message kA29K2Wt004173 from xx.xx.xx.xx (xxxxxx@xxxxxxx) to xxxxx.net is spam, SpamAssassin (not cached, score=4.531, required 4, BAYES_50 2.00, HTML_MESSAGE 0.00, MIME_HEADER_CTYPE_ONLY 0.00, MIME_HTML_ONLY 0.00, MSGID_FROM_MTA_HEADER 0.00, MSGID_FROM_MTA_ID 1.39, NORMAL_HTTP_TO_IP 0.17, NO_REAL_NAME 0.96) I'd like to see the same report for non-spam emails. Since only about 10% of our incoming email is legit, this should only incur a very slight increase in total system load. I've looked through the MailScanner.conf file and can't find a way to turn it on... am I missing something or is this a feature than can be added on a future release? Thanks! -Richard D Alloway Chief Technical Officer Winbeam Inc, A ClearWire Company From res at ausics.net Thu Nov 2 21:26:49 2006 
From: res at ausics.net (Res) Date: Thu Nov 2 21:26:56 2006 Subject: rejecting botnets with sendmail In-Reply-To: <000001c6fe8a$8573ab50$0301a8c0@SAHOMELT> References: <000001c6fe8a$8573ab50$0301a8c0@SAHOMELT> Message-ID: On Thu, 2 Nov 2006, Rick Cooper wrote: >>> >>> deny message = rejected because $sender_host_address is >> in a black list \ >>> at $dnslist_domain $dnslist_text >>> hosts = !/somedir/Mail_local_net:!/somedir/mail_relay_from_hosts >>> senders = !/somedir/Mail_sender_white_list.conf >>> dnslists = ${readfile{/somedir/mail_rbl_lists}{:}} >>> >>> Which says, basically, if the host is *not* in my local >> network list, and >>> it's not a host I relay for and the sender is not in a >> special whitelist, >>> then submit to the rbls listed in /somedir/mail_rbl_lists. >> If the host is >>> already excluded the call is never made (wasted). The lists >> can be changed >>> without having to do anything with exim, if the file >> changes exim reads it >>> again, otherwise it's cached. >>> >> >> 4 lines for what sendmail does by default compilation, whoa >> > > That is inaccurate, I believe. If I just wanted to run the rbl it would be > dnslists = ${readfile{/somedir/mail_rbl_lists}{:}}. And the rbl processing we wernt talking about just RBL, we wer talkng filenames of exclusions as well, each to their own i guess -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Thu Nov 2 21:34:18 2006 
From: res at ausics.net (Res) Date: Thu Nov 2 21:34:36 2006 Subject: out of curiosity: reload and restart In-Reply-To: <454A3AA7.3020605@ecs.soton.ac.uk> References: <454A3AA7.3020605@ecs.soton.ac.uk> Message-ID: On Thu, 2 Nov 2006, Julian Field wrote: > the child processes as 11 seconds per child appears to be too long on > systems with large numbers of child processes. 5 seconds should work > okay, you won't get any overlap of timings until you have launched 12 > children, so in reality this should not cause any harm. Jules, been running 5 seconds on ours for a long time, both sendmail and qmail servers with no problems, 10 processes and even 20 processes we saw no problems > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From mkettler at evi-inc.com Thu Nov 2 21:35:44 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Nov 2 21:35:54 2006 Subject: Non-spam MailScanner score logging? In-Reply-To: References: Message-ID: <454A64B0.2090908@evi-inc.com> Richard D Alloway wrote: > > Hi! > > I'd like MailScanner to log the SpamAssassin scores for messages that > don't score above the "Required SpamAssassin Score" or "High > SpamAssassin Score". > > An example: > > Nov 2 04:20:19 192.168.1.4 MailScanner[27161]: Message kA29K2Wt004173 > from xx.xx.xx.xx (xxxxxx@xxxxxxx) to xxxxx.net is spam, SpamAssassin > (not cached, score=4.531, required 4, BAYES_50 2.00, HTML_MESSAGE 0.00, > MIME_HEADER_CTYPE_ONLY 0.00, MIME_HTML_ONLY 0.00, MSGID_FROM_MTA_HEADER > 0.00, MSGID_FROM_MTA_ID 1.39, NORMAL_HTTP_TO_IP 0.17, NO_REAL_NAME 0.96) > > I'd like to see the same report for non-spam emails. In MailScanner.conf find the "Log Non Spam" entry and change it to "yes". > Since only about 10% of our incoming email is legit, this should only > incur a very slight increase in total system load. Agree.. I keep it on myself. > I've looked through the MailScanner.conf file and can't find a way to > turn it on... am I missing something or is this a feature than can be > added on a future release? It's there, you just missed it. From bpumphrey at woodmclaw.com Thu Nov 2 21:45:25 2006 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Thu Nov 2 21:45:39 2006 Subject: ImageInfo config In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20396BD53@UBIMAIL1.ubisoft.org> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C1405C@woodenex.woodmaclaw.local> I have not changed anything on it. Billy Pumphrey IT Manager Wooden & McLaughlin ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Maher Sent: Thursday, November 02, 2006 3:55 PM To: MailScanner discussion Subject: ImageInfo config Hello all, For those of you that are using ImageInfo, I thought that it might be interesting to share configs - what sorts of modifications have you made to the default config that have helped in your organisation? -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. -- This message has been scanned for viruses and dangerous content by MailScanner , and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061102/3ba05aaf/attachment.html From pete at enitech.com.au Fri Nov 3 03:28:14 2006 
From: pete at enitech.com.au (Peter Russell)
Date: Fri Nov 3 03:28:24 2006
Subject: Python Script help (Harvesting Spam from Exchange)
Message-ID: <454AB74E.5020003@enitech.com.au>

Someone else on this list (I am sorry I don't recall who) let me use the
attached Python script to learn from spam (then delete it) from an
Exchange public folder.

I was going to add it all to the wiki, but after some more thorough
testing I notice the script doesn't always learn and delete all of the
spam in the public folder on a single run - the script must be rerun
several times before all of the spam is learned and deleted.

Is anyone here Python proficient enough to have a look and see if there
is a way of getting it to run a little more reliably?

Once this is worked out I will write a wiki doc on setting up Exchange and
the script.

Many thanks in advance if anyone is able to help
Pete
-------------- next part --------------
#!/usr/bin/env python
import commands, os, time
import imaplib
import sys, re
import string, random
import StringIO, rfc822

# Set required variables
PREFS = "/etc/MailScanner/spam.assassin.prefs.conf"
TMPFILE = "/var/tmp/salearn.tmp"
SALEARN = "/usr/bin/sa-learn"
SERVER = "x.x.x.x"
USER = "someuserwithaccesstopublicfolder"
PASSWORD = "somepassword"
LOGFILE = "/var/log/learn.spam.log"
log = file(LOGFILE, 'a+')
log.write("\n\nTraining SpamAssassin on %s at %s\n" % (time.strftime("%Y-%m-%d"), time.strftime("%H:%M:%S")))

# connect to server
server = imaplib.IMAP4(SERVER)

# login
server.login(USER, PASSWORD)
server.select("Public Folders/Spam")

# Get messages
typ, data = server.search(None, 'ALL')
for num in data[0].split():
    typ, data = server.fetch(num, '(RFC822)')
    tmp = file(TMPFILE, 'w+')
    tmp.write(data[0][1])
    tmp.close()
    log.write(commands.getoutput("%s --prefs-file=%s --spam %s" % \
        (SALEARN, PREFS, TMPFILE)))
    log.write("\n")
    # Mark learned spam as "Deleted"
    server.store(num, '+FLAGS', '\\Deleted')
    # Delete messages marked as "Deleted" from server
    server.expunge()
server.logout()

From jon.bates at summitmotors.com.au Fri Nov 3 05:29:03 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Fri Nov 3 05:29:28 2006
Subject: Not detecting some instances of viruses
Message-ID: <200611030529.kA35TDic014240@summitmotors.com.au>

I'm having trouble whereby only SOME instances of the same virus are being
identified by ClamAV.

The virus is exactly the same type every time, but only some get detected -
the rest are sent on to the user!

There is no pattern that I can see - Zip files (containing infected exe),
and plain exe files have been allowed through.

I've subsequently scanned the user's mailbox on the server using clamscan,
and it DOES detect the email! For some reason, when it is scanned when the
message is received, it's not detected.

Any help would be appreciated!

- Jon Bates

From glenn.steen at gmail.com Fri Nov 3 07:57:05 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 3 07:57:09 2006 Subject: how to cache no-spam message shown its content in mailwatch In-Reply-To: References: <4547A142.5030204@ecs.soton.ac.uk> <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com> Message-ID: <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com> On 02/11/06, Cheng Bruce wrote: > Hi, > Thank you for your always kind help. > > By the way, would you please advise me how to cache the non-SPAM > messages in mailwatch ( Quarantine ) like SPAM messages ? due to a lot > of SPAMs treat as no-SPAM, I need more messages to block. > > Thank you again. If I read you right, you just need to add "store" to your "Non Spam Actions" (http://www.mailscanner.info/MailScanner.conf.index.html#Non%20Spam%20Actions). So if you have Non Spam Actions = deliver header "X-Spam-Status: No" in /etc/MailScanner/MailScanner.conf, you'd just change it to Non Spam Actions = store deliver header "X-Spam-Status: No" ... That way all messages will end up in the quarantine (in a "non-spam" subdirectory). You'll need make a script or somesuch that clears out this, after a few days, so that you don't fill your disks too fast:-), at least if you want this to be a permanent solution. If it is just a few hours (to actually get to look at the false negatives, and decide what to do about them....), you could just do that manually;-). If these are mostly image spam, look for the ImageInfo spamassassin plugin from www.rulesemporium.com ... It made a world of difference for me! (hope you don't mind me redirecting this back to the list, since this is actually "on-topic";-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From tgc at statsbiblioteket.dk Fri Nov 3 08:34:30 2006 
From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Fri Nov 3 08:34:35 2006 Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner. In-Reply-To: References: <65234743FE1555428435CE39E6AC4078B38B32@CHI-US-EXCH-01.us.kmz.com> Message-ID: <454AFF16.8060009@statsbiblioteket.dk> Scott Silva wrote: > Duncan, Brian M. spake the following on 11/2/2006 9:39 AM: >> >> >>> I can't tell you why your version is different, maybe a >>> custom compiled version to get around the Flock exploit that >>> was posted about the time 8.12.11 came out. The consensus so >>> far has been ; Linux and sendmail 8.12 = flock Linux and >>> sendmail 8.13 = posix Also note that there have been some >>> problems with dovecot if it is set to a different locking. >>> >>> I am still curious as to how you have been so lucky with no problems! >>> Are you running on a filesystem other than ext2/ext3? >>> Maybe Core 4 has a kernel that doesn't have the locking >>> problem that the enterprise distros lack because of the >>> conservative patching that is done. >>> >> >> >> I use Ext3 on all of my mail boxes. Maybe it is due to the kernel >> somehow, or the sendmail RPM's that I used. I am using the Fedora >> compiled kernels. I switched over to posix earlier on my servers and >> have not noticed any differences Yet. I have been keeping a close eye >> on the /var/spool/mqueue folders. >> >> I was more worried about having trouble switching to posix, since this >> one box has passed probably close to 200 million messages without issues >> with flock on. I was feeling like if it's not broke don't fix it type >> situation. Yet I see allot of people running into this problem. >> >> >> I have been trying to find a way to 100% determine what lock method >> sendmail uses. From scanning the mailing lists and searching allot of >> people tell others to check with sendmail -d0.1 -d0.4 -bt > >> If it lists flock in the compiled options then it's using flock. 
>> I have NOT been able to confirm this.
>>
>> Here is one host of ours that just rejects messages. (It is a Sendmail
>> 8.12.x box, so it SHOULD be using flock from what I understand)
>>
>> It was compiled from RPM on 03/08/06, I checked the SPEC file and see
>> nothing specifying lock type. The only reason I updated this one was
>> due to an exploit at the time if I recall correctly.
>>
>> Version 8.12.11.20060308
>> Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
>> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET
>> NETINET6
>> NETUNIX NEWDB NIS PIPELINING SASL SCANF TCPWRAPPERS
>> USERDB
>> USE_LDAP_INIT
>>
>>
>> This is my 8.13 boxes: (same on all of them)
>>
>> Version 8.13.8
>> Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
>> MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET
>> NETINET6
>> NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP
>> STARTTLS
>> TCPWRAPPERS USERDB USE_LDAP_INIT
> Definitely not there or you would see HASFLOCK. Flock in sendmail is a
> compile-time option, and RedHat always seemed to turn it on in 8.12. It is a
> faster lock, but not safer. Your rpm must have been compiled without it, or
> compiled with "-DHASFLOCK=0"
>
I looked into the sendmail 8.12.11 source as delivered in the RHEL 3
src.rpm. It has this snippet in the Linux section of include/sm/conf.h:

# ifndef HASFLOCK
#  if LINUX_VERSION_CODE < 66399
#   define HASFLOCK 0 /* flock(2) is broken after 0.99.13 */
#  else /* LINUX_VERSION_CODE < 66399 */
#   define HASFLOCK 1 /* flock(2) fixed after 1.3.95 */
#  endif /* LINUX_VERSION_CODE < 66399 */
# endif /* ! HASFLOCK */

A quick grep reveals that HASFLOCK is not defined anywhere outside of
include/sm/conf.h so I take it this means flock is the default for Linux
in sendmail 8.12.11.
Also grep -i flock on /usr/lib/sendmail gives a match.

This type of default define is apparently not added to the Compiled with:
output.

I've run MailScanner on RHEL 2.1 for a long time, first with sendmail 8.11 and now with 8.12 (from RH errata). I've always used flock and I haven't seen any issues with it. It's not that I get all that much mail but my primary mx do process about 10-14K mails a day. -tgc From glenn.steen at gmail.com Fri Nov 3 08:34:37 2006 
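
The reason the lock type matters in this thread, as an added example that is not from any poster and not sendmail or MailScanner code: on a local Linux filesystem a flock(2) lock and a POSIX fcntl(2) lock on the same file do not see each other, so a scanner probing with one kind while the MTA holds the other will read a queue file that is still being written. The temporary file is a constructed stand-in for a queue file, and the function names are hypothetical.

```python
import fcntl
import os
import sys
import tempfile

# The independence of the two lock families shown here is Linux behaviour
# on local filesystems; other platforms may differ.
ON_LINUX = sys.platform.startswith("linux")


def _take(fd, kind, nonblocking=False):
    """Take an exclusive whole-file lock of the given kind on fd."""
    flags = fcntl.LOCK_EX | (fcntl.LOCK_NB if nonblocking else 0)
    if kind == "flock":
        fcntl.flock(fd, flags)   # BSD-style flock(2)
    elif kind == "posix":
        fcntl.lockf(fd, flags)   # POSIX record lock via fcntl(2)
    else:
        raise ValueError("unknown lock kind: %r" % kind)


def second_process_gets_lock(holder_kind, prober_kind):
    """Hold a lock of holder_kind (playing the MTA), then let a child
    process (playing the scanner) try a non-blocking lock of prober_kind.

    Returns True when the child obtained its lock, i.e. it believes the
    file is free even though the parent still holds its own lock.
    """
    # Constructed stand-in for a queue file.
    with tempfile.NamedTemporaryFile() as queue_file:
        _take(queue_file.fileno(), holder_kind)
        pid = os.fork()
        if pid == 0:
            # Child: open the file independently, as a separate program would.
            code = 2
            try:
                fd = os.open(queue_file.name, os.O_RDWR)
                try:
                    _take(fd, prober_kind, nonblocking=True)
                    code = 0          # lock granted: no conflict seen
                except OSError:
                    code = 1          # lock refused: conflict detected
            finally:
                os._exit(code)
        _, status = os.waitpid(pid, 0)
        exit_code = os.WEXITSTATUS(status)
        if exit_code not in (0, 1):
            raise RuntimeError("probe process failed unexpectedly")
        return exit_code == 0


def lock_matrix():
    """All four holder/prober combinations -> did the prober get in?"""
    kinds = ("flock", "posix")
    return {(h, p): second_process_gets_lock(h, p) for h in kinds for p in kinds}


if __name__ == "__main__":
    for (holder, prober), got_in in sorted(lock_matrix().items()):
        verdict = "NOT protected" if got_in else "protected"
        print("holder=%-5s prober=%-5s -> %s" % (holder, prober, verdict))
```

Only the matched pairs (flock/flock, posix/posix) report a conflict, which is why the lock type in MailScanner.conf has to be the one the sendmail binary was actually compiled to use.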
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 3 08:34:42 2006 Subject: OT: RE: MS Config Question - outbound In-Reply-To: References: <1964AAFBC212F742958F9275BF63DBB04297E7@winchester.andrewscompanies.com> <454A199F.7506.506FEC9@cobalt-users1.fishnet.co.uk> Message-ID: <223f97700611030034r13db9433n22f49ae09a40f1c8@mail.gmail.com> On 02/11/06, Scott Silva wrote: > Ian spake the following on 11/2/2006 8:15 AM: > > On 2 Nov 2006 at 10:50, sandrews@andrewscompanies.com wrote: > > > >> I did educate them; but the boss' daughter is into "marketing" and she > >> assured everyone that this was necessary. I know what fights to pick. > > > > See if you can sneak this one in... it appeared in another mailling list and I use it in reply to > > anyone who sends me one. > > > > IMPORTANT: > > This email is intended for the use of the individual addressee (s) > > named above and may contain information that is confidential, > > privileged or unsuitable for overly sensitive persons with low self- > > esteem, no sense of humour or irrational religious beliefs. If you > > are not the intended recipient, any dissemination, distribution or > > copying of this email is not authorised (either explicitly or > > implicitly) and constitutes an Irritating social faux pas. Unless the > > word absquatulation has been used in its correct context somewhere > > other than in this warning, it does not have any legal or grammatical > > use and may be ignored. No animals were harmed in the transmission of > > this email, although the cat next door is living on borrowed time, > > let me tell you. Those of you with an overwhelming fear of the > > unknown will be gratified to learn that there is no hidden message > > revealed by reading this warning backwards, so just ignore that Alert > > Notice from Microsoft. However, by pouring a complete circle of salt > > around yourself and your computer you can ensure that no harm befalls > > you and your pets. 
If you have received this email in error, please > > place it in a warm oven for 40 minutes and add some nutmeg and egg > > whites. Whisk briefly and let it stand for 2 hours before icing. > > > > Ian > Finally! A useful disclaimer! > I wonder.... That reference to a salt circle.... Is that perhaps for the extra SLUG protection one needs so desperately?:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Nov 3 08:50:48 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 3 08:50:51 2006 Subject: Python Script help (Harvesting Spam from Exchange) In-Reply-To: <454AB74E.5020003@enitech.com.au> References: <454AB74E.5020003@enitech.com.au> Message-ID: <223f97700611030050p7ec004d7vccc504fa299c2af9@mail.gmail.com> On 03/11/06, Peter Russell wrote: > Some one else on this list (i am sorry i dont recall who) let me use the > attached python script to learn from spam (then delete it) from an > Exchange public folder. > > I was going to add it all to the wiki but after some more thorough > testing i notice the script doesnt always learn and delete all of the > spam in the public folder on a single run - the script must be re run > several times before all of the spam is learned and deleted. > > Is anyone here python proficient enough to have a look and see if there > is a way of getting it to run a little more reliably? > > Once this is worked out i will write wiki doc on setting up exchange and > the script. 
> > Many thanks in advance if anyone is able to help > Pete > > > #!/usr/bin/env python > import commands, os, time > import imaplib > import sys, re > import string, random > import StringIO, rfc822 > > # Set required variables > PREFS = "/etc/MailScanner/spam.assassin.prefs.conf" > TMPFILE = "/var/tmp/salearn.tmp" > SALEARN = "/usr/bin/sa-learn" > SERVER = "x.x.x.x" > USER = "someuserwithaccesstopublicfolder" > PASSWORD = "somepassword" > LOGFILE = "/var/log/learn.spam.log" > log = file(LOGFILE, 'a+') > log.write("\n\nTraining SpamAssassin on %s at %s\n" % (time.strftime("%Y-%m-%d"), time.strftime("%H:%M:%S"))) > > # connect to server > server = imaplib.IMAP4(SERVER) > > # login > server.login(USER, PASSWORD) > server.select("Public Folders/Spam") > > # Get messages > typ, data = server.search(None, 'ALL') > for num in data[0].split(): > typ, data = server.fetch(num, '(RFC822)') > tmp = file(TMPFILE, 'w+') > tmp.write(data[0][1]) > tmp.close() > log.write(commands.getoutput("%s --prefs-file=%s --spam %s" % \ > (SALEARN, PREFS, TMPFILE))) > log.write("\n") > # Mark learned spam as "Deleted" > server.store(num, '+FLAGS', '\\Deleted') > # Delete messages marked as "Deleted" from server > server.expunge() > server.logout > Not sure about anything (not really proficient in python:-), but try moving the expunge out of the for loop, and see if that helps (you'd just do one big expunge after you're done, thus preserving the "order" for the for loop). Haven't tested anything either:-):-). Another thought would be if the M-Sexchange IMAP service had some foolery going on, like "pagination".... Not returning more than X heads for you to operate on... -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From gordon at itnt.co.za Fri Nov 3 09:12:46 2006 
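
The effect of the expunge placement discussed above, as an added example that is not part of either post: IMAP renumbers message sequence numbers after every EXPUNGE, so numbers collected by one SEARCH go stale as soon as the first message is removed. FakeMailbox is a constructed in-memory stand-in that mimics imaplib's return shapes so the example runs offline, and the `learn` callback is a hypothetical stand-in for the sa-learn invocation.

```python
class FakeMailbox:
    """Constructed stand-in for an IMAP folder: imaplib-like return values
    and IMAP sequence-number renumbering on expunge()."""

    def __init__(self, bodies):
        self.msgs = [{"body": b, "deleted": False} for b in bodies]

    def _get(self, num):
        i = int(num) - 1                      # sequence numbers start at 1
        return self.msgs[i] if 0 <= i < len(self.msgs) else None

    def search(self, charset, criterion):
        nums = " ".join(str(i) for i in range(1, len(self.msgs) + 1))
        return "OK", [nums.encode()]

    def fetch(self, num, parts):
        m = self._get(num)
        if m is None:
            return "NO", [None]
        head = b"%d (RFC822 {%d}" % (int(num), len(m["body"]))
        return "OK", [(head, m["body"]), b")"]

    def store(self, num, command, flags):
        m = self._get(num)
        if m is None:
            return "NO", [None]
        m["deleted"] = True
        return "OK", [None]

    def expunge(self):
        # Removing messages shifts every later sequence number down.
        self.msgs = [m for m in self.msgs if not m["deleted"]]
        return "OK", [None]


def learn_expunge_in_loop(server, learn):
    """Behaviour of the posted script: EXPUNGE after every message."""
    typ, data = server.search(None, "ALL")
    for num in data[0].split():
        typ, msg = server.fetch(num, "(RFC822)")
        if typ != "OK" or not msg or msg[0] is None:
            continue                          # that number no longer exists
        learn(msg[0][1])
        server.store(num, "+FLAGS", "\\Deleted")
        server.expunge()                      # renumbers the rest mid-loop


def learn_expunge_once(server, learn):
    """Suggested change: flag inside the loop, one EXPUNGE at the end."""
    typ, data = server.search(None, "ALL")
    for num in data[0].split():
        typ, msg = server.fetch(num, "(RFC822)")
        if typ != "OK" or not msg or msg[0] is None:
            continue
        learn(msg[0][1])
        server.store(num, "+FLAGS", "\\Deleted")
    server.expunge()                          # numbers stayed valid until here


def first_run(loop, bodies):
    """Return (learned, left_in_folder) after a single run of `loop`."""
    box, learned = FakeMailbox(bodies), []
    loop(box, learned.append)
    return learned, [m["body"] for m in box.msgs]


def runs_until_empty(loop, bodies, limit=20):
    """How many runs of `loop` it takes to empty the folder."""
    box = FakeMailbox(bodies)
    for run in range(1, limit + 1):
        loop(box, lambda body: None)
        if not box.msgs:
            return run
    return None


SAMPLE = [b"m1", b"m2", b"m3", b"m4", b"m5", b"m6"]   # constructed messages

if __name__ == "__main__":
    print("in-loop expunge:", first_run(learn_expunge_in_loop, SAMPLE))
    print("single expunge: ", first_run(learn_expunge_once, SAMPLE))
```

With the in-loop expunge every second message is skipped on each run, which matches the reported need to rerun the script; against a real server, imaplib's uid() commands address messages by identifiers that do not change on expunge.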
From: gordon at itnt.co.za (Gordon Colyn) Date: Fri Nov 3 09:27:22 2006 Subject: Whitelist issue Message-ID: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon> ITNT Banner Campaign This email got through the MailScanner classified as whitelisted. The user has whitelisted from andreb@tcmwarehouse.com to sales@tcmwarehouse.com. Return-Path: Received: from sentinal2.itnt.co.za (sentinal2.itnt.co.za [196.37.112.91]) by angel.itnt.co.za (8.13.1/8.13.1) with ESMTP id kA24PI6D015145 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Thu, 2 Nov 2006 06:25:23 +0200 Received: from 190.40.232.116 ([190.40.232.116]) by sentinal2.itnt.co.za (8.13.4/8.13.4) with ESMTP id kA24O3vr027855 for ; Thu, 2 Nov 2006 06:24:14 +0200 Received: from mail.sugarloafproducts.com (port=15187 helo=ewregvtneyhik) by 190.40.232.116 with smtp id 3LxQg-rQaO8kf3-p7 for sales@tcmwarehouse.com; Tue, 02 Nov 2004 23:23:53 -0500 Message-ID: <000a01c4c15c$e4c78710$01feaa58@ewregvtneyhik> From: "Roy Freeman" To: andreb@tcmwarehouse.com Subject: break away as a sorrowful hundred reluctantly How can it be classified as whitelisted if the from addres is yqhsj@sugartime.net? It score 26. Thanks Regards Gordon Colyn InTheNet Technologies www.itnt.co.za MSN: gordoncolyn@hotmail.com SKYPE: gordoncolyn 086 123 ITNT (4868) 086 682 5204 (Fax) +27 (0)83 296 7534 Confidentiality: This e-mail including any attachments is intended for the above named addressee(s) only and contains confidential information. If you have received this email in error you must take no action based on its contents, nor must you reproduce or show the e-mail or any attachments or any part thereof or communicate the contents to anyone; please reply to the sender of this e-mail informing them of the error. Viruses: We recommend that in keeping with good computing practice the recipient should ensure that e-mails received are virus free before opening. From r.berber at computer.org Fri Nov 3 09:32:35 2006 
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Fri Nov 3 09:33:47 2006 Subject: Not detecting some instances of viruses In-Reply-To: <200611030529.kA35TDic014240@summitmotors.com.au> References: <200611030529.kA35TDic014240@summitmotors.com.au> Message-ID: Jon Bates wrote: > I'm having trouble whereby only SOME instances of the same virus are being > identified by ClamAV. > > The virus is exactly the same type every time, but only some get detected - > the rest are sent on to the user! > > There is no pattern that I can see - Zip files (containing infected exe), > and plain exe files have been allowed through. > > I've subsequently scanned the users mailbox on the server using clamscan, > and it DOES detect the email! For some reason, when it is scanned when the > message is received, it's not detected. Could be any of: 1. Timing. A virus signature that was just added to the DB. 2. Rules. If you have rules specifying what is virus scanned. 3. Size. Limits in MS configuration and also in the program/module doing the scanning. 4. Scan Parameters. clamscan has default parameters that are a little different that the perl module, for instance corrupt executable is detected by clamscan but I'm not sure if the module does detect it. 5. Encoding. There is a parameter in MS about scanning uuencoded parts, I'm not sure if this affects virus scanning. What does the log show? (does it say scanning for viruses ... clean ?) -- Ren? Berber From housey at sme-ecom.co.uk Fri Nov 3 09:58:33 2006 
From: housey at sme-ecom.co.uk (Paul Houselander) Date: Fri Nov 3 09:58:44 2006 Subject: Could not analyze message Message-ID: Hi I have a customer who cant recieve an email from a certain domain, the message is quarantined with a quarantine report showing "Could not analyze message". The email is very basic, plain text with no attachments. I tried to get around this by using the Scan Messages ruleset Scan Messages = %rule-dir%/scan.messages.rules and set the following in scan.messages.rules FromOrTo: default no From: domaina.com no FromTo: mycustomer.com yes where domaina.com is the domain sending the email being blocked and mycustomer.com is the domain recieving. However the message is still being quarantined. Can anyone advise what can cause the "Could not analyze message"? or why my ruleset setup is not working? Kind Regards Paul From t.d.lee at durham.ac.uk Fri Nov 3 10:35:35 2006 
From: t.d.lee at durham.ac.uk (David Lee)
Date: Fri Nov 3 10:36:04 2006
Subject: MS/SA: SA problem
In-Reply-To:
References:
Message-ID:

On Thu, 2 Nov 2006, Scott Silva wrote:

> David Lee spake the following on 11/2/2006 4:22 AM:
> > We've been running MS/SA on Fedora machines for a few years. Earlier this
> > week, I set up yet another machine, expecting it to be straightforward.
> > Clean OS install (FC5), clean install of MS (4.56.8) etc.
> >
> > All seems well, including "spamassassin --lint --debug".
> >
> > But when it starts to try to process email, MailScanner seems to take a
> > very long time. Running it in debug mode shows:
> >
> > Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718.
> > Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718.
> > Use of uninitialized value in exists at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718.
> > dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
> > dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
> > dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
> > dns: sendto() failed: Connection refused at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm line 339, line 67.
> >
> > and lots more similar lines (although the " line yy" varies).
> >
> > Any thoughts on this?
> >
> > Over the last couple of days I've tried various versions of SA (the above
> > details are from 3.1.3) installed in various different ways, but all
> > giving this set of errors.
> >
> >
> Did you try Julian's install script for spamassassin and clam? It might toss in
> any perl modules that are lacking. And maybe remove the spamassassin rpm in
> core before you try.

Yes, that's one of the "installed in various different ways" that I tried. And what was worrying me is that this is the first time I had ever tried Julian's Clam/SA package and is the only time I've had this problem. Coincidence?

Well, actually, yes, coincidence. Nothing more.

I have just tracked down the problem, and it was a subtle difference of our own making in the OS install, completely outside of MS/SA-type things. (That is, all the email-y-type things are innocent.)

For various local reasons our local OS re-install had included 127.0.0.1 as the first line in "/etc/resolv.conf" but didn't set a local DNS server running. (The hint was staring me in the face all along from the reported error messages... sigh!)

Anyway, I have resolved this inconsistency between resolv.conf and lack of local DNS server, and all now seems well.

Thanks to both Scott and Res for their replies and thoughts.

--
: David Lee                        I.T. Service       :
: Senior Systems Programmer        Computer Centre    :
:                                  Durham University  :
: http://www.dur.ac.uk/t.d.lee/    South Road         :
:                                  Durham DH1 3LE     :
: Phone: +44 191 334 2752          U.K.               :

From res at ausics.net Fri Nov 3 11:33:08 2006
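Added example (not part of the thread, and not MailScanner or SpamAssassin code): the condition David Lee describes above, a nameserver entry in /etc/resolv.conf with no DNS server listening behind it, can be confirmed by sending one DNS query to each listed server. The function names and the default query name example.com are assumptions made for this illustration.

```python
"""Send one real DNS query to every nameserver listed in resolv.conf."""
import socket
import struct
import sys


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses in the order they are listed."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def build_query(name, query_id=0x4D53):
    """Build a minimal DNS query: one question, type A, class IN, RD set."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def probe(server, port=53, timeout=2.0, name="example.com"):
    """Return 'ok', 'refused', 'timeout', 'bad-reply' or 'error: ...'."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    query = build_query(name)
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            # A connected UDP socket lets the kernel report the ICMP
            # "port unreachable" answer as ECONNREFUSED, which is the
            # "sendto() failed: Connection refused" seen in the debug output.
            sock.connect((server, port))
            sock.send(query)
            reply = sock.recv(512)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error: %s" % exc
    # A genuine reply is at least a 12-byte header echoing our query ID.
    if len(reply) >= 12 and reply[:2] == query[:2]:
        return "ok"
    return "bad-reply"


def diagnose(resolv_conf_text, probe_fn=probe):
    """Return [(position, server, status)] for every configured nameserver."""
    servers = parse_nameservers(resolv_conf_text)
    return [(i, s, probe_fn(s)) for i, s in enumerate(servers, 1)]


def problems(results):
    """Describe every nameserver that did not answer the query."""
    return ["nameserver #%d (%s): %s" % (pos, server, status)
            for pos, server, status in results if status != "ok"]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    with open(path) as handle:
        issues = problems(diagnose(handle.read()))
    for issue in issues:
        print(issue)
    sys.exit(1 if issues else 0)
```

Run it on a freshly installed scanner before starting MailScanner; a non-zero exit status means at least one listed nameserver did not answer.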
From: res at ausics.net (Res)
Date: Fri Nov 3 11:33:16 2006
Subject: Whitelist issue
In-Reply-To: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon>
References: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon>
Message-ID:

On Fri, 3 Nov 2006, Gordon Colyn wrote:

> ITNT Banner Campaign
> This email got through the MailScanner classified as whitelisted. The user
> has whitelisted from andreb@tcmwarehouse.com to sales@tcmwarehouse.com.

Can you show us how you have written the rules

> Received: from mail.sugarloafproducts.com (port=15187 helo=ewregvtneyhik)

I'd suggest you grab the bad_helo HACK and use it as well
people with legitimate mail don't throw crap like that in helos

> How can it be classified as whitelisted if the from address is
> yqhsj@sugartime.net? It scored 26.
>

Start using Envelope from in MailScanner

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away"
- Floyd

From christo at it4africa.co.za Fri Nov 3 12:08:38 2006
From: christo at it4africa.co.za (Christo Bezuidenhout)
Date: Fri Nov 3 12:02:11 2006
Subject: Could not analyze message {Virus Scanned}
References:
Message-ID:

Move the Default phrase to the bottom. It reads it from the top.

Christo

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Paul Houselander
Sent: Fri 11/3/2006 11:58 AM
To: MailScanner Mailing List
Subject: Could not analyze message {Virus Scanned}

Hi

I have a customer who can't receive an email from a certain domain, the message is quarantined with a quarantine report showing "Could not analyze message".

The email is very basic, plain text with no attachments.

I tried to get around this by using the Scan Messages ruleset

Scan Messages = %rule-dir%/scan.messages.rules

and set the following in scan.messages.rules

FromOrTo: default no
From: domaina.com no
FromTo: mycustomer.com yes

where domaina.com is the domain sending the email being blocked and mycustomer.com is the domain receiving.

However the message is still being quarantined.

Can anyone advise what can cause the "Could not analyze message"? or why my ruleset setup is not working?

Kind Regards

Paul

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From gordon at itnt.co.za Fri Nov 3 12:58:35 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Fri Nov 3 13:04:13 2006
Subject: Whitelist issue
References: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon>
Message-ID: <086501c6ff47$ca8d3310$0a02a8c0@Gordon>

Thanks,

1) The rule was applied by using the mailwatch interface written to mysql
2) Where can I find the bad_helo HACK?
3) I have implemented the Envelope from in MailScanner.

Regards

Gordon

----- Original Message -----
From: "Res"
To: "MailScanner discussion"
Sent: Friday, November 03, 2006 1:33 PM
Subject: Re: Whitelist issue

On Fri, 3 Nov 2006, Gordon Colyn wrote:

> ITNT Banner Campaign
> This email got through the MailScanner classified as whitelisted. The
> user
> has whitelisted from andreb@tcmwarehouse.com to sales@tcmwarehouse.com.

Can you show us how you have written the rules

> Received: from mail.sugarloafproducts.com (port=15187 helo=ewregvtneyhik)

I'd suggest you grab the bad_helo HACK and use it as well
people with legitimate mail don't throw crap like that in helos

> How can it be classified as whitelisted if the from address is
> yqhsj@sugartime.net? It scored 26.
>

Start using Envelope from in MailScanner

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away"
- Floyd

From glenn.steen at gmail.com Fri Nov 3 13:09:17 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 3 13:09:20 2006
Subject: Whitelist issue
In-Reply-To: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon>
References: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon>
Message-ID: <223f97700611030509p61ea8d2ai30e7193010d0eb47@mail.gmail.com>

On 03/11/06, Gordon Colyn wrote:
> ITNT Banner Campaign
> This email got through the MailScanner classified as whitelisted. The user
> has whitelisted from andreb@tcmwarehouse.com to sales@tcmwarehouse.com.
>
> Return-Path:

Hint #1... Pretty likely that this is actually the Envelope from (the address used in the SMTP conversation, which is the one MailScanner uses).

> Received: from sentinal2.itnt.co.za (sentinal2.itnt.co.za [196.37.112.91])
> by angel.itnt.co.za (8.13.1/8.13.1) with ESMTP id kA24PI6D015145
> (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL)
> for ; Thu, 2 Nov 2006 06:25:23 +0200
> Received: from 190.40.232.116 ([190.40.232.116])
> by sentinal2.itnt.co.za (8.13.4/8.13.4) with ESMTP id kA24O3vr027855
> for ; Thu, 2 Nov 2006 06:24:14 +0200
> Received: from mail.sugarloafproducts.com (port=15187 helo=ewregvtneyhik)
> by 190.40.232.116 with smtp
> id 3LxQg-rQaO8kf3-p7
> for sales@tcmwarehouse.com; Tue, 02 Nov 2004 23:23:53 -0500
> Message-ID: <000a01c4c15c$e4c78710$01feaa58@ewregvtneyhik>
> From: "Roy Freeman"
> To: andreb@tcmwarehouse.com

As with most headers, those two are very easily "forged". You supply them during the DATA stage of SMTP, so they are never used for actual delivery... That is the "job" of the Envelope from and to ... ("MAIL FROM:" and "RCPT TO:" respectively). So....

> Subject: break away as a sorrowful hundred reluctantly
>
> How can it be classified as whitelisted if the from address is
> yqhsj@sugartime.net? It scored 26.

As said, the headers From: and To: have little to no bearing on actual sender/recipient. You can instruct MailScanner to add those as "Envelope-From: ..." and "Envelope-To: ..." headers. The drawback with that is that you'd defeat BCC;-).

If you use MailWatch, the reported From/To (on the details page, as well as the Recent Messages page) are the envelope ones, so ... it becomes very visible what the difference is between the two (er, four:-). Especially on the details page, since you'll see the headers there too (the envelope from/to are below the headers).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ugob at camo-route.com Fri Nov 3 13:13:23 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Nov 3 13:15:38 2006
Subject: Whitelist issue
In-Reply-To: <086501c6ff47$ca8d3310$0a02a8c0@Gordon>
References: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon> <086501c6ff47$ca8d3310$0a02a8c0@Gordon>
Message-ID:

Gordon Colyn wrote:
> Thanks,
>
> 1) The rule was applied by using the mailwatch interface written to mysql

Using the headers from or the envelope from? MailScanner's white/black list features are based on envelope address.

> 2) Where can I find the bad_helo HACK?
> 3) I have implemented the Envelope from in MailScanner.
>
> Regards
>
> Gordon
>
> ----- Original Message -----
> From: "Res"
> To: "MailScanner discussion"
> Sent: Friday, November 03, 2006 1:33 PM
> Subject: Re: Whitelist issue
>
>
> On Fri, 3 Nov 2006, Gordon Colyn wrote:
>
>> ITNT Banner Campaign
>> This email got through the MailScanner classified as whitelisted. The
>> user
>> has whitelisted from andreb@tcmwarehouse.com to sales@tcmwarehouse.com.
>
> Can you show us how you have written the rules
>
>
>> Received: from mail.sugarloafproducts.com (port=15187 helo=ewregvtneyhik)
>
> I'd suggest you grab the bad_helo HACK and use it as well
> people with legitimate mail don't throw crap like that in helos
>
>
>> How can it be classified as whitelisted if the from address is
>> yqhsj@sugartime.net? It scored 26.
>>
>
> Start using Envelope from in MailScanner
>
>

From ugob at camo-route.com Fri Nov 3 13:28:01 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Nov 3 13:29:00 2006
Subject: rejecting botnets with sendmail
In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
References: <5450254EC7E7B54193C8AEFD904AA36325E538@PAT.internal.robertwalters.com>
Message-ID:

Andoni Auzmendi wrote:
> Experiencing the recent increase in spam from botnets, is there a way to
> reject (or discard) connections coming from servers containing their ip
> address within the hostname? I can see lots of connections from
> broadband or dialup addresses. Some of them even bypass greylist as
> they resend the messages several times. We use Sendmail here and I guess
> there must be a milter which is capable of doing that.

Using the latest version of milter-greylist (3.0 RC6), you can impose greylisting based on DNSbl. If you're not ready to block at sendmail based on DNSbl, this might be a softer approach.

Ugo

From steve.swaney at fsl.com Fri Nov 3 13:28:55 2006
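Added example (not part of the thread, and not MailScanner or MailWatch code): the envelope-versus-header distinction explained in the "Whitelist issue" replies above, shown on a constructed SMTP client transcript. A whitelist keyed on the envelope pair matches even though the From: header names a different sender, and the envelope recipient missing from the To: header is the kind of address Glenn's BCC remark refers to. All addresses, the transcript and the function names are constructed for this illustration.

```python
"""Compare SMTP envelope addresses with the From:/To: headers of a message."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed client side of an SMTP session (example domains only).
CONSTRUCTED_SESSION = """\
EHLO relay.example.net
MAIL FROM:<boss@customer.example> SIZE=412
RCPT TO:<sales@customer.example>
DATA
From: "Roy Freeman" <random123@bulk.example>
To: boss@customer.example
Subject: constructed sample

body text
..a dot-stuffed line
.
QUIT
"""

# The user's whitelist entry: (sender, recipient).
WHITELIST = {("boss@customer.example", "sales@customer.example")}

_MAIL = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)
_RCPT = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.IGNORECASE)


def parse_session(text):
    """Return (envelope_from, [envelope_to], message) from client commands."""
    envelope_from, envelope_to, data_lines = None, [], []
    in_data = False
    for line in text.splitlines():
        if in_data:
            if line == ".":                  # end of the DATA stage
                in_data = False
            else:                            # undo SMTP dot-stuffing
                data_lines.append(line[1:] if line.startswith(".") else line)
            continue
        match = _MAIL.match(line)
        if match:
            envelope_from = match.group(1).lower()
            continue
        match = _RCPT.match(line)
        if match:
            envelope_to.append(match.group(1).lower())
            continue
        if line.strip().upper() == "DATA":
            in_data = True
    return envelope_from, envelope_to, message_from_string("\n".join(data_lines) + "\n")


def header_view(msg):
    """Return (From: address, [To:/Cc: addresses]) as written by the sender."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sender, [addr.lower() for _, addr in getaddresses(fields)]


def whitelisted(sender, recipients, whitelist):
    """True if any (sender, recipient) pair is on the whitelist."""
    return any((sender, rcpt) in whitelist for rcpt in recipients)


def compare(session_text, whitelist):
    """Evaluate the whitelist against both views of the same message."""
    env_from, env_to, msg = parse_session(session_text)
    hdr_from, hdr_to = header_view(msg)
    return {
        "envelope_from": env_from,
        "envelope_to": env_to,
        "header_from": hdr_from,
        "header_to": hdr_to,
        "whitelisted_by_envelope": whitelisted(env_from, env_to, whitelist),
        "whitelisted_by_header": whitelisted(hdr_from, hdr_to, whitelist),
        # Recipients that exist only in the envelope (what BCC relies on).
        "envelope_only_recipients": sorted(set(env_to) - set(hdr_to)),
    }


if __name__ == "__main__":
    for key, value in compare(CONSTRUCTED_SESSION, WHITELIST).items():
        print("%-26s %s" % (key, value))
```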
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Fri Nov 3 13:29:03 2006
Subject: Not detecting some instances of viruses
In-Reply-To: <200611030529.kA35TDic014240@summitmotors.com.au>
Message-ID: <014601c6ff4c$02d94a70$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jon Bates
> Sent: Friday, November 03, 2006 12:29 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Not detecting some instances of viruses
>
>
> I'm having trouble whereby only SOME instances of the same virus are being
> identified by ClamAV.
>
> The virus is exactly the same type every time, but only some get detected -
> the rest are sent on to the user!
>
> There is no pattern that I can see - Zip files (containing infected exe),
> and plain exe files have been allowed through.
>
> I've subsequently scanned the users mailbox on the server using clamscan,
> and it DOES detect the email! For some reason, when it is scanned when the
> message is received, it's not detected.
>
> Any help would be appreciated!
>
> - Jon Bates
>

And the version of ClamAV that you are using is?

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From itlist at gmail.com Fri Nov 3 13:36:24 2006
From: itlist at gmail.com (Cheng Bruce)
Date: Fri Nov 3 13:36:29 2006
Subject: how to cache no-spam message shown its content in mailwatch
In-Reply-To: <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com>
References: <4547A142.5030204@ecs.soton.ac.uk> <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com> <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com>
Message-ID:

Hi Glenn,

Thank you so much.
I thought it only can set one function (deliver or store or ...).

Yes, I got a lot of spams.
I have setup the FuzzyOCR tonight, and I test it via "spamassassin -t < corrupted-gif.eml" and get high scores more than 10, then do "spamassassin --lint", restart mailscanner and run update SA in mailwatch (I can see the FuzzyOCR rules on screen).

But it doesn't work, the spam with gif still comes through. I thought I need to add some words in FuzzyOcr.words, but I use that gif to test it by manual, my God, it got the 23.7 scores.
I think there must be somewhere wrong in my Mailscanner.conf or spam.assassin.prefs.conf

Would you please advise me how to solve it ?

Please help me and thank you in advance.

PS: I don't mind it, but this is my fault to send you not back to the list.

2006/11/3, Glenn Steen :
>
> On 02/11/06, Cheng Bruce wrote:
> > Hi,
> > Thank you for your always kind help.
> >
> > By the way, would you please advise me how to cache the non-SPAM
> > messages in mailwatch ( Quarantine ) like SPAM messages ? due to a lot
> > of SPAMs treat as no-SPAM, I need more messages to block.
> >
> > Thank you again.
>
> If I read you right, you just need to add "store" to your "Non Spam
> Actions" (
> http://www.mailscanner.info/MailScanner.conf.index.html#Non%20Spam%20Actions
> ).
> So if you have
> Non Spam Actions = deliver header "X-Spam-Status: No"
> in /etc/MailScanner/MailScanner.conf, you'd just change it to
> Non Spam Actions = store deliver header "X-Spam-Status: No"
> ... That way all messages will end up in the quarantine (in a
> "non-spam" subdirectory).
> You'll need make a script or somesuch that clears out this, after a
> few days, so that you don't fill your disks too fast:-), at least if
> you want this to be a permanent solution. If it is just a few hours
> (to actually get to look at the false negatives, and decide what to do
> about them....), you could just do that manually;-).
>
> If these are mostly image spam, look for the ImageInfo spamassassin
> plugin from www.rulesemporium.com ... It made a world of difference
> for me!
>
> (hope you don't mind me redirecting this back to the list, since this
> is actually "on-topic";-)
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>

From ugob at camo-route.com Fri Nov 3 13:38:48 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Nov 3 13:39:36 2006
Subject: Remove SpamAssasin report in 'attachment deliver'
Message-ID:

Hi,

I'd like to know how to not have the report details in the body when using the 'attachment' action for delivering. I know there is an "Always include SpamAssassin Report" option, but I'm afraid I won't have it in the headers if I disable it.

Thanks,

Ugo

From ugob at camo-route.com Fri Nov 3 13:42:47 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Nov 3 13:45:24 2006
Subject: from and to
Message-ID:

Hi,

Sorry if this has been asked in the past, but I couldn't find the answers on the wiki or list.

Is it possible to do a ruleset like this?

From: toto@domain.com and To: domain.com yes

Thanks,

Ugo

From brian.duncan at kattenlaw.com Fri Nov 3 13:52:51 2006
From: brian.duncan at kattenlaw.com (Duncan, Brian M.)
Date: Fri Nov 3 13:53:01 2006
Subject: Question regarding FLOCK or POSIX with Sendmail 8.13.x and MailScanner.
Message-ID: <65234743FE1555428435CE39E6AC4078B38B37@CHI-US-EXCH-01.us.kmz.com>

> # ifndef HASFLOCK
> #  if LINUX_VERSION_CODE < 66399
> #   define HASFLOCK 0 /* flock(2) is broken after 0.99.13 */
> #  else /* LINUX_VERSION_CODE < 66399 */
> #   define HASFLOCK 1 /* flock(2) fixed after 1.3.95 */
> #  endif /* LINUX_VERSION_CODE < 66399 */
> # endif /* ! HASFLOCK */
>
> A quick grep reveals that HASFLOCK is not defined anywhere
> outside of include/sm/conf.h so I take it this means flock is
> the default for Linux in sendmail 8.12.11.
> Also grep -i flock on /usr/lib/sendmail gives a match.
> This type of default define is apparently not added to the
> Compiled with: output.
>
> I've run MailScanner on RHEL 2.1 for a long time, first with sendmail
> 8.11 and now with 8.12 (from RH errata). I've always used
> flock and I haven't seen any issues with it.
> It's not that I get all that much mail but my primary mx do
> process about 10-14K mails a day.
>
> -tgc

I looked and my 8.12.x box DOES NOT show hasflock in the compiled options but in the binary for sendmail it is indeed present (flock, cannot flock, HASFLOCK strings were all there).

The 8.13.x boxes DO NOT have flock anywhere in the binary.

I also checked another 8.12 box and it also does not show in the compiled options but all the flock strings I listed above are present in the Sendmail ELF binary.

Thanks for the info, it's great to be able to confirm without a doubt which of my boxes I should have posix set on.

From Denis.Beauchemin at USherbrooke.ca Fri Nov 3 14:07:23 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Nov 3 14:08:15 2006
Subject: Remove SpamAssasin report in 'attachment deliver'
In-Reply-To:
References:
Message-ID: <454B4D1B.2000807@USherbrooke.ca>

Ugo Bellavance wrote:
> Hi,
>
> I'd like to know how to not have the report details in the body
> when using the 'attachment' action for delivering. I know there is an
> "Always include SpamAssassin Report" option, but I'm afraid I won't
> have it in the headers if I disable it.
>
> Thanks,
>
> Ugo
>

Hi Ugo,

I guess you could use the following in your spam.assassin.prefs.conf to clear the default report (from "man Mail::SpamAssassin::Conf"):

clear_report_template
    Clear the report template.

report ...some text for a report...
    Set the report template which is attached to spam mail messages. See the "10_misc.cf" configuration file in "/usr/share/spamassassin" for an example.

    If you change this, try to keep it under 78 columns. Each "report" line appends to the existing template, so use "clear_report_template" to restart.

    Tags can be included as explained above.

I use a French-localized version here with:

lang fr clear_report_template
lang fr report ------------------ Début de Rapport SpamAssassin ---------------------

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From matt at coders.co.uk Fri Nov 3 14:22:59 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Fri Nov 3 14:23:28 2006
Subject: Rules query
Message-ID: <454B50C3.10308@coders.co.uk>

Seems to be the day for it!

A domain I filter for has asked me to setup the following for them:

Email from anywhere to allowedexes@domain.com is virus/spam scanned and then delivered on to the address (it is an addressable public folder on exchange). They want no file type/file name checks.

That's not a problem - however they also want to be notified to a different address (the help desk) when a message arrives (You have received an email to allowedexes from wibble@sender.com). This should not have the attachments.

They then want any other recipient of blocked content to receive a notification whilst the email is sent to a separate account (otherblocked@domain.com) with the attachments still present.

Any ideas?

I don't think you can do this with the current configuration options so it looks like a module needs writing.....

matt

From mailscanner at yeticomputers.com Fri Nov 3 15:05:23 2006
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Fri Nov 3 15:05:33 2006
Subject: Rules query
In-Reply-To: <454B50C3.10308@coders.co.uk>
References: <454B50C3.10308@coders.co.uk>
Message-ID: <454B5AB3.6010101@yeticomputers.com>

I admit to despising Exchange and avoiding it whenever possible, but I vaguely recall that Exchange itself can fire off messages according to rules when mail is received. The forwarding of the scanned stuff should be doable with Mailscanner, can you configure Exchange to send the notifications when mail hits the allowedexes and otherblocked mailboxes?

Rick

Matt Hampton wrote:
> Seems to be the day for it!
>
>
> A domain I filter for has asked me to setup the following for them:
>
>
> Email from anywhere to allowedexes@domain.com is virus/spam scanned and
> then delivered on to the address (it is an addressable public folder on
> exchange). They want no file type/file name checks.
>
> That's not a problem - however they also want to be notified to a
> different address (the help desk) when a message arrives (You have
> received an email to allowedexes from wibble@sender.com). This should
> not have the attachments.
>
>
> They then want any other recipient of blocked content to receive a
> notification whilst the email is sent to a separate account
> (otherblocked@domain.com) with the attachments still present.
>
>
> Any ideas?
>
> I don't think you can do this with the current configuration options so
> it looks like a module needs writing.....
>
>
> matt
>
>
>

From matt at coders.co.uk Fri Nov 3 15:20:58 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Fri Nov 3 15:21:24 2006
Subject: Rules query
In-Reply-To: <454B5AB3.6010101@yeticomputers.com>
References: <454B50C3.10308@coders.co.uk> <454B5AB3.6010101@yeticomputers.com>
Message-ID: <454B5E5A.8090605@coders.co.uk>

Rick Chadderdon wrote:
> I admit to despising Exchange and avoiding it whenever possible.

Join the large and friendly club :-)

> , but I
> vaguely recall that Exchange itself can fire off messages according to
> rules when mail is received. The forwarding of the scanned stuff should
> be doable with Mailscanner, can you configure Exchange to send the
> notifications when mail hits the allowedexes and otherblocked mailboxes?

Hadn't thought about that - that's a good idea.

Thanks

matt

From jase at sensis.com Fri Nov 3 16:19:21 2006
From: jase at sensis.com (Desai, Jason)
Date: Fri Nov 3 16:32:16 2006
Subject: DBD-SQLite install error?
Message-ID: <1951DC816E1A9F469307B05FA183F4385FF524@corpatsmail1.corp.sensis.com>

When I try to install MailScanner version 4.56.8 using the tar version, I get this:

============
Attempting to build and install DBD-SQLite-1.11
Unpacking perl-tar/DBD-SQLite-1.11.tar.gz
Missing file perl-tar/DBD-SQLite-1.11.tar.gz . Are you in the right directory?

Missing directory /tmp/DBD-SQLite-1.11 .
Maybe it did not build correctly?
============

I notice that DBD-SQLite-1.12.tar.gz is in the perl-tar directory. Perhaps the install scripts needs to try to install DBD-SQLite-1.12 instead of DBD-SQLite-1.11?

Jase

--
Jason Desai
Network Administrator
Sensis Corporation
jase@sensis.com
http://www.sensis.com
(315) 445-5811

From JeremyBlonde at grant.k12.ca.us Fri Nov 3 16:39:34 2006
From: JeremyBlonde at grant.k12.ca.us (Jeremy Blonde)
Date: Fri Nov 3 16:56:37 2006
Subject: MailScanner 4.56.8
Message-ID:

I've been running with AWL, Bayes, and Razor with 4.55.6. It's been running fine and it's tuned to the point that I'm not constantly keeping tabs on it.

The other night I upgraded to 4.56.8 and the SpamAssassin scores were all over the place. I noticed that SpamAssassin was now adding a number of new flags (or perhaps that's due to MailScanner), but the scores were so divergent that I had to watch it at all times because it was catching a lot of false positives. Not all messages were getting an AWL score or Bayes score. The most problematic domains were yahoo.com, comcast.net, etc., any of the ones that have a mixture of legit and spam sources.

I noticed that autolearn was working, I could see the message scores fluctuating as it learned but it was actually lowering the score on some messages that should have been learned as spam (although now that I think about it, I'll have to verify that it wasn't AWL that was lowering the score).

Is there something I'm missing with the upgrade? Do I need to clear AWL or do some tweaking of the SpamAssassin scores in order to tune this? I haven't had to tweak the SpamAssassin scores very much in the past. Also, ALL_TRUSTED is turned off and I didn't run with Razor.

Thanks,

Jeremy Blonde
Instructional Technology - Server Support
Grant Joint Union High School District

"The purpose of education is to free individuals from their personal limitations."

From ecasarero at gmail.com Fri Nov 3 16:58:38 2006
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Fri Nov 3 16:58:39 2006
Subject: DBD-SQLite install error?
In-Reply-To: <1951DC816E1A9F469307B05FA183F4385FF524@corpatsmail1.corp.sensis.com>
References: <1951DC816E1A9F469307B05FA183F4385FF524@corpatsmail1.corp.sensis.com>
Message-ID: <7d9b3cf20611030858i185d1583v3be7b811ba8d583d@mail.gmail.com>

after install.sh finish install dbdsqlite by hand, it works.

~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12#
:~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# perl Makefile.PL
:~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# make
:~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# make install

regards.

eduardo

2006/11/3, Desai, Jason :
>
> When I try to install MailScanner version 4.56.8 using the tar version,
> I get this:
>
> ============
> Attempting to build and install DBD-SQLite-1.11
> Unpacking perl-tar/DBD-SQLite-1.11.tar.gz
> Missing file perl-tar/DBD-SQLite-1.11.tar.gz . Are you in the right
> directory?
>
> Missing directory /tmp/DBD-SQLite-1.11 .
> Maybe it did not build correctly?
> ============
>
> I notice that DBD-SQLite-1.12.tar.gz is in the perl-tar directory.
> Perhaps the install scripts needs to try to install DBD-SQLite-1.12
> instead of DBD-SQLite-1.11?
>
> Jase
>
> --
> Jason Desai
> Network Administrator
> Sensis Corporation
> jase@sensis.com
> http://www.sensis.com
> (315) 445-5811
>

From jase at sensis.com Fri Nov 3 18:06:07 2006
From: jase at sensis.com (Desai, Jason)
Date: Fri Nov 3 18:07:06 2006
Subject: DBD-SQLite install error?
Message-ID: <1951DC816E1A9F469307B05FA183F4385FF532@corpatsmail1.corp.sensis.com>

Thanks for the info. I probably should have mentioned that I was able to unpack and install it manually. I just wanted to give Julian a heads up that the installer script may have a bug.

Jase

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Eduardo Casarero
> Sent: Friday, November 03, 2006 11:59 AM
> To: MailScanner discussion
> Subject: Re: DBD-SQLite install error?
>
> after install.sh finish install dbdsqlite by hand, it works.
>
>
> ~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12#
>
> :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# perl Makefile.PL
>
> :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# make
>
> :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# make install
>
> regards.
>
> eduardo
>
>
> 2006/11/3, Desai, Jason :
>
>     When I try to install MailScanner version 4.56.8 using the tar version,
>     I get this:
>
>     ============
>     Attempting to build and install DBD-SQLite-1.11
>     Unpacking perl-tar/DBD-SQLite-1.11.tar.gz
>     Missing file perl-tar/DBD-SQLite-1.11.tar.gz . Are you in the right
>     directory?
>
>     Missing directory /tmp/DBD-SQLite-1.11 .
>     Maybe it did not build correctly?
>     ============
>
>     I notice that DBD-SQLite-1.12.tar.gz is in the perl-tar directory.
>     Perhaps the install scripts needs to try to install DBD-SQLite-1.12
>     instead of DBD-SQLite-1.11?
>
>     Jase
>
>     --
>     Jason Desai
>     Network Administrator
>     Sensis Corporation
>     jase@sensis.com
>     http://www.sensis.com
>     (315) 445-5811
>
>
>

From glenn.steen at gmail.com Fri Nov 3 19:17:03 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 3 19:17:06 2006
Subject: how to cache no-spam message shown its content in mailwatch
In-Reply-To:
References: <4547A142.5030204@ecs.soton.ac.uk> <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com> <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com>
Message-ID: <223f97700611031117h7b408ebfye121c0584abe2074@mail.gmail.com>

On 03/11/06, Cheng Bruce wrote:
> Hi Glenn,
>
> Thank you so much.
> I thought it only can set one function (deliver or store or ...).
>
> Yes, I got a lot of spams.
> I have setup the FuzzyOCR tonight, and I test it via "spamassassin -t <
> corrupted-gif.eml" and get high scores more than 10, then do "spamassassin
> --lint", restart mailscanner and run update SA in mailwatch (I can see the
> FuzzyOCR rules on screen).
>
> But it doesn't work, the spam with gif still comes through. I thought I need
> to add some words in FuzzyOcr.words, but I use that gif to test it by
> manual, my God, it got the 23.7 scores.
> I think there must be somewhere wrong in my Mailscanner.conf or
> spam.assassin.prefs.conf
>
> Would you please advise me how to solve it ?
>
> Please help me and thank you in advance.

There are at least a couple of things to check when it comes to FuzzyOcr... First is the size of the snippet MailScanner sends to SpamAssassin... Make it rather large (somewhere around 350-400 KiB should do). The second is to check that FuzzyOcr actually works with the user you are running MailScanner as (mostly important for Postfix, which usually run as an unprivileged user) ... "su - postfix -s /bin/bash" and run the test there... If you are running Postfix, that is:-).

ISTR there being some debate about similar situations on the list in the last few weeks/month or so, so you might benefit from searching the list a bit (gmane is very good for this).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Nov 3 19:22:45 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 3 19:22:49 2006
Subject: from and to
In-Reply-To:
References:
Message-ID: <223f97700611031122j4bd04714jfaa4035cd9808311@mail.gmail.com>

On 03/11/06, Ugo Bellavance wrote:
> Hi,
>
> Sorry if this has been asked in the past, but I couldn't find the
> answers on the wiki or list.
>
> Is it possible to do a ruleset like this?
>
> From: toto@domain.com and To: domain.com yes
>
> Thanks,
>
> Ugo
>

Yep. Don't remember where it is documented (book, example file or what) but that would definitely work.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ka at pacific.net Fri Nov 3 19:35:28 2006
From: ka at pacific.net (Ken A) Date: Fri Nov 3 19:33:21 2006 Subject: how to cache no-spam message shown its content in mailwatch In-Reply-To: <223f97700611031117h7b408ebfye121c0584abe2074@mail.gmail.com> References: <4547A142.5030204@ecs.soton.ac.uk> <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com> <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com> <223f97700611031117h7b408ebfye121c0584abe2074@mail.gmail.com> Message-ID: <454B9A00.9040100@pacific.net> Glenn Steen wrote: > On 03/11/06, Cheng Bruce wrote: >> Hi Glenn, >> >> Thank you so much. >> I thought it only can set one function (deliver or store or ...). >> >> Yes, I got a lot of spams. >> I have setup the FuzzyOCR tonight, and I test it via " spamassassin -t < >> corrupted-gif.eml" and get high scores more than 10, then do " >> spamassassin >> --lint" , restart mailscanner and run update SA in mailwatch (I can >> see the >> FuzzyOCR rules on screen ). >> >> But it doesn't work, the spam with gif still comes through. I thought >> I need >> to add some words in FuzzyOcr.words, but I use that gif to test it by >> manual, my God, it got the 23.7 scores. >> I think there must be somewhere wrong in my Mailscanner.conf or >> spam.assassin.prefs.conf >> >> Would you please advise me how to solve it ? >> >> Please help me and thank you in advance. > > There are at least a couple of things to check when it comes to > FuzzyOcr... First is the size of the snippet MailScanner sends to > SpamAssassin... Make it rather large (somewhere around 350-400 KiB > should do). Ouch! That sounds too high to me. I've never seen a spam image over 30 or 40k, add the text and html bits and maybe 200k for luck, then set "trackback" in MailScanner.conf Ken A Pacific.Net The second is to check that FuzzyOcr actually works with > the user you are running MailScanner as (mostly important for Postfix, > which usually runs as an unprivileged user) ... "su - postfix -s > /bin/bash" and run the test there... 
If you are running Postfix, that > is:-). > ISTR there being some debate about similar situations on the list in > the last few weeks/month or so, so you might benefit from searching > the list a bit (gmane is very good for this). > From rpoe at plattesheriff.org Fri Nov 3 19:44:50 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Fri Nov 3 19:45:49 2006 Subject: Greylisting .. nice .. Message-ID: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> I've installed greylisting on 2 mail servers. On my own personal one (that was getting hit pretty hard) first for a test period, then on a client's server (as they were getting 690+ emails that made it through SA + greet pause + rbls + country blocking (they have no legitimate business in Europe or Asia). My thoughts so far are this: Why didn't I do this sooner. I've only received 3 pieces of spam since, and those three were through a trusted route (i.e. forward I get from another server for admin messages) that greylisting wouldn't catch anyway.. I used smf-grey and the install went very smoothly. Their mail volume is 1/4 of what it was, and looking at MailWatch, is either legitimate advertising (things not sent from a zombie, and were signed up for) or actual, legitimate ham email. From glenn.steen at gmail.com Fri Nov 3 19:48:12 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 3 19:48:16 2006 Subject: how to cache no-spam message shown its content in mailwatch In-Reply-To: <454B9A00.9040100@pacific.net> References: <4547A142.5030204@ecs.soton.ac.uk> <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com> <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com> <223f97700611031117h7b408ebfye121c0584abe2074@mail.gmail.com> <454B9A00.9040100@pacific.net> Message-ID: <223f97700611031148r673bb1b9r35d41de91cfc24d0@mail.gmail.com> On 03/11/06, Ken A wrote: > Glenn Steen wrote: (snip) > > > > There are at least a couple of things to check when it comes to > > FuzzyOcr... First is the size of the snippet MailScanner sends to > > SpamAssassin... Make it rather large (somewhere around 350-400 KiB > > should do). > > Ouch! That sounds too high to me. I've never seen a spam image over 30 > or 40k, add the text and html bits and maybe 200k for luck, then set > "trackback" in MailScanner.conf > Ken A > Pacific.Net > I'll admit to being in my cups a bit (oh no, not again!:-), but the reason to be "silly-large" isn't _for the spams_, it is to make real images pass without triggering FuzzyOcr (and others) in error. Or perhaps I'm hallucinating badly (shouldn't be, that was a nice Kiwi white ("Vicars choice", very nice, if a bit "fruity")). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ralloway at winbeam.com Fri Nov 3 21:27:16 2006 
From: ralloway at winbeam.com (Richard D Alloway) Date: Fri Nov 3 21:29:51 2006 Subject: Non-spam MailScanner score logging? In-Reply-To: <454A64B0.2090908@evi-inc.com> References: <454A64B0.2090908@evi-inc.com> Message-ID: Boy is my face red! :) Thanks for pointing out where the option is in MailScanner.conf, Matt! -Rich On Thu, 2 Nov 2006, Matt Kettler wrote: > Richard D Alloway wrote: >> >> Hi! >> >> I'd like MailScanner to log the SpamAssassin scores for messages that >> don't score above the "Required SpamAssassin Score" or "High >> SpamAssassin Score". >> >> An example: >> >> Nov 2 04:20:19 192.168.1.4 MailScanner[27161]: Message kA29K2Wt004173 >> from xx.xx.xx.xx (xxxxxx@xxxxxxx) to xxxxx.net is spam, SpamAssassin >> (not cached, score=4.531, required 4, BAYES_50 2.00, HTML_MESSAGE 0.00, >> MIME_HEADER_CTYPE_ONLY 0.00, MIME_HTML_ONLY 0.00, MSGID_FROM_MTA_HEADER >> 0.00, MSGID_FROM_MTA_ID 1.39, NORMAL_HTTP_TO_IP 0.17, NO_REAL_NAME 0.96) >> >> I'd like to see the same report for non-spam emails. > > In MailScanner.conf find the "Log Non Spam" entry and change it to "yes". > > >> Since only about 10% of our incoming email is legit, this should only >> incur a very slight increase in total system load. > > Agree.. I keep it on myself. > > >> I've looked through the MailScanner.conf file and can't find a way to >> turn it on... am I missing something or is this a feature than can be >> added on a future release? > > It's there, you just missed it. > From mkettler at evi-inc.com Fri Nov 3 21:44:44 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Nov 3 21:44:56 2006 Subject: Non-spam MailScanner score logging? In-Reply-To: References: <454A64B0.2090908@evi-inc.com> Message-ID: <454BB84C.7010809@evi-inc.com> Richard D Alloway wrote: > > Boy is my face red! :) > > Thanks for pointing out where the option is in MailScanner.conf, Matt! > > -Rich Hey, that's an awfully big forest. It's not too shocking you missed one tree in there :) From jase at sensis.com Fri Nov 3 22:26:37 2006 
From: jase at sensis.com (Desai, Jason) Date: Fri Nov 3 22:27:46 2006 Subject: MCP Issue Message-ID: <1951DC816E1A9F469307B05FA183F4385FF553@corpatsmail1.corp.sensis.com> > I'm running MS v 4.56.6 and just noticed a strange error > today. I have MCP setup to catch a few derogatory terms. More > for testing purposes than actual use. It rarely gets any > hits. But today it is consistently hitting one person. The > funny thing it is matching on rules in the spam rules and not > the MCP rules. The last message had the following from > MailWatch for Spam: [snip] > In the MCP section: > > MCP Score: 4.61 > MCP Report: Score Matching Rule Description > ALL_TRUSTED > FORGED_OUTLOOK_HTML > FORGED_OUTLOOK_TAGS > HTML_MESSAGE > MIME_HTML_ONLY > SUBJ_ALL_CAPS > > I'm confused how the MCP section is suddenly matching my SA > rules instead of the ones I created for MCP? I came across the same thing today. I think it has to do with sa-update and SpamAssassin Local State Dir setting. I did not have this problem until I ran sa-update. 
Running in debug mode, in the MCP section I see:
[snip]
[26038] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules pre files
[26038] dbg: config: using "/var/lib/spamassassin/3.001007" for sys rules pre files
[26038] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
[26038] dbg: config: using "/var/lib/spamassassin/3.001007" for default rules dir
[26038] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
[26038] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules dir
[26038] dbg: config: read file /opt/MailScanner/etc/mcp/10_example.cf
[26038] dbg: config: using "/opt/MailScanner/etc/mcp/mcp.spam.assassin.prefs.conf" for user prefs file
[26038] dbg: config: read file /opt/MailScanner/etc/mcp/mcp.spam.assassin.prefs.conf
[26038] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/empty.pre
[snip]
So it looks like the MCP SpamAssassin run is pulling rules from the sa-update rules. Julian, should there be a "MCP SpamAssassin Local State Dir" setting so that we can disable this, or force it to another directory? Or is there another work around? For the time being, I have renamed /var/lib/spamassassin/3.001007 and stopped running sa-update. Jase From gdoris at rogers.com Sat Nov 4 00:03:21 2006 
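A check for the situation Jason Desai describes above, as an added example that is not part of his post or of MailScanner: it parses SpamAssassin debug lines like the ones he quotes and lists every rules location and file that the MCP run loaded from outside the MCP directory. The function names and the choice of /opt/MailScanner/etc/mcp as the only allowed directory are assumptions of this example; the sample lines are the ones quoted in the post.

```python
import posixpath
import re

# Debug lines as quoted in the post (MCP section of a MailScanner debug run).
SAMPLE = '''\
[26038] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules pre files
[26038] dbg: config: using "/var/lib/spamassassin/3.001007" for sys rules pre files
[26038] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
[26038] dbg: config: using "/var/lib/spamassassin/3.001007" for default rules dir
[26038] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
[26038] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules dir
[26038] dbg: config: read file /opt/MailScanner/etc/mcp/10_example.cf
[26038] dbg: config: using "/opt/MailScanner/etc/mcp/mcp.spam.assassin.prefs.conf" for user prefs file
[26038] dbg: config: read file /opt/MailScanner/etc/mcp/mcp.spam.assassin.prefs.conf
[26038] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/empty.pre
'''

USING = re.compile(r'dbg: config: using "([^"]+)" for (.+?)\s*$')
READ = re.compile(r'dbg: config: read file (\S+)')


def parse_config(lines):
    """Return ({role: path}, [files read]) from 'dbg: config:' lines."""
    roles, files = {}, []
    for line in lines:
        m = USING.search(line)
        if m:
            roles[m.group(2)] = m.group(1)
            continue
        m = READ.search(line)
        if m:
            files.append(m.group(1))
    return roles, files


def inside(path, directory):
    """True when path is the directory itself or lies beneath it."""
    path, directory = posixpath.normpath(path), posixpath.normpath(directory)
    try:
        return posixpath.commonpath([path, directory]) == directory
    except ValueError:            # mixed absolute and relative paths
        return False


def audit_mcp_run(lines, mcp_dir):
    """Report rule locations and files the MCP run took from outside mcp_dir."""
    roles, files = parse_config(lines)
    foreign_roles = {r: p for r, p in roles.items() if not inside(p, mcp_dir)}
    foreign_files = [f for f in files if not inside(f, mcp_dir)]
    return foreign_roles, foreign_files


if __name__ == "__main__":
    roles, files = audit_mcp_run(SAMPLE.splitlines(), "/opt/MailScanner/etc/mcp")
    for role, path in sorted(roles.items()):
        print(f"MCP run uses {path} for {role}")
    for f in files:
        print(f"MCP run read non-MCP file {f}")
```

Feeding it the debug output captured after a configuration change shows whether the MCP run still reads anything under the sa-update state directory.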
From: gdoris at rogers.com (Gerry Doris) Date: Sat Nov 4 00:03:39 2006 Subject: mailscanner-mrtg graph labels Message-ID: <000b01c6ffa4$a4794c10$670a000a@dorfam.ca> I upgraded my system from Fedora Core 4 to 6 last weekend. Surprisingly it went quite well. I thought everything was working properly until I noticed that two of the mailscanner-mrtg graphs have their labels messed up. The data looks correct. The two messed up graphs are Mail Transferred and Memory. It is the top level as well as the detail graphs. The vertical legend for each is showing the number scale followed by the letters M,G,T,P spread out into the graph area for each number. This has been working perfectly for ages...I think? Has anyone else noticed this? I'm using 0.10.00. I upgraded to the unstable version 11 but it didn't make a difference. From imiller at bsd.uchicago.edu Sat Nov 4 01:34:41 2006 
From: imiller at bsd.uchicago.edu (Ian Miller) Date: Sat Nov 4 01:34:49 2006 Subject: Solaris errors Message-ID: <1162604081.454bee31bdbab@webemail.bsd.uchicago.edu> I am running solaris 9 with perl 5.8.8 and just upgraded to the latest MailScanner and I received this error on start # ./MailScanner Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: /opt/MailScanner/lib /usr/local/lib/perl5/5.8.8/sun4-solaris /usr/local/lib/perl5/5.8.8 /usr/local/lib/perl5/site_perl/5.8.8/sun4-solaris /usr/local/lib/perl5/site_perl/5.8.8 /usr/local/lib/perl5/site_perl/5.8.5/sun4-solaris /usr/local/lib/perl5/site_perl/5.8.5 /usr/local/lib/perl5/site_perl . /opt/MailScanner/lib) at ./MailScanner line 67. BEGIN failed--compilation aborted at ./MailScanner line 67. Has anyone else run across this thanks -Ian This e-mail and any attachments may contain privileged and confidential information for use only by the intended recipient. If you have received this e-mail in error, please delete the e-mail and all copies thereof and notify us by e-mail or a collect call to our office; do not forward the e-mail. From res at ausics.net Sat Nov 4 01:44:37 2006 From: res at ausics.net (Res) Date: Sat Nov 4 01:44:45 2006 Subject: Whitelist issue In-Reply-To: <086501c6ff47$ca8d3310$0a02a8c0@Gordon> References: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon> <086501c6ff47$ca8d3310$0a02a8c0@Gordon> Message-ID: On Fri, 3 Nov 2006, Gordon Colyn wrote: > 1) The rule was applied by using the mailwatch interface written to mysql ok i cant help on this one dont use mailwatch > 2) Where can I find the bad_helo HACK? http://support.ausics.net/block_bad_helo.m4 > 3) I have implemented the Envelope from in MailScanner. OK, that sounds right, maybe thats what they were presenting. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sat Nov 4 01:48:21 2006 
From: res at ausics.net (Res) Date: Sat Nov 4 01:48:30 2006 Subject: Greylisting .. nice .. In-Reply-To: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> Message-ID: On Fri, 3 Nov 2006, Rob Poe wrote: > My thoughts so far are this: Why didn't I do this sooner. Its going to be pointless soon, problem is, as more and more people do this, it wont be long before the common garden variety spammers smtp engine will also retry on 4xx errors, id give it a year tops (if some of them are not already doing it) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From csweeney at osubucks.org Sat Nov 4 01:51:49 2006 From: csweeney at osubucks.org (Chris Sweeney) Date: Sat Nov 4 01:52:03 2006 Subject: Greylisting .. nice .. In-Reply-To: References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> Message-ID: <454BF235.3040406@osubucks.org> Yes but even when they do, it will still serve the purpose of slowing them down. They are only making good money sending millions of ads at a time, if we can make them wait, it puts a terrible burden on them. Res wrote: > On Fri, 3 Nov 2006, Rob Poe wrote: > >> My thoughts so far are this: Why didn't I do this sooner. > > Its going to be pointless soon, problem is, as more and more people do > this, it wont be long before the common garden variety spammers smtp > engine > will also retry on 4xx errors, id give it a year tops (if some of them > are not already doing it) > > > From itlist at gmail.com Sat Nov 4 03:59:58 2006 
From: itlist at gmail.com (Cheng Bruce) Date: Sat Nov 4 04:00:00 2006 Subject: how to cache no-spam message shown its content in mailwatch In-Reply-To: References: <4547A142.5030204@ecs.soton.ac.uk> <223f97700611010159y2b8e8af1u10d2ed480f9ef6eb@mail.gmail.com> <223f97700611022357w7744664dsd16ee4ab74b068af@mail.gmail.com> <223f97700611031117h7b408ebfye121c0584abe2074@mail.gmail.com> Message-ID: Hi Glenn, Sorry. I figure out it. and it runs fine. I have checked it. Everything works after I configured "SpamAssassin Local State Dir =" and removed "SpamAssassin Prefs File = %etc-dir%/spam.assassin.prefs.conf". Thank you for your always helping us. by the way, I don't see the FuzzyOcr.log generated by SA. Is there something wrong in setting ? I still can't understand these meanings, I will read the document again. I mis-understand these meaning as following SpamAssassin User State Dir = SpamAssassin Install Prefix = SpamAssassin Local Rules Dir = SpamAssassin Local State Dir = SpamAssassin Default Rules Dir = 2006/11/4, Cheng Bruce : > Hi Glenn, > > Sorry for sending to your private mailbox. > I know this is not right to send into your mailbox, but I really have > a big problem there, and I am still searching in Gname and Google. > > After I solve my problem, I will re-post what I did so that someone > meet the same problem like me could be solved. > > I have tried to increase the size into 100K, but before I did that, I > think that is not main reason, because I checked all spams with gif > (more than 2K messages in two days), the size belows under 30KB. From jrudd at ucsc.edu Sat Nov 4 05:12:54 2006 
From: jrudd at ucsc.edu (John Rudd) Date: Sat Nov 4 05:16:44 2006 Subject: Greylisting .. nice .. In-Reply-To: References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> Message-ID: <454C2156.6010902@ucsc.edu> Res wrote: > On Fri, 3 Nov 2006, Rob Poe wrote: > >> My thoughts so far are this: Why didn't I do this sooner. > > Its going to be pointless soon, problem is, as more and more people do > this, it wont be long before the common garden variety spammers smtp engine > will also retry on 4xx errors, id give it a year tops (if some of them > are not already doing it) > Defeating Greylisting is almost trivial. I even outlined how to do it on the SA list at one point (because I thought someone was trying to use it on me, even though I don't use greylisting). I'd be surprised if takes a full year to see it in the field. I'd be surprised if some botnets aren't already adapting to it. From jrudd at ucsc.edu Sat Nov 4 05:14:34 2006 
From: jrudd at ucsc.edu (John Rudd) Date: Sat Nov 4 05:20:29 2006 Subject: Greylisting .. nice .. In-Reply-To: <454BF235.3040406@osubucks.org> References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> <454BF235.3040406@osubucks.org> Message-ID: <454C21BA.7000607@ucsc.edu> They don't really have to do that much waiting. Esp. for all of you who are setting your retry time to mere seconds. Chris Sweeney wrote: > Yes but even when they do, it will still serve the purpose of slowing > them down. They are only making good money sending millions of ads at a > time, if we can make them wait, it puts a terrible burden on them. > > Res wrote: >> On Fri, 3 Nov 2006, Rob Poe wrote: >> >>> My thoughts so far are this: Why didn't I do this sooner. >> Its going to be pointless soon, problem is, as more and more people do >> this, it wont be long before the common garden variety spammers smtp >> engine >> will also retry on 4xx errors, id give it a year tops (if some of them >> are not already doing it) >> >> >> From gordon at itnt.co.za Sat Nov 4 05:44:43 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Sat Nov 4 05:50:12 2006 Subject: Whitelist issue References: <003f01c6ff29$7c28d2b0$0a02a8c0@Gordon><086501c6ff47$ca8d3310$0a02a8c0@Gordon> Message-ID: <00f101c6ffd4$55526290$0d02a8c0@Gordon> Excellent, thanks ----- Original Message ----- 
From: "Res" To: "MailScanner discussion" Sent: Saturday, November 04, 2006 3:44 AM Subject: Re: Whitelist issue On Fri, 3 Nov 2006, Gordon Colyn wrote: > 1) The rule was applied by using the mailwatch interface written to mysql ok i cant help on this one dont use mailwatch > 2) Where can I find the bad_helo HACK? http://support.ausics.net/block_bad_helo.m4 > 3) I have implemented the Envelope from in MailScanner. OK, that sounds right, maybe thats what they were presenting. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mailscanner at mango.zw Sat Nov 4 06:53:19 2006 From: mailscanner at mango.zw (Jim Holland) Date: Sat Nov 4 06:51:39 2006 Subject: Greylisting .. nice .. In-Reply-To: Message-ID: On Sat, 4 Nov 2006, Res wrote: > Date: Sat, 4 Nov 2006 11:48:21 +1000 (EST) 
> From: Res > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: Greylisting .. nice .. > > On Fri, 3 Nov 2006, Rob Poe wrote: > > > My thoughts so far are this: Why didn't I do this sooner. > > Its going to be pointless soon, problem is, as more and more people do > this, it wont be long before the common garden variety spammers smtp > engine will also retry on 4xx errors, id give it a year tops (if some of > them are not already doing it) My objection to it is not that it doesn't work, but that it makes all genuine mail servers work twice as hard to deliver mail. I like having an outgoing mail queue as clean as possible, and the greylisters mean multiple retry attempts before the mail can be delivered. The more people adopt it the harder it is going to get for the rest of us. And if the spammers adapt to it then we are all going to face a massive increase in the number of connection attempts they make on us to defeat greylisting, and Internet bandwidth will become even more congested than it is at the moment. It reminds me of the arguments for keeping a gun in the house - "I just want to make sure that I can protect my family against a dangerous world". But if everyone did just that the world would become an even more dangerous place. There are definitely no guns in my house. Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From mailscanner at mango.zw Sat Nov 4 07:27:13 2006 
From: mailscanner at mango.zw (Jim Holland) Date: Sat Nov 4 07:25:33 2006 Subject: Greylisting .. nice .. In-Reply-To: Message-ID: On Sat, 4 Nov 2006, Jim Holland wrote: > My objection to it is not that it doesn't work, but that it makes all > genuine mail servers work twice as hard to deliver mail. I like having an > outgoing mail queue as clean as possible, and the greylisters mean > multiple retry attempts before the mail can be delivered. The more people > adopt it the harder it is going to get for the rest of us. And if the > spammers adapt to it then we are all going to face a massive increase in > the number of connection attempts they make on us to defeat greylisting, > and Internet bandwidth will become even more congested than it is at the > moment. > > It reminds me of the arguments for keeping a gun in the house - "I just > want to make sure that I can protect my family against a dangerous world". > But if everyone did just that the world would become an even more > dangerous place. > > There are definitely no guns in my house. I forgot to mention - we do have: Guards in the street outside (but no guns) A high wall protected by thorns An electric gate Guards inside the grounds (but no guns) Burglar bars on the windows Security grilles on the doors Motion sensors etc in critical places A siren in the roof A radio alarm connected to a security firm and A bullet hole in our front window from a raid by state security chasing my politically active wife But this is Zimbabwe after all . . . Regards Jim Holland System Administrator MANGO - Zimbabwe's non-profit e-mail service From r.berber at computer.org Sat Nov 4 08:58:44 2006 
From: r.berber at computer.org (René Berber) Date: Sat Nov 4 08:59:00 2006 Subject: Greylisting .. nice .. In-Reply-To: References: Message-ID: Jim Holland wrote: [snip] > My objection to it is not that it doesn't work, but that it makes all > genuine mail servers work twice as hard to deliver mail. I like having an > outgoing mail queue as clean as possible, and the greylisters mean > multiple retry attempts before the mail can be delivered.[snip] You are wrong, it is not twice as much work, not even near. Worst case is that you get greylisted once per recipient/sender pair, that's it. With milter-gris I use the option of only greylisting dynamic IPs and those that don't have a valid reverse. And bottom line: about 90% of the spam just disappeared. -- René Berber From martinh at solidstatelogic.com Sat Nov 4 09:27:31 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Sat Nov 4 09:27:48 2006 Subject: MailScanner 4.56.8 In-Reply-To: References: Message-ID: <454C5D03.9020703@solidstatelogic.com> Jeremy Blonde wrote: > I've been running with AWL, Bayes, and Razor with 4.55.6. It's been > running fine and it's tuned to the point that I'm not constantly keeping > tabs on it. > > The other night I upgraded to 4.56.8 and the SpamAssassin scores were > all over the place. I noticed that SpamAssassin was now adding a number > of new flags (or perhaps that's due to MailScanner), but the scores were > so divergent that I had to watch it at all times because it was catching > a lot of false positives. Not all messages were getting an AWL score or > Bayes score. The most problematic domains were yahoo.com, comcast.net, > etc., any of the ones that have a mixture of legit and spam sources. I > noticed that autolearn was working, I could see the message scores > fluctuating as it learned but it was actually lowering the score on some > messages that should have been learned as spam (although now that I > think about it, I'll have to verify that it wasn't AWL that was lowering > the score). > > Is there something I'm missing with the upgrade? Do I need to clear AWL > or do some tweaking of the SpamAssassin scores in order to tune this? I > haven't had to tweak the SpamAssassin scores very much in the past. > Also, ALL_TRUSTED is turned off and I didn't run with Razor. > > Thanks, > Jeremy Blonde > Instructional Technology - Server Support > Grant Joint Union High School District > > > > > "The purpose of education is to free individuals from their personal limitations." Jeremy personally I find AWL a waste of time and often leads to SA not spotting spam. Others find it works, but a lot of people (like me) find it's only useful for small end-user populations (less than 10). I turn it off by disabling the plugin in init.pre. 
I'd check your trusted_networks etc in spam.assassin.prefs.conf is OK, as that seems to be the cause of lots of AWL problems. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at solidstatelogic.com Sat Nov 4 09:28:28 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Sat Nov 4 09:28:36 2006 Subject: Not detecting some instances of viruses In-Reply-To: <200611030529.kA35TDic014240@summitmotors.com.au> References: <200611030529.kA35TDic014240@summitmotors.com.au> Message-ID: <454C5D3C.6090109@solidstatelogic.com> Jon Bates wrote: > I'm having trouble whereby only SOME instances of the same virus are being > identified by ClamAV. > > The virus is exactly the same type every time, but only some get detected - > the rest are sent on to the user! > > There is no pattern that I can see - Zip files (containing infected exe), > and plain exe files have been allowed through. > > I've subsequently scanned the users mailbox on the server using clamscan, > and it DOES detect the email! For some reason, when it is scanned when the > message is received, it's not detected. > > Any help would be appreciated! > > - Jon Bates > Jon do you 'archive' or quarantine these emails so you can replay them at a later date? If not I'd start doing this, so you can debug. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From res at ausics.net Sat Nov 4 10:23:05 2006 
From: res at ausics.net (Res) Date: Sat Nov 4 10:23:13 2006 Subject: Greylisting .. nice .. In-Reply-To: <454C2156.6010902@ucsc.edu> References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> <454C2156.6010902@ucsc.edu> Message-ID: On Fri, 3 Nov 2006, John Rudd wrote: > Defeating Greylisting is almost trivial. I even outlined how to do it on the > SA list at one point (because I thought someone was trying to use it on me, > even though I don't use greylisting). I'd be surprised if takes a full year > to see it in the field. I'd be surprised if some botnets aren't already > adapting to it. Exactly, which is why I honestly can not see the hype of it. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sat Nov 4 10:30:04 2006 From: res at ausics.net (Res) Date: Sat Nov 4 10:30:10 2006 Subject: Greylisting .. nice .. In-Reply-To: References: Message-ID: On Sat, 4 Nov 2006, Jim Holland wrote: > My objection to it is not that it doesn't work, but that it makes all > genuine mail servers work twice as hard to deliver mail. I like having an > outgoing mail queue as clean as possible, and the greylisters mean This is the biggest point of it, the people trying to get everyone using greylisting obviously dont see much mail or don't have impatient whinging @!#$@#$'s as customers It seems to be a big thing with the postmix (intended pun) users for some reason. > multiple retry attempts before the mail can be delivered. The more people I also still see hotmail not resending on a 4xx errors as well. > There are definitely no guns in my house. nor here, just an attack trained anti social rottweiler :P -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sat Nov 4 10:31:06 2006 
From: res at ausics.net (Res) Date: Sat Nov 4 10:31:11 2006 Subject: Greylisting .. nice .. In-Reply-To: References: Message-ID: On Sat, 4 Nov 2006, Jim Holland wrote: > I forgot to mention - we do have: > > Guards in the street outside (but no guns) > A high wall protected by thorns > An electric gate > Guards inside the grounds (but no guns) > Burglar bars on the windows > Security grilles on the doors > Motion sensors etc in critical places > A siren in the roof > A radio alarm connected to a security firm > and > A bullet hole in our front window from a raid by state security > chasing my politically active wife > > But this is Zimbabwe after all . . . lol, looks like you got everything else BUT the guns :) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From robert at ml.erje.net Sat Nov 4 10:42:49 2006 From: robert at ml.erje.net (Robert Joosten) Date: Sat Nov 4 10:43:46 2006 Subject: Greylisting .. nice .. In-Reply-To: References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> <454C2156.6010902@ucsc.edu> Message-ID: <20061104104249.GA1082@iphouse.com> Hi, > >Defeating Greylisting is almost trivial. > >I'd be surprised if some botnets aren't already adapting to it. > Exactly, which is why I honestly can not see the hype of it. It's not a hype, it just works. Spamfighters develop one method, they counteract.... simple huh ? It goes on and on and on and on and ... Cheers, Robert From dhawal at netmagicsolutions.com Sat Nov 4 10:48:24 2006 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Sat Nov 4 10:48:47 2006 Subject: Greylisting .. nice .. In-Reply-To: References: Message-ID: <454C6FF8.9000300@netmagicsolutions.com> Res wrote: > On Sat, 4 Nov 2006, Jim Holland wrote: > >> My objection to it is not that it doesn't work, but that it makes all >> genuine mail servers work twice as hard to deliver mail. I like >> having an >> outgoing mail queue as clean as possible, and the greylisters mean > > This is the biggest point of it, the people trying to get everyone using > greylisting obviously dont see much mail or don't have impatient > whinging @!#$@#$'s as customers > > It seems to be a big thing with the postmix (intended pun) users > for some reason. Us postmix users use selective greylisting ;-) See http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_greylisting.shtml I kinda agree that simply greylisting is not as effective as before. However a combination of policyd-weight (rbl+rhsbl scoring) + selective greylisting still works wonders in my setup.. i would suggest separating out the incoming from the outgoing (logically if not physically) and add p0f support at the incoming iptables level to reject desktop OSes (thereby taking care of most botnets). See below links for a hint. http://www.snertsoft.com/sendmail/milter-p0f/ http://kmlinux.fjfi.cvut.cz/~vokac/activities/ppolicy/ - dhawal From res at ausics.net Sat Nov 4 12:32:33 2006 
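The greylisting behaviour debated in this thread, as an added example that is not part of any poster's message: a triplet-based greylist with the selective mode René Berber and Dhawal Doshy describe (only clients with no reverse DNS or a dynamic-looking one are deferred), plus a sender simulation that counts how many delivery attempts a legitimate server needs. The delay values, the PTR heuristic, the class and function names and all addresses are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Greylisted, try again later"
ACCEPT = "250 2.0.0 OK"

# Heuristic (assumption of this example): PTR names that look like access lines.
DYNAMIC_PTR = re.compile(
    r"(^|[.\-\d])(dyn|dynamic|a?dsl|dhcp|pool|ppp|cable|dialup)([.\-\d]|$)", re.I)


def looks_untrusted(ptr):
    """True when the client has no reverse DNS or a dynamic-looking one."""
    return ptr is None or bool(DYNAMIC_PTR.search(ptr))


@dataclass
class Greylist:
    min_delay: int = 300           # seconds before a retry is accepted
    pending_ttl: int = 4 * 3600    # an unretried triplet is forgotten after this
    passed_ttl: int = 35 * 86400   # a confirmed triplet stays known this long
    selective: bool = False        # True: only defer clients that look untrusted
    pending: dict = field(default_factory=dict)  # triplet -> time first seen
    passed: dict = field(default_factory=dict)   # triplet -> time last seen

    def check(self, now, client_ip, sender, recipient, ptr=None):
        """Return the SMTP reply for one RCPT TO at time `now` (seconds)."""
        if self.selective and not looks_untrusted(ptr):
            return ACCEPT
        key = (client_ip, sender.lower(), recipient.lower())
        last = self.passed.get(key)
        if last is not None and now - last <= self.passed_ttl:
            self.passed[key] = now
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.pending_ttl:
            self.pending[key] = now        # new or expired triplet: start the clock
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                # retried before the delay elapsed
        del self.pending[key]
        self.passed[key] = now
        return ACCEPT


def deliver(gl, start, retry_offsets, client_ip, sender, recipient, ptr=None):
    """Simulate a sending MTA; return (attempts, delay) or (attempts, None)."""
    for n, offset in enumerate(retry_offsets, start=1):
        reply = gl.check(start + offset, client_ip, sender, recipient, ptr)
        if reply == ACCEPT:
            return n, offset
    return len(retry_offsets), None


if __name__ == "__main__":
    gl = Greylist(min_delay=300)
    mta = ("192.0.2.10", "alice@example.org", "bob@example.net", "mail.example.org")
    schedule = [0, 60, 900]                # constructed retry schedule, in seconds
    print("first message :", deliver(gl, 0, schedule, *mta))
    print("second message:", deliver(gl, 5000, schedule, *mta))
    print("no-retry sender:", deliver(gl, 0, [0], "203.0.113.5",
                                      "x@example.com", "bob@example.net"))
    sel = Greylist(selective=True)
    print("selective, static PTR:", sel.check(0, *mta))
```

With these constructed values the extra attempts fall only on the first message of a triplet, and a sender that never retries is never accepted; lowering `min_delay` shrinks the wait for every sender alike.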
From: res at ausics.net (Res) Date: Sat Nov 4 12:32:42 2006 Subject: Greylisting .. nice .. In-Reply-To: <20061104104249.GA1082@iphouse.com> References: <454B47D3020000A200003FA5@platteco-2.plattesheriff.org> <454C2156.6010902@ucsc.edu> <20061104104249.GA1082@iphouse.com> Message-ID: On Sat, 4 Nov 2006, Robert Joosten wrote: > Hi, > >>> Defeating Greylisting is almost trivial. >>> I'd be surprised if some botnets aren't already adapting to it. >> Exactly, which is why I honestly can not see the hype of it. > > It's not a hype, it just works. > > Spamfighters develop one method, they counteract.... simple huh ? It goes > on and on and on and on and ... exactly my point, it's all crud and not worth it, grey listing is hardly anti spam it's just a nuisance delay for those whose servers already work their butts off -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Sat Nov 4 12:34:51 2006
From: res at ausics.net (Res) Date: Sat Nov 4 12:34:57 2006 Subject: Greylisting .. nice .. In-Reply-To: <454C6FF8.9000300@netmagicsolutions.com> References: <454C6FF8.9000300@netmagicsolutions.com> Message-ID: On Sat, 4 Nov 2006, Dhawal Doshy wrote: > Res wrote: >> On Sat, 4 Nov 2006, Jim Holland wrote: >> >>> My objection to it is not that it doesn't work, but that it makes all >>> genuine mail servers work twice as hard to deliver mail. I like having an >>> outgoing mail queue as clean as possible, and the greylisters mean >> >> This is the biggest point of it, the people trying to get everyone using >> greylisting obviously dont see much mail or don't have impatient whinging >> @!#$@#$'s as customers >> >> It seems to be a big thing with the postmix (intended pun) users >> for some reason. > > Us postmix users use selective greylisting ;-) See > http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_greylisting.shtml > > I kinda agree that simply greylisting is not as effective as before. However > a combination of policyd-weight (rbl+rhsbl scoring) + selective greylisting > still works wonders in my setup.. I use RBL's in MTA rather than score them, if it's trash the less resources of mine I allow them to use the better :) > > i would suggest separating out the incoming from the outgoing (logically if > not physically) and add p0f support at the incoming iptables level to reject > desktop OSes (thereby taking care of most botnets). See below links for a > hint. > http://www.snertsoft.com/sendmail/milter-p0f/ > http://kmlinux.fjfi.cvut.cz/~vokac/activities/ppolicy/ > > - dhawal > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From tenderby at mailwash.com.au Sat Nov 4 13:17:13 2006
From: tenderby at mailwash.com.au (Tony Enderby) Date: Sat Nov 4 13:17:48 2006 Subject: out of curiosity: reload and restart In-Reply-To: References: Message-ID: <454C92D9.5070308@mailwash.com.au> Sven De Troch wrote: >On Wed, 1 Nov 2006 20:07:15 -0600, "Mike Kercher" >wrote: > > > >>>So if I understand you well, if I modify the access file >>>(something I need to do very often) and I do a 'make -C >>>/etc/mail' afterwards, I wouldn't have to restart sendmail >>>(and thus not MailScanner neither)? >>> >>> >>>-- >>>Met vriendelijke groeten, >>>Sven De Troch >>> >>>----- Nood aan een degelijke hosting partner? ----- >>> -- Meer info op http://www.sitehosting.be -- >>> >>> >>That is correct. I modify my access file all the time and don't restart >>anything. >> >>Mike >> >> > >Thanks for all answers! >A little extra question for the people using the access file on a >daily base. > >We need to add domains to this file almost every day and I'd like to >give this task to people without ssh access to the server. I would >like to give them some kind of webinterface where they can add (or >remove) a line in the access file. Anyone has already built something >like this (I'm not a developer myself) or is there something freely >available somewhere? > > > http://www.webmin.com/ Has a sendmail module with web frontend for the access.db file. ----------------------------------------------------------------------------------- Scanned by MailWash Australia - http://www.mailwash.com.au ----------------------------------------------------------------------------------- From alex at nkpanama.com Sat Nov 4 14:21:12 2006
From: alex at nkpanama.com (Alex Neuman) Date: Sat Nov 4 14:21:56 2006 Subject: Not detecting some instances of viruses In-Reply-To: <200611030529.kA35TDic014240@summitmotors.com.au> References: <200611030529.kA35TDic014240@summitmotors.com.au> Message-ID: <454CA1D8.3080004@nkpanama.com> Jon Bates wrote: > I'm having trouble whereby only SOME instances of the same virus are being > identified by ClamAV. > > The virus is exactly the same type every time, but only some get detected - > the rest are sent on to the user! > > There is no pattern that I can see - Zip files (containing infected exe), > and plain exe files have been allowed through. > > I've subsequently scanned the users mailbox on the server using clamscan, > and it DOES detect the email! For some reason, when it is scanned when the > message is received, it's not detected. > > Any help would be appreciated! > > - Jon Bates > > You shouldn't be allowing EXEs in the first place, I think. From martinh at solidstatelogic.com Sat Nov 4 16:04:02 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Sat Nov 4 16:04:20 2006 Subject: Not detecting some instances of viruses In-Reply-To: <454CA1D8.3080004@nkpanama.com> References: <200611030529.kA35TDic014240@summitmotors.com.au> <454CA1D8.3080004@nkpanama.com> Message-ID: <454CB9F2.60505@solidstatelogic.com> Alex Neuman wrote: > Jon Bates wrote: >> I'm having trouble whereby only SOME instances of the same virus are >> being >> identified by ClamAV. >> >> The virus is exactly the same type every time, but only some get >> detected - >> the rest are sent on to the user! >> >> There is no pattern that I can see - Zip files (containing infected exe), >> and plain exe files have been allowed through. >> >> I've subsequently scanned the users mailbox on the server using clamscan, >> and it DOES detect the email! For some reason, when it is scanned when >> the >> message is received, it's not detected. >> Any help would be appreciated! >> >> - Jon Bates >> >> > You shouldn't be allowing EXEs in the first place, I think. if you work with Windows developers then I'm afraid you have to! We do this selectively of course! -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From imiller at bsd.uchicago.edu Sat Nov 4 16:58:20 2006 
From: imiller at bsd.uchicago.edu (Ian Miller) Date: Sat Nov 4 16:58:39 2006 Subject: Solaris errors In-Reply-To: <1162604081.454bee31bdbab@webemail.bsd.uchicago.edu> References: <1162604081.454bee31bdbab@webemail.bsd.uchicago.edu> Message-ID: <1162659500.454cc6acd99cf@webemail.bsd.uchicago.edu> Does anyone have any insight into this error? I have three sendmail/solaris 9 systems that need upgrading and I need some kind of solution .. I am willing to work with someone on the problem... (give them ssh access on a test system) just to work it out. Please help if time permits .. thanks -i Quoting Ian Miller : > I am running solaris 9 with perl 5.8.8 and just upgraded to the latest > MailScanner and I received this error on start > > # ./MailScanner > Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: > /opt/MailScanner/lib > /usr/local/lib/perl5/5.8.8/sun4-solaris /usr/local/lib/perl5/5.8.8 > /usr/local/lib/perl5/site_perl/5.8.8/sun4-solaris > /usr/local/lib/perl5/site_perl/5.8.8 > /usr/local/lib/perl5/site_perl/5.8.5/sun4-solaris > /usr/local/lib/perl5/site_perl/5.8.5 /usr/local/lib/perl5/site_perl . > /opt/MailScanner/lib) at ./MailScanner line 67. > BEGIN failed--compilation aborted at ./MailScanner line 67. > > Has anyone else run across this > thanks > -Ian > > > > This e-mail and any attachments may contain privileged and > confidential information for use only by the intended recipient. If > you have received this e-mail in error, please delete the e-mail and > all copies thereof and notify us by e-mail or a collect call to our > office; do not forward the e-mail. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Ian Miller Sr. Systems Engineer University of Chicago 929 E 57th St. 
W342 Chicago, IL 60637 773-834-3191 imiller@bsd.uchicago.edu This e-mail and any attachments may contain privileged and confidential information for use only by the intended recipient. If you have received this e-mail in error, please delete the e-mail and all copies thereof and notify us by e-mail or a collect call to our office; do not forward the e-mail. From ugob at camo-route.com Sat Nov 4 17:54:59 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Sat Nov 4 17:55:17 2006 Subject: Solaris errors In-Reply-To: <1162659500.454cc6acd99cf@webemail.bsd.uchicago.edu> References: <1162604081.454bee31bdbab@webemail.bsd.uchicago.edu> <1162659500.454cc6acd99cf@webemail.bsd.uchicago.edu> Message-ID: Ian Miller wrote: > Does anyone have any insight into this error? I have three sendmail/solaris 9 > systems that need upgrading and I need some kind of solution .. > I am willing to work with someone on the problem... > (give them ssh access on a test system) just to work it out. > Please help if time permits .. > thanks > -i > Quoting Ian Miller : > >> I am running solaris 9 with perl 5.8.8 and just upgraded to the latest >> MailScanner and I received this error on start >> >> # ./MailScanner >> Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: >> /opt/MailScanner/lib >> /usr/local/lib/perl5/5.8.8/sun4-solaris /usr/local/lib/perl5/5.8.8 >> /usr/local/lib/perl5/site_perl/5.8.8/sun4-solaris >> /usr/local/lib/perl5/site_perl/5.8.8 >> /usr/local/lib/perl5/site_perl/5.8.5/sun4-solaris >> /usr/local/lib/perl5/site_perl/5.8.5 /usr/local/lib/perl5/site_perl . >> /opt/MailScanner/lib) at ./MailScanner line 67. >> BEGIN failed--compilation aborted at ./MailScanner line 67. This probably means that the perl module Sys::Hostname::Long is not installed. From develop at in-tech.us Sat Nov 4 18:37:45 2006 
From: develop at in-tech.us (Integrated Technologies) Date: Sat Nov 4 18:32:09 2006 Subject: Mail Log Error Message Message-ID: <000001c70040$57b62410$c8fea8c0@intech.us> My complete install was going fine... no errors, no snags. I checked my logs this morning and received the following error (I had a power failure and it rebooted): MailScanner[2906]: MailScanner E-Mail Virus Scanner version 4.56.8 starting. MailScanner[2906]: Syntax error(s) in configuration file: MailScanner[2906]: Unrecognized keyword "spamassassinprefsfile" at line 2213 MailScanner[2906]: Aborting due to syntax errors in /etc/MailScanner/NailScanner.conf I went to my MailScanner.conf configuration file and these are the lines before and after line 2213 (this is actually the very last line in my MailScanner.conf file): 2209 # READ and UNDERSTAND the above text BEFORE changing this. 2210 # 2211 Minimum Code Status = supported 2212 2213 SpamAssassin Prefs File = /etc/MailScanner/spam.assassin.prefs.conf 2214 There is NOTHING that I have touched within these last few lines... any ideas? My gratitude ahead of time for your patience and assistance SRB, Integrated Technologies Owner/Senior Developer From imiller at bsd.uchicago.edu Sat Nov 4 19:07:15 2006
From: imiller at bsd.uchicago.edu (Ian Miller) Date: Sat Nov 4 19:07:44 2006 Subject: Solaris errors In-Reply-To: References: <1162604081.454bee31bdbab@webemail.bsd.uchicago.edu> <1162659500.454cc6acd99cf@webemail.bsd.uchicago.edu> Message-ID: <1162667235.454ce4e39f058@webemail.bsd.uchicago.edu> That was it I had to manually install it and now it works thanks Quoting Ugo Bellavance : > Ian Miller wrote: > > Does anyone have any insight into this error? I have three sendmail/solaris > 9 > > systems that need upgrading and I need some kind of solution .. > > I am willing to work with someone on the problem... > > (give them ssh access on a test system) just to work it out. > > Please help if time permits .. > > thanks > > -i > > Quoting Ian Miller : > > > >> I am running solaris 9 with perl 5.8.8 and just upgraded to the latest > >> MailScanner and I received this error on start > >> > >> # ./MailScanner > >> Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: > >> /opt/MailScanner/lib > >> /usr/local/lib/perl5/5.8.8/sun4-solaris /usr/local/lib/perl5/5.8.8 > >> /usr/local/lib/perl5/site_perl/5.8.8/sun4-solaris > >> /usr/local/lib/perl5/site_perl/5.8.8 > >> /usr/local/lib/perl5/site_perl/5.8.5/sun4-solaris > >> /usr/local/lib/perl5/site_perl/5.8.5 /usr/local/lib/perl5/site_perl . > >> /opt/MailScanner/lib) at ./MailScanner line 67. > >> BEGIN failed--compilation aborted at ./MailScanner line 67. > > This probably means that the perl module Sys::Hostname::Long is not > installed. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Ian Miller Sr. Systems Engineer University of Chicago 929 E 57th St. 
W342 Chicago, IL 60637 773-834-3191 imiller@bsd.uchicago.edu This e-mail and any attachments may contain privileged and confidential information for use only by the intended recipient. If you have received this e-mail in error, please delete the e-mail and all copies thereof and notify us by e-mail or a collect call to our office; do not forward the e-mail. From ssilva at sgvwater.com Sat Nov 4 19:22:07 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 4 19:22:35 2006 Subject: Not detecting some instances of viruses In-Reply-To: <454CB9F2.60505@solidstatelogic.com> References: <200611030529.kA35TDic014240@summitmotors.com.au> <454CA1D8.3080004@nkpanama.com> <454CB9F2.60505@solidstatelogic.com> Message-ID: Martin Hepworth spake the following on 11/4/2006 8:04 AM: > Alex Neuman wrote: >> Jon Bates wrote: >>> I'm having trouble whereby only SOME instances of the same virus are >>> being >>> identified by ClamAV. >>> >>> The virus is exactly the same type every time, but only some get >>> detected - >>> the rest are sent on to the user! >>> >>> There is no pattern that I can see - Zip files (containing infected >>> exe), >>> and plain exe files have been allowed through. >>> >>> I've subsequently scanned the users mailbox on the server using >>> clamscan, >>> and it DOES detect the email! For some reason, when it is scanned >>> when the >>> message is received, it's not detected. >>> Any help would be appreciated! >>> >>> - Jon Bates >>> >>> >> You shouldn't be allowing EXEs in the first place, I think. > > if you work with Windows developers then I'm afraid you have to! We do > this selectively of course! > Even Windows developers can learn to zip up an exe! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Sat Nov 4 19:39:11 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 4 19:39:43 2006 Subject: Greylisting .. nice .. In-Reply-To: References: Message-ID: Jim Holland spake the following on 11/3/2006 10:53 PM: > On Sat, 4 Nov 2006, Res wrote: > >> Date: Sat, 4 Nov 2006 11:48:21 +1000 (EST) >> From: Res >> Reply-To: MailScanner discussion >> To: MailScanner discussion >> Subject: Re: Greylisting .. nice .. >> >> On Fri, 3 Nov 2006, Rob Poe wrote: >> >>> My thoughts so far are this: Why didn't I do this sooner. >> Its going to be pointless soon, problem is, as more and more people do >> this, it wont be long before the common garden variety spammers smtp >> engine will also retry on 4xx errors, id give it a year tops (if some of >> them are not already doing it) > > My objection to it is not that it doesn't work, but that it makes all > genuine mail servers work twice as hard to deliver mail. I like having an > outgoing mail queue as clean as possible, and the greylisters mean > multiple retry attempts before the mail can be delivered. The more people > adopt it the harder it is going to get for the rest of us. And if the > spammers adapt to it then we are all going to face a massive increase in > the number of connection attempts they make on us to defeat greylisting, > and Internet bandwidth will become even more congested than it is at the > moment. > > It reminds me of the arguments for keeping a gun in the house - "I just > want to make sure that I can protect my family against a dangerous world". > But if everyone did just that the world would become an even more > dangerous place. > > There are definitely no guns in my house. I sure don't want to get into the gun/no gun debate! Probably more heated than the postfix/sendmail/exim debate! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Sat Nov 4 19:41:53 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 4 19:45:09 2006 Subject: Greylisting .. nice .. In-Reply-To: References: <454C6FF8.9000300@netmagicsolutions.com> Message-ID: Res spake the following on 11/4/2006 4:34 AM: > On Sat, 4 Nov 2006, Dhawal Doshy wrote: > >> Res wrote: >>> On Sat, 4 Nov 2006, Jim Holland wrote: >>> >>>> My objection to it is not that it doesn't work, but that it makes all >>>> genuine mail servers work twice as hard to deliver mail. I like >>>> having an >>>> outgoing mail queue as clean as possible, and the greylisters mean >>> >>> This is the biggest point of it, the people trying to get everyone >>> using greylisting obviously dont see much mail or don't have >>> impatient whinging @!#$@#$'s as customers >>> >>> It seems to be a big thing with the postmix (intended pun) users >>> for some reason. >> >> Us postmix users use selective greylisting ;-) See >> http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_greylisting.shtml >> >> I kinda agree that simply greylisting is not as effective as before. >> However a combination of policyd-weight (rbl+rhsbl scoring) + >> selective greylisting still works wonders in my setup.. > > I use RBL's in MTA rather than score them, if its trash the less > resource sof mine I allow them to use the better :) > I like scoring the more aggressive ones first. Then if I see no false positives over a period of time, I can move them to the MTA. I am preparing moving the njabl_dul to the MTA because I have had a 100% spam rate with its hits. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ajos1 at onion.demon.co.uk Sun Nov 5 00:53:03 2006 
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk) Date: Sun Nov 5 00:53:19 2006 Subject: MS - MailWatch Question... Message-ID: - I am installing the MailWatch web package... and I have a question... ---------- In /etc/MailScanner/MailScanner.conf it has the line: Quarantine Whole Messages As Queue Files = no ---------- ---------- In "http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:install" it says i need: Quarantine Whole Message As Queue Files = no ---------- Which one is right... "Messages" or "Message" ? From ssilva at sgvwater.com Sun Nov 5 05:14:04 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Sun Nov 5 05:14:23 2006 Subject: MS - MailWatch Question... In-Reply-To: References: Message-ID: ajos1@onion.demon.co.uk spake the following on 11/4/2006 4:53 PM: > - > > I am installing the MailWatch web package... and I have a question... > > ---------- > In /etc/MailScanner/MailScanner.conf it has the line: > > Quarantine Whole Messages As Queue Files = no > ---------- > > ---------- > In "http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:install" it says i need: > > Quarantine Whole Message As Queue Files = no > ---------- > > Which one is right... "Messages" or "Message" ? Don't change the option names in the conf file. You just need to change the "yes"'s to "no"s and vice versa. If it says messages in the conf file, assume that the Mailwatch docs have a typo. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From james at grayonline.id.au Sun Nov 5 10:40:27 2006 
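The "Message" versus "Messages" question above and the earlier "Unrecognized keyword" log both come down to comparing setting names, so here is an added example (not code from MailScanner, MailWatch or any poster) that checks documented names against the conf file actually installed. It assumes the matching rule suggested by the error text `spamassassinprefsfile` (lower-cased, everything except letters and digits dropped); the function names and the shipped-default sample are hypothetical.

```python
import difflib
import re

# Constructed sample: the site's conf, using the lines quoted in this thread.
SITE_CONF = """\
# READ and UNDERSTAND the above text BEFORE changing this.
#
Minimum Code Status = supported

SpamAssassin Prefs File = /etc/MailScanner/spam.assassin.prefs.conf
Quarantine Whole Messages As Queue Files = no
"""

# Constructed sample standing in for the default conf shipped with the new
# version; its contents are an assumption made for this example.
SHIPPED_CONF = """\
Minimum Code Status = supported
Quarantine Whole Messages As Queue Files = no
"""

DOC_NAME = "Quarantine Whole Message As Queue Files"  # spelling from the docs page


def normalise(keyword):
    """Assumed rule: 'SpamAssassin Prefs File' -> 'spamassassinprefsfile'."""
    return re.sub(r"[^a-z0-9]", "", keyword.lower())


def read_keywords(conf_text):
    """Map normalised keyword -> (line number, keyword as written)."""
    found = {}
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name = line.split("=", 1)[0].strip()
        found[normalise(name)] = (line_no, name)
    return found


def unrecognised(site_conf, shipped_conf):
    """Settings in the site conf that the shipped default conf does not know."""
    known = read_keywords(shipped_conf)
    site = read_keywords(site_conf)
    return sorted(entry for key, entry in site.items() if key not in known)


def check_documented(site_conf, documented_names):
    """For each name taken from documentation, report whether the conf has it.

    Returns {name: ("present", written)} or {name: ("missing", closest or None)}.
    """
    site = read_keywords(site_conf)
    result = {}
    for name in documented_names:
        key = normalise(name)
        if key in site:
            result[name] = ("present", site[key][1])
            continue
        close = difflib.get_close_matches(key, list(site), n=1, cutoff=0.8)
        result[name] = ("missing", site[close[0]][1] if close else None)
    return result


if __name__ == "__main__":
    for line_no, name in unrecognised(SITE_CONF, SHIPPED_CONF):
        print(f"line {line_no}: '{name}' is not in the shipped default conf")
    for name, (status, written) in check_documented(SITE_CONF, [DOC_NAME]).items():
        print(f"'{name}': {status}; conf file spells it '{written}'")
```

Running a comparison like this before a restart matters because, as the log earlier in the thread shows, one unrecognised keyword makes MailScanner abort at startup.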
From: james at grayonline.id.au (James Gray) Date: Sun Nov 5 10:41:00 2006 Subject: ClamAV Problem Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As of yesterday, I've started seeing the following in the mail log, being dumped by MailScanner: ClamAVModule::LibClamAV Warning: ******************************************************** ClamAVModule::LibClamAV Warning: *** This version of the ClamAV engine is outdated. *** ClamAVModule::LibClamAV Warning: *** DON'T PANIC! Read http:// www.clamav.net/faq.html *** ClamAVModule::LibClamAV Warning: ******************************************************** Virus Scanning: ClamAV Module found 4 infections Virus Scanning: Found 4 viruses However, running "freshclam" says: ClamAV update process started at Sun Nov 5 21:33:52 2006 main.cvd is up to date (version: 41, sigs: 73809, f-level: 10, builder: tkojm) WARNING: Your ClamAV installation is OUTDATED! WARNING: Current functionality level = 9, recommended = 10 DON'T PANIC! Read http://www.clamav.net/faq.html daily.cvd is up to date (version: 2162, sigs: 1601, f-level: 9, builder: arnaud) So at least THAT bit jives with MailScanner's interpretation of the situation. Now to the weird part: $ clamscan --version ClamAV 0.88.5/2162/Sun Nov 5 19:14:36 2006 Erm, 0.88.5 is the *latest* STABLE (ie, "non-RC") build available for ClamAV. So how do I fix this? It's seriously playing havoc with my stats and the logs are as messy as hell :( Any help appreciated :) Cheers, James -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFFTb+lwBHpdJO7b9ERAic5AKCB4H0jn/H0P5ZwSS51oxzvy7bsGwCg3BnU cu9p/t/iOvkR6NkBiMzRu9c= =W7iG -----END PGP SIGNATURE----- From raymond at prolocation.net Sun Nov 5 11:06:25 2006 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Sun Nov 5 11:06:26 2006 Subject: ClamAV Problem In-Reply-To: References: Message-ID: Hi! > Now to the weird part: > > $ clamscan --version > ClamAV 0.88.5/2162/Sun Nov 5 19:14:36 2006 And you are sure you don't have multiple instances of clam installed? Bye, Raymond. From arturs at netvision.net.il Sun Nov 5 11:16:45 2006 From: arturs at netvision.net.il (Arthur Sherman) Date: Sun Nov 5 11:19:12 2006 Subject: ClamAV Problem In-Reply-To: Message-ID: <009401c700cb$e14735d0$3701a8c0@lapxp> There is a thread in ClamAV ML reg. this. Devs say sorry: one of mirrors outdated/broken Best, -- Arthur Sherman +972-52-4878851 CPTeam From james at grayonline.id.au Sun Nov 5 11:52:16 2006
From: james at grayonline.id.au (James Gray) Date: Sun Nov 5 11:52:37 2006 Subject: ClamAV Problem In-Reply-To: References: Message-ID: <750F557A-FCDC-4CA4-8900-7E1058AA30DD@grayonline.id.au> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/11/2006, at 10:06 PM, Raymond Dijkxhoorn wrote: > Hi! > >> Now to the weird part: >> >> $ clamscan --version >> ClamAV 0.88.5/2162/Sun Nov 5 19:14:36 2006 > > And you are sure you don't have multiple instances of clam installed? Hi Ray, Yup - absolutely positive. Did a sudo find / -name "*clam*" -type f ...and sure enough, only the stuff in /usr/local was returned. So only one instance :P Thanks for the suggestion though, it was a good check. My MailScanner runs on Mac OSX machine and at one point I had ClamAV installed from "fink" but removed it in favour of Julian's ClamAV+SpamAssassin bundle. I did some fink updates the other day and didn't pay that much attention...so ClamAV could very well have been installed twice, as fink puts all its fru-fru under /sw. Thanks for the pointer! :) Cheers, James -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFFTdBzwBHpdJO7b9ERAmeZAKCYSAv2aMTb2gw2NI0q4scNs8ekPwCgrybp Dd2AGXiuK2SDFqJeubatuxE= =Qivf -----END PGP SIGNATURE----- From james at grayonline.id.au Sun Nov 5 12:05:56 2006
From: james at grayonline.id.au (James Gray) Date: Sun Nov 5 12:06:13 2006 Subject: ClamAV Problem In-Reply-To: <009401c700cb$e14735d0$3701a8c0@lapxp> References: <009401c700cb$e14735d0$3701a8c0@lapxp> Message-ID: <16C22854-6F0A-4489-8678-EA12DA6EED7C@grayonline.id.au> On 05/11/2006, at 10:16 PM, Arthur Sherman wrote: > There is a thread in ClamAV ML reg. this. > Devs say sorry: one of mirrors outdated/broken Thanks Arthur - I really should subscribe to that list shouldn't I? :P For the others here, the thread on the ClamAV Users List is available here: http://lurker.clamav.net/thread/20061103.221240.b49f234b.en.html Cheers, James From ugob at camo-route.com Sun Nov 5 14:36:50 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Sun Nov 5 14:40:48 2006 Subject: Remove SpamAssasin report in 'attachment deliver' In-Reply-To: <454B4D1B.2000807@USherbrooke.ca> References: <454B4D1B.2000807@USherbrooke.ca> Message-ID: Denis Beauchemin wrote: > Ugo Bellavance wrote: >> Hi, >> >> I'd like to know how to not have the report details in the body >> when using the 'attachment' action for delivering. I know there is an >> "Always include SpamAssassin Report" option, but I'm afraid I won't >> have it in the headers if I disable it. >> >> Thanks, >> >> Ugo >> > Hi Ugo, > > I guess you could use the following in your spam.assassin.prefs.conf to > clear the default report (from "man Mail::SpamAssassin::Conf"): > clear_report_template > Clear the report template. > report ...some text for a report... > Set the report template which is attached to spam mail > messages. See the "10_misc.cf" configuration > file in "/usr/share/spamassassin" for an example. > > If you change this, try to keep it under 78 columns. Each > "report" line appends to the existing > template, so use "clear_report_template" to restart. > > Tags can be included as explained above. > > I use a French-localized version here with: > lang fr clear-report-template > lang fr report ------------------ Début de Rapport SpamAssassin > --------------------- I don't want to change it, I only want it to be blank, nothing... is it sufficient to just put 'clear_report_template' into the spam.assassin.prefs.conf? Thanks From prandal at herefordshire.gov.uk Sun Nov 5 14:53:36 2006
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Sun Nov 5 14:53:58 2006 Subject: ClamAV Problem Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681D6@isabella.herefordshire.gov.uk> It looks like the main.cvd file has one or more level 10 signatures in it. The ClamAV team are aware of it, and working on it. I guess they're going to have to rebuild main.cvd and reissue it. Cheers, Phil From glenn.steen at gmail.com Sun Nov 5 15:57:37 2006
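The diagnosis in the ClamAV thread above (a database published at f-level 10 against an engine at functionality level 9), together with the earlier "multiple instances" check, can be read straight off the tool output. This is an added example, not code from ClamAV, MailScanner or any poster; the function names are hypothetical and the sample text is the output quoted in the thread.

```python
import re

# Constructed sample: the freshclam and clamscan output quoted in this thread.
SAMPLE_FRESHCLAM = """\
ClamAV update process started at Sun Nov 5 21:33:52 2006
main.cvd is up to date (version: 41, sigs: 73809, f-level: 10, builder: tkojm)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 9, recommended = 10
DON'T PANIC! Read http://www.clamav.net/faq.html
daily.cvd is up to date (version: 2162, sigs: 1601, f-level: 9, builder: arnaud)
"""
SAMPLE_CLAMSCAN = "ClamAV 0.88.5/2162/Sun Nov 5 19:14:36 2006"

DB_RE = re.compile(
    r"(?P<db>\S+\.c[lv]d) (?:is up to date|updated) "
    r"\(version: (?P<version>\d+), sigs: (?P<sigs>\d+), f-level: (?P<flevel>\d+)"
)
ENGINE_RE = re.compile(
    r"Current functionality level = (?P<current>\d+), recommended = (?P<wanted>\d+)"
)
VERSION_RE = re.compile(r"^ClamAV (?P<engine>[^/\s]+)(?:/(?P<daily>\d+)/(?P<date>.+))?$")


def parse_freshclam(text):
    """Collect the engine's functionality level and each database's f-level."""
    report = {"engine_level": None, "recommended": None, "databases": {}}
    for line in text.splitlines():
        m = DB_RE.search(line)
        if m:
            report["databases"][m["db"]] = {
                "version": int(m["version"]),
                "flevel": int(m["flevel"]),
            }
            continue
        m = ENGINE_RE.search(line)
        if m:
            report["engine_level"] = int(m["current"])
            report["recommended"] = int(m["wanted"])
    return report


def parse_clamscan_version(line):
    """Split 'ClamAV <engine>/<daily version>/<date>' into (engine, daily)."""
    m = VERSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unexpected clamscan --version output: {line!r}")
    return m["engine"], int(m["daily"]) if m["daily"] else None


def diagnose(freshclam_text, clamscan_line):
    """Name the databases that ask for a newer engine, and check that clamscan
    and freshclam are looking at the same daily.cvd (a mismatch points to a
    second installation with its own database directory)."""
    report = parse_freshclam(freshclam_text)
    engine, daily_seen = parse_clamscan_version(clamscan_line)
    level = report["engine_level"]
    too_new = sorted(
        name for name, db in report["databases"].items()
        if level is not None and db["flevel"] > level
    )
    daily = report["databases"].get("daily.cvd")
    return {
        "engine": engine,
        "engine_level": level,
        "too_new": too_new,
        "same_database": daily is not None and daily_seen == daily["version"],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_FRESHCLAM, SAMPLE_CLAMSCAN))
```

On the sample it singles out main.cvd as the only database above the engine's level and confirms that clamscan and freshclam agree on daily.cvd version 2162.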
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 5 15:57:40 2006
Subject: Mail Log Error Message
In-Reply-To: <000001c70040$57b62410$c8fea8c0@intech.us>
References: <000001c70040$57b62410$c8fea8c0@intech.us>
Message-ID: <223f97700611050757x2d17c791v1fa1499a96bb9a9@mail.gmail.com>

On 04/11/06, Integrated Technologies wrote:
> My complete install was going fine... no errors, no snags. I checked my logs this
> morning and received the following error (I had a power failure and it
> rebooted):
>
> MailScanner[2906]: MailScanner E-Mail Virus Scanner version 4.56.8 starting...
> MailScanner[2906]: Syntax error(s) in configuration file:
> MailScanner[2906]: Unrecognized keyword "spamassassinprefsfile" at line 2213
> MailScanner[2906]: Aborting due to syntax errors in /etc/MailScanner/NailScanner.conf
>
> I went to my MailScanner.conf configuration file and these are the lines
> before and after line 2213 (this is actually the very last line in my
> MailScanner.conf file):
>
> 2209 # READ and UNDERSTAND the above text BEFORE changing this.
> 2210 #
> 2211 Minimum Code Status = supported
> 2212
> 2213 SpamAssassin Prefs File = /etc/MailScanner/spam.assassin.prefs.conf
> 2214
>
> There is NOTHING that I have touched within these last few lines... and ideas?
>
> My gratitude ahead of time for your patience and assistance
>
> SRB, Integrated Technologies
> Owner/Senior Developer
>
Was this an update or a fresh install? If the former, I suspect you
forgot to run upgrade_MailScanner_conf (just run it without any
arguments to get some instructions on how to use it).
If not, then well... Try just commenting that line out. ISTR that one
"going out the window" some versions back.
Use MailScanner --lint and MailScanner --changed as well as
MailScanner --debug to determine that all is well (after appropriate
changes:-).

HtH
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From raymond at prolocation.net Sun Nov 5 18:57:20 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Sun Nov 5 18:57:18 2006
Subject: ClamAV Problem
In-Reply-To:
References:
Message-ID:

Hi!

>> Now to the weird part:
>>
>> $ clamscan --version
>> ClamAV 0.88.5/2162/Sun Nov 5 19:14:36 2006
>
> And you are sure you don't have multiple instances of clam installed?

[Clamav-announce] announcing ClamAV 0.88.6

You can fix it now ;)

Bye,
Raymond.

From MailScanner at ecs.soton.ac.uk Sun Nov 5 19:19:51 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Nov 5 19:22:43 2006
Subject: DBD-SQLite install error?
In-Reply-To: <1951DC816E1A9F469307B05FA183F4385FF532@corpatsmail1.corp.sensis.com>
References: <1951DC816E1A9F469307B05FA183F4385FF532@corpatsmail1.corp.sensis.com>
Message-ID: <454E3957.6060506@ecs.soton.ac.uk>

Thanks for that. The installer now points to 1.12, which should be right.

Desai, Jason wrote:
> Thanks for the info. I probably should have mentioned that I was able to
> unpack and install it manually. I just wanted to give Julian a heads up
> that the installer script may have a bug.
>
> Jase
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Eduardo Casarero >> Sent: Friday, November 03, 2006 11:59 AM >> To: MailScanner discussion >> Subject: Re: DBD-SQLite install error? >> >> after install.sh finish install dbdsqlite by hand, it works. >> >> >> ~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# >> >> :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1. >> > 12# perl Makefile.PL > >> :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1.12# make >> >> :~/paquetes/MailScanner-install-4.55.10/perl-tar/DBD-SQLite-1. >> > 12# make install > >> regards. >> >> eduardo >> >> >> 2006/11/3, Desai, Jason : >> >> When I try to install MailScanner version 4.56.8 using >> the tar version, >> I get this: >> >> ============ >> Attempting to build and install DBD-SQLite-1.11 >> Unpacking perl-tar/DBD-SQLite-1.11.tar.gz >> Missing file perl-tar/DBD- SQLite-1.11.tar.gz . Are you >> in the right >> directory? >> >> Missing directory /tmp/DBD-SQLite-1.11 . >> Maybe it did not build correctly? >> ============ >> >> I notice that DBD-SQLite-1.12.tar.gz is in the perl-tar >> directory. >> Perhaps the install scripts needs to try to install >> DBD-SQLite-1.12 >> instead of DBD-SQLite-1.11? >> >> Jase >> >> -- >> Jason Desai >> Network Administrator >> Sensis Corporation >> jase@sensis.com >> http://www.sensis.com >> (315) 445-5811 >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> >> >> Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From prandal at herefordshire.gov.uk Sun Nov 5 20:48:17 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Sun Nov 5 20:48:34 2006
Subject: FW: [Clamav-announce] announcing ClamAV 0.88.6
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681D7@isabella.herefordshire.gov.uk>

FYI

-----Original Message-----
From: clamav-announce-bounces@lists.clamav.net
[mailto:clamav-announce-bounces@lists.clamav.net] On Behalf Of Luca Gibelli
Sent: Sunday, November 05, 2006 6:34 PM
To: ClamAV Announce
Subject: [Clamav-announce] announcing ClamAV 0.88.6

Dear ClamAV users,

Changes in this release include better handling of network problems in
freshclam and other minor bugfixes.

The ClamAV developers encourage all users to give a try to the latest
beta version of 0.90!

--
The ClamAV team (http://www.clamav.net/team.html)

--
Luca Gibelli (luca _at_ clamav.net) - ClamAV, a GPL anti-virus toolkit
[Tel] +44 2081239239 [Fax] +39 0187015046 [IM] nervous/jabber.linux.it
PGP key id 5EFC5582 @ key server || http://www.clamav.net/gpg/luca.gpg
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce

From develop at in-tech.us Sun Nov 5 21:19:11 2006
From: develop at in-tech.us (Integrated Technologies)
Date: Sun Nov 5 21:13:58 2006
Subject: [Clamav-announce] announcing ClamAV 0.88.6
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681D7@isabella.herefordshire.gov.uk>
Message-ID: <000301c70120$0ff76040$c8fea8c0@intech.us>

Funny thing is, on the downloads page of ClamAV, if you click on the latest
stable (0.8x.x or something) it takes you to the 0.90rc2 download on
SourceForge...

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Sunday, November 05, 2006 2:48 PM To: MailScanner (mailscanner@lists.mailscanner.info) Subject: FW: [Clamav-announce] announcing ClamAV 0.88.6 FYI -----Original Message----- From: clamav-announce-bounces@lists.clamav.net [mailto:clamav-announce-bounces@lists.clamav.net] On Behalf Of Luca Gibelli Sent: Sunday, November 05, 2006 6:34 PM To: ClamAV Announce Subject: [Clamav-announce] announcing ClamAV 0.88.6 Dear ClamAV users, Changes in this release include better handling of network problems in freshclam and other minor bugfixes. The ClamAV developers encourage all users to give a try to the latest beta version of 0.90! -- The ClamAV team (http://www.clamav.net/team.html) -- Luca Gibelli (luca _at_ clamav.net) - ClamAV, a GPL anti-virus toolkit [Tel] +44 2081239239 [Fax] +39 0187015046 [IM] nervous/jabber.linux.it PGP key id 5EFC5582 @ key server || http://www.clamav.net/gpg/luca.gpg _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------------- Integrated Technologies has scanned this message for viruses with MailScanner and is believed to be clean. -------------------- Integrated Technologies has scanned this message for viruses with MailScanner and is believed to be clean. From develop at in-tech.us Mon Nov 6 05:29:35 2006 
From: develop at in-tech.us (Integrated Technologies)
Date: Mon Nov 6 05:24:16 2006
Subject: MailScanner.conf parameter question
Message-ID: <000001c70164$918d1c50$c8fea8c0@intech.us>

Just a little confused on one setting in the MailScanner.conf file:

Sign Message Already Processed = yes

If I set the above to "no", will it still scan a reply returned to me and
just not append it with another footer sig? Or will this completely allow
the returned message to bypass MailScanner altogether?

I can see the value of not signing the message numerous times; especially if
it was a business email (for example) that requires multiple replies. But
then again, if this allows the replied to message to completely bypass
MailScanner then I'll have to rethink my strategy.

Please advise.

My gratitude for your time and patience

SRB, Integrated Technologies
Owner/Senior Developer

--------------------
Integrated Technologies has scanned this message for viruses
with MailScanner and is believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061105/5ac2591d/attachment.html

From jon.bates at summitmotors.com.au Mon Nov 6 06:10:30 2006
From: jon.bates at summitmotors.com.au (Jon Bates)
Date: Mon Nov 6 06:10:57 2006
Subject: Not detecting some instances of viruses
In-Reply-To: <200611031200.kA3C0Hht010238@bkserver.blacknight.ie>
Message-ID: <200611060610.kA66AeXw006899@summitmotors.com.au>

Reni Berber Wrote:
> Could be any of:
> 1. Timing. A virus signature that was just added to the DB.
> 2. Rules. If you have rules specifying what is virus scanned.
> 3. Size. Limits in MS configuration and also in the program/module doing the
> scanning.
> 4. Scan Parameters. clamscan has default parameters that are a little different
> than the perl module, for instance corrupt executable is detected by clamscan
> but I'm not sure if the module does detect it.
> 5. Encoding. There is a parameter in MS about scanning uuencoded parts, I'm not
> sure if this affects virus scanning.
> What does the log show? (does it say scanning for viruses ... clean ?)
> --
> Reni Berber

First of all, thanks to those others who replied to my initial email - I
think I've found a resolution (see below).

Martin,

Yes, I quarantine a copy of every email that comes through, this helped me
diagnose the issue - Thanks!

Reni,

1. Timing - I think this is the cause of the issue; attempts to release the
email from the quarantine showed that the infected email was being caught
straight away! This would lead me to believe that ClamAV simply didn't know
about the type of virus when the initial copy of it came through. I didn't
realise previously, but they weren't all exactly the same virus. They were
the same subject and size, but different variants of the same virus kept
coming through! (Worm.Stration.XX - in case you're interested!)

I haven't got the log from when it came through initially, but I assume that
it would have been scanned and deemed "clean" as I haven't seen any other
errors in there at all that would lead to some sort of scanning error.

Luckily my spam countermeasures are trained pretty well so nearly all
instances of the virus were actually quarantined as spam, and the rest under
content filtering (no exe files allowed). The only users who actually
received the virus were power users who are allowed to receive executable
files - Luckily they were smart enough not to be tempted to "increase the
size of their wang" by opening an exe file - lol

---- I checked your other points anyway:

2. Rules - I'm not running a ruleset on "Virus Scanning".. I AM running a
ruleset on Dangerous Content Scanning, but as I understand that this doesn't
exclude Virus scanning for its matches anyway. I can't see any other
rulesets that could cause this behaviour.

3. Size - The emails are all roughly 30kb in size.

4. Scan Parameters - Is there a way that you know of that I can test
scanning mbox files with the perl module instead? Sorry I'm relatively new
to linux so I didn't bother with this one :P

5. Encoding - Find UU-Encoded Files was set to NO. Have changed this to yes
to be safe.

From glenn.steen at gmail.com Mon Nov 6 11:53:22 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 6 11:53:24 2006 Subject: MailScanner.conf parameter question In-Reply-To: <000001c70164$918d1c50$c8fea8c0@intech.us> References: <000001c70164$918d1c50$c8fea8c0@intech.us> Message-ID: <223f97700611060353y5d227b2dm5d4d6fcb7ca6b4ed@mail.gmail.com> On 06/11/06, Integrated Technologies wrote: > Just a little confused on one setting in the MailScanner.conf file: > > Sign Message Already Processed = yes > > If I set the above to "no", will it still scan a reply returned to me and > just not append it with another footer sig? Or will this completely allow > the returned message to bypass MailScanner altogether? > > I can see the value of not signing the message numerous times; especially if > it was a business email (for example) that requires multiple replies?But > then again, if this allows the replied to message to completely bypass > MailScanner then I'll have to rethink my strategy? > > Please advise. > > My gratitude for your time and patience > IIRC, this does exactly what it says on the tin... It will prevent the signing of a message detected to have passed through MS already (on another host), so that if you have several MailScanners "chained together" (think secondary MX palming things off to a primary MX after a stop, type of things) only the first get to leave a visible mark in the body. AFAIR that is it... Both instances will scan as normal. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From pascal.maes at elec.ucl.ac.be Mon Nov 6 14:40:26 2006 
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Mon Nov 6 14:40:29 2006
Subject: Problem with SORBS-SPAM ?
Message-ID:

Hello,

Today, from 14h11 until I suppressed SORBS-SPAM from the RBL list, we
have seen the following lines in our maillog file:

Nov 6 14:11:27 smtp-3 MailScanner[23222]: RBL checks: AFAA613E46.CAEC5 found in SORBS-SPAM
Nov 6 14:11:31 smtp-3 MailScanner[22778]: RBL checks: 53CF913F42.84D1B found in SORBS-SPAM
Nov 6 14:11:34 smtp-3 MailScanner[25704]: RBL checks: 78BE513F42.B7EB5 found in SORBS-SPAM
Nov 6 14:11:37 smtp-3 MailScanner[25704]: RBL checks: 0313713E60.D1B8E found in SORBS-SPAM

And some details for the last one :

Nov 6 14:11:37 smtp-3 postfix/smtpd[28567]: 0313713E60: client=linux1.sia.ucl.ac.be[130.104.1.142]
Nov 6 14:11:37 smtp-3 MailScanner[25704]: RBL checks: 0313713E60.D1B8E found in SORBS-SPAM
Nov 6 14:11:39 smtp-3 MailScanner[25704]: Message 0313713E60.D1B8E from 127.0.0.1 (from_address) to to_domain_address is

- we are using Postfix 2.3.3
- 130.104.1.142 is not on the Black list
- the RBL checks come after a HOLD with postfix.
  So, it seems to come from 127.0.0.1
- the message from MailScanner is truncated. Why ?

Any idea of the problem ?

Thanks
--
Pascal

From hooperism at gmail.com Mon Nov 6 15:57:31 2006
From: hooperism at gmail.com (Alex Hooper)
Date: Mon Nov 6 15:57:36 2006
Subject: f-prot output problem
Message-ID:

Hi,

I've been running MailScanner on my linux gateway at home for over two
years without problem. A couple of days ago, though, I started seeing
this in the logs:

Nov 6 15:14:41 ******* MailScanner[1180]: Either you've found a bug in MailSc
anner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said
this "/var/spool/MailScanner/incoming/1180/kA34x7j14493/msg-1180-50.html->1teMN
l". Please mail the author of MailScanner

I don't believe anything has changed on my machine. I've now got over
10K messages waiting to scan... Has anyone any idea how I might
resolve this?

Cheers,
--
Alex Hooper

From MailScanner at ecs.soton.ac.uk Mon Nov 6 18:44:06 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Nov 6 18:47:24 2006
Subject: [Clamav-announce] announcing ClamAV 0.88.6
In-Reply-To: <000301c70120$0ff76040$c8fea8c0@intech.us>
References: <000301c70120$0ff76040$c8fea8c0@intech.us>
Message-ID: <454F8276.4060103@ecs.soton.ac.uk>

Can someone let me know when they fix this distribution bug please?
I can't update a "production" system to a Release Candidate.

Integrated Technologies wrote:
> Funny thing is, on the downloads page of ClamAV, if you click on the latest
> stable (0.8x.x or something) it takes you to the 0.90rc2 download on
> SourceForge...
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal,
> Phil
> Sent: Sunday, November 05, 2006 2:48 PM
> To: MailScanner (mailscanner@lists.mailscanner.info)
> Subject: FW: [Clamav-announce] announcing ClamAV 0.88.6
>
> FYI
>
> -----Original Message-----
> From: clamav-announce-bounces@lists.clamav.net > [mailto:clamav-announce-bounces@lists.clamav.net] On Behalf Of Luca > Gibelli > Sent: Sunday, November 05, 2006 6:34 PM > To: ClamAV Announce > Subject: [Clamav-announce] announcing ClamAV 0.88.6 > > Dear ClamAV users, > > Changes in this release include better handling of network problems in > freshclam and other minor bugfixes. > > The ClamAV developers encourage all users to give a try to the latest > beta version of 0.90! > > -- > The ClamAV team (http://www.clamav.net/team.html) > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Nov 6 18:47:10 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Nov 6 18:47:30 2006 Subject: f-prot output problem In-Reply-To: References: Message-ID: <454F832E.8090805@ecs.soton.ac.uk> I would suspect your F-Prot edition has been updated. Alex Hooper wrote: > Hi, > > Ive been running MailScanner on my linux gateway at home for over two > years without problem. A couple of days ago, though, I started seeing > this in the logs: > > Nov 6 15:14:41 ******* MailScanner[1180]: Either you've found a bug > in MailSc > anner's F-Prot output parser, or F-Prot's output format has changed! > F-Prot said > this > "/var/spool/MailScanner/incoming/1180/kA34x7j14493/msg-1180-50.html->1teMN > > l". Please mail the author of MailScanner > > I don't believe anything has changed on my machine. I've now got over > 10K messages waiting to scan... Has anyone any idea how I might > resolve this? > > Cheers, Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Nov 6 18:45:05 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Nov 6 18:47:34 2006 Subject: MailScanner.conf parameter question In-Reply-To: <000001c70164$918d1c50$c8fea8c0@intech.us> References: <000001c70164$918d1c50$c8fea8c0@intech.us> Message-ID: <454F82B1.3030609@ecs.soton.ac.uk> Integrated Technologies wrote: > > Just a little confused on one setting in the MailScanner.conf file: > > Sign Message Already Processed = yes > > If I set the above to ?no?, will it still scan a reply returned to me > and just not append it with another footer sig? Or will this > completely allow the returned message to bypass MailScanner altogether? > No, it does exactly what it says. It will still scan it, I ain't that dumb :-) > I can see the value of not signing the message numerous times; > especially if it was a business email (for example) that requires > multiple replies?But then again, if this allows the replied to message > to completely bypass MailScanner then I?ll have to rethink my strategy? > > Please advise. > > My gratitude for your time and patience > > SRB, Integrated Technologies > > Owner/Senior Developer > > > -------------------- > /Integrated Technologies/ has scanned this > message for viruses > with MailScanner and it is believed to be clean. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From prandal at herefordshire.gov.uk Mon Nov 6 18:59:45 2006 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Nov 6 18:59:52 2006 Subject: [Clamav-announce] announcing ClamAV 0.88.6 Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581057B675@isabella.herefordshire.gov.uk> Works for me. Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 06 November 2006 18:44 > To: MailScanner discussion > Subject: Re: [Clamav-announce] announcing ClamAV 0.88.6 > > Can someone let me know when they fix this distribution bug please? > I can't update a "production" system to a Release Candidate. > > Integrated Technologies wrote: > > Funny thing is, on the downloads page of ClamAV, of you > click on the latest > > stable (0.8x.x or something) it takes you to the 0.90rc2 download on > > SourceForge... > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Randal, > > Phil > > Sent: Sunday, November 05, 2006 2:48 PM > > To: MailScanner (mailscanner@lists.mailscanner.info) > > Subject: FW: [Clamav-announce] announcing ClamAV 0.88.6 > > > > FYI > > > > -----Original Message----- 
> > From: clamav-announce-bounces@lists.clamav.net > > [mailto:clamav-announce-bounces@lists.clamav.net] On Behalf Of Luca > > Gibelli > > Sent: Sunday, November 05, 2006 6:34 PM > > To: ClamAV Announce > > Subject: [Clamav-announce] announcing ClamAV 0.88.6 > > > > Dear ClamAV users, > > > > Changes in this release include better handling of network > problems in > > freshclam and other minor bugfixes. > > > > The ClamAV developers encourage all users to give a try to > the latest > > beta version of 0.90! > > > > -- > > The ClamAV team (http://www.clamav.net/team.html) > > > > > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From mkettler at evi-inc.com Mon Nov 6 19:04:28 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Nov 6 19:04:40 2006 Subject: Problem with SORBS-SPAM ? In-Reply-To: References: Message-ID: <454F873C.4030002@evi-inc.com> Pascal Maes wrote: > Hello, > > > Today, from 14h11 until I suppress SORPBS-SPAM from the RBL list, we > have seen the following lines in our maillog file: > > Nov 6 14:11:27 smtp-3 MailScanner[23222]: RBL checks: AFAA613E46.CAEC5 > found in SORBS-SPAM > Nov 6 14:11:31 smtp-3 MailScanner[22778]: RBL checks: 53CF913F42.84D1B > found in SORBS-SPAM > Nov 6 14:11:34 smtp-3 MailScanner[25704]: RBL checks: 78BE513F42.B7EB5 > found in SORBS-SPAM > Nov 6 14:11:37 smtp-3 MailScanner[25704]: RBL checks: 0313713E60.D1B8E > found in SORBS-SPAM > > And some details for the last one : > > Nov 6 14:11:37 smtp-3 postfix/smtpd[28567]: 0313713E60: > client=linux1.sia.ucl.ac.be[130.104.1.142] > Nov 6 14:11:37 smtp-3 MailScanner[25704]: RBL checks: 0313713E60.D1B8E > found in SORBS-SPAM > Nov 6 14:11:39 smtp-3 MailScanner[25704]: Message 0313713E60.D1B8E from > 127.0.0.1 (from_address) to to_domain_address is > > - we are using Postfix 2.3.3 > - 130.104.1.142 is not on the Black list > - the RBL checks come after an HOLD with postfix. > So, it seems to come from 127.0.0.1 > - the message from MailScannet is truncated. Why ? > > > Any idea of the problem ? Looks like 127.0.0.1 was listed in sorbs-spam recently, but has been pulled. From ssilva at sgvwater.com Mon Nov 6 18:55:59 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 6 19:29:28 2006 Subject: Not detecting some instances of viruses In-Reply-To: <200611060610.kA66AeXw006899@summitmotors.com.au> References: <200611031200.kA3C0Hht010238@bkserver.blacknight.ie> <200611060610.kA66AeXw006899@summitmotors.com.au> Message-ID: Jon Bates spake the following on 11/5/2006 10:10 PM: > Reni Berber Wrote: > >> Could be any of: > >> 1. Timing. A virus signature that was just added to the DB. > >> 2. Rules. If you have rules specifying what is virus scanned. > >> 3. Size. Limits in MS configuration and also in the program/module doing > the >> scanning. > >> 4. Scan Parameters. clamscan has default parameters that are a little > different >> that the perl module, for instance corrupt executable is detected by > clamscan >> but I'm not sure if the module does detect it. > >> 5. Encoding. There is a parameter in MS about scanning uuencoded parts, > I'm not >> sure if this affects virus scanning. > >> What does the log show? (does it say scanning for viruses ... clean ?) >> -- >> Reni Berber > > > First of all, thanks to those others who replied to my initial email - I > think I've found a resolution (see below). > > Martin, > > Yes, I quarantine a copy of every email that comes through, this helped me > diagnose the issue - Thanks! > > Reni, > > 1. Timing - I think this is the cause of the issue; attempts to release the > email from the quarantine showed that the infected email was being caught > straight away! This would lead me to believe that ClamAV simply didn't know > about the type of virus when the initial copy of it came through. I didn't > realise previously, but they werent all exactly the same virus. They were > the same subject and size, but different variants of the same virus kept > coming through! (Worm.Stration.XX - in case you're interested!) 
> I havent got the log from when it came through initially, but I assume that > it would have been scanned and deemed "clean" as I havent seen any other > errors in there at all that would lead to some sort of scanning error. > > Luckily my spam countermeasures are trained pretty well so nearly all > instances of the virus were actually quarantined as spam, and the rest under > content filtering (no exe files allowed). The only users who actually > received the virus were power users who are allowed to receive executable > files - Luckily they were smart enough not to be tempted to "increase the > size of their wang" by opening an exe file - lol > > ---- I checked your other points anyway: > > 2. Rules - I'm not running a ruleset on "Virus Scanning".. I AM running a > ruleset on Dangerous Content Scanning, but as I understand that this doesn't > exclude Virus scanning for it's matches anyway. I cant see any other > rulesets that could cause this behaviour. > > 3. Size - The emails are all roughly 30kb in size. > > 4. Scan Parameters - Is there a way that you know of that I can test > scanning mbox files with the perl module instead? Sorry I'm relatively new > to linux so I didn't bother with this one :P > > 5. Encoding - Find UU-Encoded Files was set to NO. Have changed this to yes > to be safe. > > > I have caught most 0day strains of Worm.Stration.XX with filetype checks when the signatures were behind. If you don't allow unzipped executables you will catch many 0day baddies. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From raymond at prolocation.net Mon Nov 6 19:43:34 2006 
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Nov 6 19:43:32 2006
Subject: [Clamav-announce] announcing ClamAV 0.88.6
In-Reply-To: <454F8276.4060103@ecs.soton.ac.uk>
References: <000301c70120$0ff76040$c8fea8c0@intech.us> <454F8276.4060103@ecs.soton.ac.uk>
Message-ID:

Hi!

> Can someone let me know when they fix this distribution bug please?
> I can't update a "production" system to a Release Candidate.

This should be fixed in 88.6

Bye,
Raymond.

From ssilva at sgvwater.com Mon Nov 6 19:25:50 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Nov 6 19:45:46 2006
Subject: [Clamav-announce] announcing ClamAV 0.88.6
In-Reply-To: <454F8276.4060103@ecs.soton.ac.uk>
References: <000301c70120$0ff76040$c8fea8c0@intech.us> <454F8276.4060103@ecs.soton.ac.uk>
Message-ID:

Julian Field spake the following on 11/6/2006 10:44 AM:
> Can someone let me know when they fix this distribution bug please?
> I can't update a "production" system to a Release Candidate.
>
I had no problems, but it will depend on your local sourceforge mirror, and if
it has synced.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From jfagan at firstlightnetworks.com Mon Nov 6 20:08:05 2006
From: jfagan at firstlightnetworks.com (James Fagan)
Date: Mon Nov 6 20:06:27 2006
Subject: [Clamav-announce] announcing ClamAV 0.88.6
In-Reply-To: <454F8276.4060103@ecs.soton.ac.uk>
Message-ID: <59E4A3A1069C2640959AD0F7518C4812064D02@FLN1.fln.local>

http://superb-west.dl.sourceforge.net/sourceforge/clamav/clamav-0.88.6.tar.gz

Just installed this and seems to be fine.

From max at assuredata.com Mon Nov 6 20:23:12 2006
From: max at assuredata.com (Max Kipness) Date: Mon Nov 6 20:23:20 2006 Subject: Rule for DNS MX Check Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B044D88@addc01.assuredata.local> Hello, I'm still having issues with receiving large image stock spam, which is not being hit by Razor, Pyzor or DCC, SARES stock, or any of the others except the SARES gif attach. It gets a low bayes score that brings the score negative at times. One thing I have noticed is that even though the sender IP does resolve, it's usually to a dynamically generated host by a DSL company etc. Most of the time the sender address does not match this IP. So after doing some research I'm wondering if there is a way either through Sendmail, MailScanner or SpamAssassin to either check the MX record of the sender header or match the From and Sender headers. I'd prefer this to be a SpamAssassin rule so that I could release from quarantine if there turns out to be FPs. I have a customer that deals with a lot of foreign customers that might not have DNS setup. Here is an example of a spam header received today (with my server names/ips replaced with myserver.com). What I mean is that the From header shows from byerconsulting.com, but it was actually received from dsl.pipex.com. If you did an mx check on byerconsulting.com you definitely would not get the dsl.pipex.com IP address. But simply trying to match the Received domain to the sender domain would show something is wrong. Is there any way of scoring this stuff? 
---------------------------------------------------------------
Microsoft Mail Internet Headers Version 2.0
Received: from myserver.com ([192.168.1.4]) by myserver.com with
    Microsoft SMTPSVC(6.0.3790.1830);
    Mon, 6 Nov 2006 08:02:29 -0600
Received: from DESKTOP (81-179-145-240.dsl.pipex.com [81.179.145.240])
    by myserver.com with ESMTP idkA6E235h002990
    for ; Mon, 6 Nov 2006 08:02:14 -0600
Received: from 65.254.254.52 (HELO mail.byerconsulting.com)
    by myserver.com with esmtp (2ST5N97RVEZ G4NVD)
    id O7FKEF-XTPYT5-6N
    for mkipness@myserver.com; Mon, 6 Nov 2006 14:02:22 +0000
From: "Joel Lambert"
To:
Subject: hi Joel
Date: Mon, 6 Nov 2006 14:02:22 +0000
Message-ID: <01c701ac$2e3fbc00$6c822ecf@deborahstoryhn>
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----=_NextPart_000_000A_01C701AC.2E3FBC00"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4963.1700
Thread-Index: Aca6Q0YSVIA1BXARN9IQGMR9L98LID==
X-MailScanner-MailScanner-Information: Please email support@myserver.com for more information.
X-MailScanner-MailScanner: Found to be clean
X-MailScanner-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.752,
    required 5.5, BAYES_50 0.00, HTML_MESSAGE 0.00, SARE_GIF_ATTACH 0.75)
X-MailScanner-MailScanner-From: deborahstoryhn@byerconsulting.com
Return-Path: deborahstoryhn@byerconsulting.com
X-OriginalArrivalTime: 06 Nov 2006 14:02:29.0968 (UTC) FILETIME=[32AEFD00:01C701AC]

Thanks,
Max

From mkettler at evi-inc.com Mon Nov 6 20:40:32 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Nov 6 20:40:54 2006
Subject: Rule for DNS MX Check
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B044D88@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B044D88@addc01.assuredata.local>
Message-ID: <454F9DC0.5090108@evi-inc.com>

Max Kipness wrote:
> Hello,
>
> I'm still having issues with receiving large image stock spam, which is
> not being hit by Razor, Pyzor or DCC, SARES stock, or any of the others
> except the SARES gif attach. It gets a low bayes score that brings the
> score negative at times.
>
> One thing I have noticed is that even though the sender IP does resolve,
> it's usually to a dynamically generated host by a DSL company etc. Most
> of the time the sender address does not match this IP.
>
> So after doing some research I'm wondering if there is a way either
> through Sendmail, MailScanner or SpamAssassin to either check the MX
> record of the sender header or match the From and Sender headers.

Yes, but that makes the bogus assumption the site uses the same server for outbound as inbound mail.

An MX record is not a valid check as to what servers should be sending mail. It's a list of inbound servers. Most larger sites have separate servers for outbound and inbound mail, mostly as a simple way of splitting the load.

What you really want is SPF, something SA does support. That DOES list what servers are valid to send mail.

And more to the point, byerconsulting.com does support SPF, but unfortunately posts their record with a ?all. That means the owners of byerconsulting.com are not willing to declare any IP addresses as invalid for their domain.

> Received: from myserver.com ([192.168.1.4]) by myserver.com with
>     Microsoft SMTPSVC(6.0.3790.1830);
>     Mon, 6 Nov 2006 08:02:29 -0600
> Received: from DESKTOP (81-179-145-240.dsl.pipex.com [81.179.145.240])
>     by myserver.com with ESMTP idkA6E235h002990
>     for ; Mon, 6 Nov 2006 08:02:14 -0600
> Received: from 65.254.254.52 (HELO mail.byerconsulting.com)
>     by myserver.com with esmtp (2ST5N97RVEZ G4NVD)

Another thing you should do, based on the above, is to declare trusted_networks manually. Since your MX is NATed, SA will not be able to correctly detect what hosts are a part of your network on its own.

Finally, enable RBL checks in SpamAssassin. That message should have hit RCVD_IN_SORBS_DUL, since 81.179.145.240 is listed, and has been since October 2004.

From ajos1 at onion.demon.co.uk Mon Nov 6 20:47:29 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Mon Nov 6 20:47:38 2006
Subject: MailScanner.conf parameter question
Message-ID:

- Hmmm... another one to S or not S...

My conf says:

Sign Messages Already Processed = no

You have "Message"... I assume you mean "Messages"

Integrated Technologies wrote:
>
> Just a little confused on one setting in the MailScanner.conf file:
>
> Sign Message Already Processed = yes
>
> If I set the above to “no”, will it still scan a reply returned to me
> and just not append it with another footer sig? Or will this
> completely allow the returned message to bypass MailScanner altogether?
>

From mkettler at evi-inc.com Mon Nov 6 21:01:15 2006
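Matt Kettler's point above about a record that ends in ?all, as an added example that is not part of any list message: a small evaluator for the DNS-free part of SPF (ip4, ip6 and all) run against the connecting IP from the quoted header. The SPF records and the 192.0.2.0/24 range are constructed for illustration; the thread does not show byerconsulting.com's actual record.

```python
import ipaddress

# Result names from RFC 7208, keyed by the qualifier written before a mechanism.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate the DNS-free subset of SPF (ip4, ip6, all) for one client IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if term.lower().startswith("exp="):
            continue  # explanation modifier, never changes the result
        qualifier = "+"  # implied when no qualifier is written
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # "all" always matches, so its qualifier decides every IP
            # that no earlier mechanism claimed.
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        # a, mx, include, redirect= and friends need DNS lookups.
        raise ValueError("term needs DNS and is outside this example: " + term)
    return "neutral"  # nothing matched: RFC 7208 default result


# Connecting IP taken from the Received header quoted in the thread.
SPAM_RELAY = "81.179.145.240"
# Constructed address inside the constructed "authorised" range below.
LISTED_SENDER = "192.0.2.25"

# Constructed records: same authorised range, three different endings.
CONSTRUCTED_RECORDS = {
    "?all": "v=spf1 ip4:192.0.2.0/24 ?all",
    "~all": "v=spf1 ip4:192.0.2.0/24 ~all",
    "-all": "v=spf1 ip4:192.0.2.0/24 -all",
}


def compare_policies(client_ip):
    """Return the SPF result for client_ip under each constructed ending."""
    return {ending: evaluate_spf(record, client_ip)
            for ending, record in CONSTRUCTED_RECORDS.items()}


if __name__ == "__main__":
    for label, ip in (("unlisted relay", SPAM_RELAY), ("listed sender", LISTED_SENDER)):
        print(label, ip, compare_policies(ip))
```

Only the -all ending turns the unlisted DSL address into a hard fail; with ?all the same address comes back neutral, which gives a filter nothing to score on.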
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Nov 6 21:01:40 2006
Subject: Rule for DNS MX Check
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B044D88@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B044D88@addc01.assuredata.local>
Message-ID: <454FA29B.7080403@evi-inc.com>

Side note for Max:

While you're at it, you might want to fix your own DNS records:

Received: from mail.assuredata.com (assuredata.com [69.15.149.129] (may be forged))

69.15.149.129 reverse DNS resolves as "assuredata.com", but that name has no forward resolution. This is strictly invalid, as all records returned by resolving a PTR MUST resolve back to the same IP. (note: this is different than making assumptions about HELO strings)

# host 69.15.149.129
129.149.15.69.in-addr.arpa domain name pointer assuredata.com.
129.149.15.69.in-addr.arpa domain name pointer writeontime.us.
# host assuredata.com
#

Furthermore, the other record does resolve, but to a different IP address:

# host writeontime.us
writeontime.us has address 216.21.229.197

Ouch. See RFC 1912 section 2.1
http://www.ietf.org/rfc/rfc1912.txt

From gdoris at rogers.com Mon Nov 6 21:11:14 2006
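The PTR check Matt Kettler walks through above with host, as an added example that is not part of any list message: each name returned for an IP is resolved forward and compared with the original address. The lookup tables reproduce the host output quoted in his message; the function names, the result labels and the 192.0.2.10 entry are assumptions made for this example.

```python
import ipaddress
import socket

# Lookup data copied from the `host` output quoted in the message above.
# assuredata.com is absent from the forward table because it returned nothing.
PTR_TABLE = {"69.15.149.129": ["assuredata.com.", "writeontime.us."]}
ADDR_TABLE = {"writeontime.us": ["216.21.229.197"]}


def static_resolver(ptr_table, addr_table):
    """Build (lookup_ptr, lookup_addrs) callables backed by fixed tables."""
    def lookup_ptr(ip):
        return list(ptr_table.get(ip, []))

    def lookup_addrs(name):
        return list(addr_table.get(name.rstrip(".").lower(), []))

    return lookup_ptr, lookup_addrs


def system_lookup_ptr(ip):
    """Live variant using the system resolver (may not return every PTR)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]


def system_lookup_addrs(name):
    """Live variant: all addresses the system resolver returns for name."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_fcrdns(ip, lookup_ptr, lookup_addrs):
    """Classify every PTR name of ip by whether it resolves back to ip."""
    wanted = ipaddress.ip_address(ip)
    report = {}
    for name in lookup_ptr(ip):
        host = name.rstrip(".").lower()
        forward = [ipaddress.ip_address(a) for a in lookup_addrs(host)]
        if not forward:
            report[host] = "no-forward"   # name does not resolve at all
        elif wanted in forward:
            report[host] = "confirmed"    # forward lookup returns the same IP
        else:
            report[host] = "mismatch"     # resolves, but to another address
    return report


def verdict(report):
    """Summarise a report: every PTR name must resolve back to the IP."""
    if not report:
        return "no-ptr"
    states = set(report.values())
    if states == {"confirmed"}:
        return "valid"
    if "confirmed" in states:
        return "partial"
    return "unconfirmed"


if __name__ == "__main__":
    ptr, addrs = static_resolver(PTR_TABLE, ADDR_TABLE)
    result = check_fcrdns("69.15.149.129", ptr, addrs)
    print(result, verdict(result))
```

Pass system_lookup_ptr and system_lookup_addrs instead of the static pair to run the same check against live DNS.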
From: gdoris at rogers.com (Gerry)
Date: Mon Nov 6 21:11:48 2006
Subject: ClamAV messed up
Message-ID: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com>

I upgraded from FC 4 to FC 6 a short time ago. I thought everything was working until I ran into problems with ClamAV and MailScanner:

1. MailScanner was continually restarting until I changed "clamavmodule" to "clamav" in MailScanner.conf

2. Running MailScanner --lint indicates that I have "clamav" in the conf file but MailScanner finds "clamavmodule" instead

3. Doing an upgrade_virus_scanners checks ClamAV but also generic. I don't have generic listed anywhere

4. Running MailScanner -v shows that Mail::ClamAv is installed

5. Using CPAN to reinstall Mail::ClamAV says it is already installed. Doing a forced install fails at the make

In spite of all this ClamAV is scanning messages. I'm using MailScanner 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but I had the same problem with 0.88.5 and thought I'd try something different.

I haven't a clue where to start on this.

From MailScanner at ecs.soton.ac.uk Mon Nov 6 21:28:01 2006
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Nov 6 21:31:02 2006 Subject: ClamAV+SA package upgrade Message-ID: <454FA8E1.2000006@ecs.soton.ac.uk> I have just upgraded the ClamAV & SpamAssassin easy-to-install package to ClamAV 0.88.6 (NEW!) SpamAssassin 3.1.7 Download and install from www.mailscanner.info as usual. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mike at vesol.com Mon Nov 6 21:35:23 2006
From: mike at vesol.com (Mike Kercher) Date: Mon Nov 6 21:36:23 2006 Subject: ClamAV messed up In-Reply-To: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> Message-ID: mailscanner-bounces@lists.mailscanner.info <> scribbled on Monday, November 06, 2006 3:11 PM: > I upgraded from FC 4 to FC 6 a short time ago. I thought > everything was working until I ran into problems with ClamAV > and MailScanner: > > 1. MailScanner was continually restarting until I changed > "clamavmodule" to "clamav" in MailScanner.conf > > 2. Running MailScanner --lint indicates that I have "clamav" > in the conf file but MailScanner finds "clamavmodule" instead > > 3. Doing an upgrade_virus_scanners checks ClamAV but also > generic. I don't have generic listed anywhere > > 4. Running MailScanner -v shows that Mail::ClamAv is installed > > 5. Using CPAN to reinstall Mail::ClamAV says it is already > installed. Doing a forced install fails at the make > > > Inspite of all this ClamAV is scanning messages. I'm using > MailScanner > 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but > I had the same problem with 0.88.5 and thought I'd try > something different. > > I haven't a clue where to start on this. I wouldn't say ClanAV messed up...why did you "fix what wasn't broken"? Personally, I use an enterprise class OS for servers rather than bleeding edge. Mike From gdoris at rogers.com Mon Nov 6 21:57:15 2006 From: gdoris at rogers.com (Gerry) Date: Mon Nov 6 21:58:08 2006 Subject: ClamAV messed up In-Reply-To: Message-ID: <000f01c701ee$883cd200$780a000a@northamerica.stortek.com> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: November 6, 2006 16:35 To: MailScanner discussion Subject: RE: ClamAV messed up mailscanner-bounces@lists.mailscanner.info <> scribbled on Monday, November 06, 2006 3:11 PM: > I upgraded from FC 4 to FC 6 a short time ago. I thought everything > was working until I ran into problems with ClamAV and MailScanner: > > 1. MailScanner was continually restarting until I changed > "clamavmodule" to "clamav" in MailScanner.conf > > 2. Running MailScanner --lint indicates that I have "clamav" > in the conf file but MailScanner finds "clamavmodule" instead > > 3. Doing an upgrade_virus_scanners checks ClamAV but also generic. I > don't have generic listed anywhere > > 4. Running MailScanner -v shows that Mail::ClamAv is installed > > 5. Using CPAN to reinstall Mail::ClamAV says it is already installed. > Doing a forced install fails at the make > > > Inspite of all this ClamAV is scanning messages. I'm using > MailScanner > 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but I had the > same problem with 0.88.5 and thought I'd try something different. > > I haven't a clue where to start on this. I wouldn't say ClanAV messed up...why did you "fix what wasn't broken"? Personally, I use an enterprise class OS for servers rather than bleeding edge. Mike This a home server used for testing stuff. It's the place I try and figure out what works and what doesn't. As I mentioned, it is actually working but messed up. I can always reload the old image and start again if things really go bad. Perhaps "ClamAV messed up" is not what was I intended to say...my system is messed up. From derek at adcatanzaro.com Mon Nov 6 22:11:02 2006 
From: derek at adcatanzaro.com (Derek Catanzaro) Date: Mon Nov 6 22:11:34 2006 Subject: OT: Commercial Content Filtering Products Message-ID: <454FB2F6.8060702@adcatanzaro.com> I'm trying to get an idea of the cost on commercial products that will basically do what MailScanner is doing for free. The reason is because some vp's would like to know the cost of the commercial products. Ultimately I think MailScanner does a great job with the proper configs and I would be willing to bet that it does a lot better job than a lot of the commercial products you have to pay for. Does anyone out there have any product names and annual costs they can provide? I've got roughly 3,000 mail users and we are getting about 100,000 emails per day. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Mon Nov 6 23:40:22 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 6 23:41:42 2006 Subject: OT: Commercial Content Filtering Products In-Reply-To: <454FB2F6.8060702@adcatanzaro.com> References: <454FB2F6.8060702@adcatanzaro.com> Message-ID: Derek Catanzaro spake the following on 11/6/2006 2:11 PM: > I'm trying to get an idea of the cost on commercial products that will > basically do what MailScanner is doing for free. The reason is because > some vp's would like to know the cost of the commercial products. > Ultimately I think MailScanner does a great job with the proper configs > and I would be willing to bet that it does a lot better job than a lot > of the commercial products you have to pay for. Does anyone out there > have any product names and annual costs they can provide? I've got > roughly 3,000 mail users and we are getting about 100,000 emails per day. DefenderMX (www.fsl.com) They have what could be called the commercial big brother of mailscanner. It has more features, and comes in several versions, including an "appliance". You will have to contact them as to pricing. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From prandal at herefordshire.gov.uk Tue Nov 7 00:33:52 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Nov 7 00:34:14 2006 Subject: Commercial Content Filtering Products Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681D8@isabella.herefordshire.gov.uk> I saw on another mailing list today someone boasting what a good job their Barracuda was doing - getting 87% of their incoming spam. I can probably get 87% by the use of sendmail's GreetPause, the zen.spamhaus.org RBL at MTA level, and milter-greylist 3.0rc greylisting a handful of RBLS, without even getting anywhere near spamassassin. MailScanner gets over 99% of all incoming spam here. Cheers, Phil -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Derek Catanzaro Sent: Monday, November 06, 2006 10:11 PM To: MailScanner discussion Subject: OT: Commercial Content Filtering Products I'm trying to get an idea of the cost on commercial products that will basically do what MailScanner is doing for free. The reason is because some vp's would like to know the cost of the commercial products. Ultimately I think MailScanner does a great job with the proper configs and I would be willing to bet that it does a lot better job than a lot of the commercial products you have to pay for. Does anyone out there have any product names and annual costs they can provide? I've got roughly 3,000 mail users and we are getting about 100,000 emails per day. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From res at ausics.net Tue Nov 7 00:44:15 2006 
From: res at ausics.net (Res) Date: Tue Nov 7 00:44:21 2006 Subject: ClamAV messed up In-Reply-To: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> Message-ID: On Mon, 6 Nov 2006, Gerry wrote: > I upgraded from FC 4 to FC 6 a short time ago. I thought everything was > working until I ran into problems with ClamAV and MailScanner: > > 1. MailScanner was continually restarting until I changed "clamavmodule" to > "clamav" in MailScanner.conf > > 2. Running MailScanner --lint indicates that I have "clamav" in the conf > file but MailScanner finds "clamavmodule" instead > > 3. Doing an upgrade_virus_scanners checks ClamAV but also generic. I don't > have generic listed anywhere > > 4. Running MailScanner -v shows that Mail::ClamAv is installed > > 5. Using CPAN to reinstall Mail::ClamAV says it is already installed. Doing > a forced install fails at the make > > > Inspite of all this ClamAV is scanning messages. I'm using MailScanner > 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but I had the same > problem with 0.88.5 and thought I'd try something different. > > I haven't a clue where to start on this. Seen this a trillion times in upgrades, its not related to Fedora, its RHES, suse, slackware and probably all others. It will be a perl version conflict problem. its ugly but run it all manually, can you paste the output where perl bails? -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Tue Nov 7 00:51:44 2006 
From: res at ausics.net (Res)
Date: Tue Nov 7 00:51:54 2006
Subject: f-prot output problem
In-Reply-To:
References:
Message-ID:

On Mon, 6 Nov 2006, Alex Hooper wrote:

> Hi,
>
> I've been running MailScanner on my linux gateway at home for over two
> years without problem. A couple of days ago, though, I started seeing
> this in the logs:
>
> Nov 6 15:14:41 ******* MailScanner[1180]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "/var/spool/MailScanner/incoming/1180/kA34x7j14493/msg-1180-50.html->1teMNl". Please mail the author of MailScanner
>
> I don't believe anything has changed on my machine. I've now got over
> 10K messages waiting to scan... Has anyone any idea how I might
> resolve this?

Are you running engine 4.6.6? It's been out for a few months now so you probably are, does MailScanner --lint show anything more?

Set debug on in the conf file for a while, there was a similar problem many months ago but it was related to sys::syslog and the MS wrapper was amended so it wouldn't bail.

>
> Cheers,
>

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From gdoris at rogers.com Tue Nov 7 01:10:17 2006
From: gdoris at rogers.com (Gerry)
Date: Tue Nov 7 01:11:00 2006
Subject: ClamAV messed up
In-Reply-To:
Message-ID: <000001c70209$818d22a0$780a000a@northamerica.stortek.com>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res Sent: November 6, 2006 19:44 To: MailScanner discussion Subject: Re: ClamAV messed up On Mon, 6 Nov 2006, Gerry wrote: > I upgraded from FC 4 to FC 6 a short time ago. I thought everything > was working until I ran into problems with ClamAV and MailScanner: > > 1. MailScanner was continually restarting until I changed > "clamavmodule" to "clamav" in MailScanner.conf > > 2. Running MailScanner --lint indicates that I have "clamav" in the > conf file but MailScanner finds "clamavmodule" instead > > 3. Doing an upgrade_virus_scanners checks ClamAV but also generic. I > don't have generic listed anywhere > > 4. Running MailScanner -v shows that Mail::ClamAv is installed > > 5. Using CPAN to reinstall Mail::ClamAV says it is already installed. > Doing a forced install fails at the make > > > Inspite of all this ClamAV is scanning messages. I'm using > MailScanner > 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but I had the > same problem with 0.88.5 and thought I'd try something different. > > I haven't a clue where to start on this. Seen this a trillion times in upgrades, its not related to Fedora, its RHES, suse, slackware and probably all others. It will be a perl version conflict problem. its ugly but run it all manually, can you paste the output where perl bails? -- Cheers Res I got it working! I removed ClamAV rc0.99 totally including the libclamav files. I then installed the latest release 0.88.6. Once I had that installed I went back and tried to reinstall Mail::ClamAV. This time it worked. I have now enabled clamavmodule in MailScanner.conf and am back to normal...well, nearly. For some reason update_virus_scanners still thinks there is a generic virus scanner installed but I can live with that! From rcooper at dwford.com Tue Nov 7 04:03:22 2006 
From: rcooper at dwford.com (Rick Cooper) Date: Tue Nov 7 04:03:49 2006 Subject: ClamAV messed up In-Reply-To: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> Message-ID: <029801c70221$ac1852c0$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gerry > Sent: Monday, November 06, 2006 4:11 PM > To: mailscanner@lists.mailscanner.info > Subject: ClamAV messed up > > I upgraded from FC 4 to FC 6 a short time ago. I thought > everything was > working until I ran into problems with ClamAV and MailScanner: > > 1. MailScanner was continually restarting until I changed > "clamavmodule" to > "clamav" in MailScanner.conf > > 2. Running MailScanner --lint indicates that I have "clamav" > in the conf > file but MailScanner finds "clamavmodule" instead > > 3. Doing an upgrade_virus_scanners checks ClamAV but also > generic. I don't > have generic listed anywhere > > 4. Running MailScanner -v shows that Mail::ClamAv is installed > > 5. Using CPAN to reinstall Mail::ClamAV says it is already > installed. Doing > a forced install fails at the make > > > Inspite of all this ClamAV is scanning messages. I'm using > MailScanner > 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but > I had the same > problem with 0.88.5 and thought I'd try something different. > > I haven't a clue where to start on this. > > I can tell you (posted this last week) that the 0.90rc2 version is not compatible with the Mail::ClamAV module. They took out some key rar related exports when they incorporated their own unrar engine (which seems to work great). Even if you uncomment the obvious problem (I believe it was CL-DISABLERAR) there are a couple of other items I just didn't have the time to track down. Just stick with the command line scanner until the author releases a compatible version, which took weeks the last time the clam developers messed around with the exports and did not retain backward compatible stubs. Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Tue Nov 7 08:57:09 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Nov 7 08:57:12 2006 Subject: OT: Commercial Content Filtering Products In-Reply-To: <454FB2F6.8060702@adcatanzaro.com> References: <454FB2F6.8060702@adcatanzaro.com> Message-ID: <223f97700611070057o2f48eae9nd2323790d291bae1@mail.gmail.com> On 06/11/06, Derek Catanzaro wrote: > I'm trying to get an idea of the cost on commercial products that will > basically do what MailScanner is doing for free. The reason is because > some vp's would like to know the cost of the commercial products. > Ultimately I think MailScanner does a great job with the proper configs > and I would be willing to bet that it does a lot better job than a lot > of the commercial products you have to pay for. Does anyone out there > have any product names and annual costs they can provide? I've got > roughly 3,000 mail users and we are getting about 100,000 emails per day. > IMO, the competition is a dime-a-dozen... And you get what you pay for:-). Seriously though: - Every AV company has their own product and/or appliance. These generally have the basic "flaw" that they only support one AV-scanner. Most have thrown in a more or less recognizable SpamAssassin too... But usually without more than the most basic "knobs" to turn. - There is a "healthy" market for this type of appliance (everything from firewall makers like WatchGuard and Fortinet to more specialized companies). Generally speaking, most of these appliances didn't start life as AV or spam-fighting tools, and as such aren't particularly good at it. - (Just to contradict my flippant first remark:-) Generally speaking, they're usually rather steeply priced. Compare that to the effectiveness (usually not that great), and you have ... an easy answer:-). If one wants to buy MailScanner (management often wants to put a pricetag on things like support:-), then DefenderMX is the thing (http://www.fsl.com). 
Last I looked (quite some time ago:-) it had some really nice features (AD integration etc) that (although possible to achieve, to some extent) isn't part of a standard MailScanner/MailWatch combo. Since MailScanner is such a nice and configurable "product", I often find it hard to make real comparisons with commercial gear though. Most come off as toy cars compared to a LandCruiser;-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Tue Nov 7 09:25:39 2006 From: res at ausics.net (Res) Date: Tue Nov 7 09:25:47 2006 Subject: ClamAV messed up In-Reply-To: <000001c70209$818d22a0$780a000a@northamerica.stortek.com> References: <000001c70209$818d22a0$780a000a@northamerica.stortek.com> Message-ID: On Mon, 6 Nov 2006, Gerry wrote: > > I got it working! > > I removed ClamAV rc0.99 totally including the libclamav files. I then > installed the latest release 0.88.6. Once I had that installed I went back > and tried to reinstall Mail::ClamAV. This time it worked. > > I have now enabled clamavmodule in MailScanner.conf and am back to > normal...well, nearly. For some reason update_virus_scanners still thinks > there is a generic virus scanner installed but I can live with that! This is OK, if it bothers you, in your mailscanner etc directory, virus_scanners.conf, just hash out generic :) > > > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From martinh at solidstatelogic.com Tue Nov 7 09:29:25 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Nov 7 09:29:32 2006 Subject: ClamAV messed up In-Reply-To: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> Message-ID: <455051F5.4050304@solidstatelogic.com> Gerry wrote: > I upgraded from FC 4 to FC 6 a short time ago. I thought everything was > working until I ran into problems with ClamAV and MailScanner: > > 1. MailScanner was continually restarting until I changed "clamavmodule" to > "clamav" in MailScanner.conf > > 2. Running MailScanner --lint indicates that I have "clamav" in the conf > file but MailScanner finds "clamavmodule" instead > > 3. Doing an upgrade_virus_scanners checks ClamAV but also generic. I don't > have generic listed anywhere > > 4. Running MailScanner -v shows that Mail::ClamAv is installed > > 5. Using CPAN to reinstall Mail::ClamAV says it is already installed. Doing > a forced install fails at the make > > > Inspite of all this ClamAV is scanning messages. I'm using MailScanner > 4.56.8-1 and ClamAV of rc2-99. I know that's a rc level but I had the same > problem with 0.88.5 and thought I'd try something different. > > I haven't a clue where to start on this. > > Gerry Known issue with mail::ClamAV and the 0.90 code, basically they are not compatible.... -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From MailScanner at ecs.soton.ac.uk Tue Nov 7 11:39:05 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Nov 7 11:41:31 2006 Subject: OT: Commercial Content Filtering Products In-Reply-To: <454FB2F6.8060702@adcatanzaro.com> References: <454FB2F6.8060702@adcatanzaro.com> Message-ID: <45507059.9040105@ecs.soton.ac.uk> Try to sell them DefenderMX from Fort Systems Ltd. This is based around MailScanner, but with a very good management and reporting system attached, it's a lot more than just MailWatch. It is under constant active development, and is available with commercial support contracts so we can be sure you won't be left high and dry if anything goes bang in the night. And of course, if you decide to go with a straightforward standard version of MailScanner, I'm always available to install it for you :-) Derek Catanzaro wrote: > I'm trying to get an idea of the cost on commercial products that will > basically do what MailScanner is doing for free. The reason is > because some vp's would like to know the cost of the commercial > products. Ultimately I think MailScanner does a great job with the > proper configs and I would be willing to bet that it does a lot better > job than a lot of the commercial products you have to pay for. Does > anyone out there have any product names and annual costs they can > provide? I've got roughly 3,000 mail users and we are getting about > 100,000 emails per day. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 From matt at coders.co.uk Tue Nov 7 11:46:30 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Tue Nov 7 11:47:34 2006
Subject: Commercial Content Filtering Products
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681D8@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681D8@isabella.herefordshire.gov.uk>
Message-ID: <45507216.40206@coders.co.uk>

Randal, Phil wrote:
> I saw on another mailing list today someone boasting what a good job
> their Barracuda was doing - getting 87% of their incoming spam.

Upfront: I work for a reseller of a number of products including a managed MailScanner solution but this is my opinion.

Barracuda are just SpamAssassin with RBLs. Which they do not provide licenses for use see

http://www.spamhaus.org/faq/answers.lasso?section=Data%20Feed#87 (the bottom section).

An interesting one I have seen recently is I-Critical but that doesn't have all of the features that MailScanner has (although they are adding some new stuff in the near future but won't give the details). They offer a managed service, appliance or a CD but they offer remote management of all of the boxes.

MIME-Sweeper (from Clearswift) is well known but people have historically had issues with the support.

For the "Biggies" get a quote from MessageLabs (or Black Spider).

What I will say is this - when you are comparing prices you need to take into account the proportion of your time to keep the system up to date. You will also need to account for when you aren't around - another person needs training. These take a significant chunk out of the high prices that appliances seem and can actually be more expensive.

The flexibility that MailScanner (and from what I have seen and heard about DefenderMX) far exceeds that of other commercial products.

So the balance to consider is:

MailScanner:
Pros:
  Flexibility and you are in control
  Low set up cost and on going
Cons:
  Your + another's time setting up and the ongoing managing and keeping it up to date.

Appliance:
Pros:
  It's a black box
  Someone else supports it
Cons:
  It's a black box
  Someone else supports it
  Tied to feature set
  High Setup cost
  Recurring license costs
  Increased throughput requires new box

Managed Service
Pros:
  Someone else manages keeps it up to date
  It's a black box
  Per user fee so easily scalable
  Distributed facilities
Cons:
  It's a black box
  Initial per user cost is high
  Tied feature set

> I can probably get 87% by the use of sendmail's GreetPause, the
> zen.spamhaus.org RBL at MTA level, and milter-greylist 3.0rc greylisting
> a handful of RBLS, without even getting anywhere near spamassassin.

I am getting slightly higher than this:

I use smf-sav (for both sender and recipient verification), smf-grey (patched to only do grey listing on sending systems on 1 or more RBL's), GreetPause, IP->Host->IP checks on client IP and milter-link and milter-null.

Of the mail that gets through this - 19% is tagged as spam of which just over half is marked as High Spam.

I am getting about 0.01% False Negative rate from MailScanner/SpamAssassin and about 0.2% FP from the Client IP checks. I have had no reported FP from MailScanner/SpamAssassin since the beginning of the month.

matt

From martinh at solidstatelogic.com Tue Nov 7 12:55:27 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Nov 7 12:55:39 2006
Subject: Commercial Content Filtering Products
In-Reply-To: <45507216.40206@coders.co.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681D8@isabella.herefordshire.gov.uk> <45507216.40206@coders.co.uk>
Message-ID: <4550823F.4030504@solidstatelogic.com>

Matt Hampton wrote:
> Randal, Phil wrote:
>> I saw on another mailing list today someone boasting what a good job
>> their Barracuda was doing - getting 87% of their incoming spam.
>
> Upfront: I work for a reseller of a number of products including a
> managed MailScanner solution but this is my opinion.
>
> Barracuda are just SpamAssassin with RBLs. Which they do not provide
> licenses for use see
>
> http://www.spamhaus.org/faq/answers.lasso?section=Data%20Feed#87 (the
> bottom section).
>
> An interesting one I have seen recently is I-Critical but that doesn't
> have all of the features that MailScanner has (although they are adding
> some new stuff in the near future but won't give the details). They offer
> a managed service, appliance or a CD but they offer remote management of
> all of the boxes.
>
> MIME-Sweeper (from Clearswift) is well known but people have
> historically had issues with the support.
>

eww no arg thud...

I moved from Mimesweeper to MS due to too many false positives and a complete sod to support (tied up a complete PIII 933mhz 2GB ram, 100% cpu all the time - moved to mailScanner/mailwatch, no FP on a 600 mhz celeron 512mB ram and lots of free resource).

Allegedly it's much better now, but I like MS too move away - ie it just works ;-)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From housey at sme-ecom.co.uk Tue Nov 7 12:59:08 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Tue Nov 7 12:59:12 2006
Subject: Could not analyze message
Message-ID:

Hi

I don't think my messages last week regarding this made it to the list, I've just noticed that they got flagged as spam on my system :-)

I have a message being sent to one of my customers which keeps getting quarantined with "Could not analyze message", it's a plain text email with no attachments.

I tried setting up a ruleset so any messages from this particular address did not get scanned (using the Scan Messages ruleset). I've done this quite a few times before so am confident the syntax I'm using is correct.

Despite this the message still gets quarantined, Julian mentioned the envelope from/to addresses might be different to the ones I've got in my ruleset - I used the "Add Envelope From Header" and "Add Envelope To Header" and was able to see from the headers that my ruleset addresses were correct.

I've also tried using the Scan Messages ruleset to just not scan incoming email for this particular email address - again the message still gets quarantined.

Any hints/tips etc. as to what can cause "Could not analyze message"? The server processes plenty of other email exactly as I would expect and it only seems to be this one particular message.

Cheers

Paul

From martinh at solidstatelogic.com Tue Nov 7 13:26:58 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Nov 7 13:27:18 2006
Subject: Could not analyze message
In-Reply-To:
References:
Message-ID: <455089A2.2070702@solidstatelogic.com>

Paul Houselander wrote:
> Hi
>
> I don't think my messages last week regarding this made it to the list, I've
> just noticed that they got flagged as spam on my system :-)
>

If you're using Tim's Bogus virus rules for Spamassassin you need to zero score the mailScanner ones (from back in the day when mailScanner used to 'bounce' spam and viruses by default)

> I have a message being sent to one of my customers which keeps getting
> quarantined with "Could not analyze message", it's a plain text email with no
> attachments.
>

I see you're using Outlook - could it be the TNEF expander isn't working properly...

What I do is don't scan via SA for outgoing, only virus scan. I do this by the 'from' ip-address range which can't be spoofed quite as easily as the email address.

> I tried setting up a ruleset so any messages from this particular address did
> not get scanned (using the Scan Messages ruleset). I've done this quite a few
> times before so am confident the syntax I'm using is correct.
>
> Despite this the message still gets quarantined, Julian mentioned the
> envelope from/to addresses might be different to the ones I've got in my
> ruleset - I used the "Add Envelope From Header" and "Add Envelope To Header"
> and was able to see from the headers that my ruleset addresses were correct.
>
> I've also tried using the Scan Messages ruleset to just not scan
> incoming email for this particular email address - again the message still
> gets quarantined.
>
> Any hints/tips etc. as to what can cause "Could not analyze message"? The
> server processes plenty of other email exactly as I would expect and it only
> seems to be this one particular message.
>
> Cheers
>
> Paul
>

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From housey at sme-ecom.co.uk Tue Nov 7 13:54:08 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Tue Nov 7 13:54:12 2006
Subject: Could not analyze message
In-Reply-To: <455089A2.2070702@solidstatelogic.com>
Message-ID:

Hi Martin

The situation is my customer has his incoming email scanned, the email which is being quarantined is coming from one of his suppliers (i.e. they don't smtp out via me). I don't really want to whitelist the IP as the email comes via BT.

I was thinking along the lines of winmail.dat as the message comes via an MS Exchange server, but the message is all just plain text. Here's the headers (I've blanked out various addresses)

Return-Path:
Delivered-To: 2-xxxxxxxxxxxxx
Received: (qmail 21307 invoked by uid 110); 3 Nov 2006 13:33:11 +0000
Delivered-To: 129-xxxxxxxxxxx
Received: (qmail 21301 invoked from network); 3 Nov 2006 13:33:11 +0000
Received: from xxxxxxxxxxx (HELO xxxxxxxxxxx) (xxxxxxxxxxxx) by xxxxxxxxxxxx with (DHE-RSA-AES256-SHA encrypted) SMTP; 3 Nov 2006 13:33:11 +0000
Received: from c2bthomr10.btconnect.com (c2bthomr10.btconnect.com [194.73.73.226]) by xxxxxxxxxxxxxxxxxx (8.13.1/8.13.1) with ESMTP id kA3DWXX9018872 for ; Fri, 3 Nov 2006 13:32:38 GMT
Received: from xxxxxxxxxxxx (xxxxxxxxxxxxxxxx.in-addr.btopenworld.com [xxxxxxxx]) by xxxxxxxxxxxxxxxxx (MOS 3.7.4b-GA) with ESMTP id BVA31885; Fri, 3 Nov 2006 13:27:07 GMT
Received: from goldmaster ([192.168.0.10]) by xxxxxxxxxxxxxxxxxx with Microsoft SMTPSVC(6.0.3790.1830); Fri, 3 Nov 2006 13:32:29 +0000
From: "xxxxxxxxxxxxxxx"
Subject: Proof of Delivery
To: xxxxxxxxxxxxxxxx
Content-type: text/plain; charset="ISO-8859-1"
Date: Fri, 3 Nov 2006 13:32:29 +0000
Message-ID:
X-OriginalArrivalTime: 03 Nov 2006 13:32:29.0639 (UTC) FILETIME=[825D5570:01C6FF4C]

Any other ideas?

Cheers

Paul

From martinh at solidstatelogic.com Tue Nov 7 14:00:25 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Nov 7 14:00:35 2006
Subject: Could not analyze message
In-Reply-To:
References:
Message-ID: <45509179.5060600@solidstatelogic.com>

Paul Houselander wrote:
> Hi Martin
>
> The situation is my customer has his incoming email scanned, the email
> which is being quarantined is coming from one of his suppliers (i.e. they
> don't smtp out via me). I don't really want to whitelist the IP as the email
> comes via BT.
>
> I was thinking along the lines of winmail.dat as the message comes via an MS
> Exchange server, but the message is all just plain text. Here's the headers
> (I've blanked out various addresses)
>
> Received: (qmail 21301 invoked from network); 3 Nov 2006 13:33:11 +0000
> Received: from xxxxxxxxxxx (HELO xxxxxxxxxxx) (xxxxxxxxxxxx)
> by xxxxxxxxxxxx with (DHE-RSA-AES256-SHA encrypted) SMTP; 3 Nov 2006
> 13:33:11 +0000

encrypted SMTP!! and qmail....hmm I wonder if it's not decrypted before it's dropping into MailScanner?????

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From Denis.Beauchemin at USherbrooke.ca Tue Nov 7 14:38:06 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Nov 7 14:38:28 2006
Subject: mailscanner-mrtg graph labels
In-Reply-To: <000b01c6ffa4$a4794c10$670a000a@dorfam.ca>
References: <000b01c6ffa4$a4794c10$670a000a@dorfam.ca>
Message-ID: <45509A4E.7090303@USherbrooke.ca>

Gerry Doris wrote:
> I upgraded my system from Fedora Core 4 to 6 last weekend.
> Surprisingly it went quite well. I thought everything was working
> properly until I noticed that two of the mailscanner-mrtg graphs have
> their labels messed up. The data looks correct.
>
> The two messed up graphs are Mail Transferred and Memory. It is the
> top level as well as the detail graphs. The vertical legend for each
> is showing the number scale followed by the letters M,G,T,P spread out
> into the graph area for each number.
>
> This has been working perfectly for ages...I think? Has anyone else
> noticed this? I'm using 0.10.00. I upgraded to the unstable version
> 11 but it didn't make a difference.

Gerry,

This looks more like an MRTG problem than a MailScanner-MRTG one because the 2 graphs that you are having problems with come from different sources: your log files for MTA and SNMP for memory.

Are you sure you didn't mess up the /etc/mrtg/mailscanner-mrtg.cfg file for these 2 graphs? This is what I have for the MTA:

YLegend[mailbytes]: Bytes
ShortLegend[mailbytes]: bytes    
Legend1[mailbytes]: Average Bytes
Legend2[mailbytes]:
Legend3[mailbytes]: Maximum Bytes
Legend4[mailbytes]:
LegendI[mailbytes]: :
LegendO[mailbytes]:
kilo[mailbytes]: 1024
kMG[mailbytes]: k,M,G,T,P

If all is OK, then maybe something changed in FC6 and the last 2 lines (kilo and kMG) are not having the same effect as they did before.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061107/1cde83fc/smime.bin

From housey at sme-ecom.co.uk Tue Nov 7 14:41:51 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Tue Nov 7 14:41:53 2006
Subject: Could not analyze message
In-Reply-To: <45509179.5060600@solidstatelogic.com>
Message-ID:

Nope I don't think that's the problem, I've just realised I gave the headers from the released email (I have a little script that releases an email from quarantine), below is the raw qf file data:-

Any other ideas, I just can't get this email through unscanned or better still understand why MailScanner can't analyze the message.

Cheers

Paul

V8
T1162560758
K0
N0
P31610
F8bs
$_c2bthomr10.btconnect.com [194.73.73.226]
$rESMTP
$sc2bthomr10.btconnect.com
${daemon_flags}
${if_addr}xxxxxxxxxx
S
rRFC822; xxxxxxxxxxxxxx
RPFD:
H?P?Return-Path:
H??Received: from c2bthomr10.btconnect.com (c2bthomr10.btconnect.com [194.73.73.226]) by xxxxxxxxxxxxxx (8.13.1/8.13.1) with ESMTP id kA3DWXX9018872 for ; Fri, 3 Nov 2006 13:32:38 GMT
H??Received: from goldmaster.gold01.com (xxxxxxxxx.in-addr.btopenworld.com [xxxxxxxxxxxxx]) by c2bthomr10.btconnect.com (MOS 3.7.4b-GA) with ESMTP id BVA31885; Fri, 3 Nov 2006 13:27:07 GMT
H??Received: from goldmaster ([192.168.0.10]) by goldmaster.gold01.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 3 Nov 2006 13:32:29 +0000
H??From: "xxxxxxxxxxxxx"
H??Subject: Proof of Delivery
H??To: xxxxxxxxxxxxx
H??Content-Type: multipart/mixed
H??Date: Fri, 3 Nov 2006 13:32:29 +0000
H??Message-ID:
H??X-OriginalArrivalTime: 03 Nov 2006 13:32:29.0639 (UTC) FILETIME=[825D5570:01C6FF4C]

From Denis.Beauchemin at USherbrooke.ca Tue Nov 7 14:48:37 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Nov 7 14:48:53 2006
Subject: Remove SpamAssasin report in 'attachment deliver'
In-Reply-To:
References: <454B4D1B.2000807@USherbrooke.ca>
Message-ID: <45509CC5.7050302@USherbrooke.ca>

Ugo Bellavance wrote:
> Denis Beauchemin wrote:
>> Ugo Bellavance wrote:
>>> Hi,
>>>
>>> I'd like to know how to not have the report details in the body
>>> when using the 'attachment' action for delivering. I know there is
>>> an "Always include SpamAssassin Report" option, but I'm afraid I
>>> won't have it in the headers if I disable it.
>>>
>>> Thanks,
>>>
>>> Ugo
>>>
>> Hi Ugo,
>>
>> I guess you could use the following in your spam.assassin.prefs.conf
>> to clear the default report (from "man Mail::SpamAssassin::Conf"):
>>     clear_report_template
>>         Clear the report template.
>>     report ...some text for a report...
>>         Set the report template which is attached to spam mail
>>         messages. See the "10_misc.cf" configuration
>>         file in "/usr/share/spamassassin" for an example.
>>
>>         If you change this, try to keep it under 78 columns. Each
>>         "report" line appends to the existing
>>         template, so use "clear_report_template" to restart.
>>
>>         Tags can be included as explained above.
>>
>> I use a French-localized version here with:
>> lang fr clear-report-template
>> lang fr report ------------------ Début de Rapport SpamAssassin ---------------------
>
> I don't want to change it, I only want it to be blank, nothing... is
> it sufficient to just put 'clear_report_template' into the
> spam.assassin.prefs.conf?
>
> Thanks
>
>

I would think it would work but I didn't test it...

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061107/2749bf44/smime.bin

From martinh at solidstatelogic.com Tue Nov 7 15:01:47 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Nov 7 15:02:03 2006
Subject: Could not analyze message
In-Reply-To:
References:
Message-ID: <45509FDB.1040003@solidstatelogic.com>

Paul Houselander wrote:
> Nope I don't think that's the problem, I've just realised I gave the headers
> from the released email (I have a little script that releases an email from
> quarantine), below is the raw qf file data:-
>
> Any other ideas, I just can't get this email through unscanned or better
> still understand why MailScanner can't analyze the message.
>
> Cheers
>
> Paul

can you drop this back into the queue and run mailScanner/Spamassassin in debug mode? You may then be able to spot what's going awry.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From Dominique.Marant at univ-lille1.fr Tue Nov 7 15:07:07 2006
From: Dominique.Marant at univ-lille1.fr (Dominique Marant)
Date: Tue Nov 7 15:09:14 2006
Subject: ClamAV update
In-Reply-To: <455051F5.4050304@solidstatelogic.com>
References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> <455051F5.4050304@solidstatelogic.com>
Message-ID: <4550A11B.6000002@univ-lille1.fr>

I installed install-Clam-0.88.6-SA-3.1.7

In virus.scanners.conf :
clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
clamavmodule /bin/false /tmp

In MailScanner.conf :
Virus Scanners = clamavmodule
Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd

It seems that clamav is not automatically updated because I don't see any change in /usr/local/share/clamav/ and I don't see clamav in update.virus.scanners lines in the log.

How to configure MailScanner to update ClamAV every day?
Could you tell me if I have to perform a freshclam by the crontab?

In the MailScanner log, how to see the version of ClamAV used by MailScanner?
In the MailScanner log, how to see the version of Spamassassin used by MailScanner?
In the MailScanner log, how to see if the ClamAV version is OUTDATED?

Thanks in advance

Dominique

From ugob at camo-route.com Tue Nov 7 15:59:38 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Tue Nov 7 16:00:14 2006
Subject: Outbound scanning checklist
Message-ID:

Hi,

I will start filtering outbound traffic soon, and here is my checklist, to share with you guys, and if someone has something to add, I'd be glad to add it. I'll post it on the wiki afterwards.

1- Get the list of IP addresses from which we'll receive outgoing e-mails

2- Allow relaying for these IP addresses

3- Disable DNSBL checks for these IP addresses (if necessary)

4- Make sure your RDNS matches your HELO and that there is an A record that matches the RDNS, matching the IP address

5- Check the SPF records for domains that will be used outbound

6- Create ruleset as desired/needed: filetype, filename, spam checks (and always include SA report), content, virus

Did I forget anything?

Regards,

ugo

From ugob at camo-route.com Tue Nov 7 16:06:44 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Tue Nov 7 16:08:15 2006
Subject: ClamAV update
In-Reply-To: <4550A11B.6000002@univ-lille1.fr>
References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> <455051F5.4050304@solidstatelogic.com> <4550A11B.6000002@univ-lille1.fr>
Message-ID:

Dominique Marant wrote:
> I installed install-Clam-0.88.6-SA-3.1.7
>
> In virus.scanners.conf :
> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
> clamavmodule /bin/false /tmp
>
> In MailScanner.conf :
> Virus Scanners = clamavmodule
> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
>
> It seems that clamav is not automatically updated because I don't see any
> change in /usr/local/share/clamav/ and I don't see clamav in
> update.virus.scanners lines in the log.
>
> How to configure MailScanner to update ClamAV every day?

This should be done hourly, automatically.

> Could you tell me if I have to perform a freshclam by the crontab?

No, you don't.

> In the MailScanner log, how to see the version of ClamAV used by
> MailScanner?

This info is not present in MailScanner's log.

> In the MailScanner log, how to see the version of Spamassassin used by
> MailScanner?

This info is not present in MailScanner's log.

> In the MailScanner log, how to see if the ClamAV version is OUTDATED?

This info is not present in MailScanner's log. See /tmp/ClamAV.update.log

>
> Thanks in advance
>
> Dominique
>
>

From dhawal at netmagicsolutions.com Tue Nov 7 16:11:05 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Tue Nov 7 16:11:20 2006
Subject: Outbound scanning checklist
In-Reply-To:
References:
Message-ID: <4550B019.1030302@netmagicsolutions.com>

Ugo Bellavance wrote:
> Hi,
>
> I will start filtering outbound traffic soon, and here is my
> checklist, to share with you guys, and if someone has something to add,
> I'd be glad to add it. I'll post it on the wiki afterwards.
>
>
>
> 1- Get the list of IP addresses from which we'll receive outgoing e-mails
>
> 2- Allow relaying for these IP addresses
>
> 3- Disable DNSBL checks for these IP addresses (if necessary)
>
> 4- Make sure your RDNS matches your HELO and that there is an A record
> that matches the RDNS, matching the IP address
>
> 5- Check the SPF records for domains that will be used outbound
>
> 6- Create ruleset as desired/needed: filetype, filename, spam checks
> (and always include SA report), content, virus
>
> Did I forget anything?

7. smtp-auth (preferably over SSL)
8. prevent id spoofing over smtp-auth
9. volume / rate based throttling for authenticated users
10. also server side DK/DKIM signing

From kevind at go2.ie Tue Nov 7 16:14:59 2006
From: kevind at go2.ie (Kevin Dermody)
Date: Tue Nov 7 16:13:23 2006
Subject: Outbound scanning checklist
In-Reply-To:
References:
Message-ID: <4550B103.4020702@go2.ie>

Ugo Bellavance wrote:
> Hi,
>
> I will start filtering outbound traffic soon, and here is my
> checklist, to share with you guys, and if someone has something to add,
> I'd be glad to add it. I'll post it on the wiki afterwards.
>
>
>
> 1- Get the list of IP addresses from which we'll receive outgoing e-mails
>
> 2- Allow relaying for these IP addresses
>

this is a really bad idea if you don't control the systems on those ip addresses. use smtp authentication if you can.

> 3- Disable DNSBL checks for these IP addresses (if necessary)
>
> 4- Make sure your RDNS matches your HELO and that there is an A record
> that matches the RDNS, matching the IP address
>
> 5- Check the SPF records for domains that will be used outbound
>
> 6- Create ruleset as desired/needed: filetype, filename, spam checks
> (and always include SA report), content, virus
>
> Did I forget anything?
>
> Regards,
>
> ugo
>

From housey at sme-ecom.co.uk Tue Nov 7 17:01:32 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Tue Nov 7 17:01:36 2006
Subject: Could not analyze message
In-Reply-To: <45509FDB.1040003@solidstatelogic.com>
Message-ID:

Hi Martin

Thanks for the debug tip forgot all about that!

I set

Debug = yes
Debug SpamAssassin = no

and copied the qf/qf pair back into /var/spool/mqueue.in

I started up MailScanner

MailScanner: In Debugging mode, not forking....

The message got quarantined but the debug info didn't really show anything - I got a message saying

format error: can't find EOCD signature
at /usr/sbin/MailScanner line 820

But I put some other messages in and got exactly the same problem.

Any other tips :-)

Paul

This message has been scanned by the Allteks Mailsafe Service

From martinh at solidstatelogic.com Tue Nov 7 17:09:27 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Nov 7 17:09:37 2006 Subject: Could not analyze message In-Reply-To: References: Message-ID: <4550BDC7.4050302@solidstatelogic.com> Paul Houselander wrote: > Hi Martin > > Thanks for the debug tip forgot all about that! > > I set > > Debug = yes > Debig SpamAssassin = no > > and copied the qf/qf pair back into /var/spool/mqueue.in > > I started up MailScanner > > MailScanner: In Debugging mode, not forking.... > > The message got quarantined but the debug info didnt really show anything - > I got a message saying > > format error: can't find EOCD signature > at /usr/sbin/MailScanner line 820 > > But I put some other messages in and got exactly the same problem. > > Any other tips :-) > > Paul > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Martin > Hepworth > Sent: 07 November 2006 15:02 > To: MailScanner discussion > Subject: Re: Could not analyze message > > > Paul Houselander wrote: >> Nope I dont think thats the problem, ive just realised I gave the headers >> from the released email (i have a little script that releases an email > from >> quarantine), below is the raw qf file data:- >> >> Any other ideals, I just cant get this email through unscanned or better >> still understand why MailScanner cant analyze the message. >> >> Cheers >> > > Paul > > can you drop this back into the queue and run mailScanner/Spamassassin > in debug mode? You may then be able to spot whats going awry. > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
>
Paul

set both options to debug - also check the maillog file

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From alex at nkpanama.com Tue Nov 7 18:03:23 2006
From: alex at nkpanama.com (Alex Neuman)
Date: Tue Nov 7 18:04:02 2006
Subject: Outbound scanning checklist
In-Reply-To: <4550B103.4020702@go2.ie>
References: <4550B103.4020702@go2.ie>
Message-ID: <4550CA6B.8010300@nkpanama.com>

Kevin Dermody wrote:
> Ugo Bellavance wrote:
>> Hi,
>>
>> I will start filtering outbound traffic soon, and here is my
>> checklist, to share with you guys, and if someone has something to
>> add, I'd be glad to add it. I'll post it on the wiki afterwards.
>>
>>
>>
>> 1- Get the list of IP addresses from which we'll receive outgoing
>> e-mails
>>
>> 2- Allow relaying for these IP addresses
>>
>
> this is a really bad idea if you don't control the systems on those ip
> addresses. use smtp authentication if you can.
>
This is a really bad idea, period. :D

>
>> 3- Disable DNSBL checks for these IP addresses (if necessary)
>>
>> 4- Make sure your RDNS matches your HELO and that there is an A
>> record that matches the RDNS, matching the IP address
>>
>> 5- Check the SPF records for domains that will be used outbound
>>
>> 6- Create ruleset as desired/needed: filetype, filename, spam checks
>> (and always include SA report), content, virus
>>
>> Did I forget anything?
>>
>> Regards,
>>
>> ugo
>>

From rpoe at plattesheriff.org Tue Nov 7 19:26:28 2006
From: rpoe at plattesheriff.org (Rob Poe)
Date: Tue Nov 7 19:29:25 2006
Subject: Greylisting .. nice ..
In-Reply-To:
References:
Message-ID: <45508986.65ED.00A2.0@plattesheriff.org>

>> > My thoughts so far are this: Why didn't I do this sooner.
>
>> It's going to be pointless soon, problem is, as more and more people do
>> this, it won't be long before the common garden variety spammers smtp
>> engine will also retry on 4xx errors, I'd give it a year tops (if some of
>> them are not already doing it)

>My objection to it is not that it doesn't work, but that it makes all
>genuine mail servers work twice as hard to deliver mail. I like having an

I agree, that the spammers MIGHT try to adapt to this, but at THIS
MOMENT, it works. Computer tech is moment based. Since when have we
used virus scanners on Microsoft OS'es that only scan on demand (real
time scanning). Why? Because the virus writers adapted. The viruses
are far nastier. Spam will get far, far nastier.

I have a mailserver I admin that gets the following in spam statistics
.. for yesterday at midnight.

1040 blocked yesterday due to sendmail access.db blocks (the worst
subnet offenders from foreign countries)
20,000 blocked for invalid recipient
124 blocked by RBLs, of which I cannot use all of because their clients
host email servers on DSL / Cable modem connections.
68 blocked by spamassassin for high spam score
2000 greylist 1st attempts
204 greylist passes

They STILL get spam .. but it's blocked almost ALL of the image based
spams, and almost ALL of the pharmaceutical messages, and most of the
nasty porn stuff. And with the bayes poisoning they get, SA wasn't
touching it ..

I agree, greylisting isn't the best thing since sliced bread .. but
with the wild state of things on the Internet, it sure comes close IMO.
Not everyone has a 2.8ghz dual xeon with 4 gigs of ram to dedicate to
spamassassin with OCR recognition.

This email domain name is 10 years old.
It used to run Groupwise 5.2 (ok, so maybe it still does) which the GWIA
is so horribly broken that it will accept email to ANY user (doesn't
relay it, but DOES accept it even if invalid).

So the spammers have dictionary attacked it for SO long that they all
think that asuidewiuwer@thatdomainname is a valid recipient, while it is
not.

Rob

From rpoe at plattesheriff.org Tue Nov 7 19:31:06 2006
From: rpoe at plattesheriff.org (Rob Poe)
Date: Tue Nov 7 19:33:42 2006
Subject: Dictionary Attacks
In-Reply-To: <6.2.3.4.2.20061024170822.0262e660@mail.tireswing.net>
References: <453E5310.3050601@pixelhammer.com> <453E5A99.4030400@solidstatelogic.com> <453E5E6C.2070408@nkpanama.com> <7.0.1.0.0.20061024150124.08445848@1bigthink.com> <453E72D3.4090600@pixelhammer.com> <6.2.3.4.2.20061024170822.0262e660@mail.tireswing.net>
Message-ID: <45508A9C.65ED.00A2.0@plattesheriff.org>

>My frustration with the deluge of spam of late has gotten to the
>point that I'm fairly convinced I will stop the spam filtering on the
>domain of the next user that bitches to me about the spam they're
>getting. Then they can see what spam they've *not* been getting.

Did that for someone. They then complained about the deluge of new
spam. It didn't work.

From mikea at mikea.ath.cx Tue Nov 7 20:12:18 2006
From: mikea at mikea.ath.cx (mikea)
Date: Tue Nov 7 20:12:23 2006
Subject: Greylisting .. nice ..
In-Reply-To: <45508986.65ED.00A2.0@plattesheriff.org>; from rpoe@plattesheriff.org on Tue, Nov 07, 2006 at 01:26:28PM -0600
References: <45508986.65ED.00A2.0@plattesheriff.org>
Message-ID: <20061107141218.D5240@mikea.ath.cx>

On Tue, Nov 07, 2006 at 01:26:28PM -0600, Rob Poe wrote:
> >> > My thoughts so far are this: Why didn't I do this sooner.
> >
> >> It's going to be pointless soon, problem is, as more and more people do
> >> this, it won't be long before the common garden variety spammers smtp
> >> engine will also retry on 4xx errors, I'd give it a year tops (if some of
> >> them are not already doing it)
>
> >My objection to it is not that it doesn't work, but that it makes all
> >genuine mail servers work twice as hard to deliver mail. I like having an
>
> I agree, that the spammers MIGHT try to adapt to this, but at THIS
> MOMENT, it works. Computer tech is moment based. Since when have we
> used virus scanners on Microsoft OS'es that only scan on demand (real
> time scanning). Why? Because the virus writers adapted. The viruses
> are far nastier. Spam will get far, far nastier.
>
> I have a mailserver I admin that gets the following in spam statistics
> .. for yesterday at midnight.
>
> 1040 blocked yesterday due to sendmail access.db blocks (the worst
> subnet offenders from foreign countries)
> 20,000 blocked for invalid recipient
> 124 blocked by RBLs, of which I cannot use all of because their clients
> host email servers on DSL / Cable modem connections.
> 68 blocked by spamassassin for high spam score
> 2000 greylist 1st attempts
> 204 greylist passes
>
> They STILL get spam .. but it's blocked almost ALL of the image based
> spams, and almost ALL of the pharmaceutical messages, and most of the
> nasty porn stuff. And with the bayes poisoning they get, SA wasn't
> touching it ..
>
> I agree, greylisting isn't the best thing since sliced bread ..
> but with the wild state of things on the Internet, it sure comes close IMO.
> Not everyone has a 2.8ghz dual xeon with 4 gigs of ram to dedicate to
> spamassassin with OCR recognition.
>
> This email domain name is 10 years old. It used to run Groupwise 5.2
> (ok, so maybe it still does) which the GWIA is so horribly broken that
> it will accept email to ANY user (doesn't relay it, but DOES accept it
> even if invalid).
>
> So the spammers have dictionary attacked it for SO long that they all
> think that asuidewiuwer@thatdomainname is a valid recipient, while it is
> not.

From my inbound mailfilter's logs, about 1030 local:
$ grep graylist /var/log/maillog | wc -l
2807
$ grep "accepted for delivery" /var/log/maillog | wc -l
2308

Just now, at 1409 local:
grep "accepted for delivery" /var/log/maillog | wc -l && grep graylist /var/log/maillog | wc -l
2642
3115

That's 500 or so mails that graylisting stopped at 10:30, minus the
ones still in the graylisting delay when I pulled the sample. Probably
about 480 mails actually had been stopped then. The difference still
is about 500-ish, and that's mails that the later stages of the filter
(MailScanner, SpamAssassin, and ClamAV) don't have to spend CPU on.

That's in addition to extensive blacklists, a regular-expression-match
milter, and some other stuff, and before the sendmail access database,
MailScanner, SpamAssassin, and ClamAV.

Some days I'm more than a bit amazed that *anything* gets through.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From jwilliams at courtesymortgage.com Tue Nov 7 20:35:19 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Tue Nov 7 20:35:23 2006
Subject: Have a problem here...need some quick advice
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD179@cmexchange01.CourtesyMortgage.local>

I'll get right to it.

I lost part of my mailscanner today. Still doing the research, but I
suspect hardware failure.

In the meantime, while I am rebuilding mailscanner, I need some
suggestions to get postfix working with clamav back.

I have a quick postfix box up and running, but I am not sure how to get
clamav setup to scan the messages.

I am in a little panic mode here so I apologize for the rush sounding
and not doing a thorough search for this.

Thank you for your help.

-Jason

From dave.list at pixelhammer.com Tue Nov 7 20:51:25 2006
From: dave.list at pixelhammer.com (DAve)
Date: Tue Nov 7 20:51:38 2006
Subject: Greylisting .. nice ..
In-Reply-To: <20061107141218.D5240@mikea.ath.cx>
References: <45508986.65ED.00A2.0@plattesheriff.org> <20061107141218.D5240@mikea.ath.cx>
Message-ID: <4550F1CD.9060708@pixelhammer.com>

mikea wrote:
> On Tue, Nov 07, 2006 at 01:26:28PM -0600, Rob Poe wrote:
>>>>> My thoughts so far are this: Why didn't I do this sooner.
>>>> It's going to be pointless soon, problem is, as more and more people do
>>>> this, it won't be long before the common garden variety spammers smtp
>>>> engine will also retry on 4xx errors, I'd give it a year tops (if some of
>>>> them are not already doing it)
>>> My objection to it is not that it doesn't work, but that it makes all
>>> genuine mail servers work twice as hard to deliver mail. I like having an
>>
>> I agree, that the spammers MIGHT try to adapt to this, but at THIS
>> MOMENT, it works. Computer tech is moment based. Since when have we
>> used virus scanners on Microsoft OS'es that only scan on demand (real
>> time scanning). Why? Because the virus writers adapted. The viruses
>> are far nastier. Spam will get far, far nastier.
>>
>> I have a mailserver I admin that gets the following in spam statistics
>> .. for yesterday at midnight.
>>
>> 1040 blocked yesterday due to sendmail access.db blocks (the worst
>> subnet offenders from foreign countries)
>> 20,000 blocked for invalid recipient
>> 124 blocked by RBLs, of which I cannot use all of because their clients
>> host email servers on DSL / Cable modem connections.
>> 68 blocked by spamassassin for high spam score
>> 2000 greylist 1st attempts
>> 204 greylist passes
>>
>> They STILL get spam .. but it's blocked almost ALL of the image based
>> spams, and almost ALL of the pharmaceutical messages, and most of the
>> nasty porn stuff. And with the bayes poisoning they get, SA wasn't
>> touching it ..
>>
>> I agree, greylisting isn't the best thing since sliced bread .. but
>> with the wild state of things on the Internet, it sure comes close IMO.
>> Not everyone has a 2.8ghz dual xeon with 4 gigs of ram to dedicate to
>> spamassassin with OCR recognition.
>>
>> This email domain name is 10 years old. It used to run Groupwise 5.2
>> (ok, so maybe it still does) which the GWIA is so horribly broken that
>> it will accept email to ANY user (doesn't relay it, but DOES accept it
>> even if invalid).
>>
>> So the spammers have dictionary attacked it for SO long that they all
>> think that asuidewiuwer@thatdomainname is a valid recipient, while it is
>> not.
>
> From my inbound mailfilter's logs, about 1030 local:
> $ grep graylist /var/log/maillog | wc -l
> 2807
> $ grep "accepted for delivery" /var/log/maillog | wc -l
> 2308
>
> Just now, at 1409 local:
> grep "accepted for delivery" /var/log/maillog | wc -l && grep graylist /var/log/maillog | wc -l
> 2642
> 3115
>
> That's 500 or so mails that graylisting stopped at 10:30, minus the
> ones still in the graylisting delay when I pulled the sample. Probably
> about 480 mails actually had been stopped then. The difference still
> is about 500-ish, and that's mails that the later stages of the filter
> (MailScanner, SpamAssassin, and ClamAV) don't have to spend CPU on.
>
> That's in addition to extensive blacklists, a regular-expression-match
> milter, and some other stuff, and before the sendmail access database,
> MailScanner, SpamAssassin, and ClamAV.
>
> Some days I'm more than a bit amazed that *anything* gets through.
>

bash# cat /var/log/maillogs/maillog | grep 'stat=queued' | wc -l
33384
bash# cat /var/log/maillogs/maillog | grep 'reject=451' | wc -l
89036
bash# cat /var/log/maillogs/maillog | grep 'auto-whitelisted' | wc -l
8833

That is just one server. I would be buried without Milter-Greylist, I
would be looking for a job without MailScanner.
DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

From jwilliams at courtesymortgage.com Tue Nov 7 20:51:37 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Tue Nov 7 20:51:41 2006
Subject: Have a problem here...need some quick advice
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD17B@cmexchange01.CourtesyMortgage.local>

Another quick note:

I was able to backup all my config files for MailScanner and postfix.

I was running 4.46-6 and postfix 2.2.6

I know there are changes, but anything significant? I am just trying to
get this back up ASAP.

-Jason

From mikej at rogers.com Tue Nov 7 21:19:33 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Tue Nov 7 21:19:21 2006
Subject: OT: Commercial Content Filtering Products
In-Reply-To: <454FB2F6.8060702@adcatanzaro.com>
References: <454FB2F6.8060702@adcatanzaro.com>
Message-ID: <4550F865.4070503@rogers.com>

Derek Catanzaro wrote:
> I'm trying to get an idea of the cost on commercial products that will
> basically do what MailScanner is doing for free. The reason is
> because some vp's would like to know the cost of the commercial
> products. Ultimately I think MailScanner does a great job with the
> proper configs and I would be willing to bet that it does a lot better
> job than a lot of the commercial products you have to pay for. Does
> anyone out there have any product names and annual costs they can
> provide? I've got roughly 3,000 mail users and we are getting about
> 100,000 emails per day.

I am working on such a product myself. It is based on MailScanner and
all the other popular Open Source spam software and runs on FreeBSD. The
difference from a self made OSS product is that it is an all-in-one,
self managed appliance. It features a web interface that lets you tweak
most of the important MS options, as well as some extras not found in MS
such as:

Automatic user detection (for custom login to view reports, manage
quarantine and black/white lists).
Daily quarantine reports sent to users via email.
Active Directory integration, to download local recipient lists and
reject unknown users at the MTA level.
RAID and hardware monitoring.
Automatic updates and upgrades.

While the product is not feature complete yet, I have a number of
clients using it as a test, and they are all happy with it so far. Price
wise, I am shooting for somewhere around $1700 CDN for the product, and
$30/Month for updates. This is however a small/medium version, and is
designed for lower loads (roughly half of what you specified).
A higher end version will simply require better hardware, on which I can
not give you an accurate estimate at this point (my best guess is about
$800 more). The hardware is all quality SuperMicro components, no cheap
desktop components.

If anyone wants more information or screenshots of the interface, feel
free to email me in private. Also, if anyone is brave enough and
willing, I could provide the current product for free (minus hardware
and shipping costs) on a test and feedback basis. You can keep using the
product when/if a final version is released, and if you are not happy
with it for some reason, you can use the hardware for some other
function. It is a stable product, but is not feature complete and ready
for mass production yet.

From steve.roy.wojciechowski at gmail.com Tue Nov 7 23:57:03 2006
From: steve.roy.wojciechowski at gmail.com (Steve Roy-Wojciechowski)
Date: Tue Nov 7 23:57:06 2006
Subject: MailScanner and Exchange 5.5
Message-ID:

I am setting up a MailScanner system that will sit in front of an
Exchange 5.5 server. I had hoped to use milter-ahead but exchange 5.5
blindly accepts mail for the domain without first checking the user. I
was wanting incoming mail to the mailscanner machine to be checked by
exchange and dropped at the incoming point if the user/mailbox doesn't
exist. I am using sendmail on the Linux/MS machine with mail being
forwarded via a mailertable rule. Is there another way of accomplishing
this with either sendmail or mailscanner or even on exchange?

There are approx 100 email addresses. My client will be upgrading to
exchange 2003 sometime, but not in the near future.

Thanks

Steve

From jwilliams at courtesymortgage.com Wed Nov 8 00:01:59 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 00:02:03 2006
Subject: Quick help on getting FreeBSD mailscanner backup
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD180@cmexchange01.CourtesyMortgage.local>

Almost have the box back up, but I am missing something.

After rebuilding the entire box, starting it up, I see this in my logs:

Nov 7 17:29:27 gammaflux2 MailScanner[779]: MailScanner E-Mail Virus Scanner version 4.55.10 starting...
Nov 7 17:29:27 gammaflux2 MailScanner[779]: Read 748 hostnames from the phishing whitelist
Nov 7 17:29:27 gammaflux2 MailScanner[779]: User's home directory /var/spool/postfix is not writable
Nov 7 17:29:27 gammaflux2 MailScanner[779]: You need to set the "SpamAssassin User State Dir" to a directory that the "Run As User" can write to
Nov 7 17:29:28 gammaflux2 MailScanner[779]: Using SpamAssassin results cache
Nov 7 17:29:28 gammaflux2 MailScanner[779]: Could not create SpamAssassin cache database /var/spool/MailScanner/incoming/SpamAssassin.cache.db

I know it is something very simple, but I am missing it. I know I am
rushing and missing easy things.

Here are some settings in my configs:

Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/postfix/hold
Quarantine Dir = /var/spool/MailScanner/quarantine

Appreciate the quick help.

-Jason

From jwilliams at courtesymortgage.com Wed Nov 8 00:10:43 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 00:10:47 2006
Subject: Quick help on getting FreeBSD mailscanner backup
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD182@cmexchange01.CourtesyMortgage.local>

Nevermind. Figured it out. Spoke too quickly.

From KGoods at AIAInsurance.com Wed Nov 8 00:04:36 2006
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Wed Nov 8 00:11:42 2006
Subject: MailScanner and Exchange 5.5
Message-ID: <13C0059880FDD3118DC600508B6D4A6D013D8D3C@aiainsurance.com>

Steve Roy-Wojciechowski wrote:
> I am setting up a MailScanner system that will sit infront of an
> Exchange 5.5 server. I had hoped to use milter-ahead but exchange 5.5
> blindly accepts mail for the domain without first checking the user.
> I was wanting incoming mail to the mailscanner machine to be checked
> by exchange and dropped at the incoming point if the user/mailbox
> doesn't exist. I am using sendmail on the Linux/MS machine with mail
> being forwarded via a mailertable rule. Is there another way of
> accomplishing this with either sendmail or mailscanner or even on
> exchange?
> There are approx 100 email addresses. My client will be upgrading to
> exchange 2003 sometime, but not in the near future.
> Thanks
>
> Steve

Hi Steve,

Easily doable with sendmail's virtusertable. I use it here and it works
a charm. Since I've only got about two hundred email addresses that
don't change that often I usually do it manually. I did however export
the mailboxes from Exchange (5.5) and wrote a little visual basic program
to initially build the list. If you'd like to know more details contact
me off list since this is a little off topic.

HTH!

Kind regards,
Ken

Ken Goods
Network Administrator
AIA/CropUSA Insurance, Inc.

From Jeff.Mills at versacold.com.au Wed Nov 8 00:13:53 2006
From: Jeff.Mills at versacold.com.au (Jeff Mills)
Date: Wed Nov 8 00:12:36 2006
Subject: MailScanner and Exchange 5.5
Message-ID: <197F21E06E4D2A478519EA9078D6AA1C0466D032@poclexch.AU.POCOLD.POCL>

> Is there another way of
> accomplishing this with either sendmail or mailscanner or even on
> exchange?

I'm using postfix/mailscanner in front of exchange, and I use a Perl
script to pull valid email addresses from AD and populate a file for
hashing in postfix.

Some info here:
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users#ms_exchange

Postfix's relay_recipient_maps points to this file, and invalid email
addresses are immediately rejected.

From james at grayonline.id.au Wed Nov 8 00:14:10 2006
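
[Added example, not part of the list thread or of the script on the wiki: one way to generate the file that relay_recipient_maps points to, as described in the message above. It assumes the directory has been exported to LDIF with the proxyAddresses attribute; the function names, the min_entries guard and the sample data are constructed for illustration.]

```python
"""Build a Postfix relay_recipient_maps source file from an LDIF export of
the directory's proxyAddresses attribute. Added example; the LDIF export,
function names and sample data are assumptions, not from the thread."""
import base64
import re

# Constructed sample export. It exercises a folded line, a base64 ("::")
# value, a non-SMTP (X400) address and a domain we do not relay for.
_B64_BOB = base64.b64encode(b"SMTP:bob@example.test").decode("ascii")
SAMPLE_LDIF = (
    "dn: CN=Alice Example,OU=Staff,DC=example,DC=test\n"
    "proxyAddresses: SMTP:Alice.Example@example.test\n"
    "proxyAddresses: smtp:alice@example.test\n"
    "proxyAddresses: X400:c=US;a= ;p=Example;o=HQ;s=Example;g=Alice;\n"
    "\n"
    "dn: CN=Bob Example,OU=Staff,DC=example,DC=test\n"
    "proxyAddresses: smtp:bob.with.a.very.long.alias\n"
    " @example.test\n"
    "proxyAddresses:: " + _B64_BOB + "\n"
    "\n"
    "dn: CN=Partner,OU=Contacts,DC=example,DC=test\n"
    "proxyAddresses: SMTP:partner@elsewhere.test\n"
)

ATTR_RE = re.compile(r"^proxyAddresses(::?)\s*(.*)$", re.IGNORECASE)
# Strict shape check: no whitespace or control characters may reach the
# table, otherwise one directory value could smuggle in extra lookup keys.
ADDR_RE = re.compile(r"^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9.-]+$")


def unfold(ldif_text):
    """Join LDIF continuation lines (lines that begin with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def smtp_addresses(ldif_text):
    """Yield lower-cased SMTP addresses found in proxyAddresses values."""
    for line in unfold(ldif_text):
        match = ATTR_RE.match(line)
        if not match:
            continue
        separator, value = match.groups()
        if separator == "::":  # base64-encoded value
            try:
                value = base64.b64decode(value, validate=True).decode("utf-8")
            except ValueError:  # bad base64 or bad UTF-8: skip the value
                continue
        scheme, _, address = value.partition(":")
        if scheme.lower() == "smtp":  # primary (SMTP:) and aliases (smtp:)
            yield address.strip().lower()


def build_relay_recipient_map(ldif_text, relay_domains, min_entries=1):
    """Return the table text, one 'address<TAB>OK' line per valid recipient.

    Raises ValueError when fewer than min_entries addresses survive, so a
    failed or truncated export never replaces a good table with an empty
    one (which would make the MTA reject every recipient).
    """
    domains = {d.lower() for d in relay_domains}
    keep = set()
    for address in smtp_addresses(ldif_text):
        domain = address.rpartition("@")[2]
        if domain in domains and ADDR_RE.match(address):
            keep.add(address)
    if len(keep) < min_entries:
        raise ValueError(
            f"only {len(keep)} recipients found, expected at least {min_entries}"
        )
    return "".join(f"{address}\tOK\n" for address in sorted(keep))


if __name__ == "__main__":
    print(build_relay_recipient_map(SAMPLE_LDIF, ["example.test"]), end="")
```

[The output is the plain-text source of the lookup table; it still has to be hashed (for example with postmap) before Postfix uses it.]
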
From: james at grayonline.id.au (James Gray)
Date: Wed Nov 8 00:14:29 2006
Subject: Greylisting .. nice ..
In-Reply-To: <20061107141218.D5240@mikea.ath.cx>
References: <45508986.65ED.00A2.0@plattesheriff.org> <20061107141218.D5240@mikea.ath.cx>
Message-ID:

On 08/11/2006, at 7:12 AM, mikea wrote:

> $ grep graylist /var/log/maillog | wc -l
> 2807
> $ grep "accepted for delivery" /var/log/maillog | wc -l
> 2308
>
> Just now, at 1409 local:
> grep "accepted for delivery" /var/log/maillog | wc -l && grep graylist /var/log/maillog | wc -l
> 2642
> 3115

Just a quick observation that has nothing to do with grey listing :)
Most *nix admins I know have broken old habits and no longer do the
old (and unnecessary) "cat | less" in lieu of the more terse "less "
along with other redundant pipes. Similarly "grep" can count matching
lines without the need of piping through "wc" (at least I can confirm
this with Gnu grep...not sure of the others).

grep | wc -l

is effectively the same as

grep -c

"man grep" reveals:
-c, --count
    Suppress normal output; instead print a count of matching lines
    for each input file. With the -v, --invert-match option (see
    below), count non-matching lines.

Not sure how BSD/Solaris/AIX/etc grep does things, but the "-c" option
has been around for ages in Gnu-land and gnu-grep is the standard on
Mac OSX along with all the Linuxes. Usual disclaimers apply and YYMV :)

Cheers,

James

From jwilliams at courtesymortgage.com Wed Nov 8 00:17:06 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 00:17:09 2006
Subject: MailScanner users using latest Postfix
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD183@cmexchange01.CourtesyMortgage.local>

Just a quick question.

Any major changes I need to be aware that might not work with my new
setup? I have noticed a few different things and wasn't sure if it would
affect MailScanner or MTA transactions at all.

I appreciate the help.

-Jason

From jwilliams at courtesymortgage.com Wed Nov 8 00:43:03 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 00:43:13 2006
Subject: MailScanner users using latest Postfix
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local>

Ok...I am back up, for the most part, but have a question.

I see this in my maillog file:

Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/957: uid 125: not a regular file
Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/992: uid 125: not a regular file
Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1026: uid 125: not a regular file
Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1060: uid 125: not a regular file
Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1094: uid 125: not a regular file

That happens after I type: "mailq" at the command line.

I'm sure something is boogered up on my end. At this point, I am
extremely tired and am starting to overlook and make mistakes.

Anyone have an idea? This is probably more directed towards postfix, but
wasn't sure if I missed a config setting somewhere for MS.

Thanks.

-Jason

From drew at technologytiger.net Wed Nov 8 00:44:42 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Nov 8 00:44:46 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD183@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD183@cmexchange01.CourtesyMortgage.local>
Message-ID: <4115A05E-6D1D-41E9-B30F-CF1B42EE9A73@technologytiger.net>

On 8 Nov 2006, at 00:17, Jason Williams wrote:

> Just a quick question.
>
> Any major changes I need to be aware that might not work with my
> new setup?
> I have noticed a few different things and wasn't sure if it would
> affect MailScanner or MTA transactions at all.

Don't think so from the top of my head. There are a few extras that you
can play with in your own time (Like milter support in PF) but providing
you have set your queue depths correctly (You will know if you haven't,
it won't work!) both sides of MailScanner nothing much else has changed
really.

Drew

From jwilliams at courtesymortgage.com Wed Nov 8 01:13:04 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 01:13:12 2006
Subject: MailScanner users using latest Postfix
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD18B@cmexchange01.CourtesyMortgage.local>

> Don't think so from the top of my head. There are a few extras that you
> can play with in your own time (Like milter support in PF) but providing
> you have set your queue depths correctly (You will know if you haven't,
> it won't work!) both sides of MailScanner nothing much else has changed
> really.

Drew

--------

Thanks. I appreciate.

Well, it is accepting and delivering mail, so that is a good thing.
Looks like I need to go through and just comb through the config file
again and set all my settings as needed.

I was not planning on this today, so I apologize for sounding and being
very rushed.

If I can ask a quick question. Is this correct, for settings in
MailScanner.conf?

Should:

Incoming Work Dir = /var/spool/MailScanner/incoming

That right?

From jwilliams at courtesymortgage.com Wed Nov 8 01:28:35 2006
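
[Added example, not part of the list thread: a preflight check for the MailScanner.conf directory settings quoted in the messages above. It rests on the assumption that a work or quarantine directory placed inside an MTA queue directory leaves non-message entries in that queue, which is what the showq "not a regular file" warnings describe; the function names are hypothetical and the writability test applies to whoever runs the script, so run it as the "Run As User".]

```python
"""Preflight check for MailScanner.conf directory settings. Added example;
function names and the overlap rule are assumptions, not from the thread."""
import os
import posixpath

# Directory settings exactly as posted earlier in the thread.
POSTED_CONF = """\
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/postfix/hold
Quarantine Dir = /var/spool/MailScanner/quarantine
"""

QUEUE_KEYS = ("incomingqueuedir", "outgoingqueuedir")   # owned by the MTA
SCRATCH_KEYS = ("incomingworkdir", "quarantinedir")     # owned by the scanner


def parse_conf(text):
    """Parse 'Name = value' lines; names are compared without case/spaces."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings["".join(key.lower().split())] = value.strip()
    return settings


def is_within(path, parent):
    """True if path equals parent or lies below it (purely lexical)."""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return path == parent or path.startswith(parent.rstrip("/") + "/")


def current_user_can_write(path):
    """Writable-directory test for the user running this script."""
    return os.path.isdir(path) and os.access(path, os.W_OK | os.X_OK)


def check_dirs(settings, can_write=current_user_can_write):
    """Return a list of human-readable findings; empty means no objections."""
    findings = []
    for key in QUEUE_KEYS + SCRATCH_KEYS:
        if key not in settings:
            findings.append(f"{key}: not set")
    queues = {k: settings[k] for k in QUEUE_KEYS if k in settings}
    if len(queues) == 2 and len({posixpath.normpath(p) for p in queues.values()}) == 1:
        findings.append("incoming and outgoing queue are the same directory")
    for key in SCRATCH_KEYS:
        path = settings.get(key)
        if path is None:
            continue
        for queue_key, queue_path in queues.items():
            if is_within(path, queue_path):
                findings.append(f"{key} {path} lies inside {queue_key} {queue_path}")
        if not can_write(path):
            findings.append(f"{key} {path} is not a writable directory for this user")
    return findings


if __name__ == "__main__":
    for finding in check_dirs(parse_conf(POSTED_CONF)):
        print("WARNING:", finding)
```
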
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 01:28:43 2006
Subject: Notify Senders question
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD191@cmexchange01.CourtesyMortgage.local>

Something that is odd right now.

I have set up MS to NOT notify any senders if they send a virus, blocked files, blocked content, basically everything.

In a quick test, I sent it from my account to an outside account and noticed that it did not notify me (the sender) which is great. However, it notified the recipient.

Is there a way to disable that?
Or is that built in and should it be that way?

-Thanks

From Dominique.Marant at univ-lille1.fr Wed Nov 8 08:12:47 2006
From: Dominique.Marant at univ-lille1.fr (Dominique Marant)
Date: Wed Nov 8 08:13:23 2006
Subject: ClamAV update
In-Reply-To:
References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> <455051F5.4050304@solidstatelogic.com> <4550A11B.6000002@univ-lille1.fr>
Message-ID: <4551917F.2010800@univ-lille1.fr>

Ugo Bellavance wrote:
> Dominique Marant wrote:
>> I installed install-Clam-0.88.6-SA-3.1.7
>>
>> In virus.scanners.conf :
>> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
>> clamavmodule /bin/false /tmp
>>
>> In MailScanner.conf :
>> Virus Scanners = clamavmodule
>> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
>>
>> It seems that clamav is not automatically updated because I don't see
>> any change in /usr/local/share/clamav/ and I don't see clamav in
>> update.virus.scanners lines in the log.
>>
>> How to configure MailScanner to update ClamAV every day ?
>
> This should be done hourly, automatically.

No, I installed install-Clam-0.88.6-SA-3.1.7 and I ran freshclam yesterday.
And no update since yesterday :

# ls -l /usr/local/share/clamav
total 7000
-rw-r--r-- 1 mail mail 221948 Nov 7 15:00 daily.cvd
-rw-r--r-- 1 mail mail 6924820 Nov 7 15:00 main.cvd

>
>> Could you say me if I have to perform a freshclam by the crontab ?
>
> No, you don't.
>
>> In the MailScanner log, how to see the version of ClamAv using by
>> MailScanner ?
>
> This info is not present in MailScanner's log.
>
>> In the MailScanner log, how to see the version of Spamassassin using
>> by MailScanner ?
>
> This info is not present in MailScanner's log.
>
>> In the MailScanner log, how to see if ClamAV version is OUTDATED ?
>
> This info is not present in MailScanner's log.
>
> See /tmp/ClamAV.update.log
>
>> Thanks in advance
>>
>> Dominique

From martinh at solidstatelogic.com Wed Nov 8 09:15:02 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 8 09:15:15 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local>
Message-ID: <4551A016.2010402@solidstatelogic.com>

Jason Williams wrote:
> Ok...I am back up, for the most part, but have a question.
>
> I see this in my maillog file:
>
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/957: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/992: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1026: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1060: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1094: uid 125: not a regular file
>
> That happens after I type: "mailq" at the command line.
>
> I'm sure something is boogered up on my end.
> At this point, I am extremely tired and am starting to overlook and make
> mistakes.
>
> Anyone have an idea? This is probably more directed towards postfix, but
> wasn't sure if I missed a config setting somewhere for MS.
>
> Thanks.
>
> -Jason
>
> ------------------------------------------------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Jason Williams
> *Sent:* Tuesday, November 07, 2006 4:17 PM
> *To:* MailScanner discussion
> *Subject:* MailScanner users using latest Postfix
>
> Just a quick question.
>
> Any major changes I need to be aware that might not work with my new setup?
> I have noticed a few different things and wasn't sure if it would affect
> MailScanner or MTA transactions at all.
>
> I appreciate the help.
>
> -Jason

Jason

If you've just gone to PF 2.3 from 2.2 or previous, the major change is that PF no longer does split spool directories by default.

Hence why you see 'old' directories in the spool and you've not told PF to do split spool in the main.cf.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From glenn.steen at gmail.com Wed Nov 8 09:26:12 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 09:26:16 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD18B@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD18B@cmexchange01.CourtesyMortgage.local>
Message-ID: <223f97700611080126j15935c41tf95d6012fc3209c4@mail.gmail.com>

On 08/11/06, Jason Williams wrote:
>
> Don't think so from the top of my head. There are a few extras that you
> can play with in your own time (Like milter support in PF) but providing you
> have set your queue depths correctly You will > know if you haven't, it
> won't work!) both sides of MailScanner nothing much else has changed really.
>
> Drew
> --------
>
> Thanks. I appreciate.
> Well, it is accepting and delivering mail, so that is a good thing.
>
> Looks like I need to go through and just comb through the config file again
> and set all my settings as needed.
> I was not planning on this today, so I apologize for sounding and being very
> rushed.
> If I can ask a quick question. Is this correct, for settings in
> MailScanner.conf?
>
> Should:
> Incoming Work Dir = /var/spool/MailScanner/incoming
>
> That right?

Jason, from an earlier mail by you, I couldn't help noticing that you had set the Incoming Work Dir to the postfix hold queue directory... This is, simply put, wrong. Set it to something like /var/spool/MailScanner/incoming ... This is the directory where the MailScanner children "plays" all by their lonesome selves... There will be a subdirectory/process ID (with the PID as name). These subdirectories could potentially confuse the hell out of things, if placed in an active postfix queue.

As it is now, when set to the hold queue, the only postfix commands that are affected are postqueue -p (mailq for short:-) and postsuper, and probably rather mildly. Simply stop MailScanner, adjust MailScanner.conf and fire it up again.

So the quick answer is "yes":-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Nov 8 09:36:02 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 09:36:05 2006
Subject: Notify Senders question
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD191@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD191@cmexchange01.CourtesyMortgage.local>
Message-ID: <223f97700611080136l79831846ud0a50275b1196b30@mail.gmail.com>

On 08/11/06, Jason Williams wrote:
>
> Something that is odd right now.
>
> I have set up MS to NOT notify any senders if they send a virus, blocked
> files, blocked content, basically everything.
>
> In a quick test, I sent it from my account to an outside account and noticed
> that it did not notify me (the sender) which is great. However, it notified
> the recipient.
>
> Is there a way to disable that?
> Or is that built in and should it be that way?
>

Check your settings for
Silent Viruses
Still Deliver Silent Viruses
and possibly some others like
Deliver Disinfected Files

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Nov 8 09:41:09 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 09:41:13 2006
Subject: ClamAV update
In-Reply-To: <4551917F.2010800@univ-lille1.fr>
References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> <455051F5.4050304@solidstatelogic.com> <4550A11B.6000002@univ-lille1.fr> <4551917F.2010800@univ-lille1.fr>
Message-ID: <223f97700611080141u1b3d6950v2bde81189e722803@mail.gmail.com>

On 08/11/06, Dominique Marant wrote:
> Ugo Bellavance wrote:
> > Dominique Marant wrote:
> >> I installed install-Clam-0.88.6-SA-3.1.7
> >>
> >> In virus.scanners.conf :
> >> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
> >> clamavmodule /bin/false /tmp
> >>
> >> In MailScanner.conf :
> >> Virus Scanners = clamavmodule
> >> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
> >>
> >> It seems that clamav is not automatically updated because I don't see
> >> any change in /usr/local/share/clamav/ and I don't see clamav in
> >> update.virus.scanners lines in the log.
> >>
> >> How to configure MailScanner to update ClamAV every day ?
> >
> > This should be done hourly, automatically.
>
> No, I installed install-Clam-0.88.6-SA-3.1.7 and I ran freshclam yesterday.
> And no update since yesterday :
>
> # ls -l /usr/local/share/clamav
> total 7000
> -rw-r--r-- 1 mail mail 221948 Nov 7 15:00 daily.cvd
> -rw-r--r-- 1 mail mail 6924820 Nov 7 15:00 main.cvd
>
(snip)
> > This info is not present in MailScanner's log.
> >
> > See /tmp/ClamAV.update.log

This is the part of Ugo's advice you should pay attention to. Run update_virus_scanners by hand, then check the mail log (to see which scanners it has detected, and tried to update... For this to work with clamavmodule, you need a correct entry for clamav in virus.scanners.conf), as well as the file /tmp/ClamAV.update.log (which holds the output from any, possibly failed, freshclam runs).
Look at that, and report any errors... if you still need help with this;-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From housey at sme-ecom.co.uk Wed Nov 8 09:42:58 2006
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Wed Nov 8 09:43:15 2006
Subject: Could not analyze message
In-Reply-To: <4550BDC7.4050302@solidstatelogic.com>
Message-ID:

Hi Martin

I've set both Debug = yes and Debug SpamAssassin = yes nothing in the logs of any note.

New Batch: Scanning 1 messages, 2080 bytes
Created attachment dirs for 1 messages
SpamAssassin returned 0
Virus and Content Scanning: Starting
Commencing scanning by clamavmodule...
Completed scanning by clamavmodule
Completed checking by /usr/bin/file
Saved entire message to /var/spool/MailScanner/quarantine/20061107/kA3DWXX9018872

I've tried this now with a fresh install of the latest stable version of MailScanner and get the same "Could not analyze message", so I believe the problem is easily reproducible. I can send someone offlist the qf/df pair?

Thanks for your help so far.

Kind Regards

Paul


-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Martin Hepworth
Sent: 07 November 2006 17:09
To: MailScanner discussion
Subject: Re: Could not analyze message


Paul Houselander wrote:
> Hi Martin
>
> Thanks for the debug tip forgot all about that!
>
> I set
>
> Debug = yes
> Debig SpamAssassin = no
>
> and copied the qf/qf pair back into /var/spool/mqueue.in
>
> I started up MailScanner
>
> MailScanner: In Debugging mode, not forking....
>
> The message got quarantined but the debug info didn't really show anything -
> I got a message saying
>
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
>
> But I put some other messages in and got exactly the same problem.
>
> Any other tips :-)
>
> Paul
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Martin Hepworth
> Sent: 07 November 2006 15:02
> To: MailScanner discussion
> Subject: Re: Could not analyze message
>
>
> Paul Houselander wrote:
>> Nope I don't think that's the problem, I've just realised I gave the headers
>> from the released email (I have a little script that releases an email from
>> quarantine), below is the raw qf file data:-
>>
>> Any other ideas, I just can't get this email through unscanned or better
>> still understand why MailScanner can't analyze the message.
>>
>> Cheers
>>
>
> Paul
>
> can you drop this back into the queue and run mailScanner/Spamassassin
> in debug mode? You may then be able to spot what's going awry.
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

Paul
set both options to debug - also check the maillog file

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!


This message has been scanned by the Allteks Mailsafe Service

From glenn.steen at gmail.com Wed Nov 8 09:45:27 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 09:45:30 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <4551A016.2010402@solidstatelogic.com>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local> <4551A016.2010402@solidstatelogic.com>
Message-ID: <223f97700611080145r4040131cs282a0551250f89b8@mail.gmail.com>

On 08/11/06, Martin Hepworth wrote:
(snip)
>
> Jason
> If you've just gone to PF 2.3 from 2.2 or previous that major change is
> that PF no longer does split spool directories by default.
>
> Hence why you see 'old' directories in the spool and you've not told PF
> to do split spool in the main.cf.
>

Nope. The problem is a simple Miss Config in MS...:-D
See my other answer in this thread for details (if you're really interested:).
Good guess though, even if it isn't right;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From housey at sme-ecom.co.uk Wed Nov 8 10:11:14 2006
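[Added example, not part of any post in this thread and not MailScanner or Postfix code.] Glenn Steen's diagnosis above (Incoming Work Dir pointed at the Postfix hold queue, so MailScanner's per-PID subdirectories appear to mailq as "not a regular file") can be checked mechanically. The Python below lints MailScanner.conf for that overlap and pulls the symptom out of the maillog; the stock queue root /var/spool/postfix and the misconfigured path in the sample are assumptions, and the log lines are the ones Jason quoted.

```python
import posixpath
import re

# Assumption: Postfix queue_directory is the stock /var/spool/postfix.
POSTFIX_QUEUE_ROOT = "/var/spool/postfix"

_SETTING = re.compile(r"^\s*([A-Za-z][^=#]*?)\s*=\s*(.*?)\s*$")
_SHOWQ = re.compile(
    r"postfix/showq\[\d+\]: warning: (\w+)/(\S+): uid \d+: not a regular file")


def read_settings(conf_text):
    """Parse 'Name = value' lines of MailScanner.conf, skipping comments."""
    settings = {}
    for line in conf_text.splitlines():
        m = _SETTING.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def is_within(path, parent):
    """True if path equals parent or lies beneath it (lexical check only)."""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return path == parent or path.startswith(parent.rstrip("/") + "/")


def work_dir_problems(conf_text, queue_root=POSTFIX_QUEUE_ROOT):
    """List the ways Incoming Work Dir collides with the MTA's queues."""
    settings = read_settings(conf_text)
    work = settings.get("incoming work dir")
    if not work:
        return ["Incoming Work Dir is not set"]
    problems = []
    for key in ("incoming queue dir", "outgoing queue dir"):
        queue = settings.get(key)
        if queue and (is_within(work, queue) or is_within(queue, work)):
            problems.append("Incoming Work Dir %s overlaps %s %s"
                            % (work, key.title(), queue))
    if is_within(work, queue_root):
        problems.append("Incoming Work Dir %s is inside the Postfix queue "
                        "directory %s" % (work, queue_root))
    return problems


def stray_queue_entries(maillog_text):
    """Return (queue, name) for each showq 'not a regular file' warning."""
    return [m.groups() for m in _SHOWQ.finditer(maillog_text)]


# Constructed sample; the hold-queue path is an assumption, the corrected
# value is the one given in the thread.
BAD_CONF = """\
# MailScanner.conf excerpt
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/postfix/hold
"""
GOOD_CONF = BAD_CONF.replace(
    "Incoming Work Dir = /var/spool/postfix/hold",
    "Incoming Work Dir = /var/spool/MailScanner/incoming")

# Log lines as quoted in the thread.
MAILLOG = """\
Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/957: uid 125: not a regular file
Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/992: uid 125: not a regular file
"""

if __name__ == "__main__":
    for label, conf in (("before", BAD_CONF), ("after", GOOD_CONF)):
        print(label, work_dir_problems(conf) or "ok")
    for queue, name in stray_queue_entries(MAILLOG):
        print("non-file entry in %s queue: %s" % (queue, name))
```

The path check is lexical only, so a work directory that reaches the queue through a symlink would need a realpath comparison on the live host.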
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Wed Nov 8 10:11:18 2006
Subject: Could not analyze message
In-Reply-To:
Message-ID:

Emmm, I was just trying a few things and tried changing the following line in the qf file

H??Content-Type: multipart/mixed

to

H??Content-Type: text/plain; charset="iso-8859-1";format=flowed (I copied from another plain text email I had)

and the message was not quarantined, so it must be this that is causing MailScanner to throw up the "Could not analyze message", the message is just plain text, I don't imagine this is a MailScanner prob as this is the only message that I get with this problem.

Can anyone shed any light on this? could it be a badly written mail client? do you need some other headers when Content-Type: is multipart/mixed?

This is the complete bit of the qf file (after all the received lines)

H??From: "xxxxxxxxxxxxx"
H??Subject: Proof of Delivery
H??To: xxxxxxxxxxxxx
H??Content-Type: multipart/mixed
H??Date: Fri, 3 Nov 2006 13:32:29 +0000
H??Message-ID:
H??X-OriginalArrivalTime: 03 Nov 2006 13:32:29.0639 (UTC) FILETIME=[825D5570:01C6FF4C]

I've just taken a look at another message that is multipart/mixed and it has

Mime-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_Part_1920_10465405.1162980009645"

Which the message that Could not be analyzed does not

Cheers

Paul

From martinh at solidstatelogic.com Wed Nov 8 10:13:52 2006
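[Added example, not part of the thread and not MailScanner's code.] Paul's finding above, a Content-Type of multipart/mixed with no boundary parameter and no Mime-Version header, is something a gateway can test for before it tries to split a message into parts. The Python below assumes the qf header record form shown in his post (H?flags?Name: value, folded lines starting with whitespace), uses constructed sample headers with placeholder addresses, and also checks the boundary length, which the post does not mention.

```python
import re
from email.parser import HeaderParser

# Assumption: sendmail qf header records look like "H?flags?Name: value",
# as in the post ("H??Content-Type: ..."); folded lines start with whitespace.
_H_RECORD = re.compile(r"^H(?:\?[^?]*\?)?(.*)$")


def qf_header_block(qf_text):
    """Extract the message header block from the H records of a qf file."""
    lines, in_header = [], False
    for line in qf_text.splitlines():
        if in_header and line[:1] in (" ", "\t"):
            lines.append(line)  # continuation of the previous H record
            continue
        m = _H_RECORD.match(line)
        in_header = m is not None
        if m:
            lines.append(m.group(1))
    return "\n".join(lines) + "\n\n"


def mime_findings(header_block):
    """Return (severity, text) pairs for structural MIME header problems."""
    msg = HeaderParser().parsestr(header_block)
    findings = []
    if msg.get("Content-Type") is not None and msg.get("MIME-Version") is None:
        findings.append(
            ("warn", "Content-Type present but no MIME-Version header"))
    if msg.get_content_maintype() == "multipart":
        # RFC 2046 makes the boundary parameter mandatory for multipart
        # types; without it the body cannot be divided into parts.
        boundary = msg.get_boundary()
        if boundary is None:
            findings.append(
                ("error", "%s has no boundary parameter" % msg.get_content_type()))
        elif not 1 <= len(boundary) <= 70:
            findings.append(("error", "boundary is not 1-70 characters long"))
    return findings


def can_split_parts(findings):
    """False when the headers promise parts that cannot be located."""
    return all(severity != "error" for severity, _ in findings)


# Constructed samples: header names and values as quoted in the post,
# addresses replaced by placeholders, one header folded to show continuation.
QF_QUARANTINED = (
    'H??From: "sender" <sender@example.invalid>\n'
    "H??Subject: Proof of Delivery\n"
    "H??To: rcpt@example.invalid\n"
    "H??Content-Type: multipart/mixed\n"
    "H??Date: Fri, 3 Nov 2006 13:32:29 +0000\n"
    "H??X-OriginalArrivalTime: 03 Nov 2006 13:32:29.0639 (UTC)\n"
    "\tFILETIME=[825D5570:01C6FF4C]\n"
)
# The edit Paul made by hand to get the message through.
QF_EDITED = QF_QUARANTINED.replace(
    "multipart/mixed", 'text/plain; charset="iso-8859-1";format=flowed')
# The headers of the other multipart/mixed message he compared against.
QF_WELL_FORMED = (
    "H??Mime-Version: 1.0\n"
    "H??Content-Type: multipart/mixed;\n"
    '\tboundary="----=_Part_1920_10465405.1162980009645"\n'
)

if __name__ == "__main__":
    for name, qf in (("quarantined", QF_QUARANTINED), ("edited", QF_EDITED),
                     ("well-formed", QF_WELL_FORMED)):
        found = mime_findings(qf_header_block(qf))
        print(name, "splittable" if can_split_parts(found) else "NOT splittable")
        for severity, text in found:
            print("  %s: %s" % (severity, text))
```

A message that fails can_split_parts is one whose attachments cannot be enumerated, so holding it rather than delivering it unscanned is the fail-closed choice.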
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 8 10:14:20 2006
Subject: Could not analyze message
In-Reply-To:
References:
Message-ID: <4551ADE0.6060102@solidstatelogic.com>

Paul Houselander wrote:
> Hi Martin
>
> I've set both Debug = yes and Debug SpamAssassin = yes nothing in the logs of
> any note.
>
> New Batch: Scanning 1 messages, 2080 bytes
> Created attachment dirs for 1 messages
> SpamAssassin returned 0
> Virus and Content Scanning: Starting
> Commencing scanning by clamavmodule...
> Completed scanning by clamavmodule
> Completed checking by /usr/bin/file
> Saved entire message to
> /var/spool/MailScanner/quarantine/20061107/kA3DWXX9018872
>
> I've tried this now with a fresh install of the latest stable version of
> MailScanner and get the same "Could not analyze message", so I believe the
> problem is easily reproducible. I can send someone offlist the qf/df pair?
>
> Thanks for your help so far.
>
> Kind Regards
>
> Paul

Paul

Send it to Jules - who must be busy with his day job..He also may need remote access to the machine..

mailscanner@ecs.soton.ac.uk

one point can you do a MailScanner -v to see if there's any issues with perl modules??

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From martinh at solidstatelogic.com Wed Nov 8 10:21:13 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Wed Nov 8 10:21:28 2006 Subject: Could not analyze message In-Reply-To: References: Message-ID: <4551AF99.8050003@solidstatelogic.com> Paul Houselander wrote: > Emmm, I was just trying a few things and tried changing the following line > in the qf file > > H??Content-Type: multipart/mixed > > to > > H??Content-Type: text/plain; charset="iso-8859-1";format=flowed (i copied > from another plain text email I had) > > and the message was not quarantined, so it must be this that is causing > MailScanner to throw up the "Could not analyze message", the message is just > plain text, I dont imagine this is a MailScanner prob as this is the only > message that I get with this problem. > > Can anyone shed any light on this? could it be a badly written mail client? > do you need some other headers when Content-Type: is multipart/mixed? > > This is the complete bit of the qf file (after all the recived lines) > > H??From: "xxxxxxxxxxxxx" > H??Subject: Proof of Delivery > H??To: xxxxxxxxxxxxx > H??Content-Type: multipart/mixed > H??Date: Fri, 3 Nov 2006 13:32:29 +0000 > H??Message-ID: > H??X-OriginalArrivalTime: 03 Nov 2006 13:32:29.0639 (UTC) > FILETIME=[825D5570:01C6FF4C] > > Ive just taken a look at another message that is multipart/mixed and it has > > Mime-Version: 1.0 > Content-Type: multipart/mixed; > boundary="----=_Part_1920_10465405.1162980009645" > > Which the message that Could not be analyzed does not > > Cheers > > Paul > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Paul > Houselander > Sent: 08 November 2006 09:43 > To: MailScanner discussion > Subject: RE: Could not analyze message > > > Hi Martin > > Ive set both Debug = yes and Debug SpamAssassin = yes nothing in the logs of > any note. > > New Batch: Scanning 1 messages, 2080 bytes > Created attachment dirs for 1 messages > SpamAssassin returned 0 > Virus and Content Scanning: Starting > Commencing scanning by clamavmodule... > Completed scanning by clamavmodule > Completed checking by /usr/bin/file > Saved entire message to > /var/spool/MailScanner/quarantine/20061107/kA3DWXX9018872 > > Ive tried this now with a fresh install of the latest stable version of > MailScanner and get the same "Could not analyze message", so I believe the > problem is easily reproducible. I can send someone offlist the qf/df pair? > > Thanks for your help so far. > > Kind Regards > > Paul > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Martin > Hepworth > Sent: 07 November 2006 17:09 > To: MailScanner discussion > Subject: Re: Could not analyze message > > > Paul Houselander wrote: >> Hi Martin >> >> Thanks for the debug tip forgot all about that! >> >> I set >> >> Debug = yes >> Debig SpamAssassin = no >> >> and copied the qf/qf pair back into /var/spool/mqueue.in >> >> I started up MailScanner >> >> MailScanner: In Debugging mode, not forking.... >> >> The message got quarantined but the debug info didnt really show > anything - >> I got a message saying >> >> format error: can't find EOCD signature >> at /usr/sbin/MailScanner line 820 >> >> But I put some other messages in and got exactly the same problem. >> >> Any other tips :-) >> >> Paul >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Martin >> Hepworth >> Sent: 07 November 2006 15:02 >> To: MailScanner discussion >> Subject: Re: Could not analyze message >> >> >> Paul Houselander wrote: >>> Nope I dont think thats the problem, ive just realised I gave the headers >>> from the released email (i have a little script that releases an email >> from >>> quarantine), below is the raw qf file data:- >>> >>> Any other ideals, I just cant get this email through unscanned or better >>> still understand why MailScanner cant analyze the message. >>> >>> Cheers >>> >> >> Paul >> >> can you drop this back into the queue and run mailScanner/Spamassassin >> in debug mode? You may then be able to spot whats going awry. >> >> -- >> Martin Hepworth >> Senior Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> >> ********************************************************************** >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they >> are addressed. If you have received this email in error please notify >> the system manager. >> >> This footnote confirms that this email message has been swept >> for the presence of computer viruses and is believed to be clean. >> >> ********************************************************************** >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>>
>> This message has been scanned by the Allteks Mailsafe Service
>>
> Paul
> set both options to debug - also check the maillog file
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>

Paul

looking at RFC2387 which describes all this, I'd say the client is broke. You should get some idea of the client in the headers.

I'd drop Jules an email..he's more used to dealing with rfc stuff and reading them than me..;-)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From shuttlebox at gmail.com Wed Nov 8 13:14:43 2006 From: shuttlebox at gmail.com (shuttlebox) Date: Wed Nov 8 13:14:47 2006 Subject: Greylisting .. nice .. In-Reply-To: References: <45508986.65ED.00A2.0@plattesheriff.org> <20061107141218.D5240@mikea.ath.cx> Message-ID: <625385e30611080514j15781a5cp51dbb7cb9e45fb13@mail.gmail.com> On 11/8/06, James Gray wrote: > Not sure how BSD/Solaris/AIX/etc grep does things, but the "-c" > option has been around for ages in Gnu-land and gnu-grep is the > standard on Mac OSX along with all the Linuxes. Standard Solaris has it: -c Prints only a count of the lines that contain the pat- tern. -- /peter From Dominique.Marant at univ-lille1.fr Wed Nov 8 13:15:38 2006 
From: Dominique.Marant at univ-lille1.fr (Dominique Marant)
Date: Wed Nov 8 13:16:12 2006
Subject: ClamAV update
In-Reply-To: <223f97700611080141u1b3d6950v2bde81189e722803@mail.gmail.com>
References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> <455051F5.4050304@solidstatelogic.com> <4550A11B.6000002@univ-lille1.fr> <4551917F.2010800@univ-lille1.fr> <223f97700611080141u1b3d6950v2bde81189e722803@mail.gmail.com>
Message-ID: <4551D87A.2080602@univ-lille1.fr>

I see the problem !
By default, the install doesn't replace the files in /usr/lib/MailScanner !!

So, in /usr/lib/MailScanner, the files was too old :
-rwxr-xr-x 1 root root 1077 Dec 3 2002 clamav-autoupdate
-rwxr-xr-x 1 root root 2104 Apr 1 2006 clamav-autoupdate.dpkg-dist
-rwxr-xr-x 1 root root 1437 Dec 3 2002 clamav-wrapper
-rwxr-xr-x 1 root root 6157 May 27 21:19 clamav-wrapper.dpkg-dist

and so on for all Virus Scanning ...

Now, it's running successfully and I see the updates in the log.

FOR THE NEXT RELEASES :
I think it would be interesting to replace all the files in /usr/lib/MailScanner by default.

Thanks for all
Dominique

Glenn Steen wrote:
> On 08/11/06, Dominique Marant wrote:
>> Ugo Bellavance wrote:
>> > Dominique Marant wrote:
>> >> I installed install-Clam-0.88.6-SA-3.1.7
>> >>
>> >> In virus.scanners.conf :
>> >> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
>> >> clamavmodule /bin/false /tmp
>> >>
>> >> In MailScanner.conf :
>> >> Virus Scanners = clamavmodule
>> >> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd
>> >>
>> >> It seems that clamav is not automatically updated because I don't see
>> >> any change in /usr/local/share/clamav/ and I don't see clamav in
>> >> update.virus.scanners lines in the log.
>> >>
>> >> How to configure MailScanner to update ClamAV every day ?
>> >
>> > This should be done hourly, automatically.
>>
>> No, I installed install-Clam-0.88.6-SA-3.1.7 and I ran freshclam
>> yesterday.
>> And no update since yesterday :
>>
>> # ls -l /usr/local/share/clamav
>> total 7000
>> -rw-r--r-- 1 mail mail 221948 Nov 7 15:00 daily.cvd
>> -rw-r--r-- 1 mail mail 6924820 Nov 7 15:00 main.cvd
>>
> (snip)
>> > This info is not present in MailScanner's log.
>> >
>> > See /tmp/ClamAV.update.log
> This is the part of Ugo's advice you should pay attention to.
> Run
> update_virus_scanners
> by hand, then check the mail log (to see which scanners it has
> detected, and tried to update... For this to work with clamavmodule,
> you need a correct entry for clamav in virus.scanners.conf), as well
> as the file /tmp/ClamAV.update.log (which holds the output from any,
> possibly failed, freshclam runs).
>
> Look at that, and report any errors... if you still need help with
> this;-)

From jeremy.henty at nec.ac.uk Wed Nov 8 13:25:40 2006
From: jeremy.henty at nec.ac.uk (Jeremy Henty)
Date: Wed Nov 8 13:31:12 2006
Subject: Mailscanner UDP connections
Message-ID: <1098353490jeremy.henty@nec.ac.uk>

Running lsof on a Mailscanner box (an ancient RH7) I see every few seconds a batch of entries like this:

MailScann 19062 postfix 7u IPv4 22883898 UDP *:58004
MailScann 19062 postfix 9u IPv4 22883899 UDP *:58005
MailScann 19062 postfix 10u IPv4 22883900 UDP *:58006
MailScann 19062 postfix 11u IPv4 22883901 UDP *:58007
MailScann 19062 postfix 12u IPv4 22883902 UDP *:58008
MailScann 19062 postfix 13u IPv4 22883903 UDP *:58009
MailScann 19062 postfix 14u IPv4 22883904 UDP *:58010
MailScann 19062 postfix 15u IPv4 22883905 UDP *:58011
MailScann 19062 postfix 16u IPv4 22883906 UDP *:58012
MailScann 19062 postfix 17u IPv4 22883907 UDP *:58013

What is Mailscanner doing that requires these connections? RBL checks?

Regards,

Jeremy Henty

From drew at technologytiger.net Wed Nov 8 14:02:42 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Wed Nov 8 14:02:53 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local>
Message-ID: <53026.194.70.180.170.1162994562.squirrel@www.technologytiger.net>

On Wed, November 8, 2006 00:43, Jason Williams wrote:
> Ok...I am back up, for the most part, but have a question.
>
> I see this in my maillog file:
>
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/957: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/992: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1026: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1060: uid 125: not a regular file
> Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1094: uid 125: not a regular file
>
> That happens after I type: "mailq" at the command line.
>
> I'm sure something is boogered up on my end.
> At this point, I am extremely tired and am starting to overlook and make
> mistakes.
>
> Anyone have an idea? This is probably more directed towards postfix, but
> wasn't sure if I missed a config setting somewhere for MS.

I would suggest there is a razor config file in the hold queue. Just ls -al /var/spool/postfix/hold and have a look. If there is you need to do a little tweaking of your config so SA stops putting the log file there, then delete the file.

Drew

From glenn.steen at gmail.com Wed Nov 8 14:16:37 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 8 14:16:40 2006
Subject: ClamAV update
In-Reply-To: <4551D87A.2080602@univ-lille1.fr>
References: <000d01c701e8$17dbf500$780a000a@northamerica.stortek.com> <455051F5.4050304@solidstatelogic.com> <4550A11B.6000002@univ-lille1.fr> <4551917F.2010800@univ-lille1.fr> <223f97700611080141u1b3d6950v2bde81189e722803@mail.gmail.com> <4551D87A.2080602@univ-lille1.fr>
Message-ID: <223f97700611080616y74dcec19gcb82b6fd64fa37da@mail.gmail.com>

On 08/11/06, Dominique Marant wrote:
> I see the problem !
> By default, the install doesn't replace the files in /usr/lib/MailScanner !!
>
> So, in /usr/lib/MailScanner, the files was too old :
> -rwxr-xr-x 1 root root 1077 Dec 3 2002 clamav-autoupdate
> -rwxr-xr-x 1 root root 2104 Apr 1 2006 clamav-autoupdate.dpkg-dist
> -rwxr-xr-x 1 root root 1437 Dec 3 2002 clamav-wrapper
> -rwxr-xr-x 1 root root 6157 May 27 21:19 clamav-wrapper.dpkg-dist
>
> and so on for all Virus Scanning ...
>
> Now, it's running successfully and I see the updates in the log.
>
> FOR THE NEXT RELEASES :
> I think it would be interesting to replace all the files in
> /usr/lib/MailScanner by default.
>
> Thanks for all
> Dominique

Great that you found it.
I don't rightly know who maintains the Debian package, but this error report should go to that/those person(s)... We'll just hope s/he/they are listening in:-).

One could say that it is an analogous problem to the usual .rpmsave/.rpmnew one:-). Oh well.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Nov 8 14:42:05 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 8 14:42:11 2006 Subject: MailScanner users using latest Postfix In-Reply-To: <53026.194.70.180.170.1162994562.squirrel@www.technologytiger.net> References: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local> <53026.194.70.180.170.1162994562.squirrel@www.technologytiger.net> Message-ID: <223f97700611080642x64608e8cw2a3dca5b5c8e9437@mail.gmail.com> On 08/11/06, Drew Marshall wrote: > On Wed, November 8, 2006 00:43, Jason Williams wrote: > > Ok...I am back up, for the most part, but have a question. > > > > I see this in my maillog file: > > > > Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/957: uid > > 125: not a regular file > > Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/992: uid > > 125: not a regular file > > Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1026: uid > > 125: not a regular file > > Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1060: uid > > 125: not a regular file > > Nov 7 18:15:59 gammaflux2 postfix/showq[1159]: warning: hold/1094: uid > > 125: not a regular file > > > > > > That happens after I type: "mailq" at the command line. > > > > I'm sure something is boogered up on my end. > > At this point, I am extremely tired and am starting to overlook and make > > mistakes. > > > > Anyone have a idea? This is probably more directed towards postfix, but > > wasn't sure if I missed a config setting somewhere for MS. > > I would suggest there is a razor config file in the hold queue. Just ls > -al /var/spool/postfix/hold and have a look. If there is you need to do a > little tweaking of your config so SA stops putting the log file there, > then delete the file. > > Drew Usually I'd agree, but (clued in from another thread by Jason) this time it is because he set the (MailScanner) Incoming Work Dir to be the hold queue... 
So those errors are due to MailScanner writing one directory/child (childs PID as name) into the hold queue, nothing more "sinister" than that:-). Then again, with the speed and ... precision... Jason had while setting this up, the usual problems with bayes, razor etc isn't unlikely, I'll readily agree to that:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From drew at technologytiger.net Wed Nov 8 15:27:05 2006 From: drew at technologytiger.net (Drew Marshall) Date: Wed Nov 8 15:27:19 2006 Subject: MailScanner users using latest Postfix In-Reply-To: <223f97700611080642x64608e8cw2a3dca5b5c8e9437@mail.gmail.com> References: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local> <53026.194.70.180.170.1162994562.squirrel@www.technologytiger.net> <223f97700611080642x64608e8cw2a3dca5b5c8e9437@mail.gmail.com> Message-ID: <53362.194.70.180.170.1162999625.squirrel@www.technologytiger.net> On Wed, November 8, 2006 14:42, Glenn Steen wrote: > > Usually I'd agree, but (clued in from another thread by Jason) this > time it is because he set the (MailScanner) Incoming Work Dir to be > the hold queue... So those errors are due to MailScanner writing one > directory/child (childs PID as name) into the hold queue, nothing more > "sinister" than that:-). Ahh yes, just read that one. Agreed. > > Then again, with the speed and ... precision... Jason had while > setting this up, the usual problems with bayes, razor etc isn't > unlikely, I'll readily agree to that:-). But I suspect in Jason's instance that is some where further down the work stack. It works, time for bed, fix fine details later :-) Now I wonder how many of us have have done that? ;-) Drew From rpoe at plattesheriff.org Wed Nov 8 16:19:12 2006 
From: rpoe at plattesheriff.org (Rob Poe)
Date: Wed Nov 8 16:19:54 2006
Subject: MailScanner and Exchange 5.5
In-Reply-To:
References:
Message-ID: <4551AF20.65ED.00A2.0@plattesheriff.org>

Same problem with a Groupwise 5.2 system. I used sendmail's access.db

user@domain OK
user2@domain OK
@domain 550 Invalid Recipient

>>> "Steve Roy-Wojciechowski" 11/7/2006 5:57 PM >>>
I am setting up a MailScanner system that will sit in front of an Exchange 5.5 server. I had hoped to use milter-ahead but exchange 5.5 blindly accepts mail for the domain without first checking the user. I was wanting incoming mail to the mailscanner machine to be checked by exchange and dropped at the incoming point if the user/mailbox doesn't exist. I am using sendmail on the Linux/MS machine with mail being forwarded via a mailertable rule. Is there another way of accomplishing this with either sendmail or mailscanner or even on exchange? There are approx 100 email addresses. My client will be upgrading to exchange 2003 sometime, but not in the near future.

Thanks
Steve

From glenn.steen at gmail.com Wed Nov 8 16:30:40 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 8 16:30:43 2006 Subject: MailScanner users using latest Postfix In-Reply-To: <53362.194.70.180.170.1162999625.squirrel@www.technologytiger.net> References: <01BCE961CD5E4146B83F920FC6A4F2353FD186@cmexchange01.CourtesyMortgage.local> <53026.194.70.180.170.1162994562.squirrel@www.technologytiger.net> <223f97700611080642x64608e8cw2a3dca5b5c8e9437@mail.gmail.com> <53362.194.70.180.170.1162999625.squirrel@www.technologytiger.net> Message-ID: <223f97700611080830i25b555fbg2bbe47bcc40475f0@mail.gmail.com> On 08/11/06, Drew Marshall wrote: > On Wed, November 8, 2006 14:42, Glenn Steen wrote: > > > > Usually I'd agree, but (clued in from another thread by Jason) this > > time it is because he set the (MailScanner) Incoming Work Dir to be > > the hold queue... So those errors are due to MailScanner writing one > > directory/child (childs PID as name) into the hold queue, nothing more > > "sinister" than that:-). > > Ahh yes, just read that one. Agreed. > > > > > Then again, with the speed and ... precision... Jason had while > > setting this up, the usual problems with bayes, razor etc isn't > > unlikely, I'll readily agree to that:-). > > But I suspect in Jason's instance that is some where further down the work > stack. It works, time for bed, fix fine details later :-) Likely true, yes:). > Now I wonder how many of us have have done that? ;-) Are you suggesting that any of us would be in any way fallible? Naaah.... Or wait....:-D (I wonder what it's going to take to completely erase the memory of me fat-fingering the Non Spam Actions (when I rewrote it for the header "X-Spam..." thingy) so that I delivered quite a few messages directly into the bitbucket... Jules "idiot-proofed" it after that... I still blush, just thinking of it) Or just making do with "working" instead of "working extremely well"... Daily happening... Sigh. 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Nov 8 16:35:11 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 8 16:35:16 2006 Subject: MailScanner and Exchange 5.5 In-Reply-To: <4551AF20.65ED.00A2.0@plattesheriff.org> References: <4551AF20.65ED.00A2.0@plattesheriff.org> Message-ID: <223f97700611080835u9a7b809t29ce42872f107ac0@mail.gmail.com> On 08/11/06, Rob Poe wrote: > Same problem with a Groupwise 5.2 system. I used sendmail's access.db > > user@domain OK > user2@domain OK > @domain 550 Invalid Recipient > > One could likely very easily modify the "postfix perl script" to do this... and ISTR someone having scripted this already (perhaps using a slightly different method) for sendmail, so a search of the list might just turn something up. Best would, of course, be if the one(s) who did that scripting... updated the relevant wiki page with that info. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From binaryflow at gmail.com Wed Nov 8 16:38:43 2006 
From: binaryflow at gmail.com (Douglas Ward)
Date: Wed Nov 8 16:38:51 2006
Subject: Is razor working?
Message-ID:

I have fully configured MailScanner, spamassassin and razor (among many other programs). Everything is in full production. I have followed the documentation on razor.sourceforge.net and everything seems to be working properly. Now that I am scanning through the log files, I don't think MailScanner is using razor. Here are the stats of grep -c in /var/log/mail/info:

PYZOR hits 729 times
DCC hits 5450 times
RAZOR hits 0 times

This doesn't sound right. I will list the relevant portion of spam.assassin.prefs.conf below:

# paths to utilities
pyzor_path /usr/bin/pyzor
dcc_path /usr/bin/dccproc
razor_path /usr/bin/razor-check

Using default timeouts and none of the stop checks are uncommented. I specify the location of razor with the following command:

razor_config /root/.razor

Razor is writing to the log file properly but I don't think MailScanner/spamassassin uses it. How can I make sure that it is being used? Thanks!

From ugob at camo-route.com Wed Nov 8 16:42:05 2006
From: ugob at camo-route.com (Ugo Bellavance) Date: Wed Nov 8 16:43:04 2006 Subject: Heads-up on Sanesecurity ClamAV signatures Message-ID: Hi, I just fixed a problem related to the sanesecurity ClamAV signatures. MailScanner kept on restarting, but I didn't realize it until I saw logwatch reports stating that MailScanner scanned 4 times more messages than it was logging to the MailWatch DB. I deleted the SaneSecurity ClamAV signatures and the messages that kept making MailScanner barf went through w/o problem. Unfortunately, I didn't save the problematic queue files, so I can't send them to SaneSecurity. Therefore, it may help people to know that I had problems with it, but, even more important, think about saving the files and sending them to prevent that. Regards, Ugo From martinh at solidstatelogic.com Wed Nov 8 16:47:00 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Wed Nov 8 16:46:59 2006 Subject: Is razor working? In-Reply-To: References: Message-ID: <45520A04.2090109@solidstatelogic.com> Douglas Ward wrote: > I have fully configured MailScanner, spamassassin and razor (among many > other programs). Everything is in full production. I have followed the > documentation on razor.sourceforge.net > and everything seems to be working properly. Now that I am scanning > through the log files, I don't think MailScanner is using razor. Here > are the stats of grep -c in /var/log/mail/info: > > PYZOR hits 729 times > DCC hits 5450 times > RAZOR hits 0 times > > This doesn't sound right. I will list the relevant portion of > spam.assassin.prefs.conf below: > > # paths to utilities > pyzor_path /usr/bin/pyzor > dcc_path /usr/bin/dccproc > razor_path /usr/bin/razor-check > > Using default timeouts and none of the stop checks are uncommented. I > specify the location of razor with the following command: > > razor_config /root/.razor > > Razor is writing to the log file properly but I don't think > MailScanner/spamassassin uses it. How can I make sure that it is being > used? Thanks! > > Douglas have you installed the plugins for Spamassassin? /etc/mail/spamassassin/*.pre Also make sure the razor config points to a decent directory (ie outside any of the spool areas.) -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From dward at nccumc.org Wed Nov 8 16:50:54 2006 
From: dward at nccumc.org (Douglas Ward) Date: Wed Nov 8 16:50:58 2006 Subject: Is razor working? In-Reply-To: <45520A04.2090109@solidstatelogic.com> References: <45520A04.2090109@solidstatelogic.com> Message-ID: I have v310.pre and v312.pre installed in /etc/mail/spamassassin. I uncommented dcc, razor and pyzor. This being a mandriva server I installed all three using urpmi. I did not install them using cpan. Does that make a difference? The razor config file does not point to any spool directories. On 11/8/06, Martin Hepworth wrote: > > Douglas Ward wrote: > > I have fully configured MailScanner, spamassassin and razor (among many > > other programs). Everything is in full production. I have followed the > > documentation on razor.sourceforge.net > > and everything seems to be working properly. Now that I am scanning > > through the log files, I don't think MailScanner is using razor. Here > > are the stats of grep -c in /var/log/mail/info: > > > > PYZOR hits 729 times > > DCC hits 5450 times > > RAZOR hits 0 times > > > > This doesn't sound right. I will list the relevant portion of > > spam.assassin.prefs.conf below: > > > > # paths to utilities > > pyzor_path /usr/bin/pyzor > > dcc_path /usr/bin/dccproc > > razor_path /usr/bin/razor-check > > > > Using default timeouts and none of the stop checks are uncommented. I > > specify the location of razor with the following command: > > > > razor_config /root/.razor > > > > Razor is writing to the log file properly but I don't think > > MailScanner/spamassassin uses it. How can I make sure that it is being > > used? Thanks! > > > > > Douglas > > have you installed the plugins for Spamassassin? > /etc/mail/spamassassin/*.pre > > Also make sure the razor config points to a decent directory (ie outside > any of the spool areas.) 
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300

From martinh at solidstatelogic.com Wed Nov 8 16:54:41 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Wed Nov 8 16:54:45 2006 Subject: Is razor working? In-Reply-To: References: <45520A04.2090109@solidstatelogic.com> Message-ID: <45520BD1.7020409@solidstatelogic.com> Douglas Ward wrote: > I have v310.pre and v312.pre installed in /etc/mail/spamassassin. I > uncommented dcc, razor and pyzor. This being a mandriva server I > installed all three using urpmi. I did not install them using cpan. > Does that make a difference? The razor config file does not point to > any spool directories. > > On 11/8/06, *Martin Hepworth* > wrote: > > Douglas Ward wrote: > > I have fully configured MailScanner, spamassassin and razor > (among many > > other programs). Everything is in full production. I have > followed the > > documentation on razor.sourceforge.net > > > and everything seems to be working properly. Now that I am scanning > > through the log files, I don't think MailScanner is using > razor. Here > > are the stats of grep -c in /var/log/mail/info: > > > > PYZOR hits 729 times > > DCC hits 5450 times > > RAZOR hits 0 times > > > > This doesn't sound right. I will list the relevant portion of > > spam.assassin.prefs.conf below: > > > > # paths to utilities > > pyzor_path /usr/bin/pyzor > > dcc_path /usr/bin/dccproc > > razor_path /usr/bin/razor-check > > > > Using default timeouts and none of the stop checks are > uncommented. I > > specify the location of razor with the following command: > > > > razor_config /root/.razor > > > > Razor is writing to the log file properly but I don't think > > MailScanner/spamassassin uses it. How can I make sure that it is > being > > used? Thanks! > > > > > Douglas > > have you installed the plugins for Spamassassin? > /etc/mail/spamassassin/*.pre > > Also make sure the razor config points to a decent directory (ie outside > any of the spool areas.) 
> > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > Doug Do a spamassassin -D --lint and it should mention razor etc -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From jwilliams at courtesymortgage.com Wed Nov 8 17:14:02 2006 From: jwilliams at courtesymortgage.com (Jason Williams) Date: Wed Nov 8 17:14:13 2006 Subject: MailScanner users using latest Postfix Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD194@cmexchange01.CourtesyMortgage.local> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: Wednesday, November 08, 2006 1:26 AM To: MailScanner discussion Subject: Re: MailScanner users using latest Postfix On 08/11/06, Jason Williams wrote: > > > > Don't think so from the top of my head. There are a few extras that > you can play with in your own time (Like milter support in PF) but providing you > have set your queue depths correctly You will > know if you haven't, it > won't work!) both sides of MailScanner nothing much else has changed really. > > > Drew > -------- > > Thanks. I appreciate. > Well, it is accepting and delivering mail, so that is a good thing. > > Looks like I need to go through a just comb through the config file > again and set all my settings as needed. > I was not planning on this today, so I apologize for sounding and > being very rushed. > If I can ask a quick question. Is this correct, for settings in > MailScanner.conf? > > Should: > Incoming Work Dir = /var/spool/MailScanner/incoming > > > Thar right? > > >Jason, from am earlier mail by you, I couldn't help noticing that you had set the Incoming Work Dir to the postfiox hold queue directory... >This is, simply put, wrong. > >Set it to something like /var/spool/MailScanner/incoming ... This is the directory where the MailScanner children "plays" all by their lonesome selves... >There will be a subdirectory/process ID (with the PID as name). These subdirectories could potentially confuise the hell out of things, if placed in an >>active postfix queue. As it is now, when set to the hold queue, the only postfix commands that are affected are postqueue -p (mailq for short:-) and >>postsuper, and probably rather mildly. > >Simply stop MailScanner, adjust MailScanner.conf and fire it up again. > >So the quick answer is "yes":-). > Thanks for the help. I can't thank you enough. 
Just so I am sure and have everything correct, let me put down what I have here (still brewing my morning cup of java so bear with me :) ).

Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/postfix/hold
Quarantine Dir = /var/spool/MailScanner/quarantine

Now, I should change Incoming Work Dir to:?

Incoming Work Dir = /var/spool/postfix/incoming

Still get those funny messages in maillog:

Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9317: uid 125: not a regular file
Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9352: uid 125: not a regular file
Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9392: uid 125: not a regular file
Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9439: uid 125: not a regular file
Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9473: uid 125: not a regular file

Doing a quick look at the directory (incoming)

gammaflux2# ls -la /var/spool/postfix/incoming/
total 14
drwx------ 7 postfix wheel 512 Nov 8 10:47 .
drwxr-xr-x 16 root wheel 512 Nov 7 16:10 ..
drwx------ 2 postfix wheel 512 Nov 8 10:44 9317
drwx------ 2 postfix wheel 512 Nov 8 10:47 9352
drwx------ 2 postfix wheel 512 Nov 8 10:44 9392
drwx------ 2 postfix wheel 512 Nov 8 10:44 9439
drwx------ 2 postfix wheel 512 Nov 8 10:46 9473

Are those directories needed?

Thanks again everyone. Really appreciate your help and patience.

Cheers,
-Jason

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From martinh at solidstatelogic.com Wed Nov 8 17:22:59 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Wed Nov 8 17:22:46 2006 Subject: MailScanner users using latest Postfix In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD194@cmexchange01.CourtesyMortgage.local> References: <01BCE961CD5E4146B83F920FC6A4F2353FD194@cmexchange01.CourtesyMortgage.local> Message-ID: <45521273.7090003@solidstatelogic.com> Jason Williams wrote: > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn > Steen > Sent: Wednesday, November 08, 2006 1:26 AM > To: MailScanner discussion > Subject: Re: MailScanner users using latest Postfix > > On 08/11/06, Jason Williams wrote: >> >> > Don't think so from the top of my head. There are a few extras that > >> you can play with in your own time (Like milter support in PF) but > providing you >> have set your queue depths correctly You will > know if you > haven't, it >> won't work!) both sides of MailScanner nothing much else has changed > really. >> >> Drew >> -------- >> >> Thanks. I appreciate. >> Well, it is accepting and delivering mail, so that is a good thing. >> >> Looks like I need to go through a just comb through the config file >> again and set all my settings as needed. >> I was not planning on this today, so I apologize for sounding and >> being very rushed. >> If I can ask a quick question. Is this correct, for settings in >> MailScanner.conf? >> >> Should: >> Incoming Work Dir = /var/spool/MailScanner/incoming >> >> >> Thar right? >> >> >> Jason, from am earlier mail by you, I couldn't help noticing that you > had set the Incoming Work Dir to the postfiox hold queue directory... >> This is, simply put, wrong. >> >> Set it to something like /var/spool/MailScanner/incoming ... This is > the directory where the MailScanner children "plays" all by their > lonesome selves... >There will be a subdirectory/process ID (with the > PID as name). These subdirectories could potentially confuise the hell > out of things, if placed in an >>active postfix queue. As it is now, > when set to the hold queue, the only postfix commands that are affected > are postqueue -p (mailq for short:-) and >>postsuper, and probably > rather mildly. >> Simply stop MailScanner, adjust MailScanner.conf and fire it up again. >> >> So the quick answer is "yes":-). >> > > > Thanks for the help. 
I can't thank you enough. > > Just so I am sure and have everything correct, let me put down what I > have here (still brewing my morning cup of java so bare with me :) ). > > > Incoming Queue Dir = /var/spool/postfix/hold > Outgoing Queue Dir = /var/spool/postfix/incoming > Incoming Work Dir = /var/spool/postfix/hold > Quarantine Dir = /var/spool/MailScanner/quarantine > > > Now, I should change Incoming Work Dir to:? > > Incoming Work Dir = /var/spool/postfix/incoming > > > Still get those funny messages in maillog: > > Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9317: > uid 125: not a regular file > Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9352: > uid 125: not a regular file > Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9392: > uid 125: not a regular file > Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9439: > uid 125: not a regular file > Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9473: > uid 125: not a regular file > > > Doing a quick look at the directory (incoming) > > gammaflux2# ls -la /var/spool/postfix/incoming/ > total 14 > drwx------ 7 postfix wheel 512 Nov 8 10:47 . > drwxr-xr-x 16 root wheel 512 Nov 7 16:10 .. > drwx------ 2 postfix wheel 512 Nov 8 10:44 9317 > drwx------ 2 postfix wheel 512 Nov 8 10:47 9352 > drwx------ 2 postfix wheel 512 Nov 8 10:44 9392 > drwx------ 2 postfix wheel 512 Nov 8 10:44 9439 > drwx------ 2 postfix wheel 512 Nov 8 10:46 9473 > > > Are those directories needed? > > > Thanks again everyone. Really appreciate your help and patience. 
> > Cheers, > > -Jason > Jason create a new dir for the work stuff - this can be a tmpfs on linux and is normally recommended that way -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From jwilliams at courtesymortgage.com Wed Nov 8 17:31:57 2006 From: jwilliams at courtesymortgage.com (Jason Williams) Date: Wed Nov 8 17:32:09 2006 Subject: MailScanner users using latest Postfix Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD195@cmexchange01.CourtesyMortgage.local> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: Wednesday, November 08, 2006 9:23 AM To: MailScanner discussion Subject: Re: MailScanner users using latest Postfix Jason Williams wrote: > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn > Steen > Sent: Wednesday, November 08, 2006 1:26 AM > To: MailScanner discussion > Subject: Re: MailScanner users using latest Postfix > > On 08/11/06, Jason Williams wrote: >> >> > Don't think so from the top of my head. There are a few extras >> that > >> you can play with in your own time (Like milter support in PF) but > providing you >> have set your queue depths correctly You will > know if you > haven't, it >> won't work!) both sides of MailScanner nothing much else has changed > really. >> >> Drew >> -------- >> >> Thanks. I appreciate. >> Well, it is accepting and delivering mail, so that is a good thing. >> >> Looks like I need to go through a just comb through the config file >> again and set all my settings as needed. >> I was not planning on this today, so I apologize for sounding and >> being very rushed. >> If I can ask a quick question. Is this correct, for settings in >> MailScanner.conf? >> >> Should: >> Incoming Work Dir = /var/spool/MailScanner/incoming >> >> >> Thar right? >> >> >> Jason, from am earlier mail by you, I couldn't help noticing that you > had set the Incoming Work Dir to the postfiox hold queue directory... >> This is, simply put, wrong. >> >> Set it to something like /var/spool/MailScanner/incoming ... This is > the directory where the MailScanner children "plays" all by their > lonesome selves... >There will be a subdirectory/process ID (with the > PID as name). These subdirectories could potentially confuise the hell > out of things, if placed in an >>active postfix queue. As it is now, > when set to the hold queue, the only postfix commands that are > affected are postqueue -p (mailq for short:-) and >>postsuper, and > probably rather mildly. >> Simply stop MailScanner, adjust MailScanner.conf and fire it up again. >> >> So the quick answer is "yes":-). >> > > > Thanks for the help. 
I can't thank you enough. > > Just so I am sure and have everything correct, let me put down what I > have here (still brewing my morning cup of java so bare with me :) ). > > > Incoming Queue Dir = /var/spool/postfix/hold Outgoing Queue Dir = > /var/spool/postfix/incoming Incoming Work Dir = > /var/spool/postfix/hold Quarantine Dir = > /var/spool/MailScanner/quarantine > > > Now, I should change Incoming Work Dir to:? > > Incoming Work Dir = /var/spool/postfix/incoming > > > Still get those funny messages in maillog: > > Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9317: > uid 125: not a regular file > Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9352: > uid 125: not a regular file > Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9392: > uid 125: not a regular file > Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9439: > uid 125: not a regular file > Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9473: > uid 125: not a regular file > > > Doing a quick look at the directory (incoming) > > gammaflux2# ls -la /var/spool/postfix/incoming/ total 14 > drwx------ 7 postfix wheel 512 Nov 8 10:47 . > drwxr-xr-x 16 root wheel 512 Nov 7 16:10 .. > drwx------ 2 postfix wheel 512 Nov 8 10:44 9317 > drwx------ 2 postfix wheel 512 Nov 8 10:47 9352 > drwx------ 2 postfix wheel 512 Nov 8 10:44 9392 > drwx------ 2 postfix wheel 512 Nov 8 10:44 9439 > drwx------ 2 postfix wheel 512 Nov 8 10:46 9473 > > > Are those directories needed? > > > Thanks again everyone. Really appreciate your help and patience. > > Cheers, > > -Jason > > >Jason > >create a new dir for the work stuff - this can be a tmpfs on linux and is normally recommended that way > >Martin Hepworth So I can create something as simple as: Incoming Work Dir = /var/spool/postfix/work Put on appropriate permissions. Restart MS and that is it? 
Cheers,

Jason

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From martinh at solidstatelogic.com Wed Nov 8 17:38:46 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 8 17:38:30 2006
Subject: MailScanner users using latest Postfix
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD195@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD195@cmexchange01.CourtesyMortgage.local>
Message-ID: <45521626.9060401@solidstatelogic.com>

Jason Williams wrote:
>
>
> So I can create something as simple as:
>
> Incoming Work Dir = /var/spool/postfix/work
>
> Put on appropriate permissions.
> Restart MS and that is it?
>
> Cheers,
>
> Jason
>
>

Nearly

I suggest /var/spool/mailscanner/work, then you're keeping it well out of postfix's area..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From jwilliams at courtesymortgage.com Wed Nov 8 17:59:08 2006
From: jwilliams at courtesymortgage.com (Jason Williams)
Date: Wed Nov 8 17:59:21 2006
Subject: MailScanner users using latest Postfix
Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD198@cmexchange01.CourtesyMortgage.local>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Wednesday, November 08, 2006 9:39 AM
To: MailScanner discussion
Subject: Re: MailScanner users using latest Postfix

Jason Williams wrote:
>
>
> So I can create something as simple as:
>
> Incoming Work Dir = /var/spool/postfix/work
>
> Put on appropriate permissions.
> Restart MS and that is it?
>
> Cheers,
>
> Jason
>
>
>Nearly
>
>I suggest /var/spool/mailscanner/work, then you're keeping it well out of postfix's area..
>
>--
>Martin Hepworth

That did the trick. Thanks a ton! Now I can relax a bit, fine tune it, go home and get some sleep. :) Many thanks to everyone who helped.

-Jason

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From dward at nccumc.org Wed Nov 8 18:34:58 2006
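[Added example, not part of any list message and not MailScanner's or Postfix's own code.] The rule the "MailScanner users using latest Postfix" thread arrives at, keeping Incoming Work Dir out of every Postfix queue directory, can be checked mechanically and tied back to the showq warnings. The function names, the spool root `/var/spool/postfix` and the sample inputs (constructed from values quoted in the thread) are assumptions of this sketch.

```python
"""Added example: audit MailScanner directory settings against a Postfix spool."""
import re
from pathlib import PurePosixPath

SPOOL_ROOT = "/var/spool/postfix"  # assumption: Postfix queue_directory on this host

# Constructed sample: the settings quoted in the thread, with the work dir
# pointed at a Postfix queue as Jason tried.
SAMPLE_CONF = """\
# MailScanner.conf (excerpt)
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/postfix/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
"""

# Constructed sample: two of the showq warnings quoted in the thread.
SAMPLE_LOG = """\
Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9317: uid 125: not a regular file
Nov 8 10:46:37 gammaflux2 postfix/showq[9478]: warning: incoming/9352: uid 125: not a regular file
"""

SHOWQ_RE = re.compile(
    r"postfix/showq\[\d+\]: warning: (?P<queue>[\w-]+)/(?P<entry>[^\s:]+): "
    r"uid \d+: not a regular file"
)


def parse_conf(text):
    """Return {setting name: value} from 'Name = value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Names are lower-cased and space-collapsed here so lookups are predictable.
        settings[" ".join(name.lower().split())] = value.strip()
    return settings


def is_within(path, parent):
    """True if path equals parent or lies beneath it (lexical check only)."""
    p, q = PurePosixPath(path), PurePosixPath(parent)
    return p == q or q in p.parents


def audit_dirs(settings, spool_root=SPOOL_ROOT):
    """List the ways the work dir collides with Postfix-owned directories."""
    work = settings.get("incoming work dir")
    if work is None:
        return ["Incoming Work Dir is not set"]
    findings = []
    for key in ("incoming queue dir", "outgoing queue dir"):
        queue = settings.get(key)
        if queue and (is_within(work, queue) or is_within(queue, work)):
            findings.append(
                f"Incoming Work Dir {work} overlaps {key.title()} {queue}")
    if is_within(work, spool_root):
        findings.append(
            f"Incoming Work Dir {work} is inside the Postfix spool {spool_root}")
    return findings


def showq_nonfiles(log_text):
    """Group showq 'not a regular file' warnings by queue name."""
    hits = {}
    for match in SHOWQ_RE.finditer(log_text):
        hits.setdefault(match.group("queue"), []).append(match.group("entry"))
    return hits


def queues_explained(settings, log_text, spool_root=SPOOL_ROOT):
    """Queues whose showq warnings are accounted for by where the work dir sits."""
    work = settings.get("incoming work dir")
    if not work:
        return []
    root = PurePosixPath(spool_root)
    return sorted(queue for queue in showq_nonfiles(log_text)
                  if is_within(work, str(root / queue)))


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for finding in audit_dirs(conf):
        print("FINDING:", finding)
    for queue, entries in showq_nonfiles(SAMPLE_LOG).items():
        print(f"showq saw non-files in {queue}: {', '.join(entries)}")
    print("explained by work dir placement:", queues_explained(conf, SAMPLE_LOG))
```

With the work dir moved to `/var/spool/mailscanner/work`, as Martin suggests, `audit_dirs` returns an empty list.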
From: dward at nccumc.org (Douglas Ward) Date: Wed Nov 8 18:35:01 2006 Subject: Is razor working? In-Reply-To: <45520BD1.7020409@solidstatelogic.com> References: <45520A04.2090109@solidstatelogic.com> <45520BD1.7020409@solidstatelogic.com> Message-ID: Lines referencing razor: [24295] dbg: diag: module installed: Razor2::Client::Agent, [24295] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC [24295] dbg: razor2: local tests only, skipping Razor version 2.82 [24295] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf I did not have any warnings during the lint test. On 11/8/06, Martin Hepworth wrote: > > Douglas Ward wrote: > > I have v310.pre and v312.pre installed in /etc/mail/spamassassin. I > > uncommented dcc, razor and pyzor. This being a mandriva server I > > installed all three using urpmi. I did not install them using cpan. > > Does that make a difference? The razor config file does not point to > > any spool directories. > > > > On 11/8/06, *Martin Hepworth* > > wrote: > > > > Douglas Ward wrote: > > > I have fully configured MailScanner, spamassassin and razor > > (among many > > > other programs). Everything is in full production. I have > > followed the > > > documentation on razor.sourceforge.net > > > > > and everything seems to be working properly. Now that I am > scanning > > > through the log files, I don't think MailScanner is using > > razor. Here > > > are the stats of grep -c in /var/log/mail/info: > > > > > > PYZOR hits 729 times > > > DCC hits 5450 times > > > RAZOR hits 0 times > > > > > > This doesn't sound right. I will list the relevant portion of > > > spam.assassin.prefs.conf below: > > > > > > # paths to utilities > > > pyzor_path /usr/bin/pyzor > > > dcc_path /usr/bin/dccproc > > > razor_path /usr/bin/razor-check > > > > > > Using default timeouts and none of the stop checks are > > uncommented. 
I > > > specify the location of razor with the following command: > > > > > > razor_config /root/.razor > > > > > > Razor is writing to the log file properly but I don't think > > > MailScanner/spamassassin uses it. How can I make sure that it is > > being > > > used? Thanks! > > > > > > > > Douglas > > > > have you installed the plugins for Spamassassin? > > /etc/mail/spamassassin/*.pre > > > > Also make sure the razor config points to a decent directory (ie > outside > > any of the spool areas.) > > > > -- > > Martin Hepworth > > Senior Systems Administrator > > Solid State Logic > > Tel: +44 (0)1865 842300 > > > Doug > > Do a spamassassin -D --lint and it should mention razor etc > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061108/fb7af551/attachment.html From jkau at jasper.k12.ga.us Wed Nov 8 21:01:09 2006 
From: jkau at jasper.k12.ga.us (Jason Kau)
Date: Wed Nov 8 21:01:18 2006
Subject: disabling Spam Check for sender reports
Message-ID: <20061108160109.hoo4vfkgw0cswg08@mail.jasper.k12.ga.us>

I apologize if this question has been asked before. I can't figure how to keep sender reports (i.e. Sender Content Report, Sender Bad Filename Report, etc.) generated by MailScanner from being Spam Checked. How do I define a ruleset for "Spam Checks = " that excludes the sender reports given the envelope is not set in the sender report? For example, the headers of a sender report look like:

================================
Return-Path: <>
X-Original-To: astokes@jasper.k12.ga.us
Delivered-To: astokes@jasper.k12.ga.us
Received: by puma.jasper.k12.ga.us (Postfix, from userid 89)
 id 4073413405B; Tue, 7 Nov 2006 10:58:10 -0500 (EST)
From: "Jasper MailScanner"
To: astokes@jasper.k12.ga.us
Subject: Warning: Attachment stripped from email
Message-Id: <20061107155810.4073413405B@puma.jasper.k12.ga.us>
Date: Tue, 7 Nov 2006 10:58:10 -0500 (EST)
X-Jasper-County-Schools-MailScanner-Information: MailScanner+McAfee+ClamAV
X-Jasper-County-Schools-MailScanner: Found to be clean
X-Jasper-County-Schools-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0.9, required 5, BAYES_00 -2.60, NO_RELAYS -0.00, VIRUS_WARNING62 3.50)
X-Jasper-County-Schools-MailScanner-From:
X-Spam-Status: No
================================

This does not appear to match on "From: postmaster@jasper.k12.ga.us".

Thank you for your help.

--
Jason Kau
Consultant
Jasper County Schools
Monticello, GA

From alex at nkpanama.com Wed Nov 8 21:48:37 2006
From: alex at nkpanama.com (Alex Neuman) Date: Wed Nov 8 21:49:14 2006 Subject: Greylisting .. nice .. In-Reply-To: <625385e30611080514j15781a5cp51dbb7cb9e45fb13@mail.gmail.com> References: <45508986.65ED.00A2.0@plattesheriff.org> <20061107141218.D5240@mikea.ath.cx> <625385e30611080514j15781a5cp51dbb7cb9e45fb13@mail.gmail.com> Message-ID: <455250B5.9060709@nkpanama.com> shuttlebox wrote: > On 11/8/06, James Gray wrote: >> Not sure how BSD/Solaris/AIX/etc grep does things, but the "-c" >> option has been around for ages in Gnu-land and gnu-grep is the >> standard on Mac OSX along with all the Linuxes. > > Standard Solaris has it: > > -c Prints only a count of the lines that contain the pat- > tern. > > Old habits die hard... ;) From jimc at laridian.com Wed Nov 8 21:53:31 2006 From: jimc at laridian.com (Jim Coates) Date: Wed Nov 8 21:55:22 2006 Subject: Greylisting with Sendmail and FreeBSD In-Reply-To: <455250B5.9060709@nkpanama.com> Message-ID: <01e801c70380$54dd3970$6401a8c0@zorak> How hard is it to install Greylisting on a machine running FreeBSD, Sendmail and MailScanner? Is there a particular package that you all recommend? I asked our FreeBSD host about it, and they say that they've never used it. An interesting note - Yahoo has started using greylisting on their email accounts. Thanks, Jim From mkettler at evi-inc.com Wed Nov 8 22:12:06 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Nov 8 22:12:15 2006
Subject: Greylisting with Sendmail and FreeBSD
In-Reply-To: <01e801c70380$54dd3970$6401a8c0@zorak>
References: <01e801c70380$54dd3970$6401a8c0@zorak>
Message-ID: <45525636.2010003@evi-inc.com>

Jim Coates wrote:
> How hard is it to install Greylisting on a machine running FreeBSD, Sendmail
> and MailScanner?
>
> Is there a particular package that you all recommend?

I use milter-greylist. It's pretty easy, and its ACL based setup lets you set it up more-or-less any way you want.. greylist by default, or by explicit rule, etc.

The current release candidates also support using dnsrbl's as acl rules, and per-rule over-ride of greylist duration. Putting the two together you can do things like greylist for longer periods of time if they're listed in a DNSRBL. (useful for DNSRBLs with too many FPs to use as outright blacklists).

My current setup is more-or-less:

whitelist
whitelist
greylist spamhaus SBL, 15mins
greylist spamhaus XBL, 1hr
greylist SORBS-WEB, 1hr
greylist SORBS-DUL, 1hr
greylist 1min
greylist 1min
greylist (regex for hosts with no RDNS) 1min
greylist (a few other regexes) 1min
greylist (list of ip's allocated to apnic) 1min
greylist (list of ip's allocated to lacnic) 1min
whitelist default

And that works pretty well. Right now XBL, and more specifically the CBL contributed part of XBL, is taking the lion's share of the hits. Thus far this week:

Spamhaus SBL 3216
Spamhaus XBL (CBL) 12904
Spamhaus XBL (NJABL) 87
SORBS-WEB 141
SORBS-DUL 4071
delayed 1m (others) 2987
default action: 7217
not delayed and delivered (total, incl whitelists) 10390

>
> I asked our FreeBSD host about it, and they say that they've never used it.
>
> An interesting note - Yahoo has started using greylisting on their email
> accounts.

From gdoris at rogers.com Wed Nov 8 23:44:28 2006
From: gdoris at rogers.com (Gerry Doris)
Date: Wed Nov 8 23:44:51 2006
Subject: mailscanner-mrtg graph labels
In-Reply-To: <45509A4E.7090303@USherbrooke.ca>
References: <000b01c6ffa4$a4794c10$670a000a@dorfam.ca> <45509A4E.7090303@USherbrooke.ca>
Message-ID:

On Tue, 7 Nov 2006, Denis Beauchemin wrote:

> Gerry Doris wrote:
>> I upgraded my system from Fedora Core 4 to 6 last weekend. Surprisingly it
>> went quite well. I thought everything was working properly until I noticed
>> that two of the mailscanner-mrtg graphs have their labels messed up. The
>> data looks correct.
>>
>> The two messed up graphs are Mail Transferred and Memory. It is the top
>> level as well as the detail graphs. The vertical legend for each is
>> showing the number scale followed by the letters M,G,T,P spread out into
>> the graph area for each number.
>>
>> This has been working perfectly for ages...I think? Has anyone else
>> noticed this? I'm using 0.10.00. I upgraded to the unstable version 11
>> but it didn't make a difference.
> Gerry,
>
> This looks more like an MRTG problem than a MailScanner-MRTG one because the
> 2 graphs that you are having problems with come from different sources: your
> log files for MTA and SNMP for memory.
>
> Are you sure you didn't mess up the /etc/mrtg/mailscanner-mrtg.cfg file for
> these 2 graphs? This is what I have for the MTA:
> YLegend[mailbytes]: Bytes
> ShortLegend[mailbytes]: bytes
> Legend1[mailbytes]: Average Bytes
> Legend2[mailbytes]:
> Legend3[mailbytes]: Maximum Bytes
> Legend4[mailbytes]:
> LegendI[mailbytes]: :
> LegendO[mailbytes]:
> kilo[mailbytes]: 1024
> kMG[mailbytes]: k,M,G,T,P
>
> If all is OK, then maybe something changed in FC6 and the last 2 lines (kilo
> and kMG) are not having the same effect as they did before.
>
> Denis

I think something changed in FC6. My config file matches yours.

--
Gerry

"The lyfe so short, the craft so long to learne" Chaucer

From taz at taz-mania.com Wed Nov 8 23:54:42 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Wed Nov 8 23:54:46 2006
Subject: Notify Senders question
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD191@cmexchange01.CourtesyMortgage.local>
Message-ID:

I would think that you would want to notify the recipient. If you had a user that sent a virus and didn't know it... then if neither the sender nor recipient was informed, neither would know the email never arrived, or was stripped of an attachment.

On an incoming email since so many of the from addresses of Spam and/or virus senders are bogus, you wouldn't want to notify the sender as that would be as bad as Spamming them. However, for those that come from real senders to your real users, you would want them to know someone is trying to send them something, but it's not getting through instead of it just disappearing (wouldn't you?).

My configuration uses a set of receiving hubs that then forward to the real mail servers, and a different out-going set of servers (smart hosts). I have different rules for each. On the incoming it only notifies the recipients and on the outgoing it notifies the senders too (which are all only internal senders). A sender also cannot spoof their outgoing address because even for local outgoing they must login using SMTP auth and the outgoing server only accepts from our domain, any from that is not our domain is rejected. Also no direct port 25 access is allowed to/from the outside world.

On Tue, 7 Nov 2006 17:28:35 -0800 "Jason Williams" wrote:
>Something that is odd right now.
>
>I have setup MS to NOT notify any senders if they send a virus,
>blocked
>files, blocked content, basically everything.
>
>In a quick test, I sent it from my account to a outside account and
>noticed that it did not notify me (the sender) which is great.
>However,
>it notified the recipient.
>
>Is there a way to disable that?
>Or is that built in and should it be that way?
> >-Thanks > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham (Extra Class): ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From mkettler at evi-inc.com Thu Nov 9 00:13:18 2006 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Nov 9 00:13:27 2006
Subject: Mailscanner UDP connections
In-Reply-To: <1098353490jeremy.henty@nec.ac.uk>
References: <1098353490jeremy.henty@nec.ac.uk>
Message-ID: <4552729E.90808@evi-inc.com>

Jeremy Henty wrote:
> Running lsof on a Mailscanner box (an ancient RH7) I see every few seconds a batch
> of entries like this:
>
> MailScann 19062 postfix 7u IPv4 22883898 UDP *:58004
> MailScann 19062 postfix 9u IPv4 22883899 UDP *:58005
> MailScann 19062 postfix 10u IPv4 22883900 UDP *:58006
> MailScann 19062 postfix 11u IPv4 22883901 UDP *:58007
> MailScann 19062 postfix 12u IPv4 22883902 UDP *:58008
> MailScann 19062 postfix 13u IPv4 22883903 UDP *:58009
> MailScann 19062 postfix 14u IPv4 22883904 UDP *:58010
> MailScann 19062 postfix 15u IPv4 22883905 UDP *:58011
> MailScann 19062 postfix 16u IPv4 22883906 UDP *:58012
> MailScann 19062 postfix 17u IPv4 22883907 UDP *:58013
>
> What is Mailscanner doing that requires these connections? RBL checks?

Possibly..

Also, since MailScanner loads SpamAssassin.pm as a part of itself, any network activity caused by SA tests could be attributed to MailScanner. This could be SA's DNS tests, or DCC.

Really, without the port number for the foreign address, it's hard to guess what it's doing.

>
> Regards,
>
> Jeremy Henty
>
>
>

From mkettler at evi-inc.com Thu Nov 9 00:17:18 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Nov 9 00:17:26 2006
Subject: Mailscanner UDP connections
In-Reply-To: <1098353490jeremy.henty@nec.ac.uk>
References: <1098353490jeremy.henty@nec.ac.uk>
Message-ID: <4552738E.1030700@evi-inc.com>

Jeremy Henty wrote:
> Running lsof on a Mailscanner box (an ancient RH7) I see every few seconds a batch
> of entries like this:
>
> MailScann 19062 postfix 7u IPv4 22883898 UDP *:58004

For what it's worth, I use MailScanner with no RBLs at the MS level, only in SA. I run a local DNS server, and I periodically see this in netstat -anp:

udp 8736 0 127.0.0.1:33867 127.0.0.1:53 ESTABLISHED 18169/MailScanner:

which is the MailScanner process connecting to the local DNS server, presumably for SA RBL lookups.

From vaibhav at ozdocs.net.au Thu Nov 9 00:55:16 2006
From: vaibhav at ozdocs.net.au (Vaibhav Pandey)
Date: Thu Nov 9 00:55:25 2006
Subject: SeLinux Issue with SpamAssassin.cache.db
Message-ID: <200611091155.AA309002912@mail.ozdocs.net.au>

Dear All,

I installed MailScanner 4.57 with ClamAv and SpamAssassin 3.1. All working fine without any problem. But my SpamAssassin.cache.db is not caching anything, hence I am still getting spam. In my /var/log/messages I am getting the following line each time when MailScanner is trying to add something to cache.db. Please help me.

Nov 9 04:27:24 mgate kernel: audit(1163006844.338:6247): avc: denied { read write } for pid=15114 comm="su" name="SpamAssassin.cache.db" dev=dm-0 ino=17990086 scontext=system_u:system_r:initrc_su_t:s0 tcontext=root:object_r:var_spool_t:s0 tclass=file

Here mgate: is name of the Host

With best regards,
Webb.

From azher at niit.edu.pk Thu Nov 9 01:52:26 2006
From: azher at niit.edu.pk (Azher Amin) Date: Thu Nov 9 01:52:49 2006 Subject: FuzzyOCR Message-ID: <455289DA.6070500@niit.edu.pk> Hi, I am using MailScanner on Debian and its working fine. To test the image spams i installed the FuzzyOCR and the related packages as listed on the mailscanner wiki. However I just received an email with image which can be seen here : http://www.niit.edu.pk/~azher/pict63.gif .It is just 6KB in size. I then added the words from this image to /etc/mail/spamassassin/FuzzyOcr.words, restarted mailscanner and again tried sending to another local account, but the image slipped again. Can some one plz guide why MailScanner missed the attachment and how i can tweak to catch images like above. Regards Azher Amin -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From csweeney at osubucks.org Thu Nov 9 01:59:15 2006 
From: csweeney at osubucks.org (Chris Sweeney) Date: Thu Nov 9 01:59:26 2006 Subject: FuzzyOCR In-Reply-To: <455289DA.6070500@niit.edu.pk> References: <455289DA.6070500@niit.edu.pk> Message-ID: <45528B73.4030209@osubucks.org> You might want to post this in the FuzzyOCR mailing list. This isn't really a function of MailScanner FuzzyOCR is a SpamAssassin tool. Did you run spamassassin -x -D --lint ? Does it show that its picking up the FuzzyOCR plugin? Azher Amin wrote: > Hi, > > I am using MailScanner on Debian and its working fine. To test the > image spams i installed the FuzzyOCR and the related packages as > listed on the mailscanner wiki. However I just received an email with > image which can be seen here : > http://www.niit.edu.pk/~azher/pict63.gif .It is just 6KB in size. I > then added the words from this image to > /etc/mail/spamassassin/FuzzyOcr.words, restarted mailscanner and again > tried sending to another local account, but the image slipped again. > > Can some one plz guide why MailScanner missed the attachment and how i > can tweak to catch images like above. > > Regards > Azher Amin > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5188 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061108/39fdd07a/smime.bin From azher at niit.edu.pk Thu Nov 9 02:23:30 2006 
From: azher at niit.edu.pk (Azher Amin) Date: Thu Nov 9 02:23:54 2006 Subject: FuzzyOCR In-Reply-To: <45528B73.4030209@osubucks.org> References: <455289DA.6070500@niit.edu.pk> <45528B73.4030209@osubucks.org> Message-ID: <45529122.2030002@niit.edu.pk> Sure I will email on FuzzyOCR list. SpamAssin is picking the plugin : Output from spamassassin -x -D --lint: [26334] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf [26888] dbg: plugin: fixed relative path: /etc/mail/spamassassin/FuzzyOcr.pm [26888] dbg: plugin: loading FuzzyOcr from /etc/mail/spamassassin/FuzzyOcr.pm [26888] dbg: plugin: registered FuzzyOcr=HASH(0x881bcf8) [26888] dbg: plugin: FuzzyOcr=HASH(0x881bcf8) implements 'parse_config' Regards Azher Chris Sweeney wrote: > You might want to post this in the FuzzyOCR mailing list. This isn't > really a function of MailScanner FuzzyOCR is a SpamAssassin tool. > > Did you run spamassassin -x -D --lint ? Does it show that its picking > up the FuzzyOCR plugin? > > Azher Amin wrote: > >> Hi, >> >> I am using MailScanner on Debian and its working fine. To test the >> image spams i installed the FuzzyOCR and the related packages as >> listed on the mailscanner wiki. However I just received an email with >> image which can be seen here : >> http://www.niit.edu.pk/~azher/pict63.gif .It is just 6KB in size. I >> then added the words from this image to >> /etc/mail/spamassassin/FuzzyOcr.words, restarted mailscanner and again >> tried sending to another local account, but the image slipped again. >> >> Can some one plz guide why MailScanner missed the attachment and how i >> can tweak to catch images like above. >> >> Regards >> Azher Amin >> >> >> -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From csweeney at osubucks.org Thu Nov 9 02:30:58 2006 
From: csweeney at osubucks.org (Chris Sweeney)
Date: Thu Nov 9 02:31:09 2006
Subject: FuzzyOCR
In-Reply-To: <45529122.2030002@niit.edu.pk>
References: <455289DA.6070500@niit.edu.pk> <45528B73.4030209@osubucks.org> <45529122.2030002@niit.edu.pk>
Message-ID: <455292E2.4040204@osubucks.org>

Well sorry I can't help more I'm new with FuzzyOCR myself only been using it for 2 weeks now, one week on a test machine and one in production now. It's been a wonderful tool. It's been catching so much I'd say 99% of that dang image SPAM. It's far from perfect and I know from the mailing list it will always need tweaked, but so far so good.

Azher Amin wrote:
> Sure I will email on FuzzyOCR list. SpamAssin is picking the plugin :
>
> Output from spamassassin -x -D --lint:
>
> [26334] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf
>
> [26888] dbg: plugin: fixed relative path:
> /etc/mail/spamassassin/FuzzyOcr.pm
> [26888] dbg: plugin: loading FuzzyOcr from
> /etc/mail/spamassassin/FuzzyOcr.pm
> [26888] dbg: plugin: registered FuzzyOcr=HASH(0x881bcf8)
> [26888] dbg: plugin: FuzzyOcr=HASH(0x881bcf8) implements 'parse_config'
>
> Regards
> Azher
>
>
> Chris Sweeney wrote:
>> You might want to post this in the FuzzyOCR mailing list. This isn't
>> really a function of MailScanner FuzzyOCR is a SpamAssassin tool.
>>
>> Did you run spamassassin -x -D --lint ? Does it show that its picking
>> up the FuzzyOCR plugin?
>>
>> Azher Amin wrote:
>>
>>> Hi,
>>>
>>> I am using MailScanner on Debian and its working fine. To test the
>>> image spams i installed the FuzzyOCR and the related packages as
>>> listed on the mailscanner wiki. However I just received an email with
>>> image which can be seen here :
>>> http://www.niit.edu.pk/~azher/pict63.gif .It is just 6KB in size. I
>>> then added the words from this image to
>>> /etc/mail/spamassassin/FuzzyOcr.words, restarted mailscanner and again
>>> tried sending to another local account, but the image slipped again.
>>>
>>> Can some one plz guide why MailScanner missed the attachment and how i
>>> can tweak to catch images like above.
>>>
>>> Regards
>>> Azher Amin
>>>
>>>
>>>
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5188 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061108/3cedffcd/smime.bin

From ajos1 at onion.demon.co.uk Thu Nov 9 02:54:54 2006
From: ajos1 at onion.demon.co.uk (ajos1@onion.demon.co.uk)
Date: Thu Nov 9 02:55:00 2006
Subject: FuzzyOCR
Message-ID:

-

Same as Sweeny... I have only recently installed it... and not managed to test or tweak it...

You will get a basic idea of what is being found by doing:

gocr pict63.gif

Some words are very clear... others not so clear... lots of "r"s being interpreted as "c"...

I will do some testing for you later on...

-----Original Message-----
From: MailScanner discussion References: Message-ID: <4552A12B.7050508@niit.edu.pk>

Interesting, the output is below. After this I added one of the words 'Ejaculate' in the /etc/mail/spamassassin/FuzzyOcr.words, but even then mailscanner is not recognizing it ..... is there any way that i can check whether the SpamAssassin is really using the FuzzyOCR ?? coz i doubt that SpamAssassin is not using the FuzzyOCR plugin.

Regards
Azher Amin

ns3:/opt/MailScanner/etc# gocr /home/azher/pict63.gif
_ _ Elevate sex drive to ne w levels - pe_orm I_ke a profess_onal w_th your pa _ner, She'IIloveyournewfoundsexdr_ve! _ Maintainerectionsforlonqerperiods-penetrateyourpa_nerforhoursonend! _ Raise ejaculation volu m e - Ejaculate I_ke a Pornstar_n enorm ous quant_t_es! _ Help users realize a ne w deqree of sexual confidence and control-reaI_ze total and absolutepoweranddom_nat_on_nbed w_thyourpa_ner,w_thyournew-found Den_ss_zeandsexuaIDe_ormance! Name PatcheS Reqular Now Steel p ac _ 10 patc he 8 S_9.95 _49.95 Fcee shipping Sil _ r p ac _ 25 patc he 8 S129.95 _99.95 Fcee shipping 8n d hld pac _ 40 patche8 S189.95 _l49.95 execcise _8nu8l Platin _ p ac _ 65 patc he g S259.95 _l99.95 inClUded

ajos1@onion.demon.co.uk wrote:
> -
>
> Same as Sweeny... I have only recently installed it... and not managed to test or tweak it...
>
> You will get a basic idea of what is being found by doing:
>
> gocr pict63.gif
>
> Some words are very clear... others not so clear... lots of "r"s being intepreted as "c"...
>
> I will do some testing for you later on...
>
>
> -----Original Message-----
> From: MailScanner discussion Subj: FuzzyOCR
> Date: Wed, 08 Nov 2006 17:52:26 -0800
>
> Hi,
>
> I am using MailScanner on Debian and its working fine. To test the image
> spams i installed the FuzzyOCR and the related packages as listed on the
> mailscanner wiki. However I just received an email with image which can
> be seen here : http://www.niit.edu.pk/~azher/pict63.gif .It is just 6KB
> in size. I then added the words from this image to
> /etc/mail/spamassassin/FuzzyOcr.words, restarted mailscanner and again
> tried sending to another local account, but the image slipped again.
>
> Can some one plz guide why MailScanner missed the attachment and how i
> can tweak to catch images like above.
>
> Regards
> Azher Amin
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From a.peacock at chime.ucl.ac.uk Thu Nov 9 08:44:23 2006
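Added example, not part of any message in this thread and not FuzzyOCR's own code: a Python sketch of why a word list checked against gocr output like the above needs approximate matching, since the OCR swaps letters ("Fcee"), drops them ("pe_orm") and splits words ("ne w"). The sample text is fragments of the gocr output quoted above; the function names and the 0.25 error ratio are assumptions made for this illustration.

```python
import re

# Constructed sample: three fragments copied from the gocr output in the thread.
OCR_TEXT = (
    "pe_orm I_ke a profess_onal w_th your pa _ner "
    "Help users realize a ne w deqree "
    "Fcee shipping Sil _ r p ac _ 25 patc he 8"
)


def exact_hits(words, ocr_text):
    """Naive check: a word hits only if it appears as a whole OCR token."""
    tokens = set(ocr_text.lower().split())
    return [w for w in words if w.lower() in tokens]


def normalise(text):
    """Keep letters only, so spaces the OCR inserted ('ne w', 'patc he')
    and its '_' placeholders no longer break a word apart."""
    return re.sub(r"[^a-z]", "", text.lower())


def approx_substring_distance(word, text):
    """Smallest edit distance between `word` and any substring of `text`
    (Sellers' variant of the Levenshtein table: row 0 is all zeros, so a
    match may start at any position in the text)."""
    prev = [0] * (len(text) + 1)
    for i, wc in enumerate(word, 1):
        cur = [i]
        for j, tc in enumerate(text, 1):
            cur.append(min(prev[j] + 1,                # character missing in text
                           cur[j - 1] + 1,             # extra character in text
                           prev[j - 1] + (wc != tc)))  # match or substitution
        prev = cur
    return min(prev)


def scan(words, ocr_text, max_error_ratio=0.25):
    """Return {word: (distance, hit)}; a word hits when its best distance is
    within max_error_ratio of its length (assumed ratio, rounded down)."""
    haystack = normalise(ocr_text)
    result = {}
    for word in words:
        needle = normalise(word)
        distance = approx_substring_distance(needle, haystack)
        result[word] = (distance, distance <= int(len(needle) * max_error_ratio))
    return result


if __name__ == "__main__":
    wordlist = ["shipping", "free", "new", "degree",
                "professional", "patches", "perform"]
    print("exact token hits:", exact_hits(wordlist, OCR_TEXT))
    for word, (distance, hit) in scan(wordlist, OCR_TEXT).items():
        print(f"{word:13s} distance={distance} hit={hit}")
```

Dropping the spaces also lets short words match across word boundaries, so a scanner built this way needs a minimum word length or a per-word error limit to keep false positives down.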
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Thu Nov 9 08:45:04 2006
Subject: FuzzyOCR
In-Reply-To: <4552A12B.7050508@niit.edu.pk>
References: <4552A12B.7050508@niit.edu.pk>
Message-ID: <4552EA67.9060305@chime.ucl.ac.uk>

Hi,

Azher Amin wrote:
> Interesting, the output is below. After this I added on of the word
> 'Ejaculate' in the /etc/mail/spamassassin/FuzzyOcr.words, but even then
> mailscanner is not recognizing it ..... is there any way that i can
> check whether the spamassasin is really using the FuzzyOCR ?? coz i
> doubt that spamassain is not using the FuzzyOCR pluggin.
>

To test SpamAssassin save the complete email (not just the image) to a text file and run it through SpamAssassin in test mode.

spamassassin -t < email.txt

This will show the tests that hit on the email. To get a fuller output use debug mode:

spamassassin -t -D < email.txt

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw

From glenn.steen at gmail.com Thu Nov 9 09:51:43 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 9 09:51:47 2006
Subject: Is razor working?
In-Reply-To:
References: <45520A04.2090109@solidstatelogic.com> <45520BD1.7020409@solidstatelogic.com>
Message-ID: <223f97700611090151rca8b6bft1f1e1f6c7279f923@mail.gmail.com>

On 08/11/06, Douglas Ward wrote:
> Lines referencing razor:
>
> [24295] dbg: diag: module installed: Razor2::Client::Agent,
> [24295] dbg: plugin: loading
> Mail::SpamAssassin::Plugin::Razor2 from @INC
> [24295] dbg: razor2: local tests only, skipping Razor
> version 2.82
> [24295] dbg: config: read file
> /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf
>
> I did not have any warnings during the lint test.
>

That version of SA will only load the module(s) and test for syntax errors, not actually try to perform any network tests. Save a complete message (headers and body) to a file and run it through like this

spamassassin -t < /path/to/message/file

or

spamassassin -t -D < /path/to/message/file

for more details.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Nov 9 10:19:30 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 9 10:19:33 2006
Subject: disabling Spam Check for sender reports
In-Reply-To: <20061108160109.hoo4vfkgw0cswg08@mail.jasper.k12.ga.us>
References: <20061108160109.hoo4vfkgw0cswg08@mail.jasper.k12.ga.us>
Message-ID: <223f97700611090219i3de3a2fev8a1a1bd960f2ad21@mail.gmail.com>

On 08/11/06, Jason Kau wrote:
> I apologize if this question has been asked before.
>
> I can't figure how to keep sender reports (i.e. Sender Content Report,
> Sender Bad Filename Report, etc.) generated by MailScanner being Spam
> Checked. How do define a ruleset for "Spam Checks = " that excludes
> the sender reports given the envelope is not set in the sender report?
> For example, the headers of a sender report look like:
>
> ================================
> Return-Path: <>
> X-Original-To: astokes@jasper.k12.ga.us
> Delivered-To: astokes@jasper.k12.ga.us
> Received: by puma.jasper.k12.ga.us (Postfix, from userid 89)
> id 4073413405B; Tue, 7 Nov 2006 10:58:10 -0500 (EST)
> From: "Jasper MailScanner"
> To: astokes@jasper.k12.ga.us
> Subject: Warning: Attachment stripped from email
> Message-Id: <20061107155810.4073413405B@puma.jasper.k12.ga.us>
> Date: Tue, 7 Nov 2006 10:58:10 -0500 (EST)
> X-Jasper-County-Schools-MailScanner-Information: MailScanner+McAfee+ClamAV
> X-Jasper-County-Schools-MailScanner: Found to be clean
> X-Jasper-County-Schools-MailScanner-SpamCheck: not spam,
> SpamAssassin (not cached, score=0.9, required 5, BAYES_00 -2.60,
> NO_RELAYS -0.00, VIRUS_WARNING62 3.50)
> X-Jasper-County-Schools-MailScanner-From:
> X-Spam-Status: No
> ================================
>
> This does not appear to match on "From: postmaster@jasper.k12.ga.us".
>
> Thank you for your help.
>

Likely the sender is the "empty sender" <> (as per RFC). And you should definitely not try and whitelist that. Indeed, you shouldn't whitelist using addresses alone, at all, period. They would be far too easy to forge. Use the IP address of the sending server instead.

Now, why do you _need_ these to be whitelisted?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Nov 9 10:33:27 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 9 10:33:30 2006
Subject: Notify Senders question
In-Reply-To:
References: <01BCE961CD5E4146B83F920FC6A4F2353FD191@cmexchange01.CourtesyMortgage.local>
Message-ID: <223f97700611090233y39ac7680mb0651b4a51f77078@mail.gmail.com>

On 09/11/06, Dennis Willson wrote:
> I would think that you would want to notify the recipient.
> If you had a user that sent a virus and didn't know it... then if
> neither the sender or recipient was informed, neither would know the
> email never arrived, or was striped of an attachment.

Er, well... that is entirely *policy*, not technology:-). Depending on your setup and "local rules"... your assumptions might not hold true Dennis. And then there is the argument that a notification might be as irritating as any spam... Exactly as you go on...:-).

> On an incoming email since so many of the from addresses of Spam
> and/or virus senders are bogus, you wouldn't want to notify the sender
> as that would be as bad as Spamming them. However, for those that come
> from real senders to your real users, you would want them to know
> someone is trying to send them something, but it's not getting through
> instead of it just disappearing (wouldn't you?).

Well, for certain setups (at least!) they would _never_ really just disappear... They would end up in quarantine and/or logged as stripped... Possibly combined with a quarantine report. So again, that would all depend:-).

> My configuration uses a set of receiving hubs that then forward to the
> real mail servers, and a different out-going set of servers (smart
> hosts). I have different rules for each. On the incoming it only
> notifies the recipients and on the outgoing it notifies the senders
> too (which are all only internal senders) A send also cannot spoof
> their outgoing address because even for local outgoing they must login
> using SMTP auth and the outgoing server only accepts from our domain,
> any from that is not our domain is rejected. Also no direct port 25
> access is allowed to/from the outside world.

Sounds like a nice setup, probably fitting your policy well;-). Mine looks quite different (I won't bore you with the details... again:-), and fit my requirements/policy equally well... Without almost any notifications at all.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Nov 9 10:41:08 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 9 10:41:11 2006
Subject: SeLinux Issue with SpamAssassin.cache.db
In-Reply-To: <200611091155.AA309002912@mail.ozdocs.net.au>
References: <200611091155.AA309002912@mail.ozdocs.net.au>
Message-ID: <223f97700611090241s12ac353cy6462a26f643a5699@mail.gmail.com>

On 09/11/06, Vaibhav Pandey wrote:
> Dear All,
> I installed MailScanner 4.57 with ClamAv and SpamAssasin 3.1. All working fine without any problem.
>
> But my SpamAssasin.cache.db not caching anything hense I am still getting spam.
>
> in my /var/log/messages I am getting the following line each time when MailScanner is trying to add something to cache.db. Please help me.
>
>
> Nov 9 04:27:24 mgate kernel: audit(1163006844.338:6247): avc: denied { read write } for pid=15114 comm="su" name="SpamAssassin.cache.db" dev=dm-0 ino=17990086 scontext=system_u:system_r:initrc_su_t:s0 tcontext=root:object_r:var_spool_t:s0 tclass=file
>
>
> Here mgate: is name of the Host
>

Might be a permission problem. Have you tried stopping MailScanner, removing the SQLite file and starting MailScanner again (thus creating a new cache file, possibly with another owner)? What permissions do you have on it? Can the user you run your MTA/MailScanner as read/write it?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hans at enem.nl Thu Nov 9 12:26:47 2006
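Added example, not part of any message in this thread: a Python parser for the SELinux AVC record quoted in the SpamAssassin.cache.db message above, pulling out the fields the denial was decided on (process domain, file type, object class, permissions). The function names are assumptions made for this illustration; the log line is the one from the thread.

```python
import re

# The denial quoted in the thread (kernel audit record in /var/log/messages).
AVC_LINE = (
    'Nov 9 04:27:24 mgate kernel: audit(1163006844.338:6247): avc: denied '
    '{ read write } for pid=15114 comm="su" name="SpamAssassin.cache.db" '
    'dev=dm-0 ino=17990086 scontext=system_u:system_r:initrc_su_t:s0 '
    'tcontext=root:object_r:var_spool_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or run to the next space.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def split_context(ctx):
    """Split user:role:type[:level]; the level itself may contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) > 3 else None}


def parse_avc(line):
    """Return a dict for an AVC audit line, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "epoch": int(m.group("epoch")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted or bare
    for side in ("scontext", "tcontext"):
        if side in rec:
            rec[side] = split_context(rec[side])
    return rec


def explain(rec):
    """One-line summary of who was refused what, on which object."""
    return (f"{rec['result']}: process '{rec.get('comm', '?')}' in domain "
            f"{rec['scontext']['type']} asked for {', '.join(rec['perms'])} on "
            f"{rec['tclass']} '{rec.get('name', '?')}' labelled "
            f"{rec['tcontext']['type']}")


def te_rule(rec):
    """The type-enforcement rule this denial corresponds to. Whether to
    relabel the file or change policy is a site decision; this only names
    the (source type, target type, class, permissions) tuple involved."""
    return (f"allow {rec['scontext']['type']} {rec['tcontext']['type']}:"
            f"{rec['tclass']} {{ {' '.join(rec['perms'])} }};")


if __name__ == "__main__":
    record = parse_avc(AVC_LINE)
    print(explain(record))
    print(te_rule(record))
```

The record carries no Unix owner or mode bits: the decision it logs was made on the process domain, the file's type label and the object class.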
From: hans at enem.nl (Hans Melgers)
Date: Thu Nov 9 12:27:06 2006
Subject: mailscanner 4.55.10 Freebsd doesnt provide jobnumber in sendmail2 anymore or differently?
Message-ID: <45531E87.3090904@enem.nl>

Hi list,

I'm running MS for years now, ever running flawless on freebsd. Now I'm updating (from ports) to 4.55.10 on freebsd 6.2 pre and see something strange. I'm using the sendmail2 with ms2cgp script to put MS output in my Communigate submitted queue:

Sendmail2 = /usr/local/etc/ms2cgp2

However it seems MS is not providing the job number like it used to:

Nov 9 13:11:06 fb1 MailScanner[51501]: Creating hardcoded struct_flock subroutine for freebsd (BSD-type)
Nov 9 13:11:32 fb1 MailScanner[51430]: New Batch: Scanning 1 messages, 622 bytes
Nov 9 13:11:32 fb1 MailScanner[51430]: Spam Checks: Starting
Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string spam in language translation file
Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string notspam in language translation file
Nov 9 13:11:32 fb1 MailScanner[51430]: Message 51551 from 84.107.145.164 (hans@fb1.enem.nl) is whitelisted
Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string mailscanner in language translation file
Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string unreadablearchive in language translation file
Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string passwordedarchive in language translation file
Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string archivetoodeep in language translation file
Nov 9 13:11:32 fb1 MailScanner[51430]: Virus and Content Scanning: Starting
Nov 9 13:11:34 fb1 MailScanner[51430]: Uninfected: Delivered 1 messages
Nov 9 13:11:34 fb1 ms2cgp[51564]: Job writing to /var/CommuniGate/Submitted/FB11.ms2cgp..51564.tmp
^^ no jobnumber
Nov 9 13:11:34 fb1 ms2cgp[51564]: Open input /var/spool/mqueue/qf failed, dying
^^ no jobnumber

The ms2cgp script is unchanged, qf and df files are there. Anybody knows what's going on, hopefully a workaround ?

Thanks,
Hans

From glenn.steen at gmail.com Thu Nov 9 12:53:03 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 9 12:53:06 2006
Subject: Is razor working?
In-Reply-To: <223f97700611090151rca8b6bft1f1e1f6c7279f923@mail.gmail.com>
References: <45520A04.2090109@solidstatelogic.com> <45520BD1.7020409@solidstatelogic.com> <223f97700611090151rca8b6bft1f1e1f6c7279f923@mail.gmail.com>
Message-ID: <223f97700611090453y5dd1e67di815711ac3004b810@mail.gmail.com>

On 09/11/06, Glenn Steen wrote:
(snip)
> That version of SA will only load the module(s) and test for syntax
> errors, not actually try to perform any network tests.

.... for the --lint option, of course. Jeez, when will I learn to proofread _beforehand_. Sigh.

--
-- Glenn (a.k.a. Le Grand Typo)
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From drolland at kdinet.com Thu Nov 9 12:59:11 2006
From: drolland at kdinet.com (Diane Rolland)
Date: Thu Nov 9 13:00:24 2006
Subject: OT: archive mail functionality for windows?
Message-ID: <014101c703fe$db9d3cc0$9700a8c0@kdinet.local>

Hi all,

We have a custom application that utilizes the archive mail function in MailScanner. Basically any email sent to a particular address is archived in MailScanner. The application then processes the email messages in the Archive directory and integrates them into the application. It also handles the file attachments.

Now, our issue is needing to port this application to Windows. I am not at all familiar with any options that might be available to do this. If someone might have some suggestions, please let me know.

Thank you for your time,
Diane

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061109/817559e5/attachment.html

From martinh at solidstatelogic.com Thu Nov 9 13:05:02 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Nov 9 13:05:09 2006 Subject: OT: archive mail functionality for windows? In-Reply-To: <014101c703fe$db9d3cc0$9700a8c0@kdinet.local> References: <014101c703fe$db9d3cc0$9700a8c0@kdinet.local> Message-ID: <4553277E.9000203@solidstatelogic.com> Diane Rolland wrote: > Hi all, > > We have a custom application that utilizes the archive mail function in > MailScanner. Basically any email sent to a particular address is > archived in MailScanner. The application then processes the email > messages in the Archive directory and integrates them into the > application. It also handles the file attachments. > > Now, our issue is needing to port this application to Windows. I am not > at all familiar with any options that might be available to do this. If > someone might have some suggestions, please let me know. > > Thank you for your time, > Diane > Diane what's the application written in? perl, C ..??? besides 'archiving' the email somewhere else, what else does it do. If it needs to be accessed via windows then why not write a html interface to it then it's available on most platforms. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From dhawal at netmagicsolutions.com Thu Nov 9 13:16:26 2006 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Nov 9 13:16:48 2006 Subject: OT: archive mail functionality for windows? In-Reply-To: <014101c703fe$db9d3cc0$9700a8c0@kdinet.local> References: <014101c703fe$db9d3cc0$9700a8c0@kdinet.local> Message-ID: <45532A2A.1090801@netmagicsolutions.com> Diane Rolland wrote: > Hi all, > > We have a custom application that utilizes the archive mail function in > MailScanner. Basically any email sent to a particular address is > archived in MailScanner. The application then processes the email > messages in the Archive directory and integrates them into the > application. It also handles the file attachments. > > Now, our issue is needing to port this application to Windows. I am not > at all familiar with any options that might be available to do this. If > someone might have some suggestions, please let me know. Windows? Assuming MS Exchange. Not porting but a new application.. have you seen http://www.mailarchiva.com/, they have a GPL product for exchange. - dhawal From drolland at kdinet.com Thu Nov 9 13:16:45 2006 
From: drolland at kdinet.com (Diane Rolland) Date: Thu Nov 9 13:17:57 2006 Subject: OT: archive mail functionality for windows? In-Reply-To: <4553277E.9000203@solidstatelogic.com> Message-ID: <014c01c70401$4fe5ff20$9700a8c0@kdinet.local> Martin Hepworth wrote: > Diane Rolland wrote: >> Hi all, >> >> We have a custom application that utilizes the archive mail function >> in MailScanner. Basically any email sent to a particular address is >> archived in MailScanner. The application then processes the email >> messages in the Archive directory and integrates them into the >> application. It also handles the file attachments. >> >> Now, our issue is needing to port this application to Windows. I am >> not at all familiar with any options that might be available to do >> this. If someone might have some suggestions, please let me know. >> >> Thank you for your time, >> Diane >> > Diane > > what's the application written in? perl, C ..??? The application is in php/mysql. > > besides 'archiving' the email somewhere else, what else does it do. > If it needs to be accessed via windows then why not write a html > interface to it then it's available on most platforms. The archive is just a temporary holding place so that the php application can parse the raw email files in the archive directory. It can take attached documents and them make them available to the web based php/mysql application. The attached documents are not available outside the application (i.e. you cannot browse to them on a file share). > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. 
> > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** Thanks again, Diane From martinh at solidstatelogic.com Thu Nov 9 13:30:46 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Nov 9 13:36:00 2006 Subject: OT: archive mail functionality for windows? In-Reply-To: <014c01c70401$4fe5ff20$9700a8c0@kdinet.local> References: <014c01c70401$4fe5ff20$9700a8c0@kdinet.local> Message-ID: <45532D86.1000207@solidstatelogic.com> Diane Rolland wrote: > Martin Hepworth wrote: >> Diane Rolland wrote: >>> Hi all, >>> >>> We have a custom application that utilizes the archive mail function >>> in MailScanner. Basically any email sent to a particular address is >>> archived in MailScanner. The application then processes the email >>> messages in the Archive directory and integrates them into the >>> application. It also handles the file attachments. >>> >>> Now, our issue is needing to port this application to Windows. I am >>> not at all familiar with any options that might be available to do >>> this. If someone might have some suggestions, please let me know. >>> >>> Thank you for your time, >>> Diane >>> >> Diane >> >> what's the application written in? perl, C ..??? > > The application is in php/mysql. > >> besides 'archiving' the email somewhere else, what else does it do. >> If it needs to be accessed via windows then why not write a html >> interface to it then it's available on most platforms. > > The archive is just a temporary holding place so that the php application > can parse the raw email files in the archive directory. It can take > attached documents and them make them available to the web based php/mysql > application. The attached documents are not available outside the > application (i.e. you cannot browse to them on a file share). > >> -- >> Martin Hepworth >> Senior Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> So why port this to Windows??? you can access the data from Windows, or are you referring to emails that don't pass through mailScanner at any stage. 
perhaps you could be a little more specific about what you want the app to do, that it doesn't do now. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From a.peacock at chime.ucl.ac.uk Thu Nov 9 13:39:53 2006 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Thu Nov 9 13:40:24 2006 Subject: OT: archive mail functionality for windows? In-Reply-To: <014c01c70401$4fe5ff20$9700a8c0@kdinet.local> References: <014c01c70401$4fe5ff20$9700a8c0@kdinet.local> Message-ID: <45532FA9.4050401@chime.ucl.ac.uk> Diane Rolland wrote: > Martin Hepworth wrote: >> Diane Rolland wrote: >>> Hi all, >>> >>> We have a custom application that utilizes the archive mail function >>> in MailScanner. Basically any email sent to a particular address is >>> archived in MailScanner. The application then processes the email >>> messages in the Archive directory and integrates them into the >>> application. It also handles the file attachments. >>> >>> Now, our issue is needing to port this application to Windows. I am >>> not at all familiar with any options that might be available to do >>> this. If someone might have some suggestions, please let me know. >>> >>> Thank you for your time, >>> Diane >>> >> Diane >> >> what's the application written in? perl, C ..??? > > The application is in php/mysql. > >> besides 'archiving' the email somewhere else, what else does it do. >> If it needs to be accessed via windows then why not write a html >> interface to it then it's available on most platforms. > > The archive is just a temporary holding place so that the php application > can parse the raw email files in the archive directory. It can take > attached documents and them make them available to the web based php/mysql > application. The attached documents are not available outside the > application (i.e. you cannot browse to them on a file share). OK! So my question is what do you mean by 'application'? Are your referring to the whole infrastructure including MailScanner or are you just talking about your php app? 
-- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From drolland at kdinet.com Thu Nov 9 13:58:36 2006 
From: drolland at kdinet.com (Diane Rolland) Date: Thu Nov 9 13:59:44 2006 Subject: OT: archive mail functionality for windows? In-Reply-To: <45532FA9.4050401@chime.ucl.ac.uk> Message-ID: <015001c70407$284fd070$9700a8c0@kdinet.local> Anthony Peacock wrote: > Diane Rolland wrote: >> Martin Hepworth wrote: >>> Diane Rolland wrote: >>>> Hi all, >>>> >>>> We have a custom application that utilizes the archive mail >>>> function in MailScanner. Basically any email sent to a particular >>>> address is archived in MailScanner. The application then >>>> processes the email messages in the Archive directory and >>>> integrates them into the application. It also handles the file >>>> attachments. >>>> >>>> Now, our issue is needing to port this application to Windows. I >>>> am not at all familiar with any options that might be available to >>>> do this. If someone might have some suggestions, please let me >>>> know. >>>> >>>> Thank you for your time, >>>> Diane >>>> >>> Diane >>> >>> what's the application written in? perl, C ..??? >> >> The application is in php/mysql. >> >>> besides 'archiving' the email somewhere else, what else does it do. >>> If it needs to be accessed via windows then why not write a html >>> interface to it then it's available on most platforms. >> >> The archive is just a temporary holding place so that the php >> application can parse the raw email files in the archive directory. >> It can take attached documents and them make them available to the >> web based php/mysql application. The attached documents are not >> available outside the application (i.e. you cannot browse to them on >> a file share). > > OK! So my question is what do you mean by 'application'? > > Are your referring to the whole infrastructure including MailScanner > or are you just talking about your php app? 
> > -- > Anthony Peacock > CHIME, Royal Free & University College Medical School > WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ > "If you have an apple and I have an apple and we exchange apples > then you and I will still each have one apple. But if you have an > idea and I have an idea and we exchange these ideas, then each of us > will have two ideas." -- George Bernard Shaw I suppose my challenge is finding a way to get mailed delivered to a filesystem so that the php application can parse the raw mail files. On our Linux platforms we use MailScanner's archive to file functionality to do this. The php will run on either linux or windows web server, so the need I have is how to get the mail delivered to a file location where it is accessible to the php scripts. There isn't necessarily an Exchange server in the picture either, so maybe I'm needing to look at some sort of mail server?? From a.peacock at chime.ucl.ac.uk Thu Nov 9 14:04:44 2006 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Thu Nov 9 14:05:15 2006 Subject: OT: archive mail functionality for windows? In-Reply-To: <015001c70407$284fd070$9700a8c0@kdinet.local> References: <015001c70407$284fd070$9700a8c0@kdinet.local> Message-ID: <4553357C.3010904@chime.ucl.ac.uk> Hi, Diane Rolland wrote: > Anthony Peacock wrote: >> Diane Rolland wrote: >>> Martin Hepworth wrote: >>>> Diane Rolland wrote: >>>>> Hi all, >>>>> >>>>> We have a custom application that utilizes the archive mail >>>>> function in MailScanner. Basically any email sent to a particular >>>>> address is archived in MailScanner. The application then >>>>> processes the email messages in the Archive directory and >>>>> integrates them into the application. It also handles the file >>>>> attachments. >>>>> >>>>> Now, our issue is needing to port this application to Windows. I >>>>> am not at all familiar with any options that might be available to >>>>> do this. If someone might have some suggestions, please let me >>>>> know. >>>>> >>>>> Thank you for your time, >>>>> Diane >>>>> >>>> Diane >>>> >>>> what's the application written in? perl, C ..??? >>> The application is in php/mysql. >>> >>>> besides 'archiving' the email somewhere else, what else does it do. >>>> If it needs to be accessed via windows then why not write a html >>>> interface to it then it's available on most platforms. >>> The archive is just a temporary holding place so that the php >>> application can parse the raw email files in the archive directory. >>> It can take attached documents and them make them available to the >>> web based php/mysql application. The attached documents are not >>> available outside the application (i.e. you cannot browse to them on >>> a file share). >> OK! So my question is what do you mean by 'application'? >> >> Are your referring to the whole infrastructure including MailScanner >> or are you just talking about your php app? 
> > I suppose my challenge is finding a way to get mailed delivered to a > filesystem so that the php application can parse the raw mail files. On our > Linux platforms we use MailScanner's archive to file functionality to do > this. > > The php will run on either linux or windows web server, so the need I have > is how to get the mail delivered to a file location where it is accessible > to the php scripts. > > There isn't necessarily an Exchange server in the picture either, so maybe > I'm needing to look at some sort of mail server?? Ah! That make the situation much simpler. Can't you use something like Samba to make the 'archive' directory on the MailScanner machine available as a Windows share? -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From martinh at solidstatelogic.com Thu Nov 9 14:10:57 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Nov 9 14:11:08 2006 Subject: OT: archive mail functionality for windows? In-Reply-To: <015001c70407$284fd070$9700a8c0@kdinet.local> References: <015001c70407$284fd070$9700a8c0@kdinet.local> Message-ID: <455336F1.3030509@solidstatelogic.com> Diane Rolland wrote: > Anthony Peacock wrote: >> Diane Rolland wrote: >>> Martin Hepworth wrote: >>>> Diane Rolland wrote: >>>>> Hi all, >>>>> >>>>> We have a custom application that utilizes the archive mail >>>>> function in MailScanner. Basically any email sent to a particular >>>>> address is archived in MailScanner. The application then >>>>> processes the email messages in the Archive directory and >>>>> integrates them into the application. It also handles the file >>>>> attachments. >>>>> >>>>> Now, our issue is needing to port this application to Windows. I >>>>> am not at all familiar with any options that might be available to >>>>> do this. If someone might have some suggestions, please let me >>>>> know. >>>>> >>>>> Thank you for your time, >>>>> Diane >>>>> >>>> Diane >>>> >>>> what's the application written in? perl, C ..??? >>> The application is in php/mysql. >>> >>>> besides 'archiving' the email somewhere else, what else does it do. >>>> If it needs to be accessed via windows then why not write a html >>>> interface to it then it's available on most platforms. >>> The archive is just a temporary holding place so that the php >>> application can parse the raw email files in the archive directory. >>> It can take attached documents and them make them available to the >>> web based php/mysql application. The attached documents are not >>> available outside the application (i.e. you cannot browse to them on >>> a file share). >> OK! So my question is what do you mean by 'application'? >> >> Are your referring to the whole infrastructure including MailScanner >> or are you just talking about your php app? 
>> >> -- >> Anthony Peacock >> CHIME, Royal Free & University College Medical School >> WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ >> "If you have an apple and I have an apple and we exchange apples >> then you and I will still each have one apple. But if you have an >> idea and I have an idea and we exchange these ideas, then each of us >> will have two ideas." -- George Bernard Shaw > > I suppose my challenge is finding a way to get mailed delivered to a > filesystem so that the php application can parse the raw mail files. On our > Linux platforms we use MailScanner's archive to file functionality to do > this. > > The php will run on either linux or windows web server, so the need I have > is how to get the mail delivered to a file location where it is accessible > to the php scripts. > > There isn't necessarily an Exchange server in the picture either, so maybe > I'm needing to look at some sort of mail server?? > I'd turn this on its head..... Start with a policy decision - mail MUST go through a validated gateway in order to achieve this. MailScanner can be one of the validated gateways. Then you need to make sure all your validated gateways dump the archives in a supported format to a supported storage point (remember Windows can do NFS mounts and Linux can mount windows/smb shares) -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From drolland at kdinet.com Thu Nov 9 14:27:11 2006
From: drolland at kdinet.com (Diane Rolland) Date: Thu Nov 9 14:28:28 2006 Subject: OT: archive mail functionality for windows? In-Reply-To: <4553357C.3010904@chime.ucl.ac.uk> Message-ID: <015401c7040b$26447340$9700a8c0@kdinet.local> Anthony Peacock wrote: > Hi, > > Diane Rolland wrote: >> Anthony Peacock wrote: >>> Diane Rolland wrote: >>>> Martin Hepworth wrote: >>>>> Diane Rolland wrote: >>>>>> Hi all, >>>>>> >>>>>> We have a custom application that utilizes the archive mail >>>>>> function in MailScanner. Basically any email sent to a >>>>>> particular address is archived in MailScanner. The application >>>>>> then processes the email messages in the Archive directory and >>>>>> integrates them into the application. It also handles the file >>>>>> attachments. >>>>>> >>>>>> Now, our issue is needing to port this application to Windows. I >>>>>> am not at all familiar with any options that might be available >>>>>> to do this. If someone might have some suggestions, please let >>>>>> me know. >>>>>> >>>>>> Thank you for your time, >>>>>> Diane >>>>>> >>>>> Diane >>>>> >>>>> what's the application written in? perl, C ..??? >>>> The application is in php/mysql. >>>> >>>>> besides 'archiving' the email somewhere else, what else does it >>>>> do. If it needs to be accessed via windows then why not write a >>>>> html interface to it then it's available on most platforms. >>>> The archive is just a temporary holding place so that the php >>>> application can parse the raw email files in the archive directory. >>>> It can take attached documents and them make them available to the >>>> web based php/mysql application. The attached documents are not >>>> available outside the application (i.e. you cannot browse to them >>>> on a file share). >>> OK! So my question is what do you mean by 'application'? >>> >>> Are your referring to the whole infrastructure including MailScanner >>> or are you just talking about your php app? 
> > >> I suppose my challenge is finding a way to get mailed delivered to a >> filesystem so that the php application can parse the raw mail files. >> On our Linux platforms we use MailScanner's archive to file >> functionality to do this. >> >> The php will run on either linux or windows web server, so the need I >> have is how to get the mail delivered to a file location where it is >> accessible to the php scripts. >> >> There isn't necessarily an Exchange server in the picture either, so >> maybe I'm needing to look at some sort of mail server?? > > Ah! That make the situation much simpler. > > Can't you use something like Samba to make the 'archive' directory on > the MailScanner machine available as a Windows share? > > > > > -- > Anthony Peacock > CHIME, Royal Free & University College Medical School > WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ > "If you have an apple and I have an apple and we exchange apples > then you and I will still each have one apple. But if you have an > idea and I have an idea and we exchange these ideas, then each of us > will have two ideas." -- George Bernard Shaw Thanks for all of the feedback/suggestions... We deliver this application to various customers some of which refuse to do anything outside of Windows... Therefore, the need for some other solution. I'm looking at some various email servers and hopefully can find something useful. Life is so much simpler when open minded IT departments are involved :) From Denis.Beauchemin at USherbrooke.ca Thu Nov 9 14:32:31 2006 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Nov 9 14:32:48 2006 Subject: SeLinux Issue with SpamAssassin.cache.db In-Reply-To: <200611091155.AA309002912@mail.ozdocs.net.au> References: <200611091155.AA309002912@mail.ozdocs.net.au> Message-ID: <45533BFF.2010302@USherbrooke.ca> Vaibhav Pandey wrote: > Dear All, > I installed MailScanner 4.57 with ClamAv and SpamAssassin 3.1. All working fine without any problem. > > But my SpamAssassin.cache.db not caching anything hence I am still getting spam. > > in my /var/log/messages I am getting the following line each time when MailScanner is trying to add something to cache.db. Please help me. > > > Nov 9 04:27:24 mgate kernel: audit(1163006844.338:6247): avc: denied { read write } for pid=15114 comm="su" name="SpamAssassin.cache.db" dev=dm-0 ino=17990086 scontext=system_u:system_r:initrc_su_t:s0 tcontext=root:object_r:var_spool_t:s0 tclass=file > > > Here mgate: is name of the Host > > With best regards, > Webb. > I didn't take the time to understand SElinux so I disabled it on all my servers because it caused too much trouble. To do this edit /etc/selinux/config and change to: SELINUX=disabled Then save the file and reboot your server. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From AHKAPLAN at PARTNERS.ORG Thu Nov 9 15:06:33 2006
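The AVC denial quoted in the SELinux thread above states exactly which domain was refused which permissions on which labelled object. As an added example (not part of any poster's message and not MailScanner code), this Python sketch parses such lines and groups denials by source type, target type and object class; the function names and the second sample record are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The denial quoted in the thread, as a single syslog line.
THREAD_DENIAL = (
    'Nov 9 04:27:24 mgate kernel: audit(1163006844.338:6247): avc: denied '
    '{ read write } for pid=15114 comm="su" name="SpamAssassin.cache.db" '
    'dev=dm-0 ino=17990086 scontext=system_u:system_r:initrc_su_t:s0 '
    'tcontext=root:object_r:var_spool_t:s0 tclass=file'
)
# Constructed second record (not from the thread) to show how repeats merge.
CONSTRUCTED_DENIAL = (
    'Nov 9 04:31:02 mgate kernel: audit(1163007062.101:6251): avc: denied '
    '{ getattr } for pid=15230 comm="su" name="SpamAssassin.cache.db" '
    'dev=dm-0 ino=17990086 scontext=system_u:system_r:initrc_su_t:s0 '
    'tcontext=root:object_r:var_spool_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; the MLS/MCS level may itself contain colons."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % ctx)
    level = parts[3] if len(parts) == 4 else None
    return {'user': parts[0], 'role': parts[1], 'type': parts[2], 'level': level}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not a usable one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        source = split_context(fields['scontext'])
        target = split_context(fields['tcontext'])
        tclass = fields['tclass']
    except (KeyError, ValueError):
        return None  # truncated or malformed record: skip rather than guess
    # audit(<epoch seconds>.<milliseconds>:<serial>) is kernel time, i.e. UTC.
    when = (datetime.fromtimestamp(int(m.group('sec')), tz=timezone.utc)
            + timedelta(milliseconds=int(m.group('ms'))))
    return {
        'when': when,
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source': source,
        'target': target,
        'tclass': tclass,
    }


def summarize(lines):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(),
                                  'names': set(), 'count': 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        g = groups[(rec['source']['type'], rec['target']['type'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['comms'].add(rec['comm'] or '?')
        g['names'].add(rec['name'] or '?')
        g['count'] += 1
    return {key: {'perms': sorted(g['perms']), 'comms': sorted(g['comms']),
                  'names': sorted(g['names']), 'count': g['count']}
            for key, g in groups.items()}


def describe(summary):
    """Render each group as one sentence an administrator can review."""
    out = []
    for (stype, ttype, tclass), g in sorted(summary.items()):
        out.append(f"{stype} ({', '.join(g['comms'])}) denied "
                   f"{{ {' '.join(g['perms'])} }} on {tclass} labelled {ttype}: "
                   f"{', '.join(g['names'])} [{g['count']} record(s)]")
    return out


if __name__ == '__main__':
    for sentence in describe(summarize([THREAD_DENIAL, CONSTRUCTED_DENIAL])):
        print(sentence)
```

For the thread's record this shows a process named su, running in the initrc_su_t domain, refused read and write on a file labelled var_spool_t, which is the information needed to judge whether the file's label or the policy is what should change.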
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.) Date: Thu Nov 9 15:06:39 2006 Subject: Allowing .bmp and other Graphic Files To Get Through Message-ID: <9C63A4713C4E3342B90428CE44806A7302679A17@PHSXMB5.partners.org> Hi there - The current MailScanner configuration on our server does not allow .bmp and other graphic files to get through to the recipient. I have received requests to be more lenient in this matter. What would be the best configuration setting(s) to implement? Thanks. From dward at nccumc.org Thu Nov 9 15:11:04 2006
From: dward at nccumc.org (Douglas Ward) Date: Thu Nov 9 15:11:07 2006 Subject: Is razor working? In-Reply-To: <223f97700611090453y5dd1e67di815711ac3004b810@mail.gmail.com> References: <45520A04.2090109@solidstatelogic.com> <45520BD1.7020409@solidstatelogic.com> <223f97700611090151rca8b6bft1f1e1f6c7279f923@mail.gmail.com> <223f97700611090453y5dd1e67di815711ac3004b810@mail.gmail.com> Message-ID: Glenn, Thank you for this advice. I found that the 10 second time out setting was too short for razor to complete properly. Pushing out this timeout setting corrected the issue. Thanks for your help! Douglas On 11/9/06, Glenn Steen wrote: > > On 09/11/06, Glenn Steen wrote: > (snip) > > That version of SA will only load the module(s) and test for syntax > > errors, not actually try to perform any network tests. > .... for the --lint option, of course. Jeez, when will I learn to > proofread _beforehand_. Sigh. > > -- > -- Glenn (a.k.a. Le Grand Typo) > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Nov 9 15:16:28 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 15:16:30 2006 Subject: SeLinux Issue with SpamAssassin.cache.db In-Reply-To: <45533BFF.2010302@USherbrooke.ca> References: <200611091155.AA309002912@mail.ozdocs.net.au> <45533BFF.2010302@USherbrooke.ca> Message-ID: <223f97700611090716q6cb4fb69oc68cf9c1c53f64bb@mail.gmail.com> On 09/11/06, Denis Beauchemin wrote: (snip) > > > I didn't take the time to understand SElinux so I disabled it on all my > servers because it caused too much trouble. > > To do this edit /etc/selinux/config and change to: > SELINUX=disabled > > Then save the file and reboot your server. > > Denis How did I miss the subject ....? Probably this darned cold making me even less sharp than usual. Sigh. Denis's advice is (of course) the easy way to go. Hands up everyone who has a love-hate relationship with ACLs:-):-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From steve.swaney at fsl.com Thu Nov 9 15:20:22 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Thu Nov 9 15:20:24 2006 Subject: archive mail functionality for windows? In-Reply-To: <014101c703fe$db9d3cc0$9700a8c0@kdinet.local> Message-ID: <001701c70412$92ebfc50$287ba8c0@office.fsl> > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Diane Rolland > Sent: Thursday, November 09, 2006 7:59 AM > To: mailscanner@lists.mailscanner.info > Subject: OT: archive mail functionality for windows? > > Hi all, > > We have a custom application that utilizes the archive mail function in > MailScanner. Basically any email sent to a particular address is archived > in MailScanner. The application then processes the email messages in the > Archive directory and integrates them into the application. It also > handles the file attachments. > > Now, our issue is needing to port this application to Windows. I am not > at all familiar with any options that might be available to do this. If > someone might have some suggestions, please let me know. > > Thank you for your time, > Diane Might not be relevant but take a look at: http://www.mailarchiva.com/ I quote: "Email Archiving for Microsoft Exchange. MailArchiva is a powerful email archiving solution. It is all you need to ensure that your organization's emails are backed up permanently. It automatically retrieves emails from Microsoft Exchange and stores them on multiple hard disks." It's a free application. You pay for support. I've tested and it seems to work as advertised but I don't know how well the free version will scale. Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From Kevin_Miller at ci.juneau.ak.us Thu Nov 9 16:34:11 2006 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Nov 9 16:34:22 2006 Subject: SeLinux Issue with SpamAssassin.cache.db In-Reply-To: <223f97700611090716q6cb4fb69oc68cf9c1c53f64bb@mail.gmail.com> Message-ID: Glenn Steen wrote: > Denis advice is (of course) the easy way to go. Completely off topic, but one of my favorite quotes (can't remember by whom) was along the lines of "It's always a bad idea to give advice. To give good advice is absolutely fatal." :-) > Hands up everyone who have a love-hate relationship with ACLs:-):-). I'm there... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Kevin_Miller at ci.juneau.ak.us Thu Nov 9 16:46:28 2006 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Nov 9 16:46:32 2006 Subject: Allowing .bmp and other Graphic Files To Get Through In-Reply-To: <9C63A4713C4E3342B90428CE44806A7302679A17@PHSXMB5.partners.org> Message-ID: Depends on how many users you're talking about. If it's just a few, I'd set up whitelists for those select folks. If you're managing multiple domains and dealing with large numbers of people wanting this, it becomes a policy decision and hence, much more political. I try to stay out of politics. In August I asked about allowing filetypes through via white lists. See the archives for August 10, subject "ALLOW FILETYPES in MailScanner.conf". Holler if you can't find it and I'll dig up the details. It was quite easy to set up... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kaplan, Andrew H. Sent: Thursday, November 09, 2006 6:07 AM To: mailscanner@lists.mailscanner.info Subject: Allowing .bmp and other Graphic Files To Get Through Hi there - The current MailScanner configuration on our server does not allow .bmp and other graphic files to get through to the recipient. I have received requests to be more lenient in this matter. What would be the best configuration setting(s) to implement? Thanks. From joost at waversveld.nl Thu Nov 9 16:50:12 2006 From: joost at waversveld.nl (Joost Waversveld) Date: Thu Nov 9 16:50:36 2006 Subject: [sendmail] Skipping rbl per domain Message-ID: <45535C44.708@waversveld.nl> Hi to all, I've searched but I could not find a good answer... We have some mailscanners with a lot of domains pointing to them, which are very busy. At the moment we do not use RBL's through sendmail. We let Mailscanner (SpamAssassin) handle those lookups. This way every end user can choose what to do with the SPAM. To handle the load better we want to enable some RBL-checks through sendmail but we know some customers don't want that, because then we are deciding which mail could be deleted, and which not. If you get what I mean. Is it possible to enable the RBL-checks in sendmail per domain, so customer1 can use the function(s), but customer2 does not?? Regards, Joost Waversveld From mailscanner at PDSCC.COM Thu Nov 9 17:22:38 2006
From: mailscanner at PDSCC.COM (Harondel J. Sibble) Date: Thu Nov 9 17:22:44 2006 Subject: spam actions doesn't seem to be working right Message-ID: <200611091722.kA9HMdAB006079@sinclaire.sibble.net> Okay, running MS 4.49.7-1 on Centos 4.x, also running Mailwatch. Spam Actions = store forward spambox@domain.tld Ditto for High Scoring Spam Actions Early this year in the spring, we replaced the older MS box with this one. Some point since then, there are no messages getting to the spambox account, however the end users are getting the messages tagged as spam by MS/SA which is what I want to avoid. I'm not sure what I should be looking at to resolve this as I know it worked at one point and going through the notes on changes made to the system, I don't see anything that should be causing this behaviour. -- Harondel J. Sibble Sibble Computer Consulting Creating solutions for the small business and home computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager) From steve.freegard at fsl.com Thu Nov 9 18:04:07 2006 
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Nov 9 18:04:18 2006 Subject: [sendmail] Skipping rbl per domain In-Reply-To: <45535C44.708@waversveld.nl> References: <45535C44.708@waversveld.nl> Message-ID: <45536D97.2040608@fsl.com> Hi Joost, Joost Waversveld wrote: > Hi to all, > > I've searched but I could not find an good answer... > > We have some mailscanners with a lot of domains pointing to them, which > are very busy. At the moment we do not use RBL's through sendmail. We > let Mailscanner (SpamAssassin) handle those lookups. This way every end > user can choose what to do with the SPAM. > > To handle the load better we want to enable some RBL-checks through > sendmail but we know some customers don't want that, because then we are > deciding which mail could be deleted, and which not. If you get what I > mean. > > Is it possible to enable the RBL-checks in sendmail per domain, so > customer1 can use the function(s), but customer2 does not?? > Have a look at http://www.five-ten-sg.com/dnsbl/ it's a bit bloaty compared to the Snertsoft milters (and it's written in C++), but it does allow you to configure a blacklist policy on a per-domain basis. Hope this helps. Kind regards, Steve. From glenn.steen at gmail.com Thu Nov 9 19:03:51 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 19:03:56 2006 Subject: spam actions doesn't seem to be working right In-Reply-To: <200611091722.kA9HMdAB006079@sinclaire.sibble.net> References: <200611091722.kA9HMdAB006079@sinclaire.sibble.net> Message-ID: <223f97700611091103t5bb7c348k678500b72d6b9678@mail.gmail.com> On 09/11/06, Harondel J. Sibble wrote: > Okay, running MS 4.49.7-1 on Centos 4.x, also running Mailwatch. > > Spam Actions = store forward spambox@domain.tld > > Ditto for High Scoring Spam Actions > > Early this year in the spring, we replaced the older MS box with this one. > Some point since then, there are no messages getting to the spambox account, > however the end users are getting the messages tagged as spam by MS/SA which > is what I want to avoid. > > I'm not sure what I should be looking at to resolve this as I know it worked > at one point and going through the notes on changes made to the system, I > don't see anything that should be causing this behaviour. > Why such an old MailScanner (relatively speaking:)? Updating MailScanner is really well thought out, easy and fast;-). Easy instructions on what to do (backup relevant directories etc) are in the MAQ/wiki. I'm not sure at what version the --lint, --changed and --debug options to the MailScanner command was introduced (all of which could probably help you troubleshoot this to some extent)... If you don't have them, consider an update. There are no obvious syntax errors in the MailScanner.conf? Look for silliness like unmatched quotes etc. The syntax of the file is very forgiving, but one can botch things (read: Been there...:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ugob at camo-route.com Thu Nov 9 19:50:31 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Nov 9 19:51:38 2006 Subject: from and to In-Reply-To: <223f97700611031122j4bd04714jfaa4035cd9808311@mail.gmail.com> References: <223f97700611031122j4bd04714jfaa4035cd9808311@mail.gmail.com> Message-ID: Glenn Steen wrote: > On 03/11/06, Ugo Bellavance wrote: >> Hi, >> >> Sorry if this has been asked in the past, but I couldn't find the >> answers on the wiki or list. >> >> Is it possible to do a ruleset like this? >> >> From: toto@domain.com and To: domain.com yes >> >> Thanks, >> >> Ugo >> > Yep. Don't remember where it is documented (book, example file or > what) but that would definitely work. > I just tested, it doesn't work :( ugo From philippe at beau.nom.fr Thu Nov 9 19:52:50 2006 From: philippe at beau.nom.fr (Philippe BEAU) Date: Thu Nov 9 19:53:16 2006 Subject: Mailscanner interface Message-ID: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> Hello all, At first, I'm new to this so ... don't kill now, wait 5 minutes if the question has already been asked ... I would like to make an interface for Mailscanner. I would like to know if something like that already exists. The first goal is : - Get list of blocked email in - Get list of quarantine by email (one user can get his email blocked himself) - Get some light stats I know there are some products like Mailwatch or others, but I would like some advice on particular solutions. I've some preference for the php interface ... Best regards Philippe, From ugob at camo-route.com Thu Nov 9 20:05:36 2006
From: ugob at camo-route.com (Ugo Bellavance) Date: Thu Nov 9 20:06:00 2006 Subject: Mailscanner interface In-Reply-To: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> Message-ID: Philippe BEAU wrote: > Hello all, > > At first, i'm new to this so ... don't kill now, wait 5 minutes if the > question already have been asked ... > > I would like to made interface for Mailscanner. I would like to know if > someone like that already exist. The first goal is : > > - Get list of blocked email in > - Get list of quarantine by email (one user can get his email blocked > himself) > - Get some light stats > > I know there is some product like Mailwatch or others, but i would like > some advice on particulars solutions. I think you should give a try to MailWatch first, then contribute to the code if you need anything else. BTW, V 2.0 is coming. From john at netdirect.ca Thu Nov 9 20:14:05 2006 From: john at netdirect.ca (John Van Ostrand) Date: Thu Nov 9 20:14:13 2006 Subject: from and to In-Reply-To: References: <223f97700611031122j4bd04714jfaa4035cd9808311@mail.gmail.com> Message-ID: <1163103245.11897.101.camel@venture.office.netdirect.ca> On Thu, 2006-11-09 at 14:50 -0500, Ugo Bellavance wrote: > >> Is it possible to do a ruleset like this? > >> > >> From: toto@domain.com and To: domain.com yes > >> > > Yep. Don't remember where it is documented (book, example file or > > what) but that would definitely work. If it helps it is documented in /etc/MailScanner/rules/EXAMPLES. -- John Van Ostrand Net Direct Inc. CTO, co-CEO 564 Weber St. N. Unit 12 Waterloo, ON N2L 5C6 map john@netdirect.ca Ph: 519-883-1172 ext.5102 Linux Solutions / IBM Hardware Fx: 519-883-8533 From john at netdirect.ca Thu Nov 9 20:23:19 2006 
From: john at netdirect.ca (John Van Ostrand) Date: Thu Nov 9 20:23:32 2006 Subject: Mailscanner interface In-Reply-To: References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> Message-ID: <1163103799.11897.103.camel@venture.office.netdirect.ca> On Thu, 2006-11-09 at 15:05 -0500, Ugo Bellavance wrote: > I think you should give a try to MailWatch first, then contribute to the > code if you need anything else. BTW, V 2.0 is coming. What's the word on which features are going to be in the 2.0? -- John Van Ostrand Net Direct Inc. CTO, co-CEO 564 Weber St. N. Unit 12 Waterloo, ON N2L 5C6 john@netdirect.ca ph: 518-883-1172 x5102 Linux Solutions / IBM Hardware fx: 519-883-8533 From jwilliams at courtesymortgage.com Thu Nov 9 20:23:30 2006
From: jwilliams at courtesymortgage.com (Jason Williams) Date: Thu Nov 9 20:23:41 2006 Subject: New SPAM e-mails recently? Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> Anyone been getting some new SPAM recently, where it comes in with subjects like: It's Lorenzo :) It's Flavia :) Bunch of names in the subject line. In the body of the message, it is a wide range of things like to buy viagra and cialis. Or a couple today are for buying stock (buy this symbol) etc. Anyone been getting these? I'm still getting my SA rules back in order. Wasn't sure if any of these were sneaking through to anyone else. For those that are blocking, what is catching it so I can quickly put it in? Thanks, -Jason From technician at cenpac.net.nr Thu Nov 9 20:38:08 2006
From: technician at cenpac.net.nr (Jon Leeman) Date: Thu Nov 9 20:38:10 2006 Subject: New SPAM e-mails recently? In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> Message-ID: <455391B0.7000205@cenpac.net.nr> Jason Williams wrote: > Anyone been getting some new SPAM recently, where it comes in with > subjects like: > > It's Lorenzo :) > It's Flavia :) > > Bunch of names in the subject line. > > In the body of the message, it is a wide range of things like to buy > viagra and cialis. > Or a couple today are for buying stock (buy this symbol) etc. > > Anyone been getting these? Im still getting my SA rules back in order. > Wasn't sure if any of these were sneaking through to anyone else. > For those that are blocking, what is catching it so I can quickly put it > in? > > Thanks, > > -Jason Yes, I am seeing these and they're currently getting through MS / Postfix. Would also like to know how to drop them - preferably with Postfix. Glenn? :-) Rgds., Jon (Nauru) From glenn.steen at gmail.com Thu Nov 9 20:42:23 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 20:42:26 2006 Subject: from and to In-Reply-To: References: <223f97700611031122j4bd04714jfaa4035cd9808311@mail.gmail.com> Message-ID: <223f97700611091242r1f638935qc7081abe4e7f3c09@mail.gmail.com> On 09/11/06, Ugo Bellavance wrote: > Glenn Steen wrote: > > On 03/11/06, Ugo Bellavance wrote: > >> Hi, > >> > >> Sorry if this has been asked in the past, but I couldn't find the > >> answers on the wiki or list. > >> > >> Is it possible to do a ruleset like this?
> >> > >> From: toto@domain.com and To: domain.com yes > >> > >> Thanks, > >> > >> Ugo > >> > > Yep. Don't remember where it is documented (book, example file or > > what) but that would definitely work. > > > > I just tested, it doesn't work :( > Ok.... What, more precisely did you try, with what input (envelope sender/recipient... etc) and what did or didn't happen? "Didn't work" is such meager stuff to work with:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dave.list at pixelhammer.com Thu Nov 9 20:43:27 2006 
From: dave.list at pixelhammer.com (DAve) Date: Thu Nov 9 20:43:45 2006 Subject: New SPAM e-mails recently? In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> Message-ID: <455392EF.8070803@pixelhammer.com> Jason Williams wrote: > Anyone been getting some new SPAM recently, where it comes in with > subjects like: > > It's Lorenzo :) > It's Flavia :) > > Bunch of names in the subject line. > > In the body of the message, it is a wide range of things like to buy > viagra and cialis. > Or a couple today are for buying stock (buy this symbol) etc. > > Anyone been getting these? Im still getting my SA rules back in order. > Wasn't sure if any of these were sneaking through to anyone else. > For those that are blocking, what is catching it so I can quickly put it > in? We've been seeing them by the thousands here. Score Matching Rule Description 0.00 BAYES_50 Bayesian spam probability is 40 to 60% 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain. 1.66 SARE_MLB_Stock1 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. SARE stocks catches them right off. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From glenn.steen at gmail.com Thu Nov 9 20:43:44 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 20:43:48 2006 Subject: from and to In-Reply-To: <1163103245.11897.101.camel@venture.office.netdirect.ca> References: <223f97700611031122j4bd04714jfaa4035cd9808311@mail.gmail.com> <1163103245.11897.101.camel@venture.office.netdirect.ca> Message-ID: <223f97700611091243o42bd0b27v4f62fbb5dbbc668@mail.gmail.com> On 09/11/06, John Van Ostrand wrote: > On Thu, 2006-11-09 at 14:50 -0500, Ugo Bellavance wrote: > > >> Is it possible to do a ruleset like this? > > >> > > >> From: toto@domain.com and To: domain.com yes > > >> > > > Yep. Don't remember where it is documented (book, example file or > > > what) but that would definitely work. > > If it helps it is documented in /etc/MailScanner/rules/EXAMPLES. Rulesets are actually documented in all the places I mentioned, I was just being a tad lazy looking it up:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Nov 9 20:55:39 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 20:55:45 2006 Subject: Mailscanner interface In-Reply-To: <1163103799.11897.103.camel@venture.office.netdirect.ca> References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> <1163103799.11897.103.camel@venture.office.netdirect.ca> Message-ID: <223f97700611091255y55188168y660b2b63a898458c@mail.gmail.com> On 09/11/06, John Van Ostrand wrote: > On Thu, 2006-11-09 at 15:05 -0500, Ugo Bellavance wrote: > > I think you should give a try to MailWatch first, then contribute to the > > code if you need anything else. BTW, V 2.0 is coming. > > What's the word on which features are going to be in the 2.0? > So far, apart from some quite irritating teasers on the MailWatch list (irritating, since they so far just make you long for 2.0 so much more:-), the MW wiki entry is all we have to go on: http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:v2_ideas ... it has been in the works for quite some time now, and one can hope that the delays are due to Steve wanting to finish all the nice stuff, and perhaps inventing new nice stuff as he goes along... and not due to him lacking the time to finish it because of insignificant things like work, sleep, life (How is marital bliss Steve? Still walking around on little clouds, or has reality asserted itself (with a >THUD<):-)....:-D -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jrudd at ucsc.edu Thu Nov 9 20:59:07 2006
From: jrudd at ucsc.edu (John Rudd) Date: Thu Nov 9 21:01:11 2006 Subject: New SPAM e-mails recently? In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> Message-ID: <4553969B.20802@ucsc.edu> Jason Williams wrote: > Anyone been getting some new SPAM recently, where it comes in with > subjects like: > > It's Lorenzo :) > It's Flavia :) > > Bunch of names in the subject line. > > In the body of the message, it is a wide range of things like to buy > viagra and cialis. > Or a couple today are for buying stock (buy this symbol) etc. > > Anyone been getting these? Im still getting my SA rules back in order. > Wasn't sure if any of these were sneaking through to anyone else. > For those that are blocking, what is catching it so I can quickly put it > in? > I see them in my spam folder... lately, most of my spam gets caught with the RelayChecker plugin I've been writing. I've been talking about it over on the SA list. I'm probably going to make another release for it this weekend. John From campbell at cnpapers.com Thu Nov 9 21:00:48 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Nov 9 21:01:25 2006 Subject: New SPAM e-mails recently? References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> <455392EF.8070803@pixelhammer.com> Message-ID: <005d01c70442$21ffe6c0$0705000a@DDF5DW71> ----- Original Message ----- 
From: "DAve" To: "MailScanner discussion" Sent: Thursday, November 09, 2006 3:43 PM Subject: Re: New SPAM e-mails recently? > Jason Williams wrote: >> Anyone been getting some new SPAM recently, where it comes in with >> subjects like: >> >> It's Lorenzo :) >> It's Flavia :) >> >> Bunch of names in the subject line. >> >> In the body of the message, it is a wide range of things like to buy >> viagra and cialis. >> Or a couple today are for buying stock (buy this symbol) etc. >> >> Anyone been getting these? Im still getting my SA rules back in order. >> Wasn't sure if any of these were sneaking through to anyone else. >> For those that are blocking, what is catching it so I can quickly put it >> in? > > We've been seeing them by the thousands here. > > Score Matching Rule Description > 0.00 BAYES_50 Bayesian spam probability is 40 to 60% > 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain. > 1.66 SARE_MLB_Stock1 > 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. > > SARE stocks catches them right off. Not so here. I never see SARE stocks in any of them. It appears to be image based here, not sure though. Course, I load the SARE stocks manually and mine is from October 31. Steve From philippe at beau.nom.fr Thu Nov 9 21:06:14 2006
From: philippe at beau.nom.fr (Philippe BEAU) Date: Thu Nov 9 21:06:43 2006 Subject: Mailscanner interface In-Reply-To: <223f97700611091255y55188168y660b2b63a898458c@mail.gmail.com> References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> <1163103799.11897.103.camel@venture.office.netdirect.ca> <223f97700611091255y55188168y660b2b63a898458c@mail.gmail.com> Message-ID: <61441.90.0.125.205.1163106374.squirrel@www.choup.net> Huhu ... At first, thx for all the answers. i haven't see theses ideas before. but just a little question : is anyone can made me a summary of WORKING functionnality of MailWatch ? > On 09/11/06, John Van Ostrand wrote: >> On Thu, 2006-11-09 at 15:05 -0500, Ugo Bellavance wrote: >> > I think you should give a try to MailWatch first, then contribute to >> the >> > code if you need anything else. BTW, V 2.0 is coming. >> >> What's the word on which features are going to be in the 2.0? >> > So far, apart from some quite irritating teasers on the MailWatch list > (irritating, since they so far just make you long for 2.0 so much > more:-), the MW wiki entry is all we have to go on: > http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:v2_ideas Best regards Philippe, From john at netdirect.ca Thu Nov 9 21:09:15 2006 
From: john at netdirect.ca (John Van Ostrand) Date: Thu Nov 9 21:09:24 2006 Subject: New SPAM e-mails recently? In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> Message-ID: <1163106555.11897.117.camel@venture.office.netdirect.ca> On Thu, 2006-11-09 at 12:23 -0800, Jason Williams wrote: > Anyone been getting some new SPAM recently, where it comes in with > subjects like: > > It's Lorenzo :) > It's Flavia :) > > Bunch of names in the subject line. > > In the body of the message, it is a wide range of things like to buy > viagra and cialis. > Or a couple today are for buying stock (buy this symbol) etc. > > Anyone been getting these? Im still getting my SA rules back in order. > Wasn't sure if any of these were sneaking through to anyone else. > > For those that are blocking, what is catching it so I can quickly put > it in? I have seen these at a customer, but I don't see them in my office. The only difference is that we have sendmail configured to refuse email from domains without an MX or A DNS record. Could that be it? -- John Van Ostrand Net Direct Inc. CTO, co-CEO 564 Weber St. N. Unit 12 Waterloo, ON N2L 5C6 john@netdirect.ca ph: 518-883-1172 x5102 Linux Solutions / IBM Hardware fx: 519-883-8533 From campbell at cnpapers.com Thu Nov 9 21:14:33 2006 
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Nov 9 21:15:01 2006 Subject: New SPAM e-mails recently? References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local><455392EF.8070803@pixelhammer.com> <005d01c70442$21ffe6c0$0705000a@DDF5DW71> Message-ID: <008001c70444$0ddbe2f0$0705000a@DDF5DW71> OK, I searched for SARE_MLB_Stock5 through Mailwatch, and none of the 200k+ emails have been hit by this rule. That's really strange. Do you want me to start a new thread or maybe someone has a clue as to what's going on. I have the 70_sare_stocks.cf in my /etc/mail/spamassassin directory. Is this right? The rules are added when I update my Mailwatch SA rules, so I think it's OK. Sorry to hijack - sort of related. Steve ----- Original Message ----- From: "Steve Campbell" To: "MailScanner discussion" Sent: Thursday, November 09, 2006 4:00 PM Subject: Re: New SPAM e-mails recently? > > ----- Original Message ----- 
> From: "DAve" > To: "MailScanner discussion" > Sent: Thursday, November 09, 2006 3:43 PM > Subject: Re: New SPAM e-mails recently? > > >> Jason Williams wrote: >>> Anyone been getting some new SPAM recently, where it comes in with >>> subjects like: >>> >>> It's Lorenzo :) >>> It's Flavia :) >>> >>> Bunch of names in the subject line. >>> >>> In the body of the message, it is a wide range of things like to buy >>> viagra and cialis. >>> Or a couple today are for buying stock (buy this symbol) etc. >>> >>> Anyone been getting these? Im still getting my SA rules back in order. >>> Wasn't sure if any of these were sneaking through to anyone else. >>> For those that are blocking, what is catching it so I can quickly put it >>> in? >> >> We've been seeing them by the thousands here. >> >> Score Matching Rule Description >> 0.00 BAYES_50 Bayesian spam probability is 40 to 60% >> 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain. >> 1.66 SARE_MLB_Stock1 >> 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. >> >> SARE stocks catches them right off. > > Not so here. I never see SARE stocks in any of them. It appears to be > image based here, not sure though. Course, I load the SARE stocks manually > and mine is from October 31. > > Steve From bpumphrey at woodmclaw.com Thu Nov 9 21:23:34 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Thu Nov 9 21:23:44 2006 Subject: New SPAM e-mails recently? In-Reply-To: <455391B0.7000205@cenpac.net.nr> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C140D4@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jon Leeman > Sent: Thursday, November 09, 2006 3:38 PM > To: MailScanner discussion > Subject: Re: New SPAM e-mails recently? > > > Jason Williams wrote: > > Anyone been getting some new SPAM recently, where it comes in with > > subjects like: > > > > It's Lorenzo :) > > It's Flavia :) > > > > Bunch of names in the subject line. > > > > In the body of the message, it is a wide range of things like to buy > > viagra and cialis. > > Or a couple today are for buying stock (buy this symbol) etc. > > > > Anyone been getting these? Im still getting my SA rules back in order. > > Wasn't sure if any of these were sneaking through to anyone else. > > For those that are blocking, what is catching it so I can quickly put it > > in? > > > > Thanks, > > > > -Jason > I have 174 so far this month, so not too many. Mine has caught about 97% of them. Most of the catching has been done by bayes. I have stocks installed but I do not see it on these messages for whatever reason. Rules has been updating stocks I believe. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Thu Nov 9 21:32:34 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 9 21:33:01 2006 Subject: Is razor working? In-Reply-To: <223f97700611090453y5dd1e67di815711ac3004b810@mail.gmail.com> References: <45520A04.2090109@solidstatelogic.com> <45520BD1.7020409@solidstatelogic.com> <223f97700611090151rca8b6bft1f1e1f6c7279f923@mail.gmail.com> <223f97700611090453y5dd1e67di815711ac3004b810@mail.gmail.com> Message-ID: Glenn Steen spake the following on 11/9/2006 4:53 AM: > On 09/11/06, Glenn Steen wrote: > (snip) >> That version of SA will only load the module(s) and test for syntax >> errors, not actually try to perform any network tests. > .... for the --lint option, of course. Jeez, when will I learn to > proofread _beforehand_. Sigh. > Sometime after they pry Postfix from your cold dead fingers! ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From john at netdirect.ca Thu Nov 9 21:35:58 2006 
From: john at netdirect.ca (John Van Ostrand) Date: Thu Nov 9 21:36:13 2006 Subject: New SPAM e-mails recently? In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C140D4@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1501C140D4@woodenex.woodmaclaw.local> Message-ID: <1163108158.11897.125.camel@venture.office.netdirect.ca> On Thu, 2006-11-09 at 16:23 -0500, Billy A. Pumphrey wrote: > I have 174 so far this month, so not too many. Mine has caught about > 97% of them. Most of the catching has been done by bayes. I have > stocks installed but I do not see it on these messages for whatever > reason. Rules has been updating stocks I believe. Here are my results: SORBS-DNSBL, SpamAssassin (cached, score=14.361, required 4.5, autolearn=spam, BAYES_20 -0.74, DATE_IN_PAST_03_06 0.48, PYZOR_CHECK 3.70, RCVD_IN_SORBS_DUL 2.05, RCVD_IN_XBL 3.90, SARE_CSBIG 1.66, SARE_MLB_Stock1 1.66, SARE_MLB_Stock5 1.66) These are from an install just 4 days old and a clean bayes database. -- John Van Ostrand Net Direct Inc. CTO, co-CEO 564 Weber St. N. Unit 12 Waterloo, ON N2L 5C6 map john@netdirect.ca Ph: 519-883-1172 ext.5102 Linux Solutions / IBM Hardware Fx: 519-883-8533 From ssilva at sgvwater.com Thu Nov 9 21:39:35 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 9 21:39:54 2006 Subject: mailscanner 4.55.10 Freebsd doesnt provide jobnumber in sendmail2 anymore or differently? In-Reply-To: <45531E87.3090904@enem.nl> References: <45531E87.3090904@enem.nl> Message-ID: Hans Melgers spake the following on 11/9/2006 4:26 AM: > > > Hi list, > > Im running MS for years now, ever running flawless on freebsd. > Now im updating (from ports) to 4.55.10 on freebsd 6.2 pre and see > something strange. > > Im using the sendmail2 with ms2cgp script to put MS output in my > Communigate submitted queue: > > Sendmail2 = /usr/local/etc/ms2cgp2 > > However it seems MS is not providing the job number like it used too: > > Nov 9 13:11:06 fb1 MailScanner[51501]: Creating hardcoded struct_flock > subroutine for freebsd (BSD-type) > Nov 9 13:11:32 fb1 MailScanner[51430]: New Batch: Scanning 1 messages, > 622 bytes > Nov 9 13:11:32 fb1 MailScanner[51430]: Spam Checks: Starting > Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string spam in > language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked > up unknown string notspam in language translation file Nov 9 13:11:32 > fb1 MailScanner[51430]: Message 51551 from 84.107.145.164 > (hans@fb1.enem.nl) is whitelisted > Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string > mailscanner in language translation file Nov 9 13:11:32 fb1 > MailScanner[51430]: Looked up unknown string unreadablearchive in > language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked > up unknown string passwordedarchive in language translation file Nov 9 > 13:11:32 fb1 MailScanner[51430]: Looked up unknown string archivetoodeep > in language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: > Virus and Content Scanning: Starting > Nov 9 13:11:34 fb1 MailScanner[51430]: Uninfected: Delivered 1 messages > Nov 9 13:11:34 fb1 ms2cgp[51564]: Job writing to > /var/CommuniGate/Submitted/FB11.ms2cgp..51564.tmp > > ^^ no 
jobnumber > Nov 9 13:11:34 fb1 ms2cgp[51564]: Open input /var/spool/mqueue/qf > failed, dying > > ^^ no jobnumber > > The ms2cgp script is unchanged, qf and df files are there. > > Anybody knows what's going on, hopefully a workaround ? > > Thanks, > Hans > > You need to upgrade your languages.conf file. That is where the unknown string errors are coming from. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From bpumphrey at woodmclaw.com Thu Nov 9 21:43:49 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Thu Nov 9 21:43:59 2006
Subject: New SPAM e-mails recently?
In-Reply-To: <1163108158.11897.125.camel@venture.office.netdirect.ca>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C140D5@woodenex.woodmaclaw.local>

>
> Here are my results:
>
> SORBS-DNSBL, SpamAssassin (cached, score=14.361, required 4.5,
> autolearn=spam, BAYES_20 -0.74, DATE_IN_PAST_03_06 0.48, PYZOR_CHECK
> 3.70, RCVD_IN_SORBS_DUL 2.05, RCVD_IN_XBL 3.90, SARE_CSBIG 1.66,
> SARE_MLB_Stock1 1.66, SARE_MLB_Stock5 1.66)
>
> These are from an install just 4 days old and a clean bayes database.
>
> --
> John Van Ostrand
> Net Direct Inc.
>
> CTO, co-CEO
> 564 Weber St. N. Unit 12
> Waterloo, ON N2L 5C6
> map
> john@netdirect.ca
> Ph: 519-883-1172
> ext.5102
> Linux Solutions / IBM
> Hardware
> Fx: 519-883-8533
>
>

Oh yes, you were looking for the rule sets. Here are a few examples:

Score   Matching Rule        Description
cached  not
score=11.566
5       required
3.50    BAYES_99             Bayesian spam probability is 99 to 100%
0.14    FORGED_RCVD_HELO     Received: contains a forged HELO
0.55    HELO_MISMATCH_COM
1.66    SARE_CSBIG           Only Mexican food gives me an Explosive Gain.
1.66    SARE_MLB_Stock1
1.66    SARE_MLB_Stock5      Mentions stock symbol, tickers, or OTC.
2.40    TVD_STOCK1

Score   Matching Rule        Description
cached  not
score=15.699
5       required
autolearn=spam
2.00    BAYES_80             Bayesian spam probability is 80 to 95%
0.48    DATE_IN_PAST_03_06   Date: is 3 to 6 hours before Received: date
2.17    DCC_CHECK            Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.14    FORGED_RCVD_HELO     Received: contains a forged HELO
0.77    HELO_EQ_MODEMCABLE
0.97    HOST_EQ_MODEMCABLE
1.80    HOST_EQ_SHAWCAB
1.66    SARE_CSBIG           Only Mexican food gives me an Explosive Gain.
1.66    SARE_MLB_Stock1
1.66    SARE_MLB_Stock5      Mentions stock symbol, tickers, or OTC.
2.40    TVD_STOCK1

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ssilva at sgvwater.com Thu Nov 9 21:51:48 2006
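Added example, not part of any list message and not MailScanner or MailWatch code: a parser for the SpamAssassin report string John posted above, used to check that the per-rule scores add up to the reported total and to list which messages got no SARE stock hit, the situation Steve describes. The report layout is taken from the posted string; the second and third sample reports and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Report string as posted in the thread (John Van Ostrand's message).
POSTED = ("SORBS-DNSBL, SpamAssassin (cached, score=14.361, required 4.5, "
          "autolearn=spam, BAYES_20 -0.74, DATE_IN_PAST_03_06 0.48, "
          "PYZOR_CHECK 3.70, RCVD_IN_SORBS_DUL 2.05, RCVD_IN_XBL 3.90, "
          "SARE_CSBIG 1.66, SARE_MLB_Stock1 1.66, SARE_MLB_Stock5 1.66)")

# Constructed: the values of Billy's first table, re-typed into the same
# report layout (the layout is an assumption, not a posted string).
FROM_TABLE = ("SpamAssassin (not cached, score=11.566, required 5, "
              "BAYES_99 3.50, FORGED_RCVD_HELO 0.14, HELO_MISMATCH_COM 0.55, "
              "SARE_CSBIG 1.66, SARE_MLB_Stock1 1.66, SARE_MLB_Stock5 1.66, "
              "TVD_STOCK1 2.40)")

# Constructed: a message that scores as spam with no SARE stock rule firing.
NO_SARE = ("SpamAssassin (not cached, score=5.55, required 5, "
           "BAYES_99 3.50, RCVD_IN_SORBS_DUL 2.05)")

RULE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s+(-?\d+(?:\.\d+)?)$")


def parse_report(text):
    """Split a report string into its metadata fields and a rule -> score map."""
    m = re.search(r"SpamAssassin\s*\((.*)\)", text, re.S)
    if not m:
        raise ValueError("no SpamAssassin (...) section found")
    report = {
        # Checks listed before the SpamAssassin section, e.g. SORBS-DNSBL.
        "other_checks": [c.strip() for c in text[:m.start()].split(",") if c.strip()],
        "cached": None, "score": None, "required": None,
        "autolearn": None, "rules": {},
    }
    for field in m.group(1).split(","):
        field = " ".join(field.split())  # undo mail-client line wraps
        if not field:
            continue
        if field in ("cached", "not cached"):
            report["cached"] = field == "cached"
        elif field.startswith("score="):
            report["score"] = float(field[len("score="):])
        elif field.startswith("required "):
            report["required"] = float(field[len("required "):])
        elif field.startswith("autolearn="):
            report["autolearn"] = field[len("autolearn="):]
        else:
            rule = RULE_RE.match(field)
            if not rule:
                raise ValueError("unrecognised field: %r" % field)
            report["rules"][rule.group(1)] = float(rule.group(2))
    if report["score"] is None or report["required"] is None:
        raise ValueError("report has no score= or required field")
    return report


def score_is_consistent(report):
    """True if the rule scores sum to the total, allowing for 2-decimal rounding."""
    tolerance = 0.005 * max(len(report["rules"]), 1) + 1e-9
    return abs(sum(report["rules"].values()) - report["score"]) <= tolerance


def is_spam(report):
    return report["score"] >= report["required"]


def family_hits(reports, prefix):
    """Count hits per rule whose name starts with prefix; list reports with none."""
    counts, missing = Counter(), []
    for index, report in enumerate(reports):
        hits = [name for name in report["rules"] if name.startswith(prefix)]
        counts.update(hits)
        if not hits:
            missing.append(index)
    return counts, missing


if __name__ == "__main__":
    parsed = [parse_report(t) for t in (POSTED, FROM_TABLE, NO_SARE)]
    for index, report in enumerate(parsed):
        print(index, report["score"], is_spam(report), score_is_consistent(report))
    print(family_hits(parsed, "SARE_MLB_"))
```

Reports that land in `missing` for a ruleset that is supposed to be installed are the ones to inspect first.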
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 9 21:52:36 2006 Subject: [sendmail] Skipping rbl per domain In-Reply-To: <45535C44.708@waversveld.nl> References: <45535C44.708@waversveld.nl> Message-ID: Joost Waversveld spake the following on 11/9/2006 8:50 AM: > Hi to all, > > I've searched but I could not find an good answer... > > We have some mailscanners with a lot of domains pointing to them, which > are very busy. At the moment we do not use RBL's through sendmail. We > let Mailscanner (SpamAssassin) handle those lookups. This way every end > user can choose what to do with the SPAM. > > To handle the load better we want to enable some RBL-checks through > sendmail but we know some customers don't want that, because then we are > deciding which mail could be deleted, and which not. If you get what I > mean. > > Is it possible to enable the RBL-checks in sendmail per domain, so > customer1 can use the function(s), but customer2 does not?? > > Regards, > > Joost Waversveld This might do what you want with some experimentation; http://www.technoids.org/spamlovers.html -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From dave.list at pixelhammer.com Thu Nov 9 21:55:54 2006 
From: dave.list at pixelhammer.com (DAve) Date: Thu Nov 9 21:56:19 2006 Subject: New SPAM e-mails recently? In-Reply-To: <008001c70444$0ddbe2f0$0705000a@DDF5DW71> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local><455392EF.8070803@pixelhammer.com> <005d01c70442$21ffe6c0$0705000a@DDF5DW71> <008001c70444$0ddbe2f0$0705000a@DDF5DW71> Message-ID: <4553A3EA.80209@pixelhammer.com> Steve Campbell wrote: > OK, I searched for SARE_MLB_Stock5 through Mailwatch, and none of the > 200k+ emails have been hit by this rule. That's really strange. > > Do you want me to start a new thread or maybe someone has a clue as to > what's going on. > > I have the 70_sare_stocks.cf in my /etc/mail/spamassassin directory. Is > this right? The rules are added when I update my Mailwatch SA rules, so > I think it's OK. > > Sorry to hijack - sort of related. > > Steve > > > > ----- Original Message ----- From: "Steve Campbell" > To: "MailScanner discussion" > Sent: Thursday, November 09, 2006 4:00 PM > Subject: Re: New SPAM e-mails recently? > > >> >> ----- Original Message ----- 
From: "DAve" >> To: "MailScanner discussion" >> Sent: Thursday, November 09, 2006 3:43 PM >> Subject: Re: New SPAM e-mails recently? >> >> >>> Jason Williams wrote: >>>> Anyone been getting some new SPAM recently, where it comes in with >>>> subjects like: >>>> >>>> It's Lorenzo :) >>>> It's Flavia :) >>>> >>>> Bunch of names in the subject line. >>>> >>>> In the body of the message, it is a wide range of things like to buy >>>> viagra and cialis. >>>> Or a couple today are for buying stock (buy this symbol) etc. >>>> >>>> Anyone been getting these? Im still getting my SA rules back in order. >>>> Wasn't sure if any of these were sneaking through to anyone else. >>>> For those that are blocking, what is catching it so I can quickly >>>> put it >>>> in? >>> >>> We've been seeing them by the thousands here. >>> >>> Score Matching Rule Description >>> 0.00 BAYES_50 Bayesian spam probability is 40 to 60% >>> 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain. >>> 1.66 SARE_MLB_Stock1 >>> 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. >>> >>> SARE stocks catches them right off. >> >> Not so here. I never see SARE stocks in any of them. It appears to be >> image based here, not sure though. Course, I load the SARE stocks >> manually and mine is from October 31. >> >> Steve We have gotten 7200 in the last five days (those that made it past the MTA rules). I consistently hit on SARE stock rules, at least the dozen messages I checked. Here is what I am running, bash-2.05b# head 70_sare_stocks.cf # SARE Stocks Ruleset for SpamAssassin # Version: 01.00.37 # Created: 2005-12-18 # Modified: 2006-10-18 # License: Artistic - http://www.rulesemporium.com/license.txt # Current Maintainer: Sare Ninja - maddoc@maddoc.net # Current Home: http://www.rulesemporium.com/rules/70_sare_stocks.cf This on all servers. I also see a sprinkling of date in future, missing headers, garbage_this and garbage_that. SARE Stocks is consistently hitting every message. 
DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From ka at pacific.net Thu Nov 9 22:03:54 2006 From: ka at pacific.net (Ken A) Date: Thu Nov 9 22:01:51 2006 Subject: trackback option not valid config option? Message-ID: <4553A5CA.1090209@pacific.net> Nov 9 13:59:47 server MailScanner[17647]: Syntax error in line 1630, 60k trackback for maxspamassassinsize should be a number Is this not the correct syntax? Thanks, Ken A Pacific.Net From glenn.steen at gmail.com Thu Nov 9 22:09:21 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 22:09:26 2006 Subject: Mailscanner interface In-Reply-To: <61441.90.0.125.205.1163106374.squirrel@www.choup.net> References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> <1163103799.11897.103.camel@venture.office.netdirect.ca> <223f97700611091255y55188168y660b2b63a898458c@mail.gmail.com> <61441.90.0.125.205.1163106374.squirrel@www.choup.net> Message-ID: <223f97700611091409r429f4e91sf972daf992498ec2@mail.gmail.com> On 09/11/06, Philippe BEAU wrote: > Huhu ... At first, thx for all the answers. > > i haven't see theses ideas before. but just a little question : is anyone > can made me a summary of WORKING functionnality of MailWatch ? > It does basically all you stipulated and more. The 1.03 version is quite mature. You should look through the MailScanner wiki pages about it at http://wiki.mailscanner.info/doku.php?do=index&id=documentation%3Arelated_software%3Amanagement%3Amailwatch%3Adescription and more importantly the MailWatch site (that happen to be a wiki as well:) at http://mailwatch.sourceforge.net/doku.php?id=start Cheers, -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From hans at enem.nl Thu Nov 9 22:09:32 2006 
From: hans at enem.nl (Hans Melgers) Date: Thu Nov 9 22:09:56 2006 Subject: mailscanner 4.55.10 Freebsd doesnt provide jobnumber in sendmail2 anymore or differently? In-Reply-To: References: <45531E87.3090904@enem.nl> Message-ID: <4553A71C.9@enem.nl> Scott Silva schreef: > Hans Melgers spake the following on 11/9/2006 4:26 AM: > >> Hi list, >> >> Im running MS for years now, ever running flawless on freebsd. >> Now im updating (from ports) to 4.55.10 on freebsd 6.2 pre and see >> something strange. >> >> Im using the sendmail2 with ms2cgp script to put MS output in my >> Communigate submitted queue: >> >> Sendmail2 = /usr/local/etc/ms2cgp2 >> >> However it seems MS is not providing the job number like it used too: >> >> Nov 9 13:11:06 fb1 MailScanner[51501]: Creating hardcoded struct_flock >> subroutine for freebsd (BSD-type) >> Nov 9 13:11:32 fb1 MailScanner[51430]: New Batch: Scanning 1 messages, >> 622 bytes >> Nov 9 13:11:32 fb1 MailScanner[51430]: Spam Checks: Starting >> Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string spam in >> language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked >> up unknown string notspam in language translation file Nov 9 13:11:32 >> fb1 MailScanner[51430]: Message 51551 from 84.107.145.164 >> (hans@fb1.enem.nl) is whitelisted >> Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string >> mailscanner in language translation file Nov 9 13:11:32 fb1 >> MailScanner[51430]: Looked up unknown string unreadablearchive in >> language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked >> up unknown string passwordedarchive in language translation file Nov 9 >> 13:11:32 fb1 MailScanner[51430]: Looked up unknown string archivetoodeep >> in language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: >> Virus and Content Scanning: Starting >> Nov 9 13:11:34 fb1 MailScanner[51430]: Uninfected: Delivered 1 messages >> Nov 9 13:11:34 fb1 ms2cgp[51564]: Job writing to >> 
/var/CommuniGate/Submitted/FB11.ms2cgp..51564.tmp >> >> ^^ no jobnumber >> Nov 9 13:11:34 fb1 ms2cgp[51564]: Open input /var/spool/mqueue/qf >> failed, dying >> >> ^^ no jobnumber >> >> The ms2cgp script is unchanged, qf and df files are there. >> >> Anybody knows what's going on, hopefully a workaround ? >> >> Thanks, >> Hans >> >> >> > You need to upgrade your languages.conf file. That is where the unknown string > errors are comming from. > > Thanks Scott, that language error is solved, However the problem still exists. Could it be that anything has changed in how MS calls sendmail2 ? All my script needs is a msg number corresponding with the df and qf files in mqueue. It just reads the -qI argument MS (used to) sends with the sendmail command. Right now i only see -qI, without number.. I know there IS a number because the qf and df files are correct. And if i call my script from cli with that number everything works fine: like: /usr/local/etc/ms2cgp2 -qI23456 >> no problem. I installed this version on another machine, same problem. Nov 9 21:59:43 fb1 MailScanner[1573]: New Batch: Scanning 1 messages, 602 bytes Nov 9 21:59:43 fb1 MailScanner[1573]: Spam Checks: Starting Nov 9 21:59:43 fb1 MailScanner[1573]: Message 1656 from 84.107.145.164 (hans@fb1.enem.nl) is whitelisted Nov 9 21:59:43 fb1 MailScanner[1573]: Virus and Content Scanning: Starting Nov 9 21:59:45 fb1 MailScanner[1573]: Uninfected: Delivered 1 messages Nov 9 21:59:45 fb1 ms2cgp[1670]: Job -qI << changed script to show all arguments Nov 9 21:59:45 fb1 ms2cgp[1670]: Job writing to /var/CommuniGate/Submitted/FB11.ms2cgp..1670.tmp Nov 9 21:59:45 fb1 ms2cgp[1670]: Open input /var/spool/mqueue/qf failed, dying From glenn.steen at gmail.com Thu Nov 9 22:11:22 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 22:11:32 2006 Subject: Is razor working? In-Reply-To: References: <45520A04.2090109@solidstatelogic.com> <45520BD1.7020409@solidstatelogic.com> <223f97700611090151rca8b6bft1f1e1f6c7279f923@mail.gmail.com> <223f97700611090453y5dd1e67di815711ac3004b810@mail.gmail.com> Message-ID: <223f97700611091411w11f14c8dob42afcba84e665f2@mail.gmail.com> On 09/11/06, Scott Silva wrote: > Glenn Steen spake the following on 11/9/2006 4:53 AM: > > On 09/11/06, Glenn Steen wrote: > > (snip) > >> That version of SA will only load the module(s) and test for syntax > >> errors, not actually try to perform any network tests. > > .... for the --lint option, of course. Jeez, when will I learn to > > proofread _beforehand_. Sigh. > > > Sometime after they pry Postfix from your cold dead fingers! ;-) > :-) Hope to be around for a while longer;-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From philippe at beau.nom.fr Thu Nov 9 22:14:38 2006 From: philippe at beau.nom.fr (Philippe BEAU) Date: Thu Nov 9 22:15:19 2006 Subject: MailWatch question was Re: Mailscanner interface In-Reply-To: <61441.90.0.125.205.1163106374.squirrel@www.choup.net> References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> <1163103799.11897.103.camel@venture.office.netdirect.ca> <223f97700611091255y55188168y660b2b63a898458c@mail.gmail.com> <61441.90.0.125.205.1163106374.squirrel@www.choup.net> Message-ID: <61970.90.0.125.205.1163110478.squirrel@www.choup.net> So ... i try MailWatch. Also it's not in french, but i will try it for the moment. A question, is the current version working with more than one MailScanner server ? (one is remote from the front-end interface) Best regards Philippe From glenn.steen at gmail.com Thu Nov 9 22:15:45 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 9 22:15:50 2006 Subject: New SPAM e-mails recently? In-Reply-To: <455391B0.7000205@cenpac.net.nr> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> <455391B0.7000205@cenpac.net.nr> Message-ID: <223f97700611091415m1a9b8ah46922b55ab127740@mail.gmail.com> On 09/11/06, Jon Leeman wrote: > > Jason Williams wrote: > > Anyone been getting some new SPAM recently, where it comes in with > > subjects like: > > > > It's Lorenzo :) > > It's Flavia :) > > > > Bunch of names in the subject line. > > > > In the body of the message, it is a wide range of things like to buy > > viagra and cialis. > > Or a couple today are for buying stock (buy this symbol) etc. > > > > Anyone been getting these? Im still getting my SA rules back in order. > > Wasn't sure if any of these were sneaking through to anyone else. > > For those that are blocking, what is catching it so I can quickly put it > > in? > > > > Thanks, > > > > -Jason > > Yes, I am seeing these and they're currently getting through MS / > Postfix. Would also like to know how to drop them - preferrably with > Postfix. > > Glenn? :-) > You rang?:-) Well, I've had a few too, but most seem to get caught... so I've not reflected on why that is just yet. I'd imagine most are image based, so ImageInfo and/or FuzzyOcr should help. Will look a bit harder tomorrow (it's about bedtime around here:) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Thu Nov 9 22:45:45 2006 
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 9 22:46:23 2006
Subject: New SPAM e-mails recently?
In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local>
References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local>
Message-ID:

Jason Williams spake the following on 11/9/2006 12:23 PM:
> Anyone been getting some new SPAM recently, where it comes in with
> subjects like:
>
> It's Lorenzo :)
> It's Flavia :)
>
> Bunch of names in the subject line.
>
> In the body of the message, it is a wide range of things like to buy
> viagra and cialis.
> Or a couple today are for buying stock (buy this symbol) etc.
>
> Anyone been getting these? Im still getting my SA rules back in order.
> Wasn't sure if any of these were sneaking through to anyone else.
>
> For those that are blocking, what is catching it so I can quickly put it
> in?
>
> Thanks,
>
> -Jason

Mine usually hit these;

3.50  BAYES_99                   Bayesian spam probability is 99 to 100%
2.17  DCC_CHECK                  Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
2.50  DIGEST_MULTIPLE            Message hits more than one network digest check
1.00  FORGED_RCVD_HELO           Received: contains a forged HELO
1.50  RAZOR2_CF_RANGE_51_100     Razor2 gives confidence level above 50%
1.50  RAZOR2_CF_RANGE_E4_51_100  Razor2 gives engine 4 confidence level above 50%
1.50  RAZOR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
1.56  RCVD_IN_BL_SPAMCOP_NET     Received via a relay in bl.spamcop.net
2.05  RCVD_IN_SORBS_DUL          SORBS: sent directly from dynamic IP address
1.66  SARE_CSBIG                 Only Mexican food gives me an Explosive Gain.
1.66  SARE_MLB_Stock1
1.66  SARE_MLB_Stock5            Mentions stock symbol, tickers, or OTC.
1.07  SPF_NEUTRAL                SPF: sender does not match SPF record (neutral)

Some variation, but mostly in the SARE rules and the digests.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Nov 9 22:57:14 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 9 23:00:11 2006 Subject: mailscanner 4.55.10 Freebsd doesnt provide jobnumber in sendmail2 anymore or differently? In-Reply-To: <4553A71C.9@enem.nl> References: <45531E87.3090904@enem.nl> <4553A71C.9@enem.nl> Message-ID: Hans Melgers spake the following on 11/9/2006 2:09 PM: > > > Scott Silva schreef: >> Hans Melgers spake the following on 11/9/2006 4:26 AM: >> >>> Hi list, >>> >>> Im running MS for years now, ever running flawless on freebsd. >>> Now im updating (from ports) to 4.55.10 on freebsd 6.2 pre and see >>> something strange. >>> >>> Im using the sendmail2 with ms2cgp script to put MS output in my >>> Communigate submitted queue: >>> >>> Sendmail2 = /usr/local/etc/ms2cgp2 >>> >>> However it seems MS is not providing the job number like it used too: >>> >>> Nov 9 13:11:06 fb1 MailScanner[51501]: Creating hardcoded struct_flock >>> subroutine for freebsd (BSD-type) >>> Nov 9 13:11:32 fb1 MailScanner[51430]: New Batch: Scanning 1 messages, >>> 622 bytes >>> Nov 9 13:11:32 fb1 MailScanner[51430]: Spam Checks: Starting >>> Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string spam in >>> language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked >>> up unknown string notspam in language translation file Nov 9 13:11:32 >>> fb1 MailScanner[51430]: Message 51551 from 84.107.145.164 >>> (hans@fb1.enem.nl) is whitelisted >>> Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string >>> mailscanner in language translation file Nov 9 13:11:32 fb1 >>> MailScanner[51430]: Looked up unknown string unreadablearchive in >>> language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked >>> up unknown string passwordedarchive in language translation file Nov 9 >>> 13:11:32 fb1 MailScanner[51430]: Looked up unknown string archivetoodeep >>> in language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: >>> Virus and Content Scanning: Starting >>> Nov 9 13:11:34 fb1 
MailScanner[51430]: Uninfected: Delivered 1 messages >>> Nov 9 13:11:34 fb1 ms2cgp[51564]: Job writing to >>> /var/CommuniGate/Submitted/FB11.ms2cgp..51564.tmp >>> >>> ^^ no jobnumber >>> Nov 9 13:11:34 fb1 ms2cgp[51564]: Open input /var/spool/mqueue/qf >>> failed, dying >>> >>> ^^ no jobnumber >>> >>> The ms2cgp script is unchanged, qf and df files are there. >>> >>> Anybody knows what's going on, hopefully a workaround ? >>> >>> Thanks, >>> Hans >>> >>> >>> >> You need to upgrade your languages.conf file. That is where the >> unknown string >> errors are comming from. >> >> > Thanks Scott, that language error is solved, However the problem still > exists. > Could it be that anything has changed in how MS calls sendmail2 ? > > All my script needs is a msg number corresponding with the df > and qf files in mqueue. It just reads the -qI argument > MS (used to) sends with the sendmail command. Right now i only see -qI, > without number.. > I know there IS a number because the qf and df files are correct. And if > i call my script from cli with that number everything works fine: > > like: /usr/local/etc/ms2cgp2 -qI23456 >> no problem. > > I installed this version on another machine, same problem. > > Nov 9 21:59:43 fb1 MailScanner[1573]: New Batch: Scanning 1 messages, > 602 bytes > Nov 9 21:59:43 fb1 MailScanner[1573]: Spam Checks: Starting > Nov 9 21:59:43 fb1 MailScanner[1573]: Message 1656 from 84.107.145.164 > (hans@fb1.enem.nl) is whitelisted > Nov 9 21:59:43 fb1 MailScanner[1573]: Virus and Content Scanning: Starting > Nov 9 21:59:45 fb1 MailScanner[1573]: Uninfected: Delivered 1 messages > Nov 9 21:59:45 fb1 ms2cgp[1670]: Job > -qI << changed script to > show all arguments > Nov 9 21:59:45 fb1 ms2cgp[1670]: Job writing to > /var/CommuniGate/Submitted/FB11.ms2cgp..1670.tmp > Nov 9 21:59:45 fb1 ms2cgp[1670]: Open input /var/spool/mqueue/qf > failed, dying It was worth a shot. I thought that the munged languages file could be messing up the calls. 
-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Nov 9 23:10:22 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 9 23:10:43 2006 Subject: MailWatch question was Re: Mailscanner interface In-Reply-To: <61970.90.0.125.205.1163110478.squirrel@www.choup.net> References: <60875.90.0.125.205.1163101970.squirrel@www.choup.net> <1163103799.11897.103.camel@venture.office.netdirect.ca> <223f97700611091255y55188168y660b2b63a898458c@mail.gmail.com> <61441.90.0.125.205.1163106374.squirrel@www.choup.net> <61970.90.0.125.205.1163110478.squirrel@www.choup.net> Message-ID: Philippe BEAU spake the following on 11/9/2006 2:14 PM: > So ... > > i try MailWatch. Also it's not in french, but i will try it for the > moment. A question, is the current version working with more than one > MailScanner server ? (one is remote from the front-end interface) > > Best regards > > Philippe > It can be set up to oversee many mailscanner servers. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Nov 9 23:13:34 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 9 23:16:15 2006 Subject: trackback option not valid config option? In-Reply-To: <4553A5CA.1090209@pacific.net> References: <4553A5CA.1090209@pacific.net> Message-ID: Ken A spake the following on 11/9/2006 2:03 PM: > > Nov 9 13:59:47 server MailScanner[17647]: Syntax error in line 1630, > 60k trackback for maxspamassassinsize should be a number > > Is this not the correct syntax? > Thanks, > > Ken A > Pacific.Net try 60000. There has been some problems parsing the k in amounts. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ka at pacific.net Thu Nov 9 23:28:26 2006 
From: ka at pacific.net (Ken A) Date: Thu Nov 9 23:26:13 2006 Subject: trackback option not valid config option? In-Reply-To: References: <4553A5CA.1090209@pacific.net> Message-ID: <4553B99A.7030801@pacific.net> Scott Silva wrote: > Ken A spake the following on 11/9/2006 2:03 PM: >> Nov 9 13:59:47 server MailScanner[17647]: Syntax error in line 1630, >> 60k trackback for maxspamassassinsize should be a number >> >> Is this not the correct syntax? >> Thanks, >> >> Ken A >> Pacific.Net > try 60000. There has been some problems parsing the k in amounts. I tried that too. I think it's something with Config.pm thinking this is still only a 'number' type setting. I'm just not sure whether the warning means the limit gets some default, or if it's honoring the setting in the config file? This is version 4.56.6-1 Thanks, Ken A Pacific.Net > > From ka at pacific.net Fri Nov 10 00:49:36 2006 
From: ka at pacific.net (Ken A) Date: Fri Nov 10 00:47:31 2006 Subject: trackback option not valid config option? In-Reply-To: <4553B99A.7030801@pacific.net> References: <4553A5CA.1090209@pacific.net> <4553B99A.7030801@pacific.net> Message-ID: <4553CCA0.5000303@pacific.net> Ken A wrote: > > > Scott Silva wrote: >> Ken A spake the following on 11/9/2006 2:03 PM: >>> Nov 9 13:59:47 server MailScanner[17647]: Syntax error in line 1630, >>> 60k trackback for maxspamassassinsize should be a number >>> >>> Is this not the correct syntax? >>> Thanks, >>> >>> Ken A >>> Pacific.Net >> try 60000. There has been some problems parsing the k in amounts. > > I tried that too. I think it's something with Config.pm thinking this is > still only a 'number' type setting. > > I'm just not sure whether the warning means the limit gets some default, > or if it's honoring the setting in the config file? This is version > 4.56.6-1 Julian, I did some testing, and MailScanner is using the default of 30k when I specify the trackback option to Max SpamAssassin Size. For now, I've just hardcoded $maxsize in SA.pm (certainly not the right way to fix this!), but it works, and gets me through the weekend. The trackback option seems to work correctly once it is used by MailScanner. I have a test email that scores FUZZY_OCR_CORRUPT_IMG every time otherwise. Thanks, Ken A. Pacific.Net > Thanks, > Ken A > Pacific.Net > > > >> >> From campbell at cnpapers.com Fri Nov 10 01:00:17 2006 
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Nov 10 01:00:35 2006 Subject: Think I found why SAREs rules weren't working. Message-ID: <1163120417.4553cf2145c04@perdition.cnpapers.net> OK, I feel a little blushy now, but this is what I found about why my SARE rule sets weren't working. A little background - For some time, auto-learn hasn't been working. I noticed this a while back, but just thought it might have been due to a great set of Bayes files. I also noticed that the SARE rules were catching a lot (none, in fact), but just noticed the "none" part today with the recent thread on "New SPAM emails recently". I have both SARE adult and stocks in my /etc/mail/spamassassin folder. When I would update the rules database for MailWatch from the Tools menu, they showed up. When I ran Spamassassin Lint test from the same menu, nothing showed up as a problem. The problem was I never noticed that a lot of the rules files weren't showing up. I use a lot of Sendmail access table entries and was doing pretty well without the rules. So I was given a false sense of "rightness" until I ran into these "Hi" emails and they weren't being trapped. I soon discovered that the setting in MailScanner.conf, SpamAssassin Site Rules Dir, was blank, apparently from a past update that I didn't catch. At one point, this folder _was_ being used. After setting this to "/etc/mail/spamassassin", all is well now. It must not use the default I thought it did. AutoLearn even works now. Hope this helps someone else. Steve Campbell ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From mikej at rogers.com Fri Nov 10 01:05:07 2006 
From: mikej at rogers.com (Mike Jakubik) Date: Fri Nov 10 01:05:03 2006 Subject: Releasing dangerous content from quarantine using MailWatch Message-ID: <4553D043.207@rogers.com> While adding the local server (127.0.0.1) to the whitelist allows releasing of quarantined spam emails using MailWatch, doing so with emails that have blocked filenames or content does not work, as the whitelist seems to be ignored for this. Does anyone know of a workaround for this? From ugob at camo-route.com Fri Nov 10 04:07:39 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 10 04:08:00 2006 Subject: Releasing dangerous content from quarantine using MailWatch In-Reply-To: <4553D043.207@rogers.com> References: <4553D043.207@rogers.com> Message-ID: Mike Jakubik wrote: > While adding the local server (127.0.0.1) to the whitelist allows > releasing of quarantined spam emails using MailWatch, doing so with > emails that have blocked filenames or content does not work, as the > whitelist seems to be ignored for this. Does anyone know of a workaround > for this? > Create a ruleset for "Virus Scanning = ". Should include filetype/name checks. Ugo From r.berber at computer.org Fri Nov 10 04:42:31 2006 
From: r.berber at computer.org (René Berber)
Date: Fri Nov 10 04:42:49 2006
Subject: trackback option not valid config option?
In-Reply-To: <4553CCA0.5000303@pacific.net>
References: <4553A5CA.1090209@pacific.net> <4553B99A.7030801@pacific.net> <4553CCA0.5000303@pacific.net>
Message-ID:

Ken A wrote:
[snip]
>> I'm just not sure whether the warning means the limit gets some
>> default, or if it's honoring the setting in the config file? This is
>> version 4.56.6-1
>
> Julian,
> I did some testing, and MailScanner is using the default of 30k when I
> specify the trackback option to Max SpamAssassin Size. For now, I've
> just hardcoded $maxsize in SA.pm (certainly not the right way to fix
> this!), but it works, and gets me through the weekend.
>
> The trackback option seems to work correctly once it is used by
> MailScanner. I have a test email that scores FUZZY_OCR_CORRUPT_IMG every
> time otherwise.

I think the trackback option was introduced after the version you have, I have
it (and it works fine) with version 4.57.1.

--
René Berber

From develop at in-tech.us Fri Nov 10 05:13:12 2006
From: develop at in-tech.us (Integrated Technologies)
Date: Fri Nov 10 05:07:47 2006
Subject: Bayes daily cron job
Message-ID: <000001c70486$f15c5f40$c8fea8c0@intech.us>

I am running the following:

CentOS 4.4
MailScanner 4.56.8-1
Spamassassin 3.0.6-1.el4

I currently have the parameter, "Rebuild Bayes Every = 0" set in my
MailScanner.conf file and would like to set up a daily cron job to expire
these old Bayes tokens.

I downloaded and printed the MailScanner Administrators Guide, Version
1.0.5. On page 64, it gives an example script for this exact requirement:

#! /bin/bash
# re-builds the Bayes database daily
/usr/bin/sa-learn --sync --force-expire \
-p /etc/MailScanner/spam.assassin.prefs.conf

I placed the following script in my /etc/cron.daily folder and it is giving
me this error:

/etc/cron.daily/bayes.cron: line 4: -p: command not found

When I remove the -p switch, I receive the following error:

/etc/cron.daily/bayes.cron: line 4: /etc/MailScanner/spam.assassin.prefs.conf: Permission denied

Any help here would be appreciated. My gratitude for your patience and time!

SRB

From ka at pacific.net Fri Nov 10 05:42:44 2006
From: ka at pacific.net (Ken A)
Date: Fri Nov 10 05:42:56 2006
Subject: trackback option not valid config option?
In-Reply-To:
References: <4553A5CA.1090209@pacific.net> <4553B99A.7030801@pacific.net> <4553CCA0.5000303@pacific.net>
Message-ID: <45541154.7080203@pacific.net>

René Berber wrote:
> Ken A wrote:
> [snip]
>>> I'm just not sure whether the warning means the limit gets some
>>> default, or if it's honoring the setting in the config file? This is
>>> version 4.56.6-1
>> Julian,
>> I did some testing, and MailScanner is using the default of 30k when I
>> specify the trackback option to Max SpamAssassin Size. For now, I've
>> just hardcoded $maxsize in SA.pm (certainly not the right way to fix
>> this!), but it works, and gets me through the weekend.
>>
>> The trackback option seems to work correctly once it is used by
>> MailScanner. I have a test email that scores FUZZY_OCR_CORRUPT_IMG every
>> time otherwise.
>
> I think the trackback option was introduced after the version you have, I have
> it (and it works fine) with version 4.57.1.

This may be something that was fixed in that version.
Thanks!
Ken A.
Pacific.Net

From jimc at laridian.com Fri Nov 10 05:41:33 2006
From: jimc at laridian.com (Jim Coates) Date: Fri Nov 10 05:43:19 2006 Subject: OT: milter-greylist config In-Reply-To: Message-ID: <03c001c7048a$e1e4ba90$6401a8c0@zorak> This may be a dumb question, but how do you go about copying the greylist exceptions from http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?rev=1.1 6 over to your milter-greylist.conf? I copied them in there an added the acl whitelist info before each of them, but it bombed upon restarting the milter because it didn't like the addresses that were incomplete (IE - missing the last number from the IP etc). Also - I have the local host set as whitelisted, but do I also need the public IP of our MTA set as whitelisted? The reason I ask is that I went to send an email to another user on our system and it immediately told me it was rejected. Thanks, Jim Coates From glenn.steen at gmail.com Fri Nov 10 08:23:14 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 10 08:23:18 2006 Subject: New SPAM e-mails recently? In-Reply-To: References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> Message-ID: <223f97700611100023l59599e62y2ae20ebed9eded8f@mail.gmail.com> On 09/11/06, Scott Silva wrote: > Jason Williams spake the following on 11/9/2006 12:23 PM: > > Anyone been getting some new SPAM recently, where it comes in with > > subjects like: > > > > It's Lorenzo :) > > It's Flavia :) > > > > Bunch of names in the subject line. > > > > In the body of the message, it is a wide range of things like to buy > > viagra and cialis. > > Or a couple today are for buying stock (buy this symbol) etc. > > > > Anyone been getting these? Im still getting my SA rules back in order. > > Wasn't sure if any of these were sneaking through to anyone else. > > > > For those that are blocking, what is catching it so I can quickly put it > > in? > > > > Thanks, > > > > -Jason > Mine usually hit these; > 3.50 BAYES_99 Bayesian spam probability is 99 to 100% > 2.17 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) > 2.50 DIGEST_MULTIPLE Message hits more than one network digest check > 1.00 FORGED_RCVD_HELO Received: contains a forged HELO > 1.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% > 1.50 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50% > 1.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) > 1.56 RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net > 2.05 RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address > 1.66 SARE_CSBIG Only Mexican food gives me an Explosive Gain. > 1.66 SARE_MLB_Stock1 > 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. > 1.07 SPF_NEUTRAL SPF: sender does not match SPF record (neutral) > > Some variation, but mostly in the SARE rules and the digests. > I've now checked mine too. 
Yesterday I got 340, where all but one was marked as spam (7 were low-scoring, the rest high). The rules that did it for me was Bayes, Razor, TVD_STOCK1, DIGEST_MULTIPLE, DCC, a slew of BLs (SORBS_DUL etc etc), HELO_DYNAMIC_* and SPF_NEUTRAL ... and then some. So, for me these haven't really been a problem (Postfix and all:-). Note that I don't run the SARE stocks rules, else those would likely have made an impact too. And finally, my gut reaction ("they're probably images") was plain wrong. Aren't statistics wonderful:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Nov 10 08:28:21 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 10 08:28:26 2006 Subject: New SPAM e-mails recently? In-Reply-To: <223f97700611100023l59599e62y2ae20ebed9eded8f@mail.gmail.com> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1AF@cmexchange01.CourtesyMortgage.local> <223f97700611100023l59599e62y2ae20ebed9eded8f@mail.gmail.com> Message-ID: <223f97700611100028x74166279u9fa1ed03423cb6fc@mail.gmail.com> On 10/11/06, Glenn Steen wrote: (snip) > I've now checked mine too. Yesterday I got 340, where all but one was > marked as spam (7 were low-scoring, the rest high). The rules that did > it for me was Bayes, Razor, TVD_STOCK1, DIGEST_MULTIPLE, DCC, a slew > of BLs (SORBS_DUL etc etc), HELO_DYNAMIC_* and SPF_NEUTRAL ... and > then some. > > So, for me these haven't really been a problem (Postfix and all:-). > > Note that I don't run the SARE stocks rules, else those would likely > have made an impact too. > > And finally, my gut reaction ("they're probably images") was plain > wrong. Aren't statistics wonderful:-). > BTW, there seems to be a variation where the subject is "hi xxx.xxx" (xxx.xxx == the user part of the email address) that hit pretty much the same rules. Had about 200 of those yesterday (yesterday was an all-time-high for spam (and caught spam) here:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Nov 10 08:37:53 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 10 08:38:02 2006
Subject: Bayes daily cron job
In-Reply-To: <000001c70486$f15c5f40$c8fea8c0@intech.us>
References: <000001c70486$f15c5f40$c8fea8c0@intech.us>
Message-ID: <223f97700611100037n31f33602rbbc31998b0aeba9b@mail.gmail.com>

On 10/11/06, Integrated Technologies wrote:
>
> I am running the following:
>
> CentOS 4.4
> MailScanner 4.56.8-1
> Spamassassin 3.0.6-1.el4
>
> I currently have the parameter, "Rebuild Bayes Every = 0" set in my
> MailScanner.conf file and would like to set up a daily cron job to expire
> these old Bayes tokens.
>
> I downloaded and printed the MailScanner Administrators Guide, Version
> 1.0.5. On page 64, it gives an example script for this exact requirement:
>
> #! /bin/bash
> # re-builds the Bayes database daily
> /usr/bin/sa-learn --sync --force-expire \
> -p /etc/MailScanner/spam.assassin.prefs.conf
>

You have whitespace or something like that _after_ the backslash. Don't.
Since quite a few versions back MailScanner should have a link from
/etc/mail/spamassassin/mailscanner.cf pointing at your
spam.assassin.prefs.conf, so you likely don't need to specify it separately.
Change the script to

#! /bin/bash
# re-builds the Bayes database daily
/usr/bin/sa-learn --sync --force-expire
# End of script

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From joost at waversveld.nl Fri Nov 10 10:35:37 2006
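Added example, not part of the thread or of the MailScanner guide: a check for the fault diagnosed in the "Bayes daily cron job" reply above, where whitespace after the line-continuation backslash makes the shell run "-p" as a command of its own. The function names and the sample script are constructed here, and echo stands in for sa-learn so the sample runs on any machine.

```shell
#!/bin/sh
# Added example: detect and repair a line-continuation backslash that is
# followed by trailing whitespace. "\ " escapes the blank instead of the
# newline, so the command ends on that line and the next line ("-p ...")
# is executed as a separate command ("-p: command not found").

# list_broken_continuations FILE
# Prints "LINENO:text" for every line ending in backslash + whitespace
# (space, tab, or the CR of a DOS line ending). Exit status 0 if any found.
list_broken_continuations() {
    grep -n '\\[[:space:]]\{1,\}$' "$1"
}

# fix_continuations FILE
# Writes FILE to stdout with the whitespace after a trailing backslash removed.
fix_continuations() {
    sed 's/\\[[:space:]]\{1,\}$/\\/' "$1"
}

# write_sample FILE
# Constructed stand-in for the four-line cron script from the thread.
# Line 3 ends in backslash + blank; echo replaces /usr/bin/sa-learn.
write_sample() {
    printf '%s\n' \
        '#!/bin/sh' \
        '# re-builds the Bayes database daily' \
        'echo sa-learn --sync --force-expire \ ' \
        '-p /etc/MailScanner/spam.assassin.prefs.conf' > "$1"
}

# exit_status_of FILE
# Runs FILE with sh, discards its output and prints the exit status.
exit_status_of() {
    status=0
    sh "$1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample "$dir/bayes.cron"
    echo "lines with whitespace after the backslash:"
    list_broken_continuations "$dir/bayes.cron" || echo "(none)"
    echo "exit status as written: $(exit_status_of "$dir/bayes.cron")"
    fix_continuations "$dir/bayes.cron" > "$dir/bayes.fixed"
    echo "exit status after fix:  $(exit_status_of "$dir/bayes.fixed")"
    rm -rf "$dir"
}

demo
```

Run list_broken_continuations over /etc/cron.daily/* after pasting scripts from a PDF or web page, which is where stray trailing blanks usually come from.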
From: joost at waversveld.nl (Joost Waversveld) Date: Fri Nov 10 10:36:02 2006 Subject: [sendmail] Skipping rbl per domain In-Reply-To: References: <45535C44.708@waversveld.nl> Message-ID: <455455F9.6010509@waversveld.nl> Scott, This is exactly what I was looking for, great! I also looked at the solution of Steven Freegard, but that solution needs an extra milter. This solution is 'standard' available in sendmail. I think we are going to integrate this in our systems.... Thanks again!! Best Regards, Joost Waversveld Scott Silva wrote: > Joost Waversveld spake the following on 11/9/2006 8:50 AM: >> Hi to all, >> >> I've searched but I could not find an good answer... >> >> We have some mailscanners with a lot of domains pointing to them, which >> are very busy. At the moment we do not use RBL's through sendmail. We >> let Mailscanner (SpamAssassin) handle those lookups. This way every end >> user can choose what to do with the SPAM. >> >> To handle the load better we want to enable some RBL-checks through >> sendmail but we know some customers don't want that, because then we are >> deciding which mail could be deleted, and which not. If you get what I >> mean. >> >> Is it possible to enable the RBL-checks in sendmail per domain, so >> customer1 can use the function(s), but customer2 does not?? >> >> Regards, >> >> Joost Waversveld > This might do what you want with some experimentation; > http://www.technoids.org/spamlovers.html > > From martinh at solidstatelogic.com Fri Nov 10 10:42:40 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Fri Nov 10 10:42:50 2006 Subject: [sendmail] Skipping rbl per domain In-Reply-To: <455455F9.6010509@waversveld.nl> References: <45535C44.708@waversveld.nl> <455455F9.6010509@waversveld.nl> Message-ID: <455457A0.5080902@solidstatelogic.com> Joost Waversveld wrote: > Scott, > > This is exactly what I was looking for, great! > > I also looked at the solution of Steven Freegard, but that solution > needs an extra milter. This solution is 'standard' available in sendmail. > > I think we are going to integrate this in our systems.... > > Thanks again!! > > Best Regards, > > Joost Waversveld > > > Scott Silva wrote: >> Joost Waversveld spake the following on 11/9/2006 8:50 AM: >>> Hi to all, >>> >>> I've searched but I could not find an good answer... >>> >>> We have some mailscanners with a lot of domains pointing to them, which >>> are very busy. At the moment we do not use RBL's through sendmail. We >>> let Mailscanner (SpamAssassin) handle those lookups. This way every end >>> user can choose what to do with the SPAM. >>> >>> To handle the load better we want to enable some RBL-checks through >>> sendmail but we know some customers don't want that, because then we are >>> deciding which mail could be deleted, and which not. If you get what I >>> mean. >>> >>> Is it possible to enable the RBL-checks in sendmail per domain, so >>> customer1 can use the function(s), but customer2 does not?? >>> >>> Regards, >>> >>> Joost Waversveld >> This might do what you want with some experimentation; >> http://www.technoids.org/spamlovers.html >> >> Joost I'd look at milter-ahead or sender-verification (http://smfs.sourceforge.net/smf-sav.html, which can also so recipient verification) so reduce your load too. i drop over 66% of my inbound traffic this way. 
-- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From joost at waversveld.nl Fri Nov 10 10:57:24 2006
From: joost at waversveld.nl (Joost Waversveld) Date: Fri Nov 10 10:57:46 2006 Subject: [sendmail] Skipping rbl per domain In-Reply-To: <455457A0.5080902@solidstatelogic.com> References: <45535C44.708@waversveld.nl> <455455F9.6010509@waversveld.nl> <455457A0.5080902@solidstatelogic.com> Message-ID: <45545B14.8030603@waversveld.nl> Martin, That are indeed very good options but we are an hosting-provider and we want the customer to decide what is SPAM and what is not. Only for the customer who really understands what is happening and what it means, we want to implement this features. Also, at the moment we use windows mailservers with MailScanner in front of them. I did not investigate yet if these milters will work with the mailserver. I'll keep them in mind for the future. Thanx for the information. Best regards, Joost Waversveld Martin Hepworth wrote: > Joost Waversveld wrote: >> Scott, >> >> This is exactly what I was looking for, great! >> >> I also looked at the solution of Steven Freegard, but that solution >> needs an extra milter. This solution is 'standard' available in sendmail. >> >> I think we are going to integrate this in our systems.... >> >> Thanks again!! >> >> Best Regards, >> >> Joost Waversveld >> >> >> Scott Silva wrote: >>> Joost Waversveld spake the following on 11/9/2006 8:50 AM: >>>> Hi to all, >>>> >>>> I've searched but I could not find an good answer... >>>> >>>> We have some mailscanners with a lot of domains pointing to them, which >>>> are very busy. At the moment we do not use RBL's through sendmail. We >>>> let Mailscanner (SpamAssassin) handle those lookups. This way every end >>>> user can choose what to do with the SPAM. >>>> >>>> To handle the load better we want to enable some RBL-checks through >>>> sendmail but we know some customers don't want that, because then we >>>> are >>>> deciding which mail could be deleted, and which not. If you get what I >>>> mean. 
>>>> >>>> Is it possible to enable the RBL-checks in sendmail per domain, so >>>> customer1 can use the function(s), but customer2 does not?? >>>> >>>> Regards, >>>> >>>> Joost Waversveld >>> This might do what you want with some experimentation; >>> http://www.technoids.org/spamlovers.html >>> >>> > Joost > > I'd look at milter-ahead or sender-verification > (http://smfs.sourceforge.net/smf-sav.html, which can also so recipient > verification) so reduce your load too. > > i drop over 66% of my inbound traffic this way. > From hans at enem.nl Fri Nov 10 11:48:57 2006 
From: hans at enem.nl (Hans Melgers) Date: Fri Nov 10 11:54:29 2006 Subject: mailscanner 4.55.10 Freebsd doesnt provide jobnumber in sendmail2 anymore or differently? In-Reply-To: References: <45531E87.3090904@enem.nl> <4553A71C.9@enem.nl> Message-ID: <45546729.7040805@enem.nl> Scott Silva schreef: > Hans Melgers spake the following on 11/9/2006 2:09 PM: > >> Scott Silva schreef: >> >>> Hans Melgers spake the following on 11/9/2006 4:26 AM: >>> >>> >>>> Hi list, >>>> >>>> Im running MS for years now, ever running flawless on freebsd. >>>> Now im updating (from ports) to 4.55.10 on freebsd 6.2 pre and see >>>> something strange. >>>> >>>> Im using the sendmail2 with ms2cgp script to put MS output in my >>>> Communigate submitted queue: >>>> >>>> Sendmail2 = /usr/local/etc/ms2cgp2 >>>> >>>> However it seems MS is not providing the job number like it used too: >>>> >>>> Nov 9 13:11:06 fb1 MailScanner[51501]: Creating hardcoded struct_flock >>>> subroutine for freebsd (BSD-type) >>>> Nov 9 13:11:32 fb1 MailScanner[51430]: New Batch: Scanning 1 messages, >>>> 622 bytes >>>> Nov 9 13:11:32 fb1 MailScanner[51430]: Spam Checks: Starting >>>> Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string spam in >>>> language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked >>>> up unknown string notspam in language translation file Nov 9 13:11:32 >>>> fb1 MailScanner[51430]: Message 51551 from 84.107.145.164 >>>> (hans@fb1.enem.nl) is whitelisted >>>> Nov 9 13:11:32 fb1 MailScanner[51430]: Looked up unknown string >>>> mailscanner in language translation file Nov 9 13:11:32 fb1 >>>> MailScanner[51430]: Looked up unknown string unreadablearchive in >>>> language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: Looked >>>> up unknown string passwordedarchive in language translation file Nov 9 >>>> 13:11:32 fb1 MailScanner[51430]: Looked up unknown string archivetoodeep >>>> in language translation file Nov 9 13:11:32 fb1 MailScanner[51430]: >>>> Virus 
and Content Scanning: Starting >>>> Nov 9 13:11:34 fb1 MailScanner[51430]: Uninfected: Delivered 1 messages >>>> Nov 9 13:11:34 fb1 ms2cgp[51564]: Job writing to >>>> /var/CommuniGate/Submitted/FB11.ms2cgp..51564.tmp >>>> >>>> ^^ no jobnumber >>>> Nov 9 13:11:34 fb1 ms2cgp[51564]: Open input /var/spool/mqueue/qf >>>> failed, dying >>>> >>>> ^^ no jobnumber >>>> >>>> The ms2cgp script is unchanged, qf and df files are there. >>>> >>>> Anybody knows what's going on, hopefully a workaround ? >>>> >>>> Thanks, >>>> Hans >>>> >>>> >>>> >>>> >>> You need to upgrade your languages.conf file. That is where the >>> unknown string >>> errors are comming from. >>> >>> >>> >> Thanks Scott, that language error is solved, However the problem still >> exists. >> Could it be that anything has changed in how MS calls sendmail2 ? >> >> All my script needs is a msg number corresponding with the df >> and qf files in mqueue. It just reads the -qI argument >> MS (used to) sends with the sendmail command. Right now i only see -qI, >> without number.. >> I know there IS a number because the qf and df files are correct. And if >> i call my script from cli with that number everything works fine: >> >> like: /usr/local/etc/ms2cgp2 -qI23456 >> no problem. >> >> I installed this version on another machine, same problem. 
>>
>> Nov 9 21:59:43 fb1 MailScanner[1573]: New Batch: Scanning 1 messages,
>> 602 bytes
>> Nov 9 21:59:43 fb1 MailScanner[1573]: Spam Checks: Starting
>> Nov 9 21:59:43 fb1 MailScanner[1573]: Message 1656 from 84.107.145.164
>> (hans@fb1.enem.nl) is whitelisted
>> Nov 9 21:59:43 fb1 MailScanner[1573]: Virus and Content Scanning: Starting
>> Nov 9 21:59:45 fb1 MailScanner[1573]: Uninfected: Delivered 1 messages
>> Nov 9 21:59:45 fb1 ms2cgp[1670]: Job
>> -qI << changed script to
>> show all arguments
>> Nov 9 21:59:45 fb1 ms2cgp[1670]: Job writing to
>> /var/CommuniGate/Submitted/FB11.ms2cgp..1670.tmp
>> Nov 9 21:59:45 fb1 ms2cgp[1670]: Open input /var/spool/mqueue/qf
>> failed, dying
>>
> It was worth a shot. I thought that the munged languages file could be messing
> up the calls.
>
>
The problem is solved. It appeared to be a bug in this MS version and is
already solved in later versions.
Thanks Julian and everybody else helping!

From prandal at herefordshire.gov.uk Fri Nov 10 12:24:02 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Nov 10 12:24:11 2006
Subject: milter-greylist config
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581057BF07@isabella.herefordshire.gov.uk>

With milter-greylist-3.0rc6, you do

list "my network" addr { 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }

acl whitelist list "my network"

As for your other problem, grep greylist /etc/mail/maillog and see what
it tells you.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Jim Coates
> Sent: 10 November 2006 05:42
> To: 'MailScanner discussion'
> Subject: OT: milter-greylist config
>
> This may be a dumb question, but how do you go about copying
> the greylist exceptions from
> http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?rev=1.16
> over to your milter-greylist.conf? I copied them in there
> and added the acl whitelist info before each of them, but it bombed upon
> restarting the milter because it didn't like the addresses that were
> incomplete (IE - missing the last number from the IP etc).
>
> Also - I have the local host set as whitelisted, but do I
> also need the public IP of our MTA set as whitelisted? The reason I ask is
> that I went to send an email to another user on our system and it
> immediately told me it was rejected.
>
> Thanks,
> Jim Coates
>

From philippe at beau.nom.fr Fri Nov 10 13:22:45 2006
From: philippe at beau.nom.fr (Philippe BEAU)
Date: Fri Nov 10 13:22:57 2006
Subject: Mailwatch configuration for some servers
Message-ID: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>

Hello all,

I've tried Mailwatch and find it very useful. Also I found there is a lot of
development to do on it. I would like to find documentation to install
Mailwatch with 2 mailscanner servers. Has anyone done it?

I have made a French version of Mailwatch (if someone is interested) and I
will plan to integrate this into my web interface.

Best regards

Philippe,

From amoore at dekalbmemorial.com Fri Nov 10 13:48:10 2006
From: amoore at dekalbmemorial.com (Aaron K. Moore)
Date: Fri Nov 10 13:48:14 2006
Subject: [sendmail] Skipping rbl per domain
In-Reply-To:
Message-ID: <60D398EB2DB948409CA1F50D8AF1225701A6E31B@exch1.dekalbmemorial.local>

If you are hosting individual e-mail accounts, then you should give
milter-ahead a second look. All it does is verify that the recipient's
e-mail address really exists by querying the internal mail server
hosting the domain. If it does not exist, then it rejects the e-mail.

That way you're not chewing up processing time with MailScanner scanning
e-mails that are only going to be rejected because the account doesn't
exist.

I used to have a lot of those messages clogging my outbound mail queue
on my MailScanner box until I started using milter-ahead.

Joost Waversveld wrote:
> Martin,
>
> Those are indeed very good options but we are a hosting provider and
> we want the customer to decide what is SPAM and what is not. Only for
> the customer who really understands what is happening and what it
> means, we want to implement these features. Also, at the moment we use
> windows mailservers with MailScanner in front of them. I did not
> investigate yet if these milters will work with the mailserver.
>
> I'll keep them in mind for the future. Thanx for the information.
>
> Best regards,
>
> Joost Waversveld
>
< snip >
>>
>> I'd look at milter-ahead or sender-verification
>> (http://smfs.sourceforge.net/smf-sav.html, which can also do
>> recipient verification) to reduce your load too.
>>
>> I drop over 66% of my inbound traffic this way.

--
Aaron Kent Moore
Information Technology Services
DeKalb Memorial Hospital, Inc.
Auburn, IN
E-mail: amoore@dekalbmemorial.com

From joost at waversveld.nl Fri Nov 10 14:02:02 2006
From: joost at waversveld.nl (Joost Waversveld)
Date: Fri Nov 10 14:02:29 2006
Subject: [sendmail] Skipping rbl per domain
In-Reply-To: <60D398EB2DB948409CA1F50D8AF1225701A6E31B@exch1.dekalbmemorial.local>
References: <60D398EB2DB948409CA1F50D8AF1225701A6E31B@exch1.dekalbmemorial.local>
Message-ID: <4554865A.5040204@waversveld.nl>

Ya, I know, but we are hosting a lot of different domains, not just one
domain. We use the mailserver Imail on Windows for now. We are planning
to change this, but this will not be in the near future I think.

Should milter-ahead work with Imail?? If so, it's an option we can think
of implementing...

Our vision for now is that we do not want to through any email, if not
necessary. It's up to the customer to decide this. Now I'm busy with the
RBL in sendmail on per-domain basis, because some of the domains generate
so much SPAM, that it is abnormal.

Aaron K. Moore wrote:
> If you are hosting individual e-mail accounts, then you should give
> milter-ahead a second look. All it does is verify that the recipient's
> e-mail address really exists by querying the internal mail server
> hosting the domain. If it does not exist, then it rejects the e-mail.
>
> That way you're not chewing up processing time with MailScanner scanning
> e-mails that are only going to be rejected because the account doesn't
> exist.
>
> I used to have a lot of those messages clogging my outbound mail queue
> on my MailScanner box until I started using milter-ahead.
>
> Joost Waversveld wrote:
>> Martin,
>>
>> Those are indeed very good options but we are a hosting provider and
>> we want the customer to decide what is SPAM and what is not. Only for
>> the customer who really understands what is happening and what it
>> means, we want to implement these features. Also, at the moment we use
>> windows mailservers with MailScanner in front of them. I did not
>> investigate yet if these milters will work with the mailserver.
>>
>> I'll keep them in mind for the future.
Thanx for the information.
>>
>> Best regards,
>>
>> Joost Waversveld
>>
> < snip >
>>> I'd look at milter-ahead or sender-verification
>>> (http://smfs.sourceforge.net/smf-sav.html, which can also do
>>> recipient verification) to reduce your load too.
>>>
>>> I drop over 66% of my inbound traffic this way.
>

From john at netdirect.ca Fri Nov 10 14:07:00 2006
From: john at netdirect.ca (John Van Ostrand)
Date: Fri Nov 10 14:07:11 2006
Subject: Bayes daily cron job
In-Reply-To: <000001c70486$f15c5f40$c8fea8c0@intech.us>
References: <000001c70486$f15c5f40$c8fea8c0@intech.us>
Message-ID: <1163167621.11897.146.camel@venture.office.netdirect.ca>

On Thu, 2006-11-09 at 23:13 -0600, Integrated Technologies wrote:
> I am running the following:
> #! /bin/bash
>
> # re-builds the Bayes database daily
>
> /usr/bin/sa-learn --sync --force-expire \
>
> -p /etc/MailScanner/spam.assassin.prefs.conf
>
> I placed the following script in my /etc/cron.daily folder and it is
> giving me this error:
> /etc/cron.daily/bayes.cron: line 4: -p: command not found
> When I remove the -p switch, I receive the following error:
> /etc/cron.daily/bayes.cron: line 4: /etc/MailScanner/spam.assassin.prefs.conf: Permission denied

Your problem is that the backslash (\) is not working. It indicates line
continuance when followed by a line feed. Here is what I think is wrong:

1. There is a space, tab or other whitespace character after the \.
2. Your script has CRLF line breaks because it was created in Windows.

I think it's option 1. Delete the blank after the \ or simply remove the
backslash and join the two lines.

--
John Van Ostrand
Net Direct Inc.
CTO, co-CEO
564 Weber St. N. Unit 12
Waterloo, ON N2L 5C6
john@netdirect.ca
ph: 518-883-1172 x5102
Linux Solutions / IBM Hardware
fx: 519-883-8533

From john at netdirect.ca Fri Nov 10 14:14:55 2006
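
The two causes John Van Ostrand lists for the failing Bayes cron script (whitespace after the backslash, CRLF line breaks) can be checked for mechanically before a script goes into /etc/cron.daily. This is an added example, not part of any post in the thread; the function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread.

# check_continuations FILE
# Prints one finding per line as "<line number>:<kind>":
#   crlf      the line ends with a carriage return (Windows line break)
#   trailing  a backslash is followed by spaces or tabs before the line end
# Returns 0 when the file is clean, 1 when anything was found.
check_continuations() {
    awk '
        /\r$/       { print NR ":crlf"; bad = 1; sub(/\r$/, "") }
        /\\[ \t]+$/ { print NR ":trailing"; bad = 1 }
        END         { exit bad + 0 }
    ' "$1"
}

# fix_continuations FILE
# Writes a repaired copy to stdout: carriage returns removed, and the
# whitespace after a continuation backslash stripped so the backslash is
# the last character on the line again.
fix_continuations() {
    awk '
        { sub(/\r$/, "") }
        /\\[ \t]+$/ { sub(/[ \t]+$/, "") }
        { print }
    ' "$1"
}

# Constructed sample: the cron script from the thread, with a single space
# after the backslash on line 3 (John's option 1).
write_sample() {
    printf '%s\n' '#!/bin/bash' '# re-builds the Bayes database daily' \
        '/usr/bin/sa-learn --sync --force-expire \ ' \
        '-p /etc/MailScanner/spam.assassin.prefs.conf' > "$1"
}

sample=$(mktemp)
write_sample "$sample"
check_continuations "$sample" || echo "continuation problems found in $sample"
fix_continuations "$sample" > "$sample.fixed"
check_continuations "$sample.fixed" && echo "fixed copy is clean"
rm -f "$sample" "$sample.fixed"
```
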
From: john at netdirect.ca (John Van Ostrand)
Date: Fri Nov 10 14:15:06 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
Message-ID: <1163168095.11897.156.camel@venture.office.netdirect.ca>

Skipped content of type multipart/alternative

From ugob at camo-route.com Fri Nov 10 14:15:52 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Nov 10 14:22:51 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
Message-ID:

Philippe BEAU wrote:
> Hello all,
>
> I've tried Mailwatch and find it very useful. Also I found there is a lot
> of development to do on it.
>
> I would like to find documentation to install Mailwatch with 2
> MailScanner servers. Has anyone done it?

It can be done, but I don't think there is much doc on it. Contact
Steve Freegard from FSL (the author of MailWatch) for details.

>
> I have made a French version of Mailwatch (if someone is interested) and I
> plan to integrate this into my web interface.

You should discuss with Steve before investing too much effort on
MailWatch 1.x. There will probably be a lot of changes in 2.0,
especially the switch from MySQL to Postgresql.

>
> best regards
>
> Philippe,
>
>

Nice to see that you are willing to help :). There is a separate
mailing list for MailWatch, you'd be better off discussing there.

http://lists.sourceforge.net/lists/listinfo/mailwatch-users
http://sourceforge.net/forum/?group_id=87163

Ugo

From philippe at beau.nom.fr Fri Nov 10 14:24:07 2006
From: philippe at beau.nom.fr (Philippe BEAU)
Date: Fri Nov 10 14:24:18 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <1163168095.11897.156.camel@venture.office.netdirect.ca>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <1163168095.11897.156.camel@venture.office.netdirect.ca>
Message-ID: <3259.82.127.125.185.1163168647.squirrel@www.choup.net>

oh ... NFS ! I don't want this .. it will slow all .. (lot of files etc..)

Regards

Philippe,

> On Fri, 2006-11-10 at 14:22 +0100, Philippe BEAU wrote:
>
>> I've tried Mailwatch and find it very useful. Also I found there is a lot
>> of development to do on it.
>>
>> I would like to find documentation to install Mailwatch with 2
>> MailScanner servers. Has anyone done it?
>>
>> I have made a French version of Mailwatch (if someone is interested) and
>> I plan to integrate this into my web interface.
>
>
> I haven't done it but it seems to me there are only a few things to do:
>
> Determine one server to be the MailWatch server and which will be the
> database server.
>
> 1. Install MailWatch on your designated MailWatch server.
> 2. Configure the MailWatch.pm file on both systems to use the same
> database server host. It doesn't matter which one has the database.
> 3. Configure the database permissions so that both servers have
> permissions to read and write.
> 4. Use NFS to share the /var/spool/MailScanner folder on the MailWatch
> server and configure the other server to mount it on
> its /var/spool/MailScanner.
>
> There will likely be other issues to address like mail server
> configuration or whitelisting.
>
> --
> John Van Ostrand
> Net Direct Inc.
>
> CTO, co-CEO
> 564 Weber St. N.
Unit 12
> Waterloo, ON N2L 5C6
> map
> john@netdirect.ca
> Ph: 519-883-1172
> ext.5102
> Linux Solutions / IBM
> Hardware
> Fx: 519-883-8533
>

From bpumphrey at woodmclaw.com Fri Nov 10 14:26:11 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Fri Nov 10 14:26:32 2006
Subject: Think I found why SAREs rules weren't working.
In-Reply-To: <1163120417.4553cf2145c04@perdition.cnpapers.net>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C140E0@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Campbell
> Sent: Thursday, November 09, 2006 8:00 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Think I found why SAREs rules weren't working.
>
> OK, I feel a little blushy now, but this is what I found about why my SARE
> rule sets weren't working.
>
> A little background -
>
> For some time, auto-learn hasn't been working. I noticed this a while back,
> but just thought it might have been due to a great set of Bayes files.
>
> I also noticed that the SARE rules were catching a lot (none, in fact), but
> just noticed the "none" part today with the recent thread on "New SPAM emails
> recently".
>
> I have both SARE adult and stocks in my /etc/mail/spamassassin folder.
>
> When I would update the rules database for MailWatch from the Tools menu, they
> showed up. When I ran Spamassassin Lint test from the same menu, nothing showed
> up as a problem. The problem was I never noticed that a lot of the rules files
> weren't showing up. I use a lot of Sendmail access table entries and was doing
> pretty well without the rules.
>
> So I was given a false sense of "rightness" until I ran into these "Hi" emails
> and they weren't being trapped.
>
> I soon discovered that the setting in MailScanner.conf, SpamAssassin Site Rules
> Dir, was blank, apparently from a past update that I didn't catch. At one point,
> this folder _was_ being used. After setting this to "/etc/mail/spamassassin",
> all is well now. It must not use the default I thought it did.
>
> AutoLearn even works now.
>
> Hope this helps someone else.
>
> Steve Campbell
>
>
>
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/
> --

Glad to hear all is better.
Billy Pumphrey
IT Manager
Wooden & McLaughlin
http://www.billypumphrey.com

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From john at netdirect.ca Fri Nov 10 14:37:47 2006
From: john at netdirect.ca (John Van Ostrand)
Date: Fri Nov 10 14:38:07 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <3259.82.127.125.185.1163168647.squirrel@www.choup.net>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <1163168095.11897.156.camel@venture.office.netdirect.ca> <3259.82.127.125.185.1163168647.squirrel@www.choup.net>
Message-ID: <1163169467.11897.163.camel@venture.office.netdirect.ca>

Skipped content of type multipart/alternative

From philippe at beau.nom.fr Fri Nov 10 14:47:51 2006
From: philippe at beau.nom.fr (Philippe BEAU)
Date: Fri Nov 10 14:48:03 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <1163169467.11897.163.camel@venture.office.netdirect.ca>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <1163168095.11897.156.camel@venture.office.netdirect.ca> <3259.82.127.125.185.1163168647.squirrel@www.choup.net> <1163169467.11897.163.camel@venture.office.netdirect.ca>
Message-ID: <3425.82.127.125.185.1163170071.squirrel@www.choup.net>

i thunk they use XML/RPC but apparently no ...

From Mailwatch website :

XML-RPC support that allows multiple MailScanner/MailWatch installations
to act as one.

Can anyone confirm ?

Philippe,

> On Fri, 2006-11-10 at 15:24 +0100, Philippe BEAU wrote:
>
>> oh ... NFS ! I don't want this .. it will slow all .. (lot of files
>> etc..)
>
>
> Another solution, but more complicated is the Global File System that
> RedHat purchased recently. Unlike NFS, GFS scales to multiple servers
> very well in situations where the servers are not competing for the same
> files. I believe GFS is available for CentOS, but it does require a
> shared block device. It is expected to be used with a SAN but it can be
> used with GNBD and a Linux server.
>
> The other issue that came to mind was message IDs. It is possible, but
> unlikely that one message from each server will have the same message
> ID on the same day and one will overwrite the other. Settings changes
> would be another challenge.
>
>
> --
> John Van Ostrand
> Net Direct Inc.
>
> CTO, co-CEO
> 564 Weber St. N. Unit 12
> Waterloo, ON N2L 5C6
> map
> john@netdirect.ca
> Ph: 519-883-1172
> ext.5102
> Linux Solutions / IBM
> Hardware
> Fx: 519-883-8533
>

From ugob at camo-route.com Fri Nov 10 14:52:16 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Nov 10 14:54:58 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <3425.82.127.125.185.1163170071.squirrel@www.choup.net>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <1163168095.11897.156.camel@venture.office.netdirect.ca> <3259.82.127.125.185.1163168647.squirrel@www.choup.net> <1163169467.11897.163.camel@venture.office.netdirect.ca> <3425.82.127.125.185.1163170071.squirrel@www.choup.net>
Message-ID:

Philippe BEAU wrote:
> i thunk they use XML/RPC but apparently no ...
>
> From Mailwatch website :
>
> XML-RPC support that allows multiple MailScanner/MailWatch installations
> to act as one.
>
>
>
> Can anyone confirm ?

I can confirm. It does work.

>
> Philippe,

From philippe at beau.nom.fr Fri Nov 10 14:57:27 2006
From: philippe at beau.nom.fr (Philippe BEAU)
Date: Fri Nov 10 14:57:40 2006
Subject: Mailwatch configuration for some servers
In-Reply-To:
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
Message-ID: <3496.82.127.125.185.1163170647.squirrel@www.choup.net>

Re,

> Philippe BEAU wrote:
>> Hello all,
>>
>> I've tried Mailwatch and find it very useful. Also I found there is a lot
>> of development to do on it.
>>
>> I would like to find documentation to install Mailwatch with 2
>> MailScanner servers. Has anyone done it?
>
> It can be done, but I don't think there is much doc on it. Contact
> Steve Freegard from FSL (the author of MailWatch) for details.
>

yes but ... to contact me ... you have to first find his email !

I've subscribed to the Mailing list ... another one ....

Philippe

From philippe at beau.nom.fr Fri Nov 10 15:01:08 2006
From: philippe at beau.nom.fr (Philippe BEAU)
Date: Fri Nov 10 15:01:21 2006
Subject: Mailwatch configuration for some servers
In-Reply-To:
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <1163168095.11897.156.camel@venture.office.netdirect.ca> <3259.82.127.125.185.1163168647.squirrel@www.choup.net> <1163169467.11897.163.camel@venture.office.netdirect.ca> <3425.82.127.125.185.1163170071.squirrel@www.choup.net>
Message-ID: <3550.82.127.125.185.1163170868.squirrel@www.choup.net>

> Philippe BEAU wrote:
>> i thunk they use XML/RPC but apparently no ...
>>
>> From Mailwatch website :
>>
>> XML-RPC support that allows multiple MailScanner/MailWatch installations
>> to act as one.
>>
>>
>>
>> Can anyone confirm ?
>
> I can confirm. It does work.

yes but do you have clear documentation ? I don't find anything about it

Philippe,

From dhawal at netmagicsolutions.com Fri Nov 10 15:19:00 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Nov 10 15:19:22 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
Message-ID: <45549864.9020900@netmagicsolutions.com>

Philippe BEAU wrote:
> Hello all,
>
> I've tried Mailwatch and find it very useful. Also I found there is a lot
> of development to do on it.
>
> I would like to find documentation to install Mailwatch with 2
> MailScanner servers. Has anyone done it?
>
> I have made a French version of Mailwatch (if someone is interested) and I
> plan to integrate this into my web interface.
>
> best regards
>
> Philippe,

No docs.. some guidelines though.

Set 'n' similar servers with MailScanner + MTA + MailWatch. Identify one
of them as the Database server (or have an altogether different DB
server). Configure Mailwatch.pm and conf.php on every server to talk to
the database on this server (and additionally SQLBlacklist.pm).

To reduce complication install but do not use MailScanner + MTA +
MailWatch + SA (with rules) on the DB server as well. Make sure you
rsync the MailScanner configuration files and any extra rules that you
use in SA.

Now see if each server can ping to every other server using their
respective FQDNs (read Fully qualified hostnames). Additionally each
server ought to be able to access apache (port 80) on every other server.

This should get you started.. more can be taken up on the mailwatch list
if required.

- dhawal

From glenn.steen at gmail.com Fri Nov 10 15:22:58 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 10 15:23:02 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net>
Message-ID: <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com>

On 10/11/06, Philippe BEAU wrote:
> Hello all,
>
> I've tried Mailwatch and find it very useful. Also I found there is a lot
> of development to do on it.
>
> I would like to find documentation to install Mailwatch with 2
> MailScanner servers. Has anyone done it?

Yes, Steve Freegard;-).
Look in the mailwatch directory (created by unpacking the tar-ball) for
the file Remote_DB.txt ... Perhaps a bit of a misnomer, but it is all
you need (together with the normal install doc) to setup multiple
MailScanner gateways logging to one database, but with quarantine etc
distributed.
Note that you need at least the MailScanner config directory on the
"frontend server", and at least a skeleton install of MailWatch on
each gateway (so that XML-RPC can function)... And that it is rather
important that the IP address <-> FQDN coupling is setup correctly for
each machine.

> I have made a French version of Mailwatch (if someone is interested) and I
> plan to integrate this into my web interface.

I think Denis or Ugo (or perhaps some other of our Canadian friends)
have done this too.
2.0 will have some facility builtin (the demos we've seen have used
automatic translation courtesy of Google or somesuch... rather
abominable, and lacking Swedish(!):-). We'll see where that lands.
Eventually:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From philippe at beau.nom.fr Fri Nov 10 15:28:17 2006
From: philippe at beau.nom.fr (Philippe BEAU)
Date: Fri Nov 10 15:28:29 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <45549864.9020900@netmagicsolutions.com>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <45549864.9020900@netmagicsolutions.com>
Message-ID: <3846.82.127.125.185.1163172497.squirrel@www.choup.net>

> Philippe BEAU wrote:
>> Hello all,
>>
>> I've tried Mailwatch and find it very useful. Also I found there is a lot
>> of development to do on it.
>>
>> I would like to find documentation to install Mailwatch with 2
>> MailScanner servers. Has anyone done it?
>>
>> I have made a French version of Mailwatch (if someone is interested) and
>> I plan to integrate this into my web interface.
>>
>> best regards
>>
>> Philippe,
>
> No docs.. some guidelines though.
>
> Set 'n' similar servers with MailScanner + MTA + MailWatch. Identify one
> of them as the Database server (or have an altogether different DB
> server). Configure Mailwatch.pm and conf.php on every server to talk to
> the database on this server (and additionally SQLBlacklist.pm).
>

I'm ok with this.

> To reduce complication install but do not use MailScanner + MTA +
> MailWatch + SA (with rules) on the DB server as well. Make sure you
> rsync the MailScanner configuration files and any extra rules that you
> use in SA.
>
> Now see if each server can ping to every other server using their
> respective FQDNs (read Fully qualified hostnames). Additionally each
> server ought to be able to access apache (port 80) on every other server.
>
> This should get you started.. more can be taken up on the mailwatch list
> if required.
>

yes but how does the main server know the others ?

> - dhawal
>

From jimc at laridian.com Fri Nov 10 15:34:30 2006
From: jimc at laridian.com (Jim Coates)
Date: Fri Nov 10 15:36:15 2006
Subject: milter-greylist config
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B581057BF07@isabella.herefordshire.gov.uk>
Message-ID: <03eb01c704dd$b755b740$6401a8c0@zorak>

My server uses poprelayd to handle relaying authentication (the server is an
offsite server). Is there a way to have the milter whitelist people who
authenticate to poprelay?

Jim

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Friday, November 10, 2006 6:24 AM
To: MailScanner discussion
Subject: RE: milter-greylist config

With milter-greylist-3.0rc6, you do

    list "my network" addr { 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }
    acl whitelist list "my network"

As for your other problem,

    grep greylist /etc/mail/maillog

and see what it tells you.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jim Coates
> Sent: 10 November 2006 05:42
> To: 'MailScanner discussion'
> Subject: OT: milter-greylist config
>
> This may be a dumb question, but how do you go about copying the greylist
> exceptions from
> http://cvs.puremagic.com/viewcvs/greylisting/schema/whitelist_ip.txt?rev=1.16
> over to your milter-greylist.conf? I copied them in there and added the
> acl whitelist info before each of them, but it bombed upon restarting the
> milter because it didn't like the addresses that were incomplete (IE -
> missing the last number from the IP etc).
>
> Also - I have the local host set as whitelisted, but do I also need the
> public IP of our MTA set as whitelisted? The reason I ask is that I went to
> send an email to another user on our system and it immediately told me it
> was rejected.
>
> Thanks,
> Jim Coates
>

From Denis.Beauchemin at USherbrooke.ca Fri Nov 10 15:39:38 2006
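
Jim Coates' original question was how to carry the incomplete addresses (last number missing) from the exceptions file into milter-greylist.conf. The following is an added example, not part of any post in the thread: it converts such entries to CIDR and prints them in the list/acl form from Phil Randal's reply. It assumes an incomplete entry stands for the whole network with that prefix; the function names and the sample entries are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: an entry with fewer than
# four octets stands for the whole network that starts with those octets.

# to_cidr: read exception entries on stdin, one per line; "#" starts a comment.
# Prints one CIDR per valid entry. Anything that is not one to four octets in
# the range 0-255 is reported on stderr and skipped.
to_cidr() {
    awk '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, ""); sub(/\.$/, "") }
        $0 == "" { next }
        {
            n = split($0, octet, ".")
            ok = (n >= 1 && n <= 4)
            for (i = 1; ok && i <= n; i++)
                if (octet[i] !~ /^[0-9]+$/ || octet[i] + 0 > 255) ok = 0
            if (!ok) { print "skipped: " $0 > "/dev/stderr"; next }
            addr = $0
            for (i = n; i < 4; i++) addr = addr ".0"   # pad missing octets
            print addr "/" (8 * n)                     # 1-4 octets -> /8../32
        }
    '
}

# greylist_acl NAME: wrap the converted entries (read from stdin) in the
# list/acl form quoted in the thread for milter-greylist 3.0rc6.
greylist_acl() {
    nets=$(to_cidr | tr '\n' ' ')
    printf 'list "%s" addr { %s}\n' "$1" "$nets"
    printf 'acl whitelist list "%s"\n' "$1"
}

# Constructed sample entries (documentation address ranges, not taken from
# the real exceptions file).
sample_exceptions() {
    cat <<'EOF'
# constructed entries
192.0.2.10      # single host
198.51.100      # incomplete: last octet missing
203.0           # incomplete: two octets missing
203.0.113.      # trailing dot
999.1.2         # not an address, skipped
EOF
}

sample_exceptions | greylist_acl "greylist exceptions"
```
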
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Nov 10 15:40:12 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com>
Message-ID: <45549D3A.9090308@USherbrooke.ca>

Glenn Steen wrote:
> I have made a French version of Mailwatch (if someone is interested) and I
>
> I think Denis or Ugo (or perhaps some other of our Canadian friends)
> have done this too.
> 2.0 will have some facility builtin (the demos we've seen have used
> automatic translation courtesy of Google or somesuch... rather
> abominable, and lacking Swedish(!):-). We'll see where that lands.
> Eventually:-).
>

Sorry, I don't use MW... just mailscanner-mrtg with some local mods.
Maybe Ugo?

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From dhawal at netmagicsolutions.com Fri Nov 10 15:42:31 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Fri Nov 10 15:42:52 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <3846.82.127.125.185.1163172497.squirrel@www.choup.net>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <45549864.9020900@netmagicsolutions.com> <3846.82.127.125.185.1163172497.squirrel@www.choup.net>
Message-ID: <45549DE7.4000004@netmagicsolutions.com>

Philippe BEAU wrote:
[SNIP]
>> To reduce complication install but do not use MailScanner + MTA +
>> MailWatch + SA (with rules) on the DB server as well. Make sure you
>> rsync the MailScanner configuration files and any extra rules that you
>> use in SA.
>>
>> Now see if each server can ping to every other server using their
>> respective FQDNs (read Fully qualified hostnames). Additionally each
>> server ought to be able to access apache (port 80) on every other server.
>>
>> This should get you started.. more can be taken up on the mailwatch list
>> if required.
>
> yes but how does the main server know the others ?

using XML-RPC, that's why you need to ensure that all servers can talk to
each other via their respective FQDNs over port 80.

BTW, there is no 'main' server.. you can manage any quarantine folder
from any of the servers as long as they are talking to the same database.

- dhawal

From t.d.lee at durham.ac.uk Fri Nov 10 15:45:44 2006
From: t.d.lee at durham.ac.uk (David Lee)
Date: Fri Nov 10 15:46:07 2006
Subject: SA 3.1.7 returning no result to MS?
Message-ID:

(Linux/FC5; sendmail 8.13.7; MS 4.56.8)

Yesterday on our two main inbound mailrelays I upgraded SA from 3.1.4 to
3.1.7.

The MS config has:
   Log Spam = yes
   Log Non Spam = yes

In the daily logs we now seem to be getting several occurrences of:

   Message XXX from YYY to ZZZ is not spam, SpamAssassin (not cached, score=0, required 6, autolearn=)

and:

   Message PPP from QQQ to RRR is not spam, SpamAssassin (cached, score=0, required 6, autolearn=)

scattered amongst the occurrences of more real data. (Around 7% of entries
on one machine, around 4% on the other, are in such truncated/empty
forms). The daily logs prior to this show no occurrences at all.

Any thoughts?

Further data:

1. At the same time, I also got Razor2 working (from within SA) on these
two machines.

2. When I check on a third (higher MX, lower preference) machine on which
I did a similar upgrade, but on which Razor had been working properly
both before and after the upgrade, this has such entries both before
and after.

Which sort of points the finger towards Razor, rather than the SA upgrade.

Anyone seen anything like this before?

Is the apparently empty result from SA something that MS might be able to
detect?

How to debug something like this?

(My next step might be to disable Razor and see if that seemed to stop
these occurrences. But that would simply provide an extra data point, not
really provide a useful route to debug, understand and fix this overall
MS/SA/Razor issue.)

--
:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:                                           Durham University     :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :

From P.G.M.Peters at utwente.nl Fri Nov 10 15:49:28 2006
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Fri Nov 10 15:49:34 2006
Subject: # of messages per batch
In-Reply-To:
References:
Message-ID: <45549F88.5070009@utwente.nl>

Sven De Troch wrote on 1-11-2006 23:24:

> how can I define how much files per batch MailScanner is handling?
> According to the logfiles MailScanner is processing almost always 1
> message per batch, even if there are different messages waiting in the
> queues?

Every time MS checks the incoming queue it tries to get as many messages
as possible in the batch to scan. With the configured maximum of course.
The reason you sometimes see "100 waiting, 1 scanning" is because the
other 99 are locked. Either by sendmail not having received the complete
message yet. Or other MS children are already scanning those messages.

--
Peter Peters, senior beheerder (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From glenn.steen at gmail.com Fri Nov 10 15:50:13 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 10 15:50:19 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <3846.82.127.125.185.1163172497.squirrel@www.choup.net>
References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <45549864.9020900@netmagicsolutions.com> <3846.82.127.125.185.1163172497.squirrel@www.choup.net>
Message-ID: <223f97700611100750k6cc51e7coa18bfdac2a94f6ba@mail.gmail.com>

On 10/11/06, Philippe BEAU wrote:
> > Philippe BEAU wrote:
> >> Hello all,
> >>
> >> I've tried Mailwatch and find it very useful. Also I found there is a lot
> >> of development to do on it.
> >>
> >> I would like to find documentation to install Mailwatch with 2
> >> MailScanner servers. Has anyone done it?
> >>
> >> I have made a French version of Mailwatch (if someone is interested) and
> >> I plan to integrate this into my web interface.
> >>
> >> best regards
> >>
> >> Philippe,
> >
> > No docs.. some guidelines though.
> >
> > Set 'n' similar servers with MailScanner + MTA + MailWatch. Identify one
> > of them as the Database server (or have an altogether different DB
> > server). Configure Mailwatch.pm and conf.php on every server to talk to
> > the database on this server (and additionally SQLBlacklist.pm).
> >
>
> I'm ok with this.
>
> > To reduce complication install but do not use MailScanner + MTA +
> > MailWatch + SA (with rules) on the DB server as well. Make sure you
> > rsync the MailScanner configuration files and any extra rules that you
> > use in SA.
> >
> > Now see if each server can ping to every other server using their
> > respective FQDNs (read Fully qualified hostnames). Additionally each
> > server ought to be able to access apache (port 80) on every other server.
> >
> > This should get you started.. more can be taken up on the mailwatch list
> > if required.
> >
>
> yes but how does the main server know the others ?
>

By the maillog table content.
Do a select distinct(hostname) from maillog; in the mysql CLI (on the mailscanner DB, of course). This should yield the FQDN of the host that put the entry in the database... and would hold any quarantine files etc. The rest is quite simple;-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From P.G.M.Peters at utwente.nl Fri Nov 10 15:51:06 2006 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Fri Nov 10 15:51:12 2006 Subject: out of curiosity: reload and restart In-Reply-To: References: <29fik2l7h03h7jfrltkgrscd18kse8g6vd@4ax.com> Message-ID: <45549FEA.7090006@utwente.nl> Scott Silva wrote on 2-11-2006 1:54: > If you are rebuilding the access file (makemap) sendmail will read it. It only > seems to need a restart if you rebuild the cf file. Sendmail automatically rereads all map-files (aliases, virtuser, access, mailertable) but not all the other configurations (virthosts, sendmail.cf). -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe From vlad at mazek.com Fri Nov 10 15:56:36 2006 From: vlad at mazek.com (Vlad Mazek) Date: Fri Nov 10 15:57:16 2006 Subject: MailScanner/sendmail load balancing Message-ID: <4554A134.4060103@mazek.com> Does anybody use Linux Virtual Server with MailScanner/sendmail? Any recommendations / pitfalls? If not, do you recommend / use something else to spread the load across multiple MailScanner servers? -Vlad From ugob at camo-route.com Fri Nov 10 15:59:13 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 10 16:00:45 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <45549D3A.9090308@USherbrooke.ca> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com> <45549D3A.9090308@USherbrooke.ca> Message-ID: Denis Beauchemin wrote: > Glenn Steen wrote: >> i have made a french version of mailwatch (if someone is interested) >> and i >> >> I think Denis or Ugo (or perhaps some other of our Canadian friends) >> have done this too. >> 2.0 will have some facility builtin (the demos we've seen have used >> automatic translation courtesy of Google or somesuch... rather >> abominable, and lacking Swedish(!):-). We'll see where that lands. >> Eventually:-). >> > Sorry, I don't use MW... just mailscanner-mrtg with some local mods. > Maybe Ugo? No, I haven't translated MW. I'll most likely be translating MW 2.0, though. From danc at bluestarshows.com Fri Nov 10 15:57:50 2006 From: danc at bluestarshows.com (Dan Carl) Date: Fri Nov 10 16:02:13 2006 Subject: Mailscanner not catching SPAM but manual run via SA catches it Message-ID: <00a901c704e0$f9a257e0$0200000a@danc3> Hi all, I'm perplexed, Today I took a spam email from my inbox that got through Mailscanner and saved it to my mail server. I then ran it though spamassassin(spamassassin -t test.eml) and it caught it as SPAM. What's up with that?? Just yesterday I upgraded to the latest version of Mailscanner (thanks volunteers) because a lot of spam was getting through. After many hours of work I also installed the Fuzzy OCR plugin. Mailscanner appears to be working fine and using spamassassin. My maillog shows lines this: MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369 Thanks in advance From mkettler at evi-inc.com Fri Nov 10 16:06:52 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Nov 10 16:07:47 2006 Subject: SA 3.1.7 returning no result to MS? In-Reply-To: References: Message-ID: <4554A39C.1050404@evi-inc.com> David Lee wrote: > (Linux/FC5; sendmail 8.13.7; MS 4.56.8) > > Yesterday on our two main inbound mailrelays I upgraded SA from 3.1.4 to > 3.1.7. The MS config has: > Log Spam = yes > Log Non Spam = yes > > In the daily logs we now seem to be getting several occurrences of: > Message XXX from YYY to ZZZ is not spam, SpamAssassin (not cached, score=0, required 6, autolearn=) > > and: > Message PPP from QQQ to RRR is not spam, SpamAssassin (cached, score=0, required 6, autolearn=) > > scattered amongst the occurrences of more real data. (Around 7% of entries > on one machine, around 4% on the other, are in such truncated/empty forms). > > The daily logs prior to this show no occurrences at all. > > Any thoughts? spamassassin --lint any errors reported, or just runs and exits quietly? spamassassin -D --lint, and see what the "default rules dir" is, and make sure all the default .cf files are there. > 2. When I check on a third (higher MX, lower preference) machine on which > I did a similar upgrade, but on which Razor had been working properly > working both before and after the upgrade, this has such entries both > before and after. Which sort of points the finger towards Razor, rather > than the SA upgrade. I highly doubt razor is involved. From the sounds of it, SA isn't parsing its ruleset. From ugob at camo-route.com Fri Nov 10 16:07:26 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 10 16:08:44 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <3496.82.127.125.185.1163170647.squirrel@www.choup.net> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <3496.82.127.125.185.1163170647.squirrel@www.choup.net> Message-ID: Philippe BEAU wrote: > Re, > >> Philippe BEAU wrote: >>> Hello all, >>> >>> I've try Mailwatch and find it very useful. Also i found there is a lot >>> of development to do on. >>> >>> i would like to found a documentation to install Mailwatch with 2 >>> mailscanners servers. Is anyone did it ? >> It can be done, but I don't think there is much doc on it. Contact >> Steve Freegard from FSL (the author of MailWatch) for details. >> > > yes but ... to contact me ... you have to first found his email ! i've > subscribe to the Mailing list ... another one .... That is the best path to take, as everyone on the list can benefit from the input. BTW MailWatch's development is paid by FSL and is GPL released. For advanced features, there might not be a lot of easy-to-find documentation, so if you need advanced features, I suggest you support MailWatch's development by collaborating with Steve (steve.freegard at fsl.com) or paying FSL to do the job on your servers. They do a great job and the pricetag is fair. Regards, Ugo From glenn.steen at gmail.com Fri Nov 10 16:27:56 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 10 16:28:00 2006 Subject: SA 3.1.7 returning no result to MS? In-Reply-To: References: Message-ID: <223f97700611100827w6b24562ai5dcb5dc24c308f31@mail.gmail.com> On 10/11/06, David Lee wrote: > (Linux/FC5; sendmail 8.13.7; MS 4.56.8) > > Yesterday on our two main inbound mailrelays I upgraded SA from 3.1.4 to > 3.1.7. The MS config has: > Log Spam = yes > Log Non Spam = yes > > In the daily logs we now seem to be getting several occurrences of: > Message XXX from YYY to ZZZ is not spam, SpamAssassin (not cached, score=0, required 6, autolearn=) > > and: > Message PPP from QQQ to RRR is not spam, SpamAssassin (cached, score=0, required 6, autolearn=) > > scattered amongst the occurrences of more real data. (Around 7% of entries > on one machine, around 4% on the other, are in such truncated/empty forms). > > The daily logs prior to this show no occurrences at all. > > Any thoughts? > > Further data: > > 1. At the same time, I also got Razor2 working (from within SA) on these > two machines. > > 2. When I check on a third (higher MX, lower preference) machine on which > I did a similar upgrade, but on which Razor had been working properly > working both before and after the upgrade, this has such entries both > before and after. Which sort of points the finger towards Razor, rather > than the SA upgrade. > > > > Anyone seen anything like this before? Is the apparently empty result > from SA something that MS might be able to detect? How to debug something > like this? > > (My next step might be to disable Razor and see if that seemed to stop > these occurrences. But that would simply provide an extra data point, not > really provide a useful route to debug, understand and fix this overall > MS/SA/Razor issue.) > Could be razor, I suppose. But couldn't this be the same sa-update "madness" some have seen, where MS/SA simply fail to load the moved/merged/updated rules from /var/lib/spamassassin/....? 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martinh at solidstatelogic.com Fri Nov 10 16:35:04 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Fri Nov 10 16:35:19 2006 Subject: Mailscanner not catching SPAM but manual run via SA catches it In-Reply-To: <00a901c704e0$f9a257e0$0200000a@danc3> References: <00a901c704e0$f9a257e0$0200000a@danc3> Message-ID: <4554AA38.2070909@solidstatelogic.com> Dan Carl wrote: > Hi all, > > I'm perplexed, > Today I took a spam email from my inbox that got through Mailscanner and > saved it to my mail server. > I then ran it though spamassassin(spamassassin -t test.eml) and it caught it > as SPAM. > What's up with that?? > > Just yesterday I upgraded to the latest version of Mailscanner (thanks > volunteers) > because a lot of spam was getting through. After many hours of work I also > installed the Fuzzy OCR plugin. > > Mailscanner appears to be working fine and using spamassassin. > My maillog shows lines this: > MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369 > > Thanks in advance > Check the SA paths in MailScanner to make sure you're running the same rules - also check you've only got one perl and one SA installed. IF you've run sa-update make sure MS knows about it by setting SpamAssassin Local State Dir = /var/lib -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From prandal at herefordshire.gov.uk Fri Nov 10 16:38:52 2006 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Nov 10 16:39:22 2006 Subject: Mailscanner not catching SPAM but manual run via SA catches i t Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581057C030@isabella.herefordshire.gov.uk> In the intervening period dnsbl and uribl rules could have triggered. Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Dan Carl > Sent: 10 November 2006 15:58 > To: mailscanner@lists.mailscanner.info > Subject: Mailscanner not catching SPAM but manual run via SA > catches it > > Hi all, > > I'm perplexed, > Today I took a spam email from my inbox that got through > Mailscanner and > saved it to my mail server. > I then ran it though spamassassin(spamassassin -t test.eml) > and it caught it > as SPAM. > What's up with that?? > > Just yesterday I upgraded to the latest version of Mailscanner (thanks > volunteers) > because a lot of spam was getting through. After many hours > of work I also > installed the Fuzzy OCR plugin. > > Mailscanner appears to be working fine and using spamassassin. > My maillog shows lines this: > MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369 > > Thanks in advance > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From glenn.steen at gmail.com Fri Nov 10 17:01:06 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 10 17:01:10 2006 Subject: Mailscanner not catching SPAM but manual run via SA catches it In-Reply-To: <00a901c704e0$f9a257e0$0200000a@danc3> References: <00a901c704e0$f9a257e0$0200000a@danc3> Message-ID: <223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com> On 10/11/06, Dan Carl wrote: > Hi all, > > I'm perplexed, > Today I took a spam email from my inbox that got through Mailscanner and > saved it to my mail server. > I then ran it though spamassassin(spamassassin -t test.eml) and it caught it > as SPAM. > What's up with that?? > > Just yesterday I upgraded to the latest version of Mailscanner (thanks > volunteers) > because a lot of spam was getting through. After many hours of work I also > installed the Fuzzy OCR plugin. > > Mailscanner appears to be working fine and using spamassassin. > My maillog shows lines this: > MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369 > > Thanks in advance Do the "spamassassin --lint" and "spamassassin -D --lint" as the user you run your MTA as. Same result? If you've upgraded SA, did you run the sa-update after that? Does it look like MailScanners instance of SA is finding/using the correct /var/lib/spamassassin/...? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From daniel.maher at ubisoft.com Fri Nov 10 17:06:48 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Fri Nov 10 17:06:52 2006 Subject: MailScanner/sendmail load balancing In-Reply-To: <4554A134.4060103@mazek.com> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203AC0947@UBIMAIL1.ubisoft.org> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Vlad Mazek > Sent: November 10, 2006 10:57 AM > To: MailScanner discussion > Subject: MailScanner/sendmail load balancing > > Does anybody use Linux Virtual Server with MailScanner/sendmail? > Any recommendations / pitfalls? > If not, do you recommend / use something else to spread the load across > multiple MailScanner servers? > In our environment, we have a small cluster of incoming mail servers, each running Postfix & MailScanner. We balance these via DNS, in the same way that Google, Yahoo, and many other email players do: our MX points to a single hostname (mail01), which in turn has A-records for each of the machines in the cluster. ubisoft.com. 300 IN MX 10 mail01.ubisoft.com. ;; mail01.ubisoft.com. 3600 IN A 216.98.56.133 mail01.ubisoft.com. 3600 IN A 216.98.56.138 mail01.ubisoft.com. 3600 IN A 216.98.56.132 Done and done - it works like a charm, and it is fantastically easy to set up and maintain. -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. From mailscanner at PDSCC.COM Fri Nov 10 17:27:38 2006 
From: mailscanner at PDSCC.COM (Harondel J. Sibble) Date: Fri Nov 10 17:27:16 2006 Subject: spam actions doesn't seem to be working right In-Reply-To: <223f97700611091103t5bb7c348k678500b72d6b9678@mail.gmail.com> References: <200611091722.kA9HMdAB006079@sinclaire.sibble.net>, <223f97700611091103t5bb7c348k678500b72d6b9678@mail.gmail.com> Message-ID: <200611101727.kAAHR8Rb011481@sinclaire.sibble.net> On 9 Nov 2006 at 20:03, Glenn Steen wrote: > Why such an old MailScanner (relatively speaking:)? Updating Just haven't gotten around to it ;-) Plus scheduling downtime to do the upgrade at this office is difficult at best. > help you troubleshoot this to some extent)... If you don't have them, > consider an update. Might give that a try this weekend. > There are no obvious syntax errors in the MailScanner.conf? Look for > silliness like unmatched quotes etc. The syntax of the file is very > forgiving, but one can botch things (read: Been there... about purchases and T-shirts />:-). No, none, other than this specific problem, it just hums along. -- Harondel J. Sibble Sibble Computer Consulting Creating solutions for the small business and home computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager) From philippe at beau.nom.fr Fri Nov 10 17:48:15 2006 
From: philippe at beau.nom.fr (Philippe BEAU) Date: Fri Nov 10 17:48:29 2006 Subject: Mailwatch configuration for some servers In-Reply-To: References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com> <45549D3A.9090308@USherbrooke.ca> Message-ID: <64489.90.0.125.205.1163180895.squirrel@www.choup.net> > Denis Beauchemin wrote: >> Glenn Steen wrote: >>> i have made a french version of mailwatch (if someone is interested) >>> and i >>> >>> I think Denis or Ugo (or perhaps some other of our Canadian friends) >>> have done this too. >>> 2.0 will have some facility builtin (the demos we've seen have used >>> automatic translation courtesy of Google or somesuch... rather >>> abominable, and lacking Swedish(!):-). We'll see where that lands. >>> Eventually:-). >>> >> Sorry, I don't use MW... just mailscanner-mrtg with some local mods. >> Maybe Ugo? > > No, I haven't translated MW. I'll most likely be translating MW 2.0, > though. > Also the translation permit me to view the php code and it just take some minutes. Also the gettext is very wonderful for this type of job ! Philippe > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From glenn.steen at gmail.com Fri Nov 10 19:51:42 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 10 19:51:46 2006 Subject: spam actions doesn't seem to be working right In-Reply-To: <200611101727.kAAHR8Rb011481@sinclaire.sibble.net> References: <200611091722.kA9HMdAB006079@sinclaire.sibble.net> <223f97700611091103t5bb7c348k678500b72d6b9678@mail.gmail.com> <200611101727.kAAHR8Rb011481@sinclaire.sibble.net> Message-ID: <223f97700611101151x56a3af58y2d5cf6de0fd4ae17@mail.gmail.com> On 10/11/06, Harondel J. Sibble wrote: > > > On 9 Nov 2006 at 20:03, Glenn Steen wrote: > > > Why such an old MailScanner (relatively speaking:)? Updating > > Just haven't gotten around to it ;-) Plus scheduling downtime to do the > upgrade at this office is difficult at best. When you do the upgrade, the actual _processes_ aren't affected until you do the "service MailScanner restart"... No need for any perceptible downtime at all;-). Last time the complete process took me 10 minutes, tops. If you also want to do SA etc, you might need to add a few minutes, but... This is SMTP, are you really in such a situation that you can't afford a 10-15 minute "gap" (worst case:-)? > > help you troubleshoot this to some extent)... If you don't have them, > > consider an update. > > Might give that a try this weekend. > > > There are no obvious syntax errors in the MailScanner.conf? Look for > > silliness like unmatched quotes etc. The syntax of the file is very > > forgiving, but one can botch things (read: Been there... > about purchases and T-shirts />:-). > > No, none, other than this specific problem, it just hums along. Best type of system:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Nov 10 19:59:27 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 10 19:59:32 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <64489.90.0.125.205.1163180895.squirrel@www.choup.net> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com> <45549D3A.9090308@USherbrooke.ca> <64489.90.0.125.205.1163180895.squirrel@www.choup.net> Message-ID: <223f97700611101159x4a160b8ete3b15e16eb200ecc@mail.gmail.com> On 10/11/06, Philippe BEAU wrote: > > Denis Beauchemin wrote: > >> Glenn Steen wrote: > >>> i have made a french version of mailwatch (if someone is interested) > >>> and i > >>> > >>> I think Denis or Ugo (or perhaps some other of our Canadian friends) > >>> have done this too. > >>> 2.0 will have some facility builtin (the demos we've seen have used > >>> automatic translation courtesy of Google or somesuch... rather > >>> abominable, and lacking Swedish(!):-). We'll see where that lands. > >>> Eventually:-). > >>> > >> Sorry, I don't use MW... just mailscanner-mrtg with some local mods. > >> Maybe Ugo? > > > > No, I haven't translated MW. I'll most likely be translating MW 2.0, > > though. > > > > Also the translation permit me to view the php code and it just take some > minutes. Also the gettext is very wonderful for this type of job ! > Mais bien-sur;-). Might even offer to do the Swedish one myself... Unless someone beats me to it:-). Anyway, I hope you have enough documentation now to be able to forge ahead. Do take up any problems you encounter on the MailWatch list (since they would likely be a bit off-topic on this one). You might run into some rather well-known errors/discrepancies with 1.0.3, but a quick search of gmane/the archive should get you through those (Message Ops containing more than the quarantined entries, geoip update not working right on some systems etc). 
Cheers, -- -- Glenn (Slightly tipsy, else would never dare "air" my school-french:-) email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ugob at camo-route.com Fri Nov 10 20:16:09 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 10 20:16:24 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <223f97700611101159x4a160b8ete3b15e16eb200ecc@mail.gmail.com> References: <2922.82.127.125.185.1163164965.squirrel@www.choup.net> <223f97700611100722p2b449de9tf3fd071752bdb96e@mail.gmail.com> <45549D3A.9090308@USherbrooke.ca> <64489.90.0.125.205.1163180895.squirrel@www.choup.net> <223f97700611101159x4a160b8ete3b15e16eb200ecc@mail.gmail.com> Message-ID: Glenn Steen wrote: > On 10/11/06, Philippe BEAU wrote: >> > Denis Beauchemin wrote: >> >> Glenn Steen wrote: >> >>> i have made a french version of mailwatch (if someone is interested) >> >>> and i >> >>> >> >>> I think Denis or Ugo (or perhaps some other of our Canadian friends) >> >>> have done this too. >> >>> 2.0 will have some facility builtin (the demos we've seen have used >> >>> automatic translation courtesy of Google or somesuch... rather >> >>> abominable, and lacking Swedish(!):-). We'll see where that lands. >> >>> Eventually:-). >> >>> >> >> Sorry, I don't use MW... just mailscanner-mrtg with some local mods. >> >> Maybe Ugo? >> > >> > No, I haven't translated MW. I'll most likely be translating MW 2.0, >> > though. >> > >> >> Also the translation permit me to view the php code and it just take >> some >> minutes. Also the gettext is very wonderful for this type of job ! >> > Mais bien-sur;-). > Might even offer to do the Swedish one myself... Unless someone beats > me to it:-). > Anyway, I hope you have enough documentation now to be able to forge > ahead. Do take up any problems you encounter on the MailWatch list > (since they would likely be a bit off-topic on this one). You might > run into some rather well-known errors/discrepancies with 1.0.3, but a > quick search of gmane/the archive should get you through those > (Message Ops containing more than the quarantined entries, geoip > update not working right on some systems etc). 
And, if you feel like it, you can document what you did and put it online. If you document it in french, I'll gladly translate it into english. Ugo From mrm at medicine.wisc.edu Fri Nov 10 20:16:35 2006 From: mrm at medicine.wisc.edu (Michael Masse) Date: Fri Nov 10 20:17:08 2006 Subject: What is causing this rule to be tripped? Message-ID: <45548946.7FBE.00FC.3@medicine.wisc.edu> Never had an issue like this before. This morning a pdf attachment tripped the deny .{150,} Very long filename rule. The filename is: RealTime Ultra.pdf Anyone know what could cause this? Mike From steve.swaney at fsl.com Fri Nov 10 20:31:05 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Fri Nov 10 20:31:08 2006 Subject: Mailwatch configuration for some servers In-Reply-To: <223f97700611101159x4a160b8ete3b15e16eb200ecc@mail.gmail.com> Message-ID: <021701c70507$25e51ab0$287ba8c0@office.fsl> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Glenn Steen > Sent: Friday, November 10, 2006 2:59 PM > To: MailScanner discussion > Subject: Re: Mailwatch configuration for some servers > > On 10/11/06, Philippe BEAU wrote: > > > Denis Beauchemin wrote: > > >> Glenn Steen wrote: > > >>> i have made a french version of mailwatch (if someone is interested) > > >>> and i > > >>> > > >>> I think Denis or Ugo (or perhaps some other of our Canadian friends) > > >>> have done this too. > > >>> 2.0 will have some facility builtin (the demos we've seen have used > > >>> automatic translation courtesy of Google or somesuch... rather > > >>> abominable, and lacking Swedish(!):-). We'll see where that lands. > > >>> Eventually:-). > > >>> > > >> Sorry, I don't use MW... just mailscanner-mrtg with some local mods. > > >> Maybe Ugo? > > > > > > No, I haven't translated MW. I'll most likely be translating MW 2.0, > > > though. > > > > > > > Also the translation permit me to view the php code and it just take > some > > minutes. Also the gettext is very wonderful for this type of job ! > > > Mais bien-sur;-). > Might even offer to do the Swedish one myself... Unless someone beats > me to it:-). > Anyway, I hope you have enough documentation now to be able to forge > ahead. Do take up any problems you encounter on the MailWatch list > (since they would likely be a bit off-topic on this one). You might > run into some rather well-known errors/discrepancies with 1.0.3, but a > quick search of gmane/the archive should get you through those > (Message Ops containing more than the quarantined entries, geoip > update not working right on some systems etc). 
> > Cheers, > -- > -- Glenn (Slightly tipsy, else would never dare "air" my school-french:-) At the risk of stealing Steve's thunder, the new MailWatch will have multi-language support which will make it much easier to provide translations so I wouldn't spend a lot of time translating the current version. Steve is very busy right now working on the new MailWatch and new product for us which may be why he's not been as active responding to MailWatch questions on this list as he normally is. Just keep an eye on http://mailwatch.sourceforge.net/ or sign up for the MailWatch mailing list on the web site. It won't be that long :) Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From jwilliams at courtesymortgage.com Fri Nov 10 20:33:37 2006 From: jwilliams at courtesymortgage.com (Jason Williams) Date: Fri Nov 10 20:33:54 2006 Subject: What is causing this rule to be tripped? Message-ID: <01BCE961CD5E4146B83F920FC6A4F2353FD1B7@cmexchange01.CourtesyMortgage.local> >Never had an issue like this before. This morning a pdf attachment >tripped the >deny .{150,} Very long filename rule. The filename is: >RealTime Ultra.pdf > >Anyone know what could cause this? > >Mike I have had these stripped off before and I think it is because there is a space between 'RealTime' and 'Ultra' I also would get this stripped if the file would be named like: RealTime.Ultra.pdf I could be wrong though. -Jason -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Denis.Beauchemin at USherbrooke.ca Fri Nov 10 20:51:18 2006 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Nov 10 20:51:34 2006 Subject: What is causing this rule to be tripped? In-Reply-To: <45548946.7FBE.00FC.3@medicine.wisc.edu> References: <45548946.7FBE.00FC.3@medicine.wisc.edu> Message-ID: <4554E646.6000309@USherbrooke.ca> Michael Masse wrote: > Never had an issue like this before. This morning a pdf attachment > tripped the > deny .{150,} Very long filename rule. The filename is: > RealTime Ultra.pdf > > Anyone know what could cause this? > > Mike > > Michael, The file name you are seeing in your logs has been sanitized so it won't cause any harm. This rule catches filenames that are at least 150 characters long. Usually there is a lot of whitespace in the file name (but MS won't show it to you). Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3595 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061110/532abbb0/smime.bin From danc at bluestarshows.com Fri Nov 10 20:47:33 2006 From: danc at bluestarshows.com (Dan Carl) Date: Fri Nov 10 20:51:58 2006 Subject: Mailscanner not catching SPAM but manual run via SA catches it References: <00a901c704e0$f9a257e0$0200000a@danc3> <223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com> Message-ID: <016401c70509$72f609c0$0200000a@danc3> ----- Original Message ----- 
From: "Glenn Steen" To: "MailScanner discussion" Sent: Friday, November 10, 2006 11:01 AM Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it > On 10/11/06, Dan Carl wrote: > > Hi all, > > > > I'm perplexed, > > Today I took a spam email from my inbox that got through Mailscanner and > > saved it to my mail server. > > I then ran it though spamassassin(spamassassin -t test.eml) and it caught it > > as SPAM. > > What's up with that?? > > > > Just yesterday I upgraded to the latest version of Mailscanner (thanks > > volunteers) > > because a lot of spam was getting through. After many hours of work I also > > installed the Fuzzy OCR plugin. > > > > Mailscanner appears to be working fine and using spamassassin. > > My maillog shows lines this: > > MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369 > > > > Thanks in advance I check the conf and SpamAssassin Local State Dir = /var/lib is correct as Martin stated in previous post > Do the "spamassassin --lint" and "spamassassin -D --lint" as the user > you run your MTA as. Same result? 
spamassassin --lint yields no output spamassassin -D --lint snipped [28023] dbg: config: read file /etc/mail/spamassassin/init.pre [28023] dbg: config: read file /etc/mail/spamassassin/v310.pre [28023] dbg: config: read file /etc/mail/spamassassin/v312.pre [28023] dbg: config: using "/var/lib/spamassassin/3.001007" for sys rules pre files [28023] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre [28023] dbg: config: using "/var/lib/spamassassin/3.001007" for default rules dir [28023] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf [28023] dbg: config: using "/etc/mail/spamassassin" for site rules dir [28023] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf [28023] dbg: config: read file /etc/mail/spamassassin/local.cf [28023] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf > If you've upgraded SA, did you run the sa-update after that? I ran sa-update > Does it look like MailScanners instance of SA is finding/using the correct > /var/lib/spamassassin/...? > sorry not sure how to verify this. > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From mkettler at evi-inc.com Fri Nov 10 21:19:34 2006 
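One way to answer the "is the same rules directory being used" question raised in this thread is to compare two captures of `spamassassin -D --lint` output, for example one taken as root and one taken as the user the MTA runs as. The Python below is an added example, not code from the thread or from MailScanner or SpamAssassin; the first capture reuses debug lines quoted in the message above, the second capture and all function names are constructed for illustration.

```python
import re

# Debug lines of the form shown in the thread.
USING_RE = re.compile(r'dbg: config: using "([^"]+)" for (.+?)\s*$')
READ_RE = re.compile(r'dbg: config: read file (\S+)')

def summarize(debug_text):
    """Return ({role: directory}, {files read}) for one -D --lint capture."""
    dirs, files = {}, set()
    for line in debug_text.splitlines():
        m = USING_RE.search(line)
        if m:
            dirs[m.group(2)] = m.group(1)
            continue
        m = READ_RE.search(line)
        if m:
            files.add(m.group(1))
    return dirs, files

def compare(capture_a, capture_b):
    """Report directories that differ and config files read by only one run."""
    dirs_a, files_a = summarize(capture_a)
    dirs_b, files_b = summarize(capture_b)
    dir_diffs = {
        role: (dirs_a.get(role), dirs_b.get(role))
        for role in sorted(set(dirs_a) | set(dirs_b))
        if dirs_a.get(role) != dirs_b.get(role)
    }
    return {
        "dir_diffs": dir_diffs,
        "only_a": sorted(files_a - files_b),
        "only_b": sorted(files_b - files_a),
    }

# Capture A: lines quoted in the thread.
CAPTURE_A = """\
[28023] dbg: config: read file /etc/mail/spamassassin/init.pre
[28023] dbg: config: using "/var/lib/spamassassin/3.001007" for sys rules pre files
[28023] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
[28023] dbg: config: using "/var/lib/spamassassin/3.001007" for default rules dir
[28023] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
[28023] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[28023] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf
[28023] dbg: config: read file /etc/mail/spamassassin/local.cf
[28023] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
"""

# Capture B: CONSTRUCTED for this example, a run that did not pick up the
# sa-update directory and fell back to a packaged rules directory.
CAPTURE_B = """\
[4242] dbg: config: read file /etc/mail/spamassassin/init.pre
[4242] dbg: config: using "/usr/share/spamassassin" for sys rules pre files
[4242] dbg: config: using "/usr/share/spamassassin" for default rules dir
[4242] dbg: config: read file /usr/share/spamassassin/10_misc.cf
[4242] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[4242] dbg: config: read file /etc/mail/spamassassin/local.cf
[4242] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
"""

if __name__ == "__main__":
    report = compare(CAPTURE_A, CAPTURE_B)
    for role, (a, b) in report["dir_diffs"].items():
        print(f"{role}: A={a} B={b}")
    print("read only in A:", report["only_a"])
    print("read only in B:", report["only_b"])
```

An empty report means both runs resolved the same directories and read the same files; any difference in "default rules dir" is the mismatch the replies in this thread are asking about.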
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Nov 10 21:19:47 2006
Subject: What is causing this rule to be tripped?
In-Reply-To: <45548946.7FBE.00FC.3@medicine.wisc.edu>
References: <45548946.7FBE.00FC.3@medicine.wisc.edu>
Message-ID: <4554ECE6.207@evi-inc.com>

Michael Masse wrote:
> Never had an issue like this before. This morning a pdf attachment
> tripped the
> deny .{150,} Very long filename rule. The filename is:
> RealTime Ultra.pdf
>
> Anyone know what could cause this?

A very long filename, over 150 characters in length.

Note the filename you're seeing in the report and your maillog is the "sanitized" filename, not necessarily the real filename in the original message. Check with the sender to be sure.

The sanitization is done to prevent an absurdly long filename (ie: many thousands of characters long) from flooding your logs with really large entries.
From mrm at medicine.wisc.edu Fri Nov 10 21:29:55 2006
From: mrm at medicine.wisc.edu (Michael Masse) Date: Fri Nov 10 21:30:24 2006 Subject: What is causing this rule to be tripped? In-Reply-To: <01BCE961CD5E4146B83F920FC6A4F2353FD1B7@cmexchange01.CourtesyMortgage.local> References: <01BCE961CD5E4146B83F920FC6A4F2353FD1B7@cmexchange01.CourtesyMortgage.local> Message-ID: <45549A76.7FBE.00FC.3@medicine.wisc.edu> >>> On 11/10/2006 at 2:33 PM, in message <01BCE961CD5E4146B83F920FC6A4F2353FD1B7@cmexchange01.CourtesyMortgage.local>, "Jason Williams" wrote: >> Never had an issue like this before. This morning a pdf attachment >>tripped the >>deny .{150,} Very long filename rule. The filename is: >>RealTime Ultra.pdf >> >>Anyone know what could cause this? >> >>Mike > > > I have had these stripped off before and I think it is because there is > a space between 'RealTime' and 'Ultra' > > I also would get this stripped if the file would be named like: > RealTime.Ultra.pdf > > I could be wrong though. > > -Jason Thanks. Looking at the log I can now see that the length of the filename was indeed over 150 characters long. Mike From ssilva at sgvwater.com Sat Nov 11 04:53:45 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 11 04:54:37 2006 Subject: spam actions doesn't seem to be working right In-Reply-To: <200611101727.kAAHR8Rb011481@sinclaire.sibble.net> References: <200611091722.kA9HMdAB006079@sinclaire.sibble.net>, <223f97700611091103t5bb7c348k678500b72d6b9678@mail.gmail.com> <200611101727.kAAHR8Rb011481@sinclaire.sibble.net> Message-ID: Harondel J. Sibble spake the following on 11/10/2006 9:27 AM: > > On 9 Nov 2006 at 20:03, Glenn Steen wrote: > >> Why such an old MailScanner (relatively speaking:)? Updating > > Just haven't gotten around to it ;-) Plus scheduling downtime to do the > upgrade at this office is difficult at best. > >> help you troubleshoot this to some extent)... If you don't have them, >> consider an update. > > Might give that a try this weekend. > >> There are no obvious syntax errors in the MailScanner.conf? Look for >> silliness like unmatched quotes etc. The syntax of the file is very >> forgiving, but one can botch things (read: Been there...> about purchases and T-shirts />:-). > > No, none, other than this specific problem, it just hums along. > I can do MailScanner upgrades with less than 5 minutes downtime. It doesn't really take that much. You can run the install while the process is running, and the children in memory will happily finish. After the install is done, just restart mailscanner. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Sat Nov 11 05:13:22 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 11 05:13:40 2006 Subject: What is causing this rule to be tripped? In-Reply-To: <45548946.7FBE.00FC.3@medicine.wisc.edu> References: <45548946.7FBE.00FC.3@medicine.wisc.edu> Message-ID: Michael Masse spake the following on 11/10/2006 12:16 PM: > Never had an issue like this before. This morning a pdf attachment > tripped the > deny .{150,} Very long filename rule. The filename is: > RealTime Ultra.pdf > > Anyone know what could cause this? > > Mike > That name in the logs is sanitized by mailscanner. If it put the actual long filename, it might cause a buffer overrun in syslog. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From glenn.steen at gmail.com Sat Nov 11 08:20:35 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Nov 11 08:20:38 2006
Subject: Mailwatch configuration for some servers
In-Reply-To: <021701c70507$25e51ab0$287ba8c0@office.fsl>
References: <223f97700611101159x4a160b8ete3b15e16eb200ecc@mail.gmail.com> <021701c70507$25e51ab0$287ba8c0@office.fsl>
Message-ID: <223f97700611110020t781e7d00h804f6fd4430e11c@mail.gmail.com>

On 10/11/06, Stephen Swaney wrote:
> (snippety-snip)
> > Mais bien-sur;-).
> > Might even offer to do the Swedish one myself... Unless someone beats
> > me to it:-).
> > Anyway, I hope you have enough documentation now to be able to forge
> > ahead. Do take up any problems you encounter on the MailWatch list
> > (since they would likely be a bit off-topic on this one). You might
> > run into some rather well-known errors/discrepancies with 1.0.3, but a
> > quick search of gmane/the archive should get you through those
> > (Message Ops containing more than the quarantined entries, geoip
> > update not working right on some systems etc).
> >
> > Cheers,
> > --
> > -- Glenn (Slightly tipsy, else would never dare "air" my school-french:-)
>
> At the risk of stealing Steve's thunder, the new MailWatch will have
> multi-language support which will make it much easier to provide
> translations so I wouldn't spend a lot of time translating the current
> version.

Wouldn't dream of "jumping the gun" there:-).

> Steve is very busy right now working on the new MailWatch and new product
> for us which may be why he's not been as active responding to MailWatch
> questions on this list as he normally is.
>
> Just keep an eye on http://mailwatch.sourceforge.net/ or sign up for the
> MailWatch mailing list on the web site.
>
> It won't be that long :)

Since you _are_ the PHB^H^H^HBoss, that last statement is really wonderful news;-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com Sat Nov 11 08:26:50 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Nov 11 08:26:54 2006 Subject: Mailscanner not catching SPAM but manual run via SA catches it In-Reply-To: <016401c70509$72f609c0$0200000a@danc3> References: <00a901c704e0$f9a257e0$0200000a@danc3> <223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com> <016401c70509$72f609c0$0200000a@danc3> Message-ID: <223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> On 10/11/06, Dan Carl wrote: > (snip) > > If you've upgraded SA, did you run the sa-update after that? > I ran sa-update Good. > > Does it look like MailScanners instance of SA is finding/using the correct > > /var/lib/spamassassin/...? > > > sorry not sure how to verify this. Well, the output you just showed (snipped by me:) is an indicator. You could add a rule that would be sure to fire into that directory, restart MS and run a testmessage through... and look at what rules fired... -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From roalda at gmail.com Sat Nov 11 11:18:33 2006 
From: roalda at gmail.com (Roald) Date: Sat Nov 11 11:18:37 2006 Subject: [sendmail] Skipping rbl per domain In-Reply-To: <4554865A.5040204@waversveld.nl> References: <60D398EB2DB948409CA1F50D8AF1225701A6E31B@exch1.dekalbmemorial.local> <4554865A.5040204@waversveld.nl> Message-ID: On 11/10/06, Joost Waversveld wrote: > > Ya, I know, but we are hosting a lot of different domains, not just one > domain. > > We use the mailserver Imail on Windows for now. We are planning to > change this, but this will not be in the near future I think. Should > milter-ahead work with Imail?? If so, it's an option we can think of > implementing... Hi! We have a similar setup, with a lot of domains on a Imail-server and several Exchange-servers and also other Linux-servers, and smf-sav works great. -- Roald Martin Amundsen -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061111/1e69d182/attachment.html From joost at waversveld.nl Sat Nov 11 13:19:17 2006 
From: joost at waversveld.nl (Joost Waversveld) Date: Sat Nov 11 13:19:25 2006 Subject: [sendmail] Skipping rbl per domain In-Reply-To: References: <60D398EB2DB948409CA1F50D8AF1225701A6E31B@exch1.dekalbmemorial.local> <4554865A.5040204@waversveld.nl> Message-ID: <20061111141917.1jng39frk8w044k4@webmail.waversveld.nl> Roald, Ok, great to hear that... I'm going to take a closer look at smf-sav then... Thanx for the information!!! Joost Waversveld ----- Bericht van roalda@gmail.com --------- Datum: Sat, 11 Nov 2006 12:18:33 +0100 Van: Roald Antwoorden aan:MailScanner discussion Onderwerp: Re: [sendmail] Skipping rbl per domain Aan: MailScanner discussion > On 11/10/06, Joost Waversveld wrote: >> >> Ya, I know, but we are hosting a lot of different domains, not just one >> domain. >> >> We use the mailserver Imail on Windows for now. We are planning to >> change this, but this will not be in the near future I think. Should >> milter-ahead work with Imail?? If so, it's an option we can think of >> implementing... > > > > Hi! We have a similar setup, with a lot of domains on a Imail-server and > several Exchange-servers and also other Linux-servers, and smf-sav works > great. > > -- > Roald Martin Amundsen > ----- Einde bericht van roalda@gmail.com ----- From alex at nkpanama.com Sat Nov 11 14:41:03 2006 
From: alex at nkpanama.com (Alex Neuman) Date: Sat Nov 11 14:41:43 2006 Subject: MailScanner/sendmail load balancing In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D203AC0947@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D203AC0947@UBIMAIL1.ubisoft.org> Message-ID: <4555E0FF.8090300@nkpanama.com> Daniel Maher wrote: > In our environment, we have a small cluster of incoming mail servers, each running Postfix & MailScanner. We balance these via DNS, in the same way that Google, Yahoo, and many other email players do: our MX points to a single hostname (mail01), which in turn has A-records for each of the machines in the cluster. > > ubisoft.com. 300 IN MX 10 mail01.ubisoft.com. > ;; > mail01.ubisoft.com. 3600 IN A 216.98.56.133 > mail01.ubisoft.com. 3600 IN A 216.98.56.138 > mail01.ubisoft.com. 3600 IN A 216.98.56.132 > > Done and done - it works like a charm, and it is fantastically easy to set up and maintain. > Do you also cluster the message stores? POP/IMAP? From dhawal at netmagicsolutions.com Sat Nov 11 15:05:26 2006 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Sat Nov 11 15:05:44 2006 Subject: MailScanner/sendmail load balancing In-Reply-To: <4555E0FF.8090300@nkpanama.com> References: <1E293D3FF63A3740B10AD5AAD88535D203AC0947@UBIMAIL1.ubisoft.org> <4555E0FF.8090300@nkpanama.com> Message-ID: <4555E6B6.9000403@netmagicsolutions.com> Alex Neuman wrote: > Daniel Maher wrote: >> In our environment, we have a small cluster of incoming mail servers, >> each running Postfix & MailScanner. We balance these via DNS, in the >> same way that Google, Yahoo, and many other email players do: our MX >> points to a single hostname (mail01), which in turn has A-records for >> each of the machines in the cluster. >> >> ubisoft.com. 300 IN MX 10 mail01.ubisoft.com. >> ;; >> mail01.ubisoft.com. 3600 IN A 216.98.56.133 >> mail01.ubisoft.com. 3600 IN A 216.98.56.138 >> mail01.ubisoft.com. 3600 IN A 216.98.56.132 >> >> Done and done - it works like a charm, and it is fantastically easy to >> set up and maintain. >> > Do you also cluster the message stores? POP/IMAP? I doubt you can do this for POP due to the UIDL problem, it'll create havoc for the 'leave message on server' people. You could though do it for the IMAP users, since they are supposed to always connected. - dhawal From lists at gmnet.net Sat Nov 11 15:52:39 2006 
From: lists at gmnet.net (Mailing Lists)
Date: Sat Nov 11 15:52:46 2006
Subject: Mail Not Delivering
Message-ID: <1163260360.27853.97.camel@thor.greenbuzz.net>

Hi,

Yesterday my mail stopped getting to the in-boxes. I am using sendmail and MailScanner 4.23.11. When I stopped MailScanner, and just started sendmail, things get delivered fine, however, during the time it was not delivering mail, I sent myself a bunch of test emails, and I never got them at all. It seems that I have lost mail!
What happened to that mail? Will it be delivered eventually?

One clue that I noticed in /var/log/messages:
Nov 10 15:45:32 pipe named[1928]: lame server resolving '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?): 206.154.202.54#53

I will appreciate any help on this...

Thanks!
Rick
From martinh at solidstatelogic.com Sat Nov 11 17:10:13 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Sat Nov 11 17:10:30 2006
Subject: Mail Not Delivering
In-Reply-To: <1163260360.27853.97.camel@thor.greenbuzz.net>
References: <1163260360.27853.97.camel@thor.greenbuzz.net>
Message-ID: <455603F5.4050101@solidstatelogic.com>

Mailing Lists wrote:
> Hi,
>
> Yesterday my mail stopped getting to the in-boxes. I am using sendmail
> and MailScanner 4.23.11. when I stopped MailScanner, and just started
> sendmail, things get delivered fine, however, during the time it was not
> delivering mail, I sent myself a bunch of test emails, and I never got
> them at all. It seems that I have lost mail!
> What happened to that mail? will it be delivered eventually?
>
> One clue that I noticed in /var/log/messages:
> Nov 10 15:45:32 pipe named[1928]: lame server resolving
> '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?):
> 206.154.202.54#53
>
> I will appreciate any help on this...
>
> Thanks!
> Rick
>
>
Hi

wow, that's really really old code you got running there - three years at least.

check the inbound, and outbound queues to see if they are there..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
From lists at gmnet.net Sat Nov 11 17:33:41 2006
From: lists at gmnet.net (Mailing Lists)
Date: Sat Nov 11 17:33:48 2006
Subject: Mail Not Delivering
In-Reply-To: <455603F5.4050101@solidstatelogic.com>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com>
Message-ID: <1163266421.27853.120.camel@thor.greenbuzz.net>

On Sat, 2006-11-11 at 17:10 +0000, Martin Hepworth wrote:
> Mailing Lists wrote:
> > Hi,
> >
> > Yesterday my mail stopped getting to the in-boxes. I am using sendmail
> > and MailScanner 4.23.11. when I stopped MailScanner, and just started
> > sendmail, things get delivered fine, however, during the time it was not
> > delivering mail, I sent myself a bunch of test emails, and I never got
> > them at all. It seems that I have lost mail!
> > What happened to that mail? will it be delivered eventually?
> >
> > One clue that I noticed in /var/log/messages:
> > Nov 10 15:45:32 pipe named[1928]: lame server resolving
> > '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?):
> > 206.154.202.54#53
> >
> > I will appreciate any help on this...
> >
> > Thanks!
> > Rick
> >
> >
> Hi
>
> wow, that's really really old code you got running there - three years at
> least.
>
> check the inbound, and outbound queues to see if they are there..
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>

Forgive me for not knowing much about this, but I looked in the /var/spool/MailScanner/incoming/ directory. There are a few directories there but no files at all. Is this the right place to look? Where are the inbound and outbound directories?

Right it is old! I installed it back when it was new as a rpm. The OS is RedHat 9. Now it seems there is no rpm for it. Is there any good docs that step me through an upgrade?

Thanks!
Rick
From ssilva at sgvwater.com Sat Nov 11 19:55:02 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 11 19:55:24 2006 Subject: Mail Not Delivering In-Reply-To: <1163266421.27853.120.camel@thor.greenbuzz.net> References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> Message-ID: Mailing Lists spake the following on 11/11/2006 9:33 AM: > On Sat, 2006-11-11 at 17:10 +0000, Martin Hepworth wrote: >> Mailing Lists wrote: >>> Hi, >>> >>> Yesterday my mail stopped getting to the in-boxes. I am using sendmail >>> and MailScanner 4.23.11. when I stopped MailScanner, and just started >>> sendmail, things get delevered fine, however, during the time it was not >>> delivering mail, I sent myself a bunch of test emails, and I never got >>> them at all. It seems that I have lost mail! >>> What happened to that mail? will it be delivered eventually? >>> >>> One clue that I noticed in /var/log/messages: >>> Nov 10 15:45:32 pipe named[1928]: lame server resolving >>> '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?): >>> 206.154.202.54#53 >>> >>> I will appreciate any help on this... >>> >>> Thanks! >>> Rick >>> >>> >> Hi >> >> wow, thats really really old code you got running there - three years at >> least. >> >> check the inbound, and outbound queues to see if they are there.. >> >> -- >> Martin Hepworth >> Senior Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> > > Forgive me for not knowing much about this. but I looked in > the /var/spool/MailScanner/incoming/ directory. there are a few > directories there but no files at all. Is this the right place to look? > were are the inbound and outbound directories? > > Right it is old! I installed it back when it was new as a rpm. The OS is > RedHat 9. Now is seems there is no rpm for it. Is there any good docs > that step me through an upgrade? > > Thanks! > Rick > > > > Go to www.mailscanner.info there are links to the current code, and lots of docs. 
The current rpm install is actually several src.rpms and the mailscanner rpm in a tarball. You unpack the tarball in some working directory and run an install.sh script. It will update any code you need fixed, and give you some instructions at the end. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From glenn.steen at gmail.com Sat Nov 11 20:08:10 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Nov 11 20:08:13 2006 Subject: Mail Not Delivering In-Reply-To: References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> Message-ID: <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> On 11/11/06, Scott Silva wrote: > Mailing Lists spake the following on 11/11/2006 9:33 AM: > > On Sat, 2006-11-11 at 17:10 +0000, Martin Hepworth wrote: > >> Mailing Lists wrote: > >>> Hi, > >>> > >>> Yesterday my mail stopped getting to the in-boxes. I am using sendmail > >>> and MailScanner 4.23.11. when I stopped MailScanner, and just started > >>> sendmail, things get delevered fine, however, during the time it was not > >>> delivering mail, I sent myself a bunch of test emails, and I never got > >>> them at all. It seems that I have lost mail! > >>> What happened to that mail? will it be delivered eventually? > >>> > >>> One clue that I noticed in /var/log/messages: > >>> Nov 10 15:45:32 pipe named[1928]: lame server resolving > >>> '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?): > >>> 206.154.202.54#53 > >>> > >>> I will appreciate any help on this... > >>> > >>> Thanks! > >>> Rick > >>> > >>> > >> Hi > >> > >> wow, thats really really old code you got running there - three years at > >> least. > >> > >> check the inbound, and outbound queues to see if they are there.. > >> > >> -- > >> Martin Hepworth > >> Senior Systems Administrator > >> Solid State Logic > >> Tel: +44 (0)1865 842300 > >> > > > > Forgive me for not knowing much about this. but I looked in > > the /var/spool/MailScanner/incoming/ directory. there are a few > > directories there but no files at all. Is this the right place to look? > > were are the inbound and outbound directories? > > > > Right it is old! I installed it back when it was new as a rpm. The OS is > > RedHat 9. Now is seems there is no rpm for it. 
Is there any good docs
> > that step me through an upgrade?
> >
> > Thanks!
> > Rick
> >
> >
> >
> >
> Go to www.mailscanner.info there are links to the current code, and lots of
> docs. The current rpm install is actually several src.rpms and the mailscanner
> rpm in a tarball. You unpack the tarball in some working directory and run an
> install.sh script. It will update any code you need fixed, and give you some
> instructions at the end.
>
One could also point a helping finger to the MAQ and the rest of the wiki (both contain partly overlapping instructions for how to go about the upgrade(s) necessary). You'll find them from the documentation page on www.mailscanner.info;-).

Another thing to consider is if it isn't time for a more Alexandrian cut, so to speak, to solve this Gordian knot:-):-)... If MailScanner is that old, so is probably every part of the system. Perhaps time for a fresh start?

Anyway, the queues Martin is alluding to are the mqueue.in and mqueue ones (usually found in /var/spool).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ssilva at sgvwater.com Sat Nov 11 20:27:09 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Sat Nov 11 20:27:46 2006 Subject: Mail Not Delivering In-Reply-To: <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> Message-ID: Glenn Steen spake the following on 11/11/2006 12:08 PM: > On 11/11/06, Scott Silva wrote: >> Mailing Lists spake the following on 11/11/2006 9:33 AM: >> > On Sat, 2006-11-11 at 17:10 +0000, Martin Hepworth wrote: >> >> Mailing Lists wrote: >> >>> Hi, >> >>> >> >>> Yesterday my mail stopped getting to the in-boxes. I am using >> sendmail >> >>> and MailScanner 4.23.11. when I stopped MailScanner, and just started >> >>> sendmail, things get delevered fine, however, during the time it >> was not >> >>> delivering mail, I sent myself a bunch of test emails, and I >> never got >> >>> them at all. It seems that I have lost mail! >> >>> What happened to that mail? will it be delivered eventually? >> >>> >> >>> One clue that I noticed in /var/log/messages: >> >>> Nov 10 15:45:32 pipe named[1928]: lame server resolving >> >>> '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?): >> >>> 206.154.202.54#53 >> >>> >> >>> I will appreciate any help on this... >> >>> >> >>> Thanks! >> >>> Rick >> >>> >> >>> >> >> Hi >> >> >> >> wow, thats really really old code you got running there - three >> years at >> >> least. >> >> >> >> check the inbound, and outbound queues to see if they are there.. >> >> >> >> -- >> >> Martin Hepworth >> >> Senior Systems Administrator >> >> Solid State Logic >> >> Tel: +44 (0)1865 842300 >> >> >> > >> > Forgive me for not knowing much about this. but I looked in >> > the /var/spool/MailScanner/incoming/ directory. there are a few >> > directories there but no files at all. Is this the right place to look? >> > were are the inbound and outbound directories? 
>> > >> > Right it is old! I installed it back when it was new as a rpm. The >> OS is >> > RedHat 9. Now is seems there is no rpm for it. Is there any good docs >> > that step me through an upgrade? >> > >> > Thanks! >> > Rick >> > >> > >> > >> > >> Go to www.mailscanner.info there are links to the current code, and >> lots of >> docs. The current rpm install is actually several src.rpms and the >> mailscanner >> rpm in a tarball. You unpack the tarball in some working directory and >> run an >> install.sh script. It will update any code you need fixed, and give >> you some >> instructions at the end. >> > One could also point a helping finger to the MAQ and the rest of the > wiki (both contain partly overlapping instructions for how to go about > the upgrade(s) necessary). You'll find them from the documentation > page on www.mailscanner.info;-). > > Another thing to consider is if it isn't time for a more Alexanrian > cut, so to speak, to solve this Gordian knot:-):-)... If MailScanner > is that old, so is probably every part of the system. Perhaps time for > a fresh start? > > Anyway, the queues Martin is alluding to are the mqueue.in and mqueue > ones (usually found in /var/spool). > I guess I'm not the only one working today! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From glenn.steen at gmail.com Sat Nov 11 20:59:50 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Nov 11 20:59:54 2006 Subject: Mail Not Delivering In-Reply-To: References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> Message-ID: <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com> On 11/11/06, Scott Silva wrote: (snip) > I guess I'm not the only one working today! > Free time.... I've heard of the concept.... Don't really know when I'll actually experience it:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Sat Nov 11 22:22:29 2006 From: res at ausics.net (Res) Date: Sat Nov 11 22:22:37 2006 Subject: Mail Not Delivering In-Reply-To: <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com> References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com> Message-ID: On Sat, 11 Nov 2006, Glenn Steen wrote: > Free time.... I've heard of the concept.... Don't really know when > I'll actually experience it:-) Thats because you run postmix Glenn :) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From lists at gmnet.net Sat Nov 11 23:59:20 2006 
From: lists at gmnet.net (Mailing Lists)
Date: Sat Nov 11 23:59:26 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <1163260360.27853.97.camel@thor.greenbuzz.net>
References: <1163260360.27853.97.camel@thor.greenbuzz.net>
Message-ID: <1163289560.27853.146.camel@thor.greenbuzz.net>

Hi,

Thanks for all your replies, but this is starting to get serious! I have a bunch of clients who are expecting mail, and I don't know what to tell them.

Here is the situation: Mail stopped being delivered last Friday with no notice! I even sent test emails right from my local command prompt to myself and they went nowhere! i.e.

#echo test |mail -s test lists@gmnet.net

Where did this mail go?

Right now, I am running sendmail w/o mailscanner at all! This is the only way mail gets delivered!

Please Help!
Rick
From bhuff at colltech.com Sun Nov 12 01:04:57 2006
From: bhuff at colltech.com (Bill Huff)
Date: Sun Nov 12 01:05:10 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <1163289560.27853.146.camel@thor.greenbuzz.net>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net>
Message-ID:

Rick, the way that mailscanner works is to have a sendmail process that pulls mail into an incoming queue ( usually /var/spool/mqueue.in ) and then mailscanner scans it and moves it to the outgoing queue ( usually /var/spool/mqueue ). If mailscanner just stopped scanning mail for some reason then you should be able to see any mail that you received by looking in /var/spool/mqueue.in. A 'mailq -OQueueDirectory=/var/spool/mqueue.in' will show you any mail that is stuck in that directory. If there is no mail sitting in that queue, then that means that mailscanner was scanning and moving it to the outgoing queue. If that is the case, then a 'mailq -OQueueDirectory=/var/spool/mqueue' should show you what is hung up there. However if you have started sendmail by itself, then that directory should be clear, as that is what sendmail will use by default as well.

Have you looked in /var/log/maillog for anything strange starting Friday afternoon? I would suspect something to be there if Mailscanner started having problems. It is usually pretty talkative when it starts having any sort of issues.

The directories that I have pointed out above are the Mailscanner defaults, so it is possible that your setup may be using different directories. You will need to check your /etc/Mailscanner/Mailscanner.conf file to make sure where your incoming and outgoing queues are ( 'Incoming Queue Dir' and 'Outgoing Queue Dir' ). Hopefully all of your mail just spooled up in /var/spool/mqueue.in and didn't get lost, but in any case, /var/log/maillog should give you a clue what is going on.

I hope that this helps. I know that feeling that comes when you think that you have lost users' mail.
--
Bill
______________________________________________________________________
Bill Huff, CISSP | Director, IT Services Division - MTI Technology Corporation
voice: 512-263-0770 x 262 | fax: 512-263-0606 | cell: 512-630-5424
web: www.mti.com

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mailing Lists
Sent: Saturday, November 11, 2006 5:59 PM
To: MailScanner discussion
Subject: Re: Mail Not Delivering --REALLY BAD!!

Hi,

Thanks for all your replies, but this is starting to get serious! I have a bunch of clients who are expecting mail, and I don't know what to tell them.

Here is the situation: Mail stopped being delivered last Friday with no notice! I even sent test emails right from my local command prompt to myself and they went nowhere! i.e.

#echo test |mail -s test lists@gmnet.net

Where did this mail go?

Right now, I am running sendmail w/o mailscanner at all! this is the only way mail gets delivered!

Please Help!
Rick
From lists at gmnet.net Sun Nov 12 03:46:50 2006
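The queue check Bill Huff describes above, written out as an added example that is not part of the original thread: it reads 'Incoming Queue Dir' and 'Outgoing Queue Dir' from a MailScanner.conf, counts the sendmail qf control files waiting in each queue, and lists queue IDs whose qf file has no df data file beside it. The conf file, directories and queue IDs below are constructed sample data; on a real host, pass the path of your own MailScanner.conf to `queue_report`.

```shell
#!/bin/sh
# Added example, not from the thread: where are MailScanner's queues, and what is in them?

# Print the value of "Key = value" from a MailScanner.conf-style file.
# Lines starting with '#' are skipped; if the key repeats, the last value is printed.
ms_conf_value() {
    conf=$1
    key=$2
    awk -v key="$key" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$conf"
}

# Count queued messages: one qf (control) file per message.
queue_count() {
    dir=$1
    n=0
    for f in "$dir"/qf*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Print queue IDs that have a qf file but no matching df (message body) file.
queue_orphans() {
    dir=$1
    for f in "$dir"/qf*; do
        [ -e "$f" ] || continue
        id=${f##*/qf}
        [ -e "$dir/df$id" ] || echo "$id"
    done
}

# One summary line per queue named in the given conf file.
queue_report() {
    conf=$1
    for key in "Incoming Queue Dir" "Outgoing Queue Dir"; do
        dir=$(ms_conf_value "$conf" "$key")
        if [ -z "$dir" ] || [ ! -d "$dir" ]; then
            echo "$key: not set or not a directory"
            continue
        fi
        orphans=$(queue_orphans "$dir" | wc -l | tr -d ' ')
        echo "$key: $dir messages=$(queue_count "$dir") qf_without_df=$orphans"
    done
}

# Constructed sample data under directory $1: a conf file and two queue dirs.
make_demo() {
    root=$1
    mkdir -p "$root/mqueue.in" "$root/mqueue"
    printf '%s\n' \
        "# constructed sample, not a real configuration" \
        "#Incoming Queue Dir = /nonexistent" \
        "Incoming Queue Dir = $root/mqueue.in" \
        "Outgoing Queue Dir = $root/mqueue" > "$root/MailScanner.conf"
    : > "$root/mqueue.in/qfkAB00000000001"
    : > "$root/mqueue.in/dfkAB00000000001"
    : > "$root/mqueue.in/qfkAB00000000002"   # constructed: qf with no df partner
}

demo=$(mktemp -d)
make_demo "$demo"
queue_report "$demo/MailScanner.conf"
rm -rf "$demo"
```

A non-zero `messages` count on the incoming queue while the outgoing queue stays empty means mail is arriving but not being scanned and moved on.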
From: lists at gmnet.net (Mailing Lists)
Date: Sun Nov 12 03:47:12 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To:
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net>
Message-ID: <1163303210.27853.167.camel@thor.greenbuzz.net>

On Sat, 2006-11-11 at 19:04 -0600, Bill Huff wrote:
> Rick, the way that mailscanner works is to have a sendmail process that pulls mail into an incoming queue ( usually /var/spool/mqueue.in ) and then mailscanner scans it and moves it to the outgoing queue ( usually /var/spool/mqueue ). If mailscanner just stopped scanning mail for some reason then you should be able to see any mail that you received by looking in /var/spool/mqueue.in. A 'mailq -OQueueDirectory=/var/spool/mqueue.in' will show you any mail that is stuck in that directory. If there is no mail sitting in that queue, then that means that mailscanner was scanning and moving it to the outgoing queue. If that is the case, then a 'mailq -OQueueDirectory=/var/spool/mqueue' should show you what is hung up there. However if you have started sendmail by itself, then that directory should be clear, as that is what sendmail will use by default as well.
>
> Have you looked in /var/log/maillog for anything strange starting Friday afternoon? I would suspect something to be there if Mailscanner started having problems. It is usually pretty talkative when it starts having any sort of issues.
>
> The directories that I have pointed out above are the Mailscanner defaults, so it is possible that your setup may be using different directories. You will need to check your /etc/Mailscanner/Mailscanner.conf file to make sure where your incoming and outgoing queues are ( 'Incoming Queue Dir' and 'Outgoing Queue Dir' ). Hopefully all of your mail just spooled up in /var/spool/mqueue.in and didn't get lost, but in any case, /var/log/maillog should give you a clue what is going on.
>
> I hope that this helps. I know that feeling that comes when you think that you have lost users mail.
>
> --
> Bill
>
> _______________________________________

Thanks for the info!

My directories are just like you said. unfortunately, it seems that I DID lose email!! there is nothing in the queues. I just stopped sendmail, started MailScanner, sent myself another test email, and never got it again!! so now I'm running sendmail by itself and it is fine. my maillog file shows tons of the following:

Nov 11 22:44:45 pipe MailScanner[12837]: Batch: Found invalid qf queue file for message k9HDF4fq030592

but MailScanner is not even running! I am running barefoot w/o protection!!

Rick

From res at ausics.net Sun Nov 12 03:54:50 2006
From: res at ausics.net (Res)
Date: Sun Nov 12 03:54:58 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <1163303210.27853.167.camel@thor.greenbuzz.net>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net>
Message-ID:

What version Sendmail? and are you using the correct lock type

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From uxbod at splatnix.net Sun Nov 12 09:49:21 2006
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Sun Nov 12 09:48:59 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <1163303210.27853.167.camel@thor.greenbuzz.net>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net>
Message-ID: <20061112094921.760eb155@localhost>

Do you have a rogue MailScanner process running then ?

ps -ef | grep -i mailscanner

What happens if you run MailScanner in the foreground so you can see what it is doing ?

UxBoD

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From lists at gmnet.net Sun Nov 12 17:32:34 2006
From: lists at gmnet.net (Mailing Lists)
Date: Sun Nov 12 17:32:42 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <1163303210.27853.167.camel@thor.greenbuzz.net>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net>
Message-ID: <1163352754.27853.197.camel@thor.greenbuzz.net>

I think this points to the problem...

in my /var/log/maillog I get tons of these...

Nov 11 22:44:45 pipe MailScanner[12837]: Batch: Found invalid qf queue file for message k9HDF4fq030592

Does anybody know what this means??

Thanks for your help!!
Rick

From prandal at herefordshire.gov.uk Sun Nov 12 17:50:29 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Sun Nov 12 17:50:45 2006
Subject: Mail Not Delivering --REALLY BAD!!
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681DD@isabella.herefordshire.gov.uk>

cd /var/spool/mqueue.in

Move out to another directory dfk9HDF4fq030592 and qfk9HDF4fq030592, and restart MailScanner.

Or is it not always the same message id?

Cheers,

Phil

From glenn.steen at gmail.com Sun Nov 12 18:09:58 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 12 18:10:15 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <1163352754.27853.197.camel@thor.greenbuzz.net>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net> <1163352754.27853.197.camel@thor.greenbuzz.net>
Message-ID: <223f97700611121009k62207471v1b382b0e298fd413@mail.gmail.com>

On 12/11/06, Mailing Lists wrote:
> I think this points to the problem...
>
> in my /var/log/maillog I get tons of these...
>
> Nov 11 22:44:45 pipe MailScanner[12837]: Batch: Found invalid qf queue
> file for message k9HDF4fq030592
>
> Does anybody know what this means??
>
> Thanks for your help!!
> Rick
>

It might indicate that you are using one type of locking in Sendmail and another in MailScanner, so that MailScanner starts reading before the file is really finished being written. Might cause all sorts of problems.

(In "MailScanner speak" the locking types are called posix (for fcntl() ...) and flock (for flock:-).

At about version 8.12.11, there was a shift in Sendmail locking (for linux) from flock to posix/fcntl ... And newer versions of MailScanner have moved from the default assumption that flock is right for sendmail to the assumption that posix is right (you can be explicit about this).

So what to do might be very much dependent on what happened on that Friday. Did you upgrade sendmail? Likely your MailScanner needs to have Lock Type set to posix (assuming an "elderly" MailScanner)... If it was an update of MailScanner, you might need to set it to "flock", to match an older sendmail...

But there has been an interesting idea "aired" already... After stopping MailScanner, are there any MailScanner processes lingering? There should be none, and it should definitely not be logging anything after you had stopped it. If there are such processes, try just killing them off, check that they die, then fire up MailScanner again.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jon at radel.com Sun Nov 12 18:38:38 2006
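The lock-type mismatch Glenn Steen describes in the message above, as an added example (not code from the thread, from MailScanner or from sendmail): on Linux, flock() locks and fcntl()/POSIX locks do not see each other, so a reader using the other style is let in while the writer is still mid-file. The file content, the function names and the local Linux filesystem are assumptions made for this demonstration.

```python
import errno
import fcntl
import os
import tempfile

# Constructed stand-in for a queue control file; NOT the real sendmail qf format.
FIRST_HALF = b"envelope-line-1\n"
SECOND_HALF = b"envelope-line-2\nEND\n"


def take_lock(fd, style):
    """Non-blocking exclusive lock in one of the two styles named in the thread."""
    if style == "flock":
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)   # flock(2)
    elif style == "posix":
        fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)   # fcntl(2) lock on the whole file
    else:
        raise ValueError("unknown lock style: %r" % style)


def reader_outcome(writer_style, reader_style):
    """Writer (child process) locks the file and stops half-way through writing it.
    Reader (parent) then tries its own lock style. Returns 'blocked' when the
    reader is kept out, 'partial' when it got in and read an unfinished file,
    'complete' when it got in and the file was whole."""
    fd, path = tempfile.mkstemp(prefix="qf-demo-")
    os.close(fd)
    ready_r, ready_w = os.pipe()   # child -> parent: "lock held, half written"
    done_r, done_w = os.pipe()     # parent -> child: "finish and exit"
    pid = os.fork()
    if pid == 0:                   # child plays the MTA writing the queue file
        try:
            os.close(ready_r)
            os.close(done_w)
            wfd = os.open(path, os.O_RDWR)
            take_lock(wfd, writer_style)
            os.write(wfd, FIRST_HALF)
            os.write(ready_w, b"x")
            os.read(done_r, 1)     # hold the lock until the reader has probed
            os.write(wfd, SECOND_HALF)
            os.close(wfd)
        finally:
            os._exit(0)
    os.close(ready_w)
    os.close(done_r)
    try:
        os.read(ready_r, 1)        # wait until the writer is mid-file
        rfd = os.open(path, os.O_RDWR)
        try:
            take_lock(rfd, reader_style)
        except OSError as exc:
            if exc.errno not in (errno.EAGAIN, errno.EACCES):
                raise
            outcome = "blocked"    # same lock style: reader correctly waits
        else:
            data = os.read(rfd, 4096)
            outcome = "complete" if data.endswith(b"END\n") else "partial"
        finally:
            os.close(rfd)
    finally:
        os.write(done_w, b"x")
        os.waitpid(pid, 0)
        os.close(ready_r)
        os.close(done_w)
        os.unlink(path)
    return outcome


if __name__ == "__main__":
    for writer in ("flock", "posix"):
        for reader in ("flock", "posix"):
            print("writer=%-5s reader=%-5s -> %s"
                  % (writer, reader, reader_outcome(writer, reader)))
```

Only the two matched combinations keep the reader out; either mismatch hands it an unfinished file, which is the condition the "Found invalid qf queue file" log lines are consistent with.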
From: jon at radel.com (Jon Radel)
Date: Sun Nov 12 18:38:16 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <223f97700611121009k62207471v1b382b0e298fd413@mail.gmail.com>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net> <1163352754.27853.197.camel@thor.greenbuzz.net> <223f97700611121009k62207471v1b382b0e298fd413@mail.gmail.com>
Message-ID: <45576A2E.8050500@radel.com>

Have you explored whether your machine has been subverted? There is always the possibility that somebody has installed something that handles SMTP, which might have very strange effects, or simply broken sendmail. You're running all this on RH 9 (old, old). Have you been applying all the security patches from the Fedora Legacy Project, which issued a security update for sendmail as recently as this April?

If you have this machine bare on the Internet w/o at least a paranoid firewall at the host level, and you've not installed any patches since Red Hat dropped support for RH 9, well.... That would be not so good.

I've re-read all your responses to this, and I don't catch any place where you've answered the implicit question that came up several times: Did you do ANYTHING to the configuration of this machine on Friday? Did you do ANYTHING to the configuration of the network it plugs into on Friday?

--Jon Radel

From glenn.steen at gmail.com Sun Nov 12 18:40:34 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 12 18:40:48 2006
Subject: Mail Not Delivering
In-Reply-To:
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com>
Message-ID: <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com>

On 11/11/06, Res wrote:
> On Sat, 11 Nov 2006, Glenn Steen wrote:
>
> > Free time.... I've heard of the concept.... Don't really know when
> > I'll actually experience it:-)
>
> That's because you run postmix Glenn :)
>

(... Moving severely off-topic...)

Nope, I think it has something to do with general understaffing and continually jumping from one hot spot to the next (networking (switches, firewalls, VPN GWs, RSA ACE etc etc), Unix admin (some hefty AIX boxes, a slew of Suns, a plethora of linuces), backup (Networker mostly), DBAing some fairly big Oracle DBs, some Postgresql and some MySQL, trying to do some app development on and off, and generally help the windoze guys whenever they need it (which they seem to do, continually) ... not to mention the overall responsibility for the center facilities (alarmsystems, cooling, Novec fire extinguishing facility, KVM switches etc etc) ... and the list goes on (ad nauseam:) ). In other words, no different situation than most of you have;-).

The MX GWs with postfix/MailScanner/etc/etc is what _saves_ me time, so that I can do all the rest;-)... I'm sure I'd have to commit a lot more time to qmail (Q for quirky, right:) or snide^H^H^H^Hendmail if I used that... After all, I know PF pretty well by now:-D

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From lists at gmnet.net Sun Nov 12 18:45:03 2006
From: lists at gmnet.net (Mailing Lists)
Date: Sun Nov 12 18:45:07 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681DD@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681DD@isabella.herefordshire.gov.uk>
Message-ID: <1163357103.27853.219.camel@thor.greenbuzz.net>

On Sun, 2006-11-12 at 17:50 +0000, Randal, Phil wrote:
> cd /var/spool/mqueue.in
>
> Move out to another directory dfk9HDF4fq030592 and qfk9HDF4fq030592, and
> restart MailScanner.
>
> Or is it not always the same message id?
>
> Cheers,
>
> Phil

Thanks,

That fixed that, but when I run MailScanner, some mail still does not get delivered..

Here is a snip from my maillog...

Nov 12 13:12:21 pipe sendmail[23527]: kACICK54023527: from=, size=570, class=0, nrcpts=1, msgid=<1163355140.27853.213.camel@thor.greenbuzz.net>, proto=ESMTP, daemon=MTA, relay=mailgate5.sover.net [209.198.87.110]
Nov 12 13:12:24 pipe MailScanner[23528]: MailScanner E-Mail Virus Scanner version 4.23-11 starting...
Nov 12 13:12:24 pipe MailScanner[23525]: RBL Check Infinite-Monkeys timed out and was killed, consecutive failure 1 of 7

Thanks for all your help!!
Rick

From lists at gmnet.net Sun Nov 12 18:50:25 2006
From: lists at gmnet.net (Mailing Lists)
Date: Sun Nov 12 18:50:32 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <45576A2E.8050500@radel.com>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net> <1163352754.27853.197.camel@thor.greenbuzz.net> <223f97700611121009k62207471v1b382b0e298fd413@mail.gmail.com> <45576A2E.8050500@radel.com>
Message-ID: <1163357425.27853.223.camel@thor.greenbuzz.net>

On Sun, 2006-11-12 at 13:38 -0500, Jon Radel wrote:
> Have you explored whether your machine has been subverted? There is
> always the possibility that somebody has installed something that
> handles SMTP, which might have very strange effects, or simply broken
> sendmail. You're running all this on RH 9 (old, old). Have you been
> applying all the security patches from the Fedora Legacy Project, which
> issued a security update for sendmail as recently as this April?
>
> If you have this machine bare on the Internet w/o at least a paranoid
> firewall at the host level, and you've not installed any patches since
> Red Hat dropped support for RH 9, well.... That would be not so good.
>
> I've re-read all your responses to this, and I don't catch any place
> where you've answered the implicit question that came up several times:
> Did you do ANYTHING to the configuration of this machine on Friday?
> Did you do ANYTHING to the configuration of the network it plugs into on
> Friday?

sorry, I did nothing to the config files for a while. It was working fine on Fri morning. and yes I do have a solid firewall in place... I plan on replacing the whole system in a few months, i guess I just want a basic solution for now...

>
> --Jon Radel

From csweeney at osubucks.org Sun Nov 12 18:50:27 2006
From: csweeney at osubucks.org (Chris Sweeney)
Date: Sun Nov 12 18:50:43 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <1163357103.27853.219.camel@thor.greenbuzz.net>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681DD@isabella.herefordshire.gov.uk> <1163357103.27853.219.camel@thor.greenbuzz.net>
Message-ID: <45576CF3.5040904@osubucks.org>

Skipped content of type multipart/alternative

From glenn.steen at gmail.com Sun Nov 12 19:24:42 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 12 19:24:49 2006
Subject: Mail Not Delivering --REALLY BAD!!
In-Reply-To: <1163357425.27853.223.camel@thor.greenbuzz.net>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <1163289560.27853.146.camel@thor.greenbuzz.net> <1163303210.27853.167.camel@thor.greenbuzz.net> <1163352754.27853.197.camel@thor.greenbuzz.net> <223f97700611121009k62207471v1b382b0e298fd413@mail.gmail.com> <45576A2E.8050500@radel.com> <1163357425.27853.223.camel@thor.greenbuzz.net>
Message-ID: <223f97700611121124w4245c5eamdfcf2b4f6c911008@mail.gmail.com>

On 12/11/06, Mailing Lists wrote:
(snip)
> sorry, I did nothing to the config files for a while. It was working
> fine on Fri morning. and yes I do have a solid firewall in place... I
> plan on replacing the whole system in a few months, i guess I just want
> a basic solution for now...

Setting up a new system could be done in a day or two (in its entirety... Counting the time to acquire HW;-)... And it'd likely solve all your problems, so you should perhaps reconsider your timetable. Just a suggestion, mind you;-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From prandal at herefordshire.gov.uk Sun Nov 12 19:43:19 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Sun Nov 12 19:43:33 2006
Subject: Mail Not Delivering --REALLY BAD!!
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681DE@isabella.herefordshire.gov.uk>

The Infinite monkeys RBL has long gone to the great bit bucket in the sky.

You need to remove it from your RBL list in /etc/MailScanner/MailScanner.conf

Cheers,

Phil

From admin at thenamegame.com Sun Nov 12 20:01:21 2006
From: admin at thenamegame.com (Michael S.) Date: Sun Nov 12 19:54:10 2006 Subject: Debora is a huge spammers!!!! Message-ID: <200611121954.kACJs8mT030323@bkserver.blacknight.ie> The huge increase in stock spam that everyone is seeing is coming from the username that is consistently the same. Has anyone noticed? These are different variations of the username@ deborahpessanha@bridportleisure.com deborasalsano@brokermart.com deborahvw@brooksmetals.com Etc. Notice the first 6 characters of every username being Debora? Is there an exim rule that one can implement in exim.conf for example that rejects all mail arriving from Debora??????@fakedomain.com? Id rather do this at SMTP time instead of allows MS to kill it off as there are thousands and the less MS has to work the better. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061112/deee1d77/attachment.html From prandal at herefordshire.gov.uk Sun Nov 12 20:21:20 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Sun Nov 12 20:21:29 2006 Subject: Debora is a huge spammers!!!! Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681DF@isabella.herefordshire.gov.uk> Oh that it were so simple. The current sa-updated 3.1.7 rules, various rules from www.rulesemporium.com and the ImageInfo plugin (http://www.rulesemporium.com/plugins.htm ) get most of them anyway, and FuzzyOCR 3.4.2 (from http://fuzzyocr.own-hero.net/wiki/Downloads ) catches many of what's left. Cheers, Phil _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S. Sent: Sunday, November 12, 2006 8:01 PM To: mailscanner@lists.mailscanner.info Subject: Debora is a huge spammers!!!! The huge increase in stock spam that everyone is seeing is coming from the username that is consistently the same. Has anyone noticed? These are different variations of the username@ deborahpessanha@bridportleisure.com deborasalsano@brokermart.com deborahvw@brooksmetals.com Etc. Notice the first 6 characters of every username being Debora? Is there an exim rule that one can implement in exim.conf for example that rejects all mail arriving from Debora??????@fakedomain.com ? Id rather do this at SMTP time instead of allows MS to kill it off as there are thousands and the less MS has to work the better. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061112/1d2b56d2/attachment.html From admin at thenamegame.com Sun Nov 12 20:40:57 2006 From: admin at thenamegame.com (Michael S.) Date: Sun Nov 12 20:33:32 2006 Subject: Debora is a huge spammers!!!! In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681DF@isabella.herefordshire.gov.uk> Message-ID: <200611122033.kACKXUcD030959@bkserver.blacknight.ie> As I mentioned, I want to catch them at smtp time and not after its been received therefore it needs to be implamented in exim.conf and not sa. Why accpt 25,000 debora spam messages and waste bandwidth accepting them when it could be done up front? _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Sunday, November 12, 2006 3:21 PM To: 'MailScanner discussion' Subject: RE: Debora is a huge spammers!!!! Oh that it were so simple. The current sa-updated 3.1.7 rules, various rules from www.rulesemporium.com and the ImageInfo plugin (http://www.rulesemporium.com/plugins.htm ) get most of them anyway, and FuzzyOCR 3.4.2 (from http://fuzzyocr.own-hero.net/wiki/Downloads ) catches many of what's left. Cheers, Phil _____ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S. Sent: Sunday, November 12, 2006 8:01 PM To: mailscanner@lists.mailscanner.info Subject: Debora is a huge spammers!!!! The huge increase in stock spam that everyone is seeing is coming from the username that is consistently the same. Has anyone noticed? These are different variations of the username@ deborahpessanha@bridportleisure.com deborasalsano@brokermart.com deborahvw@brooksmetals.com Etc. Notice the first 6 characters of every username being Debora? Is there an exim rule that one can implement in exim.conf for example that rejects all mail arriving from Debora??????@fakedomain.com? Id rather do this at SMTP time instead of allows MS to kill it off as there are thousands and the less MS has to work the better. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061112/1e8afd49/attachment.html From prandal at herefordshire.gov.uk Sun Nov 12 20:39:34 2006 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Sun Nov 12 20:39:46 2006 Subject: Debora is a huge spammers!!!! Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681E0@isabella.herefordshire.gov.uk> Use an RBL such as cbl.abuseat.org in exim, if you can - that'll probably get most of them. We're not seeing any form the lovely debs here. Phil _____ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S. Sent: Sunday, November 12, 2006 8:41 PM To: 'MailScanner discussion' Subject: RE: Debora is a huge spammers!!!! As I mentioned, I want to catch them at smtp time and not after its been received therefore it needs to be implamented in exim.conf and not sa. Why accpt 25,000 debora spam messages and waste bandwidth accepting them when it could be done up front? _____ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Sunday, November 12, 2006 3:21 PM To: 'MailScanner discussion' Subject: RE: Debora is a huge spammers!!!! Oh that it were so simple. The current sa-updated 3.1.7 rules, various rules from www.rulesemporium.com and the ImageInfo plugin (http://www.rulesemporium.com/plugins.htm ) get most of them anyway, and FuzzyOCR 3.4.2 (from http://fuzzyocr.own-hero.net/wiki/Downloads ) catches many of what's left. Cheers, Phil _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S. Sent: Sunday, November 12, 2006 8:01 PM To: mailscanner@lists.mailscanner.info Subject: Debora is a huge spammers!!!! The huge increase in stock spam that everyone is seeing is coming from the username that is consistently the same. Has anyone noticed? These are different variations of the username@ deborahpessanha@bridportleisure.com deborasalsano@brokermart.com deborahvw@brooksmetals.com Etc. Notice the first 6 characters of every username being Debora? Is there an exim rule that one can implement in exim.conf for example that rejects all mail arriving from Debora??????@fakedomain.com ? Id rather do this at SMTP time instead of allows MS to kill it off as there are thousands and the less MS has to work the better. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061112/f1d29032/attachment.html From admin at thenamegame.com Sun Nov 12 20:56:30 2006 From: admin at thenamegame.com (Michael S.) Date: Sun Nov 12 20:49:06 2006 Subject: Debora is a huge spammers!!!! In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681E0@isabella.herefordshire.gov.uk> Message-ID: <200611122049.kACKn3KF031398@bkserver.blacknight.ie> Already using CBL. Iv seen it on 32 boxes, same Debora spam messages being pumped inbound. Boxes are located all over the world not just in the USA so this is a worldwide issue. Cant say its just one or two boxes. CBL doesn't stop it. _____ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Sunday, November 12, 2006 3:40 PM To: 'MailScanner discussion' Subject: RE: Debora is a huge spammers!!!! Use an RBL such as cbl.abuseat.org in exim, if you can - that'll probably get most of them. We're not seeing any form the lovely debs here. Phil _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S. Sent: Sunday, November 12, 2006 8:41 PM To: 'MailScanner discussion' Subject: RE: Debora is a huge spammers!!!! As I mentioned, I want to catch them at smtp time and not after its been received therefore it needs to be implamented in exim.conf and not sa. Why accpt 25,000 debora spam messages and waste bandwidth accepting them when it could be done up front? _____ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Sunday, November 12, 2006 3:21 PM To: 'MailScanner discussion' Subject: RE: Debora is a huge spammers!!!! Oh that it were so simple. The current sa-updated 3.1.7 rules, various rules from www.rulesemporium.com and the ImageInfo plugin (http://www.rulesemporium.com/plugins.htm ) get most of them anyway, and FuzzyOCR 3.4.2 (from http://fuzzyocr.own-hero.net/wiki/Downloads ) catches many of what's left. Cheers, Phil _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S. Sent: Sunday, November 12, 2006 8:01 PM To: mailscanner@lists.mailscanner.info Subject: Debora is a huge spammers!!!! The huge increase in stock spam that everyone is seeing is coming from the username that is consistently the same. Has anyone noticed? These are different variations of the username@ deborahpessanha@bridportleisure.com deborasalsano@brokermart.com deborahvw@brooksmetals.com Etc. Notice the first 6 characters of every username being Debora? Is there an exim rule that one can implement in exim.conf for example that rejects all mail arriving from Debora??????@fakedomain.com? Id rather do this at SMTP time instead of allows MS to kill it off as there are thousands and the less MS has to work the better. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061112/ace03442/attachment-0001.html From prandal at herefordshire.gov.uk Sun Nov 12 20:53:08 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Sun Nov 12 20:54:12 2006 Subject: Debora is a huge spammers!!!! Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681E1@isabella.herefordshire.gov.uk> We're not seeing because I wasn't looking... All fifteen from Deborah came from the one IP address 70.86.164.242, which isn't yet in any RBL that I use. Phil _____ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Sunday, November 12, 2006 8:40 PM To: 'MailScanner discussion' Subject: RE: Debora is a huge spammers!!!! Use an RBL such as cbl.abuseat.org in exim, if you can - that'll probably get most of them. We're not seeing any form the lovely debs here. Phil _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S. Sent: Sunday, November 12, 2006 8:41 PM To: 'MailScanner discussion' Subject: RE: Debora is a huge spammers!!!! As I mentioned, I want to catch them at smtp time and not after its been received therefore it needs to be implamented in exim.conf and not sa. Why accpt 25,000 debora spam messages and waste bandwidth accepting them when it could be done up front? _____ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Sunday, November 12, 2006 3:21 PM To: 'MailScanner discussion' Subject: RE: Debora is a huge spammers!!!! Oh that it were so simple. The current sa-updated 3.1.7 rules, various rules from www.rulesemporium.com and the ImageInfo plugin (http://www.rulesemporium.com/plugins.htm ) get most of them anyway, and FuzzyOCR 3.4.2 (from http://fuzzyocr.own-hero.net/wiki/Downloads ) catches many of what's left. Cheers, Phil _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S. Sent: Sunday, November 12, 2006 8:01 PM To: mailscanner@lists.mailscanner.info Subject: Debora is a huge spammers!!!! The huge increase in stock spam that everyone is seeing is coming from the username that is consistently the same. Has anyone noticed? These are different variations of the username@ deborahpessanha@bridportleisure.com deborasalsano@brokermart.com deborahvw@brooksmetals.com Etc. Notice the first 6 characters of every username being Debora? Is there an exim rule that one can implement in exim.conf for example that rejects all mail arriving from Debora??????@fakedomain.com ? Id rather do this at SMTP time instead of allows MS to kill it off as there are thousands and the less MS has to work the better. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061112/b72a766b/attachment.html From admin at thenamegame.com Sun Nov 12 21:24:21 2006 From: admin at thenamegame.com (Michael S.) Date: Sun Nov 12 21:16:51 2006 Subject: Debora is a huge spammers!!!! In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681E1@isabella.herefordshire.gov.uk> Message-ID: <200611122116.kACLGo1c031961@bkserver.blacknight.ie> I did a grep on Debora in my logs and although that ip reveals the same ip as what you have the rest are from all different ips so ip blocking wont do it. _____ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Sunday, November 12, 2006 3:53 PM To: 'MailScanner discussion' Subject: RE: Debora is a huge spammers!!!! We're not seeing because I wasn't looking... All fifteen from Deborah came from the one IP address 70.86.164.242, which isn't yet in any RBL that I use. Phil _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Sunday, November 12, 2006 8:40 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

Use an RBL such as cbl.abuseat.org in exim, if you can - that'll probably get most of them.

We're not seeing any from the lovely debs here.

Phil

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S.
Sent: Sunday, November 12, 2006 8:41 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

As I mentioned, I want to catch them at smtp time and not after it's been received therefore it needs to be implemented in exim.conf and not sa. Why accept 25,000 debora spam messages and waste bandwidth accepting them when it could be done up front?

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Sunday, November 12, 2006 3:21 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

Oh that it were so simple.

The current sa-updated 3.1.7 rules, various rules from www.rulesemporium.com and the ImageInfo plugin (http://www.rulesemporium.com/plugins.htm) get most of them anyway, and FuzzyOCR 3.4.2 (from http://fuzzyocr.own-hero.net/wiki/Downloads) catches many of what's left.

Cheers,

Phil

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S.
Sent: Sunday, November 12, 2006 8:01 PM
To: mailscanner@lists.mailscanner.info
Subject: Debora is a huge spammers!!!!

The huge increase in stock spam that everyone is seeing is coming from the username that is consistently the same. Has anyone noticed?

These are different variations of the username@

deborahpessanha@bridportleisure.com
deborasalsano@brokermart.com
deborahvw@brooksmetals.com

Etc. Notice the first 6 characters of every username being Debora?

Is there an exim rule that one can implement in exim.conf for example that rejects all mail arriving from Debora??????@fakedomain.com?

I'd rather do this at SMTP time instead of allowing MS to kill it off as there are thousands and the less MS has to work the better.

Thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061112/4d69ca95/attachment.html

From arturs at netvision.net.il Sun Nov 12 22:15:26 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Sun Nov 12 22:18:11 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <200611122116.kACLGo1c031961@bkserver.blacknight.ie>
Message-ID: <015101c706a8$0e9f9400$3701a8c0@lapxp>

I see it too, about 40 instances in maillog during 20 hours. Different IP all. Most were caught by MS.

If I'd get ~25,000 such spams a day, I'd consider filtering them at MTA, everything that would stop the flood on the spot would be good. Otherwise, it is just a short-lasting workaround and a waste of time.

Best,
--
Arthur Sherman
+972-52-4878851
CPTeam

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S.
Sent: Sunday, November 12, 2006 11:24 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

I did a grep on Debora in my logs and although that ip reveals the same ip as what you have the rest are from all different ips so ip blocking won't do it.

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Sunday, November 12, 2006 3:53 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

We're not seeing because I wasn't looking...

All fifteen from Deborah came from the one IP address 70.86.164.242, which isn't yet in any RBL that I use.

Phil

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Sunday, November 12, 2006 8:40 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

Use an RBL such as cbl.abuseat.org in exim, if you can - that'll probably get most of them.

We're not seeing any from the lovely debs here.

Phil

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S.
Sent: Sunday, November 12, 2006 8:41 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

As I mentioned, I want to catch them at smtp time and not after it's been received therefore it needs to be implemented in exim.conf and not sa. Why accept 25,000 debora spam messages and waste bandwidth accepting them when it could be done up front?

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Sunday, November 12, 2006 3:21 PM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

Oh that it were so simple.

The current sa-updated 3.1.7 rules, various rules from www.rulesemporium.com and the ImageInfo plugin (http://www.rulesemporium.com/plugins.htm) get most of them anyway, and FuzzyOCR 3.4.2 (from http://fuzzyocr.own-hero.net/wiki/Downloads) catches many of what's left.

Cheers,

Phil

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael S.
Sent: Sunday, November 12, 2006 8:01 PM
To: mailscanner@lists.mailscanner.info
Subject: Debora is a huge spammers!!!!

The huge increase in stock spam that everyone is seeing is coming from the username that is consistently the same. Has anyone noticed?

These are different variations of the username@

deborahpessanha@bridportleisure.com
deborasalsano@brokermart.com
deborahvw@brooksmetals.com

Etc. Notice the first 6 characters of every username being Debora?

Is there an exim rule that one can implement in exim.conf for example that rejects all mail arriving from Debora??????@fakedomain.com?

I'd rather do this at SMTP time instead of allowing MS to kill it off as there are thousands and the less MS has to work the better.

Thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061113/56ddcaa8/attachment.html

From glenn.steen at gmail.com Sun Nov 12 22:31:47 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 12 22:31:50 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <200611122116.kACLGo1c031961@bkserver.blacknight.ie>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681E1@isabella.herefordshire.gov.uk> <200611122116.kACLGo1c031961@bkserver.blacknight.ie>
Message-ID: <223f97700611121431p20dd877buc09e4c9e14d97211@mail.gmail.com>

On 12/11/06, Michael S. wrote:
> I did a grep on Debora in my logs and although that ip reveals the same ip
> as what you have the rest are from all different ips so ip blocking won't do
> it.

Look through the stuff since the beginning of this month... Had 28 matches, where 3 would've been false positives with a rule rejecting anyone named debora.*@.* ... would be unacceptable to me. And MS caught the other ones so...:-).

If I saw this in very large numbers, I might be tempted to try to capitalise on it... But I'm afraid that if you cannot find something else they have in common (and that you can easily identify at SMTP time), you wouldn't be able to use this at all.
For me, looking at the headers for the 28, nothing really popped out.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From res at ausics.net Mon Nov 13 00:31:20 2006
From: res at ausics.net (Res)
Date: Mon Nov 13 00:31:35 2006
Subject: Mail Not Delivering
In-Reply-To: <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com> <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com>
Message-ID:

On Sun, 12 Nov 2006, Glenn Steen wrote:

> Nope, I think it has something to do with general understaffing and
> continually jumping from one hot spot to the next (networking
> (switches, firewalls, VPN GWs, RSA ACE etc etc), Unix admin (some
> hefty AIX boxes, a slew of Suns, a plethora of linuces), backup

*snip* what are you a one man NOC ? surely you can delegate, but I know if something f2#$#s up it still comes back down to me, that's why competent engineers by my side are a must ;)

> The MX GWs with postfix/MailScanner/etc/etc is what _saves_ me time,
> more time to qmail (Q for quirky, right:) or snide^H^H^H^Hendmail if I

We are shortly about to remove qmail from equation on all our virtual domain boxes by using sendmail and cyrus, I'm sick to death of spending 2 days patching the useless piece of crap every time we want some other feature that's defaultly in sendmail and has been in it for like 8 years or more.

bernstein is right about one thing tho, qmail is secure, after all how can you exploit something that does nothing :D

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From jimc at laridian.com Mon Nov 13 04:42:02 2006
From: jimc at laridian.com (Jim Coates)
Date: Mon Nov 13 04:44:30 2006
Subject: OT: poprelayd and milter-greylist
In-Reply-To:
Message-ID: <008301c706de$10bf7e40$6401a8c0@zorak>

Hey all...

I have a server that handles all mail from our remote offices (offsite offices).

We use poprelayd to handle relay authentication for our mail services.

We recently started using milter-greylist, but I'm running into a problem where dynamic IPs are changing on my remote offices and therefore are no longer listed as whitelisted in the milter-greylist config file.

I'm wondering if there is a way to take the poprelayd IP table and auto-whitelist the milter-greylist config using those IPs (which would also mean adding new ones as they are "approved" by poprelayd).

Any thoughts?

Thanks,
Jim Coates

From ram at netcore.co.in Mon Nov 13 07:03:23 2006
From: ram at netcore.co.in (Ramprasad)
Date: Mon Nov 13 07:03:50 2006
Subject: how to not run SA-scan if on whitelist/blacklist
Message-ID: <1163401404.780.26.camel@darkstar.netcore.co.in>

We are using MS 4.50.15 for spamassassin and AV checks.

I use the "Is Definitely Not Spam = " feature for whitelisting. When a mail is already on this, how do I tell MS not to run SA for such a mail?

Currently the mail is sent thru spamassassin and the checks happen before the whitelisting happens.

Thanks
Ram

From matt at coders.co.uk Mon Nov 13 08:17:06 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Mon Nov 13 08:17:38 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <223f97700611121431p20dd877buc09e4c9e14d97211@mail.gmail.com>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681E1@isabella.herefordshire.gov.uk> <200611122116.kACLGo1c031961@bkserver.blacknight.ie> <223f97700611121431p20dd877buc09e4c9e14d97211@mail.gmail.com>
Message-ID: <45582A02.9000009@coders.co.uk>

Glenn Steen wrote:
> On 12/11/06, Michael S. wrote:
>> I did a grep on Debora in my logs and although that ip reveals the
>> same ip
>> as what you have the rest are from all different ips so ip blocking
>> won't do
>> it.
> Look through the stuff since the beginning of this month... Had 28
> matches, where 3 would've been false positives with a rule rejecting
> anyone named debora.*@.* ... would be unacceptable to me. And MS caught
> the other ones so...:-).

Gone back through my logs and only 185 got as far as MS - of these 11 were not identified as spam and of these only 6 were false negatives. Of those 6 - 3 were caused by SA timeouts. I was getting Razor hits on the rest and Bayes was > 60% on two of them. The lowest score was 2.5, the highest 4.76. I haven't (touch wood) had a false negative since the 5th.

The majority (at least an order of magnitude larger) were blocked at connection level. I haven't had a chance to work out which milters hit the most but I have the following installed: milter-link, smf-sav, smf-grey (patched to only greylist if the sending IP is on an RBL) and smf-spf (reject only on fails).

>
> If I saw this in very large numbers, I might be tempted to try to
> capitalise on it... But I'm afraid that if you cannot find something else
> they have in common (and that you can easily identify at SMTP time),
> you wouldn't be able to use this at all.
> For me, looking at the headers for the 28, nothing really popped out.
>

The only thing that I saw was they all had X-Priority: 3(normal) set.

matt From martinh at solidstatelogic.com Mon Nov 13 09:05:15 2006 
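Added example, not part of any post in this thread: a Python script for the check Glenn Steen and Matt Hampton describe above, replaying a candidate sender rule (debora.*@.*) against verdicts MailScanner has already logged before rejecting on it at SMTP time. The log lines are constructed, and the `from IP (sender)` layout, the function names and the report fields are assumptions made for this example.

```python
import re

# Constructed sample lines in the shape MailScanner writes with
# "Log Spam = yes" / "Log Non Spam = yes". IDs, IPs and addresses are made up,
# and the "from IP (sender)" layout is an assumption of this example.
SAMPLE_LOG = """\
Nov 12 20:00:00 mx1 MailScanner[2101]: New Batch: Scanning 7 messages, 21840 bytes
Nov 12 20:00:03 mx1 MailScanner[2101]: Message kACK0001 from 192.0.2.10 (deborahpx@example.net) to example.org is spam, SpamAssassin (not cached, score=18.2, required 6, BAYES_99 5.40)
Nov 12 20:00:03 mx1 MailScanner[2101]: Message kACK0002 from 198.51.100.7 (deborasal@example.com) to example.org is spam, SpamAssassin (not cached, score=12.9, required 6, BAYES_99 5.40)
Nov 12 20:00:04 mx1 MailScanner[2101]: Message kACK0003 from 192.0.2.77 (Debora.Lind@customer.example) to example.org is not spam, SpamAssassin (not cached, score=-1.2, required 6, autolearn=not spam)
Nov 12 20:00:04 mx1 MailScanner[2101]: Message kACK0004 from 203.0.113.5 (deborahvq@example.net) to example.org is not spam, SpamAssassin (not cached, score=4.76, required 6, autolearn=not spam)
Nov 12 20:00:05 mx1 MailScanner[2101]: Message kACK0005 from 203.0.113.9 (john@example.org) to example.org is spam, SpamAssassin (cached, score=9.1, required 6)
Nov 12 20:00:05 mx1 MailScanner[2101]: Message kACK0006 from 192.0.2.44 (alice@example.org) to example.org is not spam, SpamAssassin (cached, score=0.3, required 6)
Nov 12 20:00:06 mx1 MailScanner[2101]: Message kACK0007 from 198.51.100.7 (deborah99@example.com) to example.org is spam, SpamAssassin (not cached, score=15.0, required 6, BAYES_99 5.40)
"""

LINE_RE = re.compile(
    r"Message (?P<id>\S+) from (?P<ip>\S+) \((?P<sender>[^)]*)\) to (?P<to>\S+) "
    r"is (?P<verdict>not spam|spam), SpamAssassin \((?P<detail>[^)]*)\)"
)
SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)")


def parse_line(line):
    """Return one verdict record, or None for lines that are not verdicts."""
    m = LINE_RE.search(line)
    if not m:
        return None
    score = SCORE_RE.search(m.group("detail"))
    return {
        "id": m.group("id"),
        "ip": m.group("ip"),
        "sender": m.group("sender").lower(),
        "is_spam": m.group("verdict") == "spam",
        "score": float(score.group(1)) if score else None,
    }


def evaluate_sender_rule(log_text, localpart_regex):
    """Replay a sender local-part rule against logged verdicts.

    Matches logged as "not spam" are only review candidates: as Matt's
    numbers show, some of them are spam the scanner missed, so a person has
    to read them before the count is treated as false positives.
    """
    rule = re.compile(localpart_regex, re.IGNORECASE)
    report = {"parsed": 0, "matched": 0, "matched_spam": 0,
              "needs_review": [], "source_ips": set(), "spam_not_matched": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        report["parsed"] += 1
        localpart = rec["sender"].partition("@")[0]
        if rule.search(localpart):
            report["matched"] += 1
            report["source_ips"].add(rec["ip"])
            if rec["is_spam"]:
                report["matched_spam"] += 1
            else:
                report["needs_review"].append((rec["sender"], rec["score"]))
        elif rec["is_spam"]:
            report["spam_not_matched"] += 1
    return report


if __name__ == "__main__":
    r = evaluate_sender_rule(SAMPLE_LOG, r"^debora")
    print("verdict lines parsed :", r["parsed"])
    print("rule would reject    :", r["matched"])
    print("  already marked spam:", r["matched_spam"])
    print("  review before use  :", r["needs_review"])
    print("distinct source IPs  :", len(r["source_ips"]))
    print("spam the rule misses :", r["spam_not_matched"])
```

The number of distinct source IPs among the matches shows whether IP blocking would have covered the same mail, which is the other question raised in the thread.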
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Mon Nov 13 09:05:33 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <200611121954.kACJs8mT030323@bkserver.blacknight.ie>
References: <200611121954.kACJs8mT030323@bkserver.blacknight.ie>
Message-ID: <4558354B.20705@solidstatelogic.com>

Michael S. wrote:
> The huge increase in stock spam that everyone is seeing is coming from
> the username that is consistently the same. Has anyone noticed?
>
> These are different variations of the username@
>
> deborahpessanha@bridportleisure.com
> deborasalsano@brokermart.com
> deborahvw@brooksmetals.com
>
> Etc. Notice the first 6 characters of every username being Debora?
>
> Is there an exim rule that one can implement in exim.conf for example
> that rejects all mail arriving from Debora??????@fakedomain.com
> ?
>
> I'd rather do this at SMTP time instead of allowing MS to kill it off as
> there are thousands and the less MS has to work the better.
>
> Thanks
>

Michael

trapping them nicely here without fuzzyocr or imageinfo..

5.40 BAYES_99                   Bayesian spam probability is 99 to 100%
4.00 DCC_CHECK                  Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.77 DIGEST_MULTIPLE            Message hits more than one network digest check
1.25 HOST_EQ_IT
0.50 RAZOR2_CF_RANGE_51_100     Razor2 gives confidence level above 50%
1.50 RAZOR2_CF_RANGE_E4_51_100  Razor2 gives engine 4 confidence level above 50%
0.50 RAZOR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
0.79 SARE_LWSHORTT
1.66 SARE_MLB_Stock1
1.66 SARE_MLB_Stock2
1.66 SARE_MLB_Stock5            Mentions stock symbol, tickers, or OTC.

the SARE stocks rules are very useful here...

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From glenn.steen at gmail.com Mon Nov 13 09:19:28 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Nov 13 09:19:32 2006
Subject: Mail Not Delivering
In-Reply-To:
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <455603F5.4050101@solidstatelogic.com> <1163266421.27853.120.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com> <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com>
Message-ID: <223f97700611130119k45a4ba9cm2a7ab87f52c5c1f2@mail.gmail.com>

On 13/11/06, Res wrote:
> On Sun, 12 Nov 2006, Glenn Steen wrote:
>
> > Nope, I think it has something to do with general understaffing and
> > continually jumping from one hot spot to the next (networking
> > (switches, firewalls, VPN GWs, RSA ACE etc etc), Unix admin (some
> > hefty AIX boxes, a slew of Suns, a plethora of linuces), backup
>
> *snip* what are you a one man NOC ? surely you can delegate, but I
> know if something f2#$#s up it still comes back down to me, that's why
> competent engineers by my side are a must ;)

The term there is _understaffed_;-). Then one becomes "key" to operations in oh so many ways. Sigh.
We're leasing the needed people to delegate to, but... It's not the same as a fellow employee.

> > The MX GWs with postfix/MailScanner/etc/etc is what _saves_ me time,
> > more time to qmail (Q for quirky, right:) or snide^H^H^H^Hendmail if I
>
> We are shortly about to remove qmail from equation on all our virtual
> domain boxes by using sendmail and cyrus, I'm sick to death of spending 2 days
> patching the useless piece of crap every time we want some other feature
> that's defaultly in sendmail and has been in it for like 8 years or more.
>
> bernstein is right about one thing tho, qmail is secure, after all how can
> you exploit something that does nothing :D
>

Yep:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From matt at coders.co.uk Mon Nov 13 10:44:06 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Mon Nov 13 10:44:31 2006
Subject: OT: poprelayd and milter-greylist
In-Reply-To: <008301c706de$10bf7e40$6401a8c0@zorak>
References: <008301c706de$10bf7e40$6401a8c0@zorak>
Message-ID: <45584C76.6080100@coders.co.uk>

Jim Coates wrote:
> Hey all...
>
> I have a server that handles all mail from our remote offices (offsite
> offices).
>
> We use poprelayd to handle relay authentication for our mail services.
>
> We recently started using milter-greylist, but I'm running into a problem
> where dynamic IPs are changing on my remote offices and therefore are no
> longer listed as whitelisted in the milter-greylist config file.
>
> I'm wondering if there is a way to take the poprelayd IP table and
> auto-whitelist the milter-greylist config using those IPs (which would also
> mean adding new ones as they are "approved" by poprelayd).
>
> Any thoughts?

Is there a particular reason why you can't use SMTP-AUTH? milter-greylist can use that as an automatic whitelist.

Alternatively:

http://hcpnet.free.fr/milter-greylist/poprelay/

matt

From t.d.lee at durham.ac.uk Mon Nov 13 10:56:09 2006
From: t.d.lee at durham.ac.uk (David Lee)
Date: Mon Nov 13 10:56:33 2006
Subject: SA 3.1.7 returning no result to MS?
In-Reply-To: <4554A39C.1050404@evi-inc.com>
References: <4554A39C.1050404@evi-inc.com>
Message-ID:

On Fri, 10 Nov 2006, Matt Kettler wrote:

> David Lee wrote:
> > (Linux/FC5; sendmail 8.13.7; MS 4.56.8)
> >
> > Yesterday on our two main inbound mailrelays I upgraded SA from 3.1.4 to
> > 3.1.7. The MS config has:
> > Log Spam = yes
> > Log Non Spam = yes
> >
> > In the daily logs we now seem to be getting several occurrences of:
> > Message XXX from YYY to ZZZ is not spam, SpamAssassin (not cached, score=0, required 6, autolearn=)
> >
> > and:
> > Message PPP from QQQ to RRR is not spam, SpamAssassin (cached, score=0, required 6, autolearn=)
> >
> > scattered amongst the occurrences of more real data. (Around 7% of entries
> > on one machine, around 4% on the other, are in such truncated/empty forms).
> >
> > The daily logs prior to this show no occurrences at all.
> >
> > Any thoughts?
>
> spamassassin --lint any errors reported, or just runs and exits quietly?

Runs and exits quietly.

> spamassassin -D --lint, and see what the "default rules dir" is, and make sure
> all the default .cf files are there.

Attached. Looks mostly clean. There's an SA "FP_MIXED_PORN3" problem, but apparently several people have reported this in various places and, if I read those reports correctly, it is not deemed to be a major problem (rather just a warning).

Googling around a little, I find:
http://www.gossamer-threads.com/lists/spamassassin/users/87230
and one of the replies in the thread says:
"There's been some discussion about scores with 0 rating popping similar so I wonder if that's related."

That "0 rating" sounds like the symptoms I'm seeing.

Message ... is not spam, SpamAssassin (cached, score=0, required 6, autolearn=)

When I do a manual "sa-update", the entries continue to appear in the log file.
But when I follow this with "service MailScanner reload", these entries almost cease for a while. ("For a while"? I tried before the weekend and they seemed to have ceased. Returning after the weekend, they seem to have resumed. Re-tried just now: seem to have ceased.)

Note that this void scoring is only on a minority of the emails (nothing like all of them).

> >
> > 2. When I check on a third (higher MX, lower preference) machine on which
> > I did a similar upgrade, but on which Razor had been working properly
> > working both before and after the upgrade, this has such entries both
> > before and after. Which sort of points the finger towards Razor, rather
> > than the SA upgrade.
>
> I highly doubt razor is involved. From the sounds of it, SA isn't parsing its
> ruleset.

But (speculation!) might some sort of SA/Razor timeout cause subsequent SA results to be discarded/ignored, causing emptiness to be returned to MS?

(I'm happy not to get distracted onto this razor datapoint, but I thought I at least ought to have mentioned it...)

--

:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:                                           Durham University     :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :

-------------- next part --------------
"/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pl.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pl.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_dkim.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_dkim.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_dkim.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/50_scores.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/50_scores.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/50_scores.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_anti_ratware.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_anti_ratware.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_anti_ratware.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_it.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_it.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_it.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_fr.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_fr.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_fr.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_porn.cf [30406] dbg: config: using 
"/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_porn.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_porn.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_body_tests_pl.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_body_tests_pl.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_body_tests_pl.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_replace.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_replace.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_replace.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/23_bayes.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/23_bayes.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/23_bayes.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_nl.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_nl.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_nl.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_body_tests.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_body_tests.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_body_tests.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_subject.cf [30406] dbg: config: 
using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_subject.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_subject.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/70_iadb.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/70_iadb.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/70_iadb.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/10_misc.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/10_misc.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/10_misc.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_textcat.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_textcat.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_textcat.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_domainkeys.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_domainkeys.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_domainkeys.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_de.cf [30406] dbg: config: using 
"/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_de.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_de.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_fake_helo_tests.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_fake_helo_tests.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_fake_helo_tests.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_compensate.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_compensate.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_compensate.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_dk.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_dk.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_dk.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pt_br.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pt_br.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pt_br.cf [30406] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_html_tests.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_html_tests.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_html_tests.cf [30406] dbg: plugin: fixed relative path: 
/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_spf.cf [30406] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_spf.cf" for included file [30406] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_spf.cf [30406] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x28407b0) implements 'finish_parsing_end' [30406] dbg: replacetags: replacing tags [30406] dbg: replacetags: done replacing tags [30406] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks [30406] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen [30406] dbg: bayes: found bayes db version 3 [30406] dbg: bayes: DB journal sync: last sync: 1163413288 [30406] dbg: config: score set 2 chosen. [30406] dbg: message: ---- MIME PARSER START ---- [30406] dbg: message: main message type: text/plain [30406] dbg: message: parsing normal part [30406] dbg: message: added part, type: text/plain [30406] dbg: message: ---- MIME PARSER END ---- [30406] dbg: dns: is DNS available? 
0 [30406] dbg: metadata: X-Spam-Relays-Trusted: [30406] dbg: metadata: X-Spam-Relays-Untrusted: [30406] dbg: metadata: X-Spam-Relays-Internal: [30406] dbg: metadata: X-Spam-Relays-External: [30406] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x2532ff0) implements 'extract_metadata' [30406] dbg: metadata: X-Relay-Countries: [30406] dbg: message: no encoding detected [30406] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x83ce40) implements 'parsed_metadata' [30406] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0x2532ff0) implements 'parsed_metadata' [30406] dbg: rules: local tests only, ignoring RBL eval [30406] dbg: check: running tests for priority: 0 [30406] dbg: rules: running header regexp tests; score so far=0 [30406] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" [30406] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1163413298@lint_rules> [30406] dbg: rules: " [30406] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" [30406] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1163413298" [30406] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [30406] dbg: eval: all '*To' addrs: [30406] dbg: rules: ran eval rule NO_RELAYS ======> got hit [30406] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit [30406] dbg: rules: running body-text per-line regexp tests; score so far=-0.001 [30406] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [30406] dbg: uri: running uri tests; score so far=-0.001 [30406] dbg: bayes: DB journal sync: last sync: 1163413288 [30406] dbg: bayes: corpus size: nspam = 2768964, nham = 846951 [30406] dbg: bayes: score = 0.146100146430509 [30406] dbg: bayes: DB journal sync: last sync: 1163413288 [30406] dbg: bayes: untie-ing [30406] dbg: bayes: untie-ing db_toks [30406] dbg: bayes: untie-ing db_seen [30406] dbg: rules: ran eval rule BAYES_20 ======> got hit [30406] dbg: rules: running raw-body-text 
per-line regexp tests; score so far=-0.741 [30406] dbg: rules: running full-text regexp tests; score so far=-0.741 [30406] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x83ce40) implements 'check_tick' [30406] dbg: check: running tests for priority: 500 [30406] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x83ce40) implements 'check_post_dnsbl' [30406] dbg: rules: running meta tests; score so far=-0.741 [30406] info: rules: meta test FP_MIXED_PORN3 has undefined dependency 'FP_PENETRATION' [30406] dbg: rules: running header regexp tests; score so far=1.416 [30406] dbg: rules: running body-text per-line regexp tests; score so far=1.416 [30406] dbg: uri: running uri tests; score so far=1.416 [30406] dbg: rules: running raw-body-text per-line regexp tests; score so far=1.416 [30406] dbg: rules: running full-text regexp tests; score so far=1.416 [30406] dbg: check: running tests for priority: 1000 [30406] dbg: rules: running meta tests; score so far=1.416 [30406] dbg: rules: running header regexp tests; score so far=1.416 [30406] dbg: rules: running body-text per-line regexp tests; score so far=1.416 [30406] dbg: uri: running uri tests; score so far=1.416 [30406] dbg: rules: running raw-body-text per-line regexp tests; score so far=1.416 [30406] dbg: rules: running full-text regexp tests; score so far=1.416 [30406] dbg: check: is spam? score=1.416 required=5 [30406] dbg: check: tests=BAYES_20,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE [30406] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID From tenderby at mailwash.com.au Mon Nov 13 11:18:21 2006 
From: tenderby at mailwash.com.au (Tony Enderby)
Date: Mon Nov 13 11:18:49 2006
Subject: Slightly OT - RBL test.
Message-ID: <4558547D.4010602@mailwash.com.au>

Hi all,

I was wondering if someone who gets a fair mail volume passing through their servers (10 to 30k) per day and who uses MailScanner would mind testing a budding RBL I am setting up and in the process of testing at the moment.

The current IP lists are small and won't return anything useful for a while but I'd like to load test the servers on which they run.

If you feel like helping please give me a yell when you get a moment.

Thanks,
Tony.

-----------------------------------------------------------------------------------
Scanned by MailWash Australia - http://www.mailwash.com.au
-----------------------------------------------------------------------------------

From mikechoo at opensos.net Mon Nov 13 13:24:33 2006
From: mikechoo at opensos.net (Michael Choo)
Date: Mon Nov 13 13:24:55 2006
Subject: File extension issue
Message-ID: <43B130E6-F9BB-4146-92A1-9392E7981284@opensos.net>

Skipped content of type multipart/alternative

From glenn.steen at gmail.com Mon Nov 13 13:43:57 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Nov 13 13:44:07 2006
Subject: File extension issue
In-Reply-To: <43B130E6-F9BB-4146-92A1-9392E7981284@opensos.net>
References: <43B130E6-F9BB-4146-92A1-9392E7981284@opensos.net>
Message-ID: <223f97700611130543r40fd6398peab0fe8e99b6ce8b@mail.gmail.com>

On 13/11/06, Michael Choo wrote:
>
> Ran into this issue, user is running Mac OS X which can use multiple periods
> in the filename.
> Don't suppose there is a work around besides disabling file checks?
>
> MailScanner: Attempt to hide real filename extension (IMR WITH BW-8.xls.pdf)
>

Sure there is. Either you could just disable that rule in filenames.rules.conf, or you could use the "overloading" feature of the Filename setting to do some intelligent exceptions (look at the wiki page http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading) ... Or you could convince him/her to not do that:-):-).

> cheers
> -Mike

Bottoms up!
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From bpumphrey at woodmclaw.com Mon Nov 13 15:06:32 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Mon Nov 13 15:06:47 2006
Subject: Mail Not Delivering
In-Reply-To: <1163260360.27853.97.camel@thor.greenbuzz.net>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C140F3@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mailing Lists
> Sent: Saturday, November 11, 2006 10:53 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Mail Not Delivering
>
> Hi,
>
> Yesterday my mail stopped getting to the in-boxes. I am using sendmail
> and MailScanner 4.23.11. when I stopped MailScanner, and just started
> sendmail, things get delivered fine, however, during the time it was not
> delivering mail, I sent myself a bunch of test emails, and I never got
> them at all. It seems that I have lost mail!
> What happened to that mail? will it be delivered eventually?
>
> One clue that I noticed in /var/log/messages:
> Nov 10 15:45:32 pipe named[1928]: lame server resolving
> '205.78.168.68.relays.ordb.org' (in 'relays.ordb.org'?):
> 206.154.202.54#53
>
> I will appreciate any help on this...
>
> Thanks!
> Rick
>
> --

Try doing this command, which tells sendmail to process messages in queue (at least for my version).

sendmail -q -v

Billy Pumphrey
IT Manager
Wooden & McLaughlin

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Denis.Beauchemin at USherbrooke.ca Mon Nov 13 15:47:23 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Nov 13 15:48:01 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <200611121954.kACJs8mT030323@bkserver.blacknight.ie>
References: <200611121954.kACJs8mT030323@bkserver.blacknight.ie>
Message-ID: <4558938B.8000907@USherbrooke.ca>

Michael S. wrote:
>
> The huge increase in stock spam that everyone is seeing is coming from
> the username that is consistently the same. Has anyone noticed?
>
> These are different variations of the username@
>
> deborahpessanha@bridportleisure.com
>
> deborasalsano@brokermart.com
>
> deborahvw@brooksmetals.com
>
> Etc. Notice the first 6 characters of every username being Debora?
>
> Is there an exim rule that one can implement in exim.conf for example
> that rejects all mail arriving from Debora??????@fakedomain.com
> ?
>
> I'd rather do this at SMTP time instead of allowing MS to kill it off as
> there are thousands and the less MS has to work the better.
>
> Thanks
>

I seem to be getting many thousands a day (more than 18000 yesterday)... I think I will deploy milter-regex: http://www.benzedrine.cx/milter-regex.html

Denis
--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From danc at bluestarshows.com Mon Nov 13 15:38:30 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Mon Nov 13 15:49:03 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3> <223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com>
Message-ID: <013301c70739$c57359f0$0200000a@danc3>

----- Original Message -----
From: "Glenn Steen"
To: "MailScanner discussion"
Sent: Saturday, November 11, 2006 2:26 AM
Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it

> On 10/11/06, Dan Carl wrote:
> > > (snip)
> > > If you've upgraded SA, did you run the sa-update after that?
> > I ran sa-update
> Good.
> > > Does it look like MailScanners instance of SA is finding/using the correct
> > > /var/lib/spamassassin/...?
> > >
> > sorry not sure how to verify this.
> Well, the output you just showed (snipped by me:) is an indicator. You
> could add a rule that would be sure to fire into that directory,
> restart MS and run a testmessage through... and look at what rules
> fired...

Can you please explain how to do this?

Question:
Do these need to be set?

SpamAssassin Install Prefix =
SpamAssassin Local Rules Dir =
SpamAssassin Default Rules Dir =

The conf says that if spamassassin is installed in its default location (which mine is) they don't need to be set.. Correct?

> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From mkettler at evi-inc.com Mon Nov 13 15:58:24 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Nov 13 15:58:35 2006
Subject: SA 3.1.7 returning no result to MS?
In-Reply-To:
References: <4554A39C.1050404@evi-inc.com>
Message-ID: <45589620.2010900@evi-inc.com>

David Lee wrote:
> On Fri, 10 Nov 2006, Matt Kettler wrote:
>
>> David Lee wrote:
>>> (Linux/FC5; sendmail 8.13.7; MS 4.56.8)
>>>
>>> Yesterday on our two main inbound mailrelays I upgraded SA from 3.1.4 to
>>> 3.1.7. The MS config has:
>>> Log Spam = yes
>>> Log Non Spam = yes
>>>
>>> In the daily logs we now seem to be getting several occurrences of:
>>> Message XXX from YYY to ZZZ is not spam, SpamAssassin (not cached, score=0, required 6, autolearn=)
>>>
>>> and:
>>> Message PPP from QQQ to RRR is not spam, SpamAssassin (cached, score=0, required 6, autolearn=)
>>>
>>> scattered amongst the occurrences of more real data. (Around 7% of entries
>>> on one machine, around 4% on the other, are in such truncated/empty forms).
>>>
>>> The daily logs prior to this show no occurrences at all.
>>>
>>> Any thoughts?
>> spamassassin --lint any errors reported, or just runs and exits quietly?
>
> Runs and exits quietly.
>
>> spamassassin -D --lint, and see what the "default rules dir" is, and make sure
>> all the default .cf files are there.
>
> Attached. Looks mostly clean.
>
> There's an SA "FP_MIXED_PORN3" problem, but apparently several people have
> reported this in various places and, if I read those reports correctly, it
> is not deemed to be a major problem (rather just a warning).
>

Check your mail logs for messages along the lines of "SpamAssassin timed out and was killed"

From prandal at herefordshire.gov.uk Mon Nov 13 16:15:08 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Mon Nov 13 16:16:27 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581086D838@isabella.herefordshire.gov.uk>

You'll need

SpamAssassin Local State Dir = /var/lib

but the others should be OK.

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Dan Carl
> Sent: 13 November 2006 15:39
> To: MailScanner discussion
> Subject: Re: Mailscanner not catching SPAM but manual run via
> SA catches it
>
>
> ----- Original Message -----
> From: "Glenn Steen"
> To: "MailScanner discussion"
> Sent: Saturday, November 11, 2006 2:26 AM
> Subject: Re: Mailscanner not catching SPAM but manual run via
> SA catches it
>
>
> > On 10/11/06, Dan Carl wrote:
> > > > (snip)
> > > > If you've upgraded SA, did you run the sa-update after that?
> > > I ran sa-update
> > Good.
> > > > Does it look like MailScanners instance of SA is finding/using the correct
> > > > /var/lib/spamassassin/...?
> > > >
> > > sorry not sure how to verify this.
> > Well, the output you just showed (snipped by me:) is an indicator. You
> > could add a rule that would be sure to fire into that directory,
> > restart MS and run a testmessage through... and look at what rules
> > fired...
> Can you please explain how to do this?
> Question:
> Do these need to be set?
> SpamAssassin Install Prefix =
> SpamAssassin Local Rules Dir =
> SpamAssassin Default Rules Dir =
> The conf says that if spamassassin is installed in its default
> location (which mine is)
> they don't need to be set.. Correct?
>
> > -- Glenn
> > email: glenn < dot > steen < at > gmail < dot > com
> > work: glenn < dot > steen < at > ap1 < dot > se
>

From anders.andersson at ltkalmar.se Mon Nov 13 17:10:50 2006
From: anders.andersson at ltkalmar.se (Anders Andersson, IT)
Date: Mon Nov 13 17:10:58 2006
Subject: SV: File extension issue
In-Reply-To: <43B130E6-F9BB-4146-92A1-9392E7981284@opensos.net>
Message-ID: <5EBABD62DC5AC048AD8AEC3312E02D4CCD3237@exchange03.lkl.ltkalmar.se>

Personally, I just removed the double periods check. It will still check the last extension for forbidden extensions. Just make sure you got a decent filetype.rules.conf to rely on

/Anders

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael Choo
Sent: 13 November 2006 14:25
To: mailscanner@lists.mailscanner.info
Subject: File extension issue

Ran into this issue, user is running Mac OS X which can use multiple periods in the filename.
Don't suppose there is a work around besides disabling file checks?

MailScanner: Attempt to hide real filename extension (IMR WITH BW-8.xls.pdf)

cheers
-Mike

From mikes at hartwellcorp.com Mon Nov 13 17:39:10 2006
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Mon Nov 13 17:41:03 2006
Subject: Upgraded to new SA+Clam - Bayes not working
Message-ID: <3BF93070B3D1B047BA7ABF612958950DF78C23@hcex.hartwellcorp.com>

Last Friday I updated to the new SA+Clam package. Over the weekend it became clear from the amount of spam getting through that something was not right. ;)

It looks as if the Bayes scoring is not working. Thinking that the database change might be the culprit I downloaded the starter DB for SA 3.0 from the Fortress systems site and installed. However, that does not seem to have solved the problem.

Could someone point me to any pertinent troubleshooting docs?

Thank you for your time.

From t.d.lee at durham.ac.uk Mon Nov 13 17:41:03 2006
From: t.d.lee at durham.ac.uk (David Lee)
Date: Mon Nov 13 17:41:18 2006
Subject: SA 3.1.7 returning no result to MS?
In-Reply-To: <45589620.2010900@evi-inc.com>
References: <4554A39C.1050404@evi-inc.com> <45589620.2010900@evi-inc.com>
Message-ID:

On Mon, 13 Nov 2006, Matt Kettler wrote:

> [...]
> Check your mail logs for messages along the lines of "SpamAssassin timed out and
> was killed"

There are a few "... was killed, failure of 20" but they don't appear near the empty SA returns, and although they build in series, the "" don't seem to reach anywhere near the "20".

There's nothing else nearby in the log that seems linked. There are some "SpamAssassin cache hit for message XXX" next to the failures, but that same process both before and after returns non-empty with such incidents (as if these incidents are sporadic, rather than an MS process going long-term bad/corrupt).

If someone who knows SA (3.1.7) or MS (4.56.8) internals can dream up some debug/log statements, I'd be happy to try to patch them in and watch what happens.

--
: David Lee I.T. Service :
: Senior Systems Programmer Computer Centre :
: Durham University :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham DH1 3LE :
: Phone: +44 191 334 2752 U.K. :

From rpoe at plattesheriff.org Mon Nov 13 17:43:14 2006
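Added example, not part of any message in this thread and not MailScanner's own code: one way to quantify the empty SpamAssassin results David Lee describes, and to see whether they cluster on one MailScanner child process, on cache hits, or near a "timed out and was killed" event. The sample log lines are constructed; the syslog prefix, message ids, addresses and the `year` parameter (syslog timestamps carry no year) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, not taken from the thread's servers. The result
# lines follow the two forms quoted in the thread; the syslog prefix, hosts,
# message ids and addresses are assumptions.
SAMPLE_LOG = """\
Nov 13 10:00:01 relay1 MailScanner[2101]: Message kADA01aa from 192.0.2.10 (a@example.org) to example.com is not spam, SpamAssassin (not cached, score=-2.6, required 6, autolearn=not spam, BAYES_00 -2.60)
Nov 13 10:00:04 relay1 MailScanner[2101]: Message kADA02bb from 192.0.2.11 (b@example.org) to example.com is not spam, SpamAssassin (not cached, score=0, required 6, autolearn=)
Nov 13 10:00:09 relay1 MailScanner[2207]: Message kADA03cc from 192.0.2.12 (c@example.org) to example.com is spam, SpamAssassin (not cached, score=11.56, required 6, BAYES_99 5.40, DCC_CHECK 4.00, RAZOR2_CHECK 0.50, SARE_MLB_Stock1 1.66)
Nov 13 10:02:30 relay1 MailScanner[2207]: SpamAssassin timed out and was killed, failure 1 of 20
Nov 13 10:02:41 relay1 MailScanner[2207]: Message kADA04dd from 192.0.2.13 (d@example.org) to example.com is not spam, SpamAssassin (cached, score=0, required 6, autolearn=)
Nov 13 10:05:00 relay1 MailScanner[2101]: Message kADA05ee from 192.0.2.14 (e@example.org) to example.com is not spam, SpamAssassin (not cached, score=1.06, required 6, autolearn=no, BAYES_20 -0.74, MISSING_SUBJECT 1.80)
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
RESULT_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: Message (?P<id>\S+) from .*? "
    r"is (?:not spam|spam), SpamAssassin \("
    r"(?P<cache>not cached|cached), score=(?P<score>-?[\d.]+), "
    r"required [\d.]+(?P<rest>[^)]*)\)"
)
KILL_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: SpamAssassin timed out and was killed"
)


def rule_hits(rest):
    """Return the 'RULE score' items of a result line, skipping autolearn=..."""
    items = [item.strip() for item in rest.split(",")]
    return [i for i in items if i and not i.startswith("autolearn=")]


def analyze(log_text, window=60, year=2006):
    """Summarise empty SpamAssassin results in a MailScanner log.

    An entry is 'empty' when score is 0 and no rule is listed, which is the
    truncated form quoted in the thread. `window` is how many seconds either
    side of a kill event, in the same child process, counts as 'near'.
    """
    results, kills = [], []
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        if not ts:
            continue
        when = datetime.strptime(f"{year} {ts['ts']}", "%Y %b %d %H:%M:%S")
        hit = RESULT_RE.search(line)
        if hit:
            empty = not rule_hits(hit["rest"]) and float(hit["score"]) == 0
            results.append((when, hit["pid"], hit["id"], hit["cache"], empty))
            continue
        kill = KILL_RE.search(line)
        if kill:
            kills.append((when, kill["pid"]))

    empties = [r for r in results if r[4]]
    near_kill = [
        r[2] for r in empties
        if any(pid == r[1] and abs((r[0] - kw).total_seconds()) <= window
               for kw, pid in kills)
    ]
    pct = round(100 * len(empties) / len(results), 1) if results else 0.0
    return {
        "total": len(results),
        "empty": len(empties),
        "empty_pct": pct,
        "empty_by_pid": dict(Counter(r[1] for r in empties)),
        "empty_cached": sum(1 for r in empties if r[3] == "cached"),
        "empty_near_kill": near_kill,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

If `empty_by_pid` is dominated by one process id, a single child has gone bad; an even spread with few entries in `empty_near_kill` matches the sporadic pattern described above.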
From: rpoe at plattesheriff.org (Rob Poe)
Date: Mon Nov 13 17:44:01 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <4558354B.20705@solidstatelogic.com>
References: <200611121954.kACJs8mT030323@bkserver.blacknight.ie> <4558354B.20705@solidstatelogic.com>
Message-ID: <45585A52.65ED.00A2.0@plattesheriff.org>

grep -c debora maillog*
maillog:1364
maillog.1:4611
maillog.2:732
maillog.3:4
maillog.4:3

>>> Martin Hepworth 11/13/2006 3:05 AM >>>
Michael S. wrote:
> The huge increase in stock spam that everyone is seeing is coming from
> the username that is consistently the same. Has anyone noticed?
>
> These are different variations of the username@
>
> deborahpessanha@bridportleisure.com
>
> deborasalsano@brokermart.com
>
> deborahvw@brooksmetals.com
>
> Etc. Notice the first 6 characters of every username being Debora?
>
> Is there an exim rule that one can implement in exim.conf for example
> that rejects all mail arriving from Debora??????@fakedomain.com
> ?
>
> I'd rather do this at SMTP time instead of allowing MS to kill it off as
> there are thousands and the less MS has to work the better.
>
> Thanks
>

Michael

trapping them nicely here without fuzzyocr or imageinfo..

5.40 BAYES_99 Bayesian spam probability is 99 to 100%
4.00 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
0.77 DIGEST_MULTIPLE Message hits more than one network digest check
1.25 HOST_EQ_IT
0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
1.50 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
0.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.79 SARE_LWSHORTT
1.66 SARE_MLB_Stock1
1.66 SARE_MLB_Stock2
1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC.

the SARE stocks rules is very useful here...
-- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From rpoe at plattesheriff.org Mon Nov 13 17:50:10 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Mon Nov 13 17:51:39 2006 Subject: Debora is a huge spammers!!!! In-Reply-To: <015101c706a8$0e9f9400$3701a8c0@lapxp> References: <200611122116.kACLGo1c031961@bkserver.blacknight.ie> <015101c706a8$0e9f9400$3701a8c0@lapxp> Message-ID: <45585BF2.65ED.00A2.0@plattesheriff.org> grep -c debora maillog server 1: 5881 server 2: 7996 server 3: 380 server 4: 1366 server 5: 1752 All of these servers are on different networks, each handling different domain names. Server 2 is a co-located web host, and it has 2 relay domains (i.e. it scans and forwards for 2 domains), and 38 local domain names (for clients). All servers are Centos (3 or 4, mostly 4), MailScanner latest, SA latest, 4-5 are greylisting, clam latest, running most of the SARE rulesets, most of them are using at least 1 or 2 RBLs. From rpoe at plattesheriff.org Mon Nov 13 17:53:11 2006 
From: rpoe at plattesheriff.org (Rob Poe) Date: Mon Nov 13 17:53:53 2006 Subject: Annoying!!! Message-ID: <45585CA7.65ED.00A2.0@plattesheriff.org> Someone is sending spam as one of my domains (poeweb.com, if you're getting it, it's NOT me!). I'm getting literally hundreds of bounce messages daily. I *DO* have a catchall for this domain, and that's getting a lot of the bounceback messages. Anyone have any great ideas for at least slowing the delivery failure, bounced for spam, etc messages? It's image based stock spam that they're sending. I'd really like them to stop, it's quite annoying. From martinh at solidstatelogic.com Mon Nov 13 18:03:25 2006 
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Mon Nov 13 18:03:42 2006
Subject: Annoying!!!
In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org>
References: <45585CA7.65ED.00A2.0@plattesheriff.org>
Message-ID: <4558B36D.60904@solidstatelogic.com>

Rob Poe wrote:
> Someone is sending spam as one of my domains (poeweb.com, if you're getting it, it's NOT me!). I'm getting literally hundreds of bounce messages daily.
>
> I *DO* have a catchall for this domain, and that's getting a lot of the bounceback messages.
>
> Anyone have any great ideas for at least slowing the delivery failure, bounced for spam, etc messages?
>
> It's image based stock spam that they're sending. I'd really like them to stop, it's quite annoying.
>

Rob

the latest sare_stock and dcc/razor2 handle the email quite nicely....

there's a nice ruleset for SA to deal with bounce email at....

http://www.timj.co.uk/linux/bogus-virus-warnings.cf

BUT you'll need to stop of the rules firing otherwise a lot of mailscanner processed stuff will get caught....add this to your local.cf

score VIRUS_WARNING15 0
score VIRUS_WARNING28 0
score VIRUS_WARNING33 0
score VIRUS_WARNING62 0
score VIRUS_WARNING66 0
score VIRUS_WARNING226 0
score VIRUS_WARNING250 0
score VIRUS_WARNING300 0
score VIRUS_WARNING326 0
score VIRUS_WARNING339 0
score VIRUS_WARNING340 0

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From glenn.steen at gmail.com Mon Nov 13 18:05:16 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 13 18:05:19 2006 Subject: Annoying!!! In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org> References: <45585CA7.65ED.00A2.0@plattesheriff.org> Message-ID: <223f97700611131005l5cea595ahe4d74c0a7f89c373@mail.gmail.com> On 13/11/06, Rob Poe wrote: > Someone is sending spam as one of my domains (poeweb.com, if you're getting it, it's NOT me!). I'm getting literally hundreds of bounce messages daily. > > I *DO* have a catchall for this domain, and that's getting a lot of the bounceback messages. > > Anyone have any great ideas for at least slowing the delivery failure, bounced for spam, etc messages? > > It's image based stock spam that they're sending. I'd really like them to stop, it's quite annoying. > > Why do you "catch all"? Reject unknown instead. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From danc at bluestarshows.com Mon Nov 13 18:01:04 2006 
From: danc at bluestarshows.com (Dan Carl)
Date: Mon Nov 13 18:05:38 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> <013301c70739$c57359f0$0200000a@danc3>
Message-ID: <01f501c7074d$b0296e90$0200000a@danc3>

I don't understand what's going on.
Here's a header that was marked as spam.

X-Bluestar-MScan-SpamCheck: spam, SpamAssassin (not cached, score=9.897,
    required 6, BAYES_99 3.50, FORGED_RCVD_HELO 0.14, HTML_40_50 0.50,
    HTML_IMAGE_ONLY_12 1.87, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00,
    RCVD_IN_XBL 3.90)

Doesn't this tell me that mailscanner is using Spamassassin?
If it is, why when I manually run spam that doesn't get marked through spamassassin I get an output like this?

Content analysis details:   (9.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.7092]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [151.41.202.96 listed in dnsbl.sorbs.net]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [151.41.202.96 listed in sbl-xbl.spamhaus.org]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [151.41.202.96 listed in combined.njabl.org]

The header shows:
X-Bluestar-SpamScore: sssss
X-Spam-Status: No

Please someone tell me how to stop this crap from getting through?

----- Original Message -----
From: "Dan Carl"
To: "MailScanner discussion"
Sent: Monday, November 13, 2006 9:38 AM
Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it

>
> ----- Original Message -----
> From: "Glenn Steen"
> To: "MailScanner discussion"
> Sent: Saturday, November 11, 2006 2:26 AM
> Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it
>
>
> > On 10/11/06, Dan Carl wrote:
> > >
> > (snip)
> > > > If you've upgraded SA, did you run the sa-update after that?
> > > I ran sa-update
> > Good.
> > > > Does it look like MailScanners instance of SA is finding/using the correct
> > > > /var/lib/spamassassin/...?
> > > >
> > > sorry not sure how to verify this.
> > Well, the output you just showed (snipped by me:) is an indicator. You
> > could add a rule that would be sure to fire into that directory,
> > restart MS and run a testmessage through... and look at what rules
> > fired...
> Can you please explain how to do this?
> Question:
> Do these need to be set?
> SpamAssassin Install Prefix =
> SpamAssassin Local Rules Dir =
> SpamAssassin Default Rules Dir =
> The conf says that if spamassassin is installed in its default
> location(which mine is)
> they don't need to be set.. Correct?
>
> >
> > -- Glenn
> > email: glenn < dot > steen < at > gmail < dot > com
> > work: glenn < dot > steen < at > ap1 < dot > se
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From ka at pacific.net Mon Nov 13 18:08:48 2006
From: ka at pacific.net (Ken A) Date: Mon Nov 13 18:06:32 2006 Subject: Annoying!!! In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org> References: <45585CA7.65ED.00A2.0@plattesheriff.org> Message-ID: <4558B4B0.3050309@pacific.net> Catchalls are popular with spammers. They like the fact that all bounces that they generate will be delivered to some poor sucker and not end up in a postmaster box that might be looked at carefully and reported more quickly. You should remove the catchall and bounce the bounces. Ken Pacific.Net Rob Poe wrote: > Someone is sending spam as one of my domains (poeweb.com, if you're > getting it, it's NOT me!). I'm getting literally hundreds of bounce > messages daily. > > I *DO* have a catchall for this domain, and that's getting a lot of > the bounceback messages. > > Anyone have any great ideas for at least slowing the delivery > failure, bounced for spam, etc messages? > > It's image based stock spam that they're sending. I'd really like > them to stop, it's quite annoying. > > > From matt at coders.co.uk Mon Nov 13 18:11:30 2006 From: matt at coders.co.uk (Matt Hampton) Date: Mon Nov 13 18:11:58 2006 Subject: Annoying!!! In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org> References: <45585CA7.65ED.00A2.0@plattesheriff.org> Message-ID: <4558B552.3080902@coders.co.uk> Rob Poe wrote: > Someone is sending spam as one of my domains (poeweb.com, if you're getting it, it's NOT me!). I'm getting literally hundreds of bounce messages daily. > > I *DO* have a catchall for this domain, and that's getting a lot of the bounceback messages. > > Anyone have any great ideas for at least slowing the delivery failure, bounced for spam, etc messages? > > It's image based stock spam that they're sending. I'd really like them to stop, it's quite annoying. > > > If you are running sendmail look at milter-null matt From clacroix at cegep-ste-foy.qc.ca Mon Nov 13 18:25:02 2006 
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix)
Date: Mon Nov 13 18:25:10 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <45585A52.65ED.00A2.0@plattesheriff.org>
References: <200611121954.kACJs8mT030323@bkserver.blacknight.ie> <4558354B.20705@solidstatelogic.com> <45585A52.65ED.00A2.0@plattesheriff.org>
Message-ID: <200611131325.03871.clacroix@cegep-ste-foy.qc.ca>

I'm also being hit quite a bit by this debora :)

maillog:22218
maillog.0.bz2:59521
maillog.1.bz2:5076

On Monday 13 November 2006 12:43, Rob Poe wrote:
> grep -c debora maillog*
> maillog:1364
> maillog.1:4611
> maillog.2:732
> maillog.3:4
> maillog.4:3
>
> >>> Martin Hepworth 11/13/2006 3:05 AM >>>
>
> Michael S. wrote:
> > The huge increase in stock spam that everyone is seeing is coming from
> > the username that is consistently the same. Has anyone noticed?
> >
> > These are different variations of the username@
> >
> > deborahpessanha@bridportleisure.com
> >
> > deborasalsano@brokermart.com
> >
> > deborahvw@brooksmetals.com
> >
> > Etc. Notice the first 6 characters of every username being Debora?
> >
> > Is there an exim rule that one can implement in exim.conf for example
> > that rejects all mail arriving from Debora??????@fakedomain.com
> > ?
> >
> > Id rather do this at SMTP time instead of allows MS to kill it off as
> > there are thousands and the less MS has to work the better.
> >
> > Thanks
> > Michael
>
> trapping them nicely here without fuzzyocr or imageinfo..
>
> 5.40 BAYES_99                  Bayesian spam probability is 99 to 100%
> 4.00 DCC_CHECK                 Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> 0.77 DIGEST_MULTIPLE           Message hits more than one network digest check
> 1.25 HOST_EQ_IT
> 0.50 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
> 1.50 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
> 0.50 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
> 0.79 SARE_LWSHORTT
> 1.66 SARE_MLB_Stock1
> 1.66 SARE_MLB_Stock2
> 1.66 SARE_MLB_Stock5           Mentions stock symbol, tickers, or OTC.
>
> the SARE stocks rules is very useful here...
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote confirms that this email message has been swept
> for the presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

--
Charles Lacroix, Administrateur UNIX.
Service des télécommunications et des technologies
Cégep de Sainte-Foy (418) 659-6600 # 4266

From prandal at herefordshire.gov.uk Mon Nov 13 18:34:45 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Mon Nov 13 18:35:18 2006
Subject: Debora is a huge spammers!!!!
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581086D886@isabella.herefordshire.gov.uk>

grep -c "from=

-----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Rob Poe > Sent: 13 November 2006 17:43 > To: MailScanner discussion; Martin Hepworth > Subject: Re: Debora is a huge spammers!!!! > > grep -c debora maillog* > maillog:1364 > maillog.1:4611 > maillog.2:732 > maillog.3:4 > maillog.4:3 > > > > >>> Martin Hepworth 11/13/2006 > 3:05 AM >>> > Michael S. wrote: > > The huge increase in stock spam that everyone is seeing is > coming from > > the username that is consistently the same. Has anyone noticed? > > > > These are different variations of the username@ > > > > > > > > deborahpessanha@bridportleisure.com > > > > > > deborasalsano@brokermart.com > > > > deborahvw@brooksmetals.com > > > > > > > > Etc. Notice the first 6 characters of every username being Debora? > > > > > > > > > > > > Is there an exim rule that one can implement in exim.conf > for example > > that rejects all mail arriving from Debora??????@fakedomain.com > > ? > > > > > > > > Id rather do this at SMTP time instead of allows MS to kill > it off as > > there are thousands and the less MS has to work the better. > > > > > > > > Thanks > > > Michael > > trapping them nicely here without fuzzyocr or imageinfo.. > > 5.40 BAYES_99 Bayesian spam probability is 99 to 100% > 4.00 DCC_CHECK Listed in DCC > (http://rhyolite.com/anti-spam/dcc/) > 0.77 DIGEST_MULTIPLE Message hits more than one network digest check > 1.25 HOST_EQ_IT > 0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% > 1.50 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 > confidence level > above 50% > 0.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) > 0.79 SARE_LWSHORTT > 1.66 SARE_MLB_Stock1 > 1.66 SARE_MLB_Stock2 > 1.66 SARE_MLB_Stock5 Mentions stock symbol, tickers, or OTC. > > the SARE stocks rules is very useful here... 
> -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From rpoe at plattesheriff.org Mon Nov 13 20:39:01 2006 From: rpoe at plattesheriff.org (Rob Poe) Date: Mon Nov 13 20:39:37 2006 Subject: Annoying!!! In-Reply-To: <223f97700611131005l5cea595ahe4d74c0a7f89c373@mail.gmail.com> References: <45585CA7.65ED.00A2.0@plattesheriff.org> <223f97700611131005l5cea595ahe4d74c0a7f89c373@mail.gmail.com> Message-ID: <45588385.65ED.00A2.0@plattesheriff.org> >Why do you "catch all"? Reject unknown instead. Catch all, because it's used for family, but I use the rob- prefix .. When I sign up for a site, i use a code that I know I used on each site .. makes it easier to filter out spam if/when the email address gets sold.. From dward at nccumc.org Mon Nov 13 20:45:06 2006 
From: dward at nccumc.org (Douglas Ward) Date: Mon Nov 13 20:45:08 2006 Subject: Annoying!!! In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org> References: <45585CA7.65ED.00A2.0@plattesheriff.org> Message-ID: I have started rejecting the .gif extension in postfix. That has taken care of the majority of the image based stock spam (for now). On 11/13/06, Rob Poe wrote: > > Someone is sending spam as one of my domains (poeweb.com, if you're > getting it, it's NOT me!). I'm getting literally hundreds of bounce > messages daily. > > I *DO* have a catchall for this domain, and that's getting a lot of the > bounceback messages. > > Anyone have any great ideas for at least slowing the delivery failure, > bounced for spam, etc messages? > > It's image based stock spam that they're sending. I'd really like them to > stop, it's quite annoying. > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061113/d4beaa50/attachment.html From r.berber at computer.org Mon Nov 13 20:46:44 2006 
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Mon Nov 13 20:47:54 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
In-Reply-To: <01f501c7074d$b0296e90$0200000a@danc3>
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> <013301c70739$c57359f0$0200000a@danc3> <01f501c7074d$b0296e90$0200000a@danc3>
Message-ID:

Dan Carl wrote:

> I don't understand what's going on.
> Here's a header that was marked as spam.
> X-Bluestar-MScan-SpamCheck: spam, SpamAssassin (not cached, score=9.897,
> required 6, BAYES_99 3.50, FORGED_RCVD_HELO 0.14, HTML_40_50 0.50,
> HTML_IMAGE_ONLY_12 1.87, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00,
> RCVD_IN_XBL 3.90)
> Doesn't this tell me that mailscanner is using Spamassassin?

Yes.

> If it is, why when I manually run spam that doesn't get marked through
> spamassassin I get an output like this?
>
> Content analysis details: (9.0 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>  1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
>                             [score: 0.7092]
>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>                             [151.41.202.96 listed in dnsbl.sorbs.net]
>  3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [151.41.202.96 listed in sbl-xbl.spamhaus.org]
>  1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
>                             [151.41.202.96 listed in combined.njabl.org]

7.9 / 9.0 is from RBLs, perhaps you have configured MS to use its own RBL checks (or none at all) and they are different from what SA uses by default. That would mean that you didn't configure SA as recommended (link MS's etc/spam.assassin.prefs.conf to /etc/mail/spamassassin/mailscanner.cf or to local.cf, so they use the same configuration).

> The header shows:
> X-Bluestar-SpamScore: sssss
> X-Spam-Status: No
[snip]

About 5 (for the same message?), this could also be caused by AWL. If you are running SA as a different user, this happens all the time, I prefer to run `spamassassin -x ...` to avoid this (but not cache hits or image hits, which are more difficult to avoid) and erase the email address from the whitelist (i.e. `spamassassin --remove-addr-from-whitelist=...`).

You need to analyze just one message in detail, what scores differ, what rules match or don't match. Then look at what is causing the differences.

--
René Berber

From ccampbell at brueggers.com Mon Nov 13 20:46:45 2006
From: ccampbell at brueggers.com (Christian Campbell)
Date: Mon Nov 13 20:48:13 2006
Subject: OT: Sendmail.cf question
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3090 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061113/5034b4dc/smime.bin

From Kevin_Miller at ci.juneau.ak.us Mon Nov 13 21:07:03 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Nov 13 21:07:18 2006 Subject: Annoying!!! In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org> Message-ID: Rob Poe wrote: > Someone is sending spam as one of my domains (poeweb.com, if you're > getting it, it's NOT me!). I'm getting literally hundreds of bounce > messages daily. Are you running SPF? It won't stop the spam, but many sites will refuse to accept it if it's not coming from your server. That will cut down on the bounce messages. ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From john at netdirect.ca Mon Nov 13 21:20:00 2006 From: john at netdirect.ca (John Van Ostrand) Date: Mon Nov 13 21:20:14 2006 Subject: OT: Sendmail.cf question In-Reply-To: References: Message-ID: <1163452800.11897.266.camel@venture.office.netdirect.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061113/a661c1fa/attachment.bin From res at ausics.net Mon Nov 13 21:33:54 2006 
From: res at ausics.net (Res)
Date: Mon Nov 13 21:34:11 2006
Subject: Slightly OT - RBL test.
In-Reply-To: <4558547D.4010602@mailwash.com.au>
References: <4558547D.4010602@mailwash.com.au>
Message-ID:

On Mon, 13 Nov 2006, Tony Enderby wrote:

> Hi all,
>
> I was wondering if someone who gets a fair mail volume passing through their
> servers (10 to 30k) per day
> and who uses MailScanner would mind testing a budding RBL I am setting up and
> in the process of testing
> at the moment.
>
> The current IP lists are small and won't return anything useful for a while
> but I'd like to load test the servers on which they run.

Using rbldnsd?

I set this up once, we used a crappy single cpu p3 server with like only 512 ram, that's how gutless it was..(well it was only occupying storage space otherwise)...

Our 6 key mail servers processed well over 3 million messages a day and it never murmured, nor was there any impact on the mail servers, we went this way because it was easier to maintain our mail blocking rather than add them to all the servers access lists.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From danc at bluestarshows.com Mon Nov 13 21:38:20 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Mon Nov 13 21:42:25 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> <013301c70739$c57359f0$0200000a@danc3><01f501c7074d$b0296e90$0200000a@danc3>
Message-ID: <029501c7076c$0a099110$0200000a@danc3>

----- Original Message -----
From: "René Berber"
To:
Sent: Monday, November 13, 2006 2:46 PM
Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it

>
> > If it is, why when I manually run spam that doesn't get marked through
> > spamassassin I get an output like this?
> >
> > Content analysis details: (9.0 points, 5.0 required)
> >
> >  pts rule name              description
> > ---- ---------------------- --------------------------------------------------
> >  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
> >  1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
> >                             [score: 0.7092]
> >  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
> >                             [151.41.202.96 listed in dnsbl.sorbs.net]
> >  3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
> >                             [151.41.202.96 listed in sbl-xbl.spamhaus.org]
> >  1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
> >                             [151.41.202.96 listed in combined.njabl.org]
>
> 7.9 / 9.0 is from RBLs, perhaps you have configured MS to use its own RBL checks
> (or none at all) and they are different from what SA uses by default. That

I have no RBL listed in my MS conf. because I thought if it was set to use SA it would use SA's RBL.

> would mean that you didn't configure SA as recommended (link MS's
> etc/spam.assassin.prefs.conf to /etc/mail/spamassassin/mailscanner.cf or to
> local.cf, so they use the same configuration).

Have the link set.
/etc/mail/spamassassin/mailscanner.cf -> /etc/MailScanner/spam.assassin.prefs.conf

> > The header shows:
> > X-Bluestar-SpamScore: sssss
> > X-Spam-Status: No
> [snip]
>
> About 5 (for the same message?),

YES

> this could also be caused by AWL. If you are
> running SA as a different user, this happens all the time, I prefer to run

I have spamassassin and mailscanner running as the same user.

> `spamassassin -x ...` to avoid this (but not cache hits or image hits, which are
> more difficult to avoid) and erase the email address from the whitelist (i.e.
> `spamassassin --remove-addr-from-whitelist=...`)
> You need to analyze just one message in detail, what scores differ, what rules
> match or don't match. Then look at what is causing the differences.

OK I know how to run a test email through SA:
spamassassin -tx < test.eml
How do I do it with Mailscanner?

> --
> René Berber
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From leah at frauerpower.com Mon Nov 13 21:42:53 2006
From: leah at frauerpower.com (Leah Cunningham)
Date: Mon Nov 13 21:42:48 2006
Subject: Messages passing through Mailscanner lose X-Mailer headers, and turn up as SPAM, but no Mailscanner no problem
Message-ID: <200611131642.53900.leah@frauerpower.com>

I have a strange problem. I have a client whose internal user is able to successfully send messages to me from their old Q-Mail server without a problem. If the same user, with the same mail client, computer, etc, sends a message through a newer mail server that I have set up for them that runs MailScanner (with Postfix), the message is detected by my own mail server (and many others) as Spam, and has different headers. It seems part of the reason is that Spamassassin thinks it is a bogus Outlook, maybe because the X-Mailer header is not there.

The major difference I notice is that in the one that went through MailScanner, we are missing these two headers that are in the one that went through their old mail server, and I want to know why:

X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Here are the headers when the message is sent through their old Qmail based server:

Return-Path:
Delivered-To: leah@frauerpower.com
Received: from misconnew.misconsult.com (misconsult.com [209.226.172.34])
    by sauerkraut.heinous.org (Postfix) with SMTP id D7BB6E565
    for ; Thu, 9 Nov 2006 15:17:10 -0500 (EST)
Received: (qmail 3965 invoked by uid 1010); 9 Nov 2006 20:33:11 -0000
Received: from robert@misconsult.com by misconnew by uid 1007 with qmail-scanner-1.20st
    (clamuko: 0.70. spamassassin: 2.63. Clear:RC:1(192.168.1.28):.
    Processed in 62.666888 secs); 09 Nov 2006 20:33:11 -0000
Received: from unknown (HELO MIS05) (192.168.1.28)
    by misconnew.misconsult.com with SMTP; 9 Nov 2006 20:32:05 -0000
From: "Bob Lewis"
To:
Subject: Test 3 Nov 9 to leah@frauerpower.com
Date: Thu, 9 Nov 2006 15:15:50 -0500
Message-ID: <000801c7043b$dcf7aff0$1c01a8c0@MIS05>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0009_01C70411.F421A7F0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-heinous-MailScanner-Information: Please contact the ISP for more information
X-heinous-MailScanner: Found to be clean
X-heinous-MailScanner-From: robert@misconsult.com
X-Spam-Status: No
X-Length: 10426
X-UID: 3026

And here are the headers using the Postfix + MailScanner combination:

Return-Path:
Delivered-To: support@frauerpower.com
Received: from misconsult.com (misconsult.com [209.226.172.34])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by sauerkraut.heinous.org (Postfix) with ESMTP id B6A10DE3C
    for ; Thu, 9 Nov 2006 12:49:27 -0500 (EST)
From: "Bob Lewis"
To:
Subject: {Spam?} test nov 9
Date: Thu, 9 Nov 2006 12:49:02 -0500
Message-ID: <000301c70427$5b061770$1c01a8c0@MIS05>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0004_01C703FD.72328070"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Importance: Normal
X-misconsult-MailScanner-Information: Please contact the ISP for more information
X-misconsult-MailScanner: Found to be clean
X-misconsult-MailScanner-From: robert@misconsult.com
X-Spam-Status: No, Yes
X-heinous-MailScanner-Information: Please contact the ISP for more information
X-heinous-MailScanner: Found to be clean
X-heinous-MailScanner-SpamCheck: spam, SpamAssassin (score=8.23, required 6,
    BAYES_00 -2.60, HTML_90_100 0.11, HTML_MESSAGE 0.00, MISSING_MIMEOLE 1.61,
    MSGID_DOLLARS 1.72, PRIORITY_NO_NAME 2.70, RATWARE_MS_HASH 1.91,
    RATWARE_OUTLOOK_NONAME 2.78)
X-heinous-MailScanner-SpamScore: ssssssss
X-heinous-MailScanner-From: robert@misconsult.com

Any ideas on why these headers are missing, and what else I might do so that we can have the new mail server work?

Please cc leah@heinous.org on this if it's not too much trouble.

Thanks,
Leah

--
Leah Cunningham : d416-585-9971x692 : d416-703-5977 : m416-559-6511
Frauerpower! Co. : www.frauerpower.com : Toronto, ON Canada

From r.berber at computer.org Mon Nov 13 22:13:58 2006
From: r.berber at computer.org (René Berber)
Date: Mon Nov 13 22:16:49 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
In-Reply-To: <029501c7076c$0a099110$0200000a@danc3>
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com>
        <013301c70739$c57359f0$0200000a@danc3><01f501c7074d$b0296e90$0200000a@danc3>
        <029501c7076c$0a099110$0200000a@danc3>
Message-ID:

Dan Carl wrote:
[snip]
> I have no RBL listed in my MS conf. because I thought if it was set to use
> SA it would use SA's RBL.

It does, but the configuration (mailscanner.cf) has to explicitly enable it with "skip_rbl_checks 0" (the default is set to 1).

[snip]
> OK I know how run a test email through SA:
> spamassassin -tx < test.eml
> How do I do it with Mailscanner?

The easiest way is to send a message from outside. MS works with the mail queues so any manual test would have to add the qf/df files directly to mqueue.in which doesn't look easy to me.

--
René Berber

From chandler at chapman.edu Mon Nov 13 22:31:34 2006
From: chandler at chapman.edu (Jay Chandler)
Date: Mon Nov 13 22:31:46 2006
Subject: Massive queue buildup
Message-ID:

Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early.

It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building.

Any idea where to look to sort out where it's coming from?

It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13.

Any guidance would be greatly appreciated.

--
Jay Chandler
Network Administrator, Chapman University
714-628-7249 / chandler@chapman.edu
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here."
-- Peter Da Silva in a.s.r.

From brent.addis at pronet.co.nz Mon Nov 13 22:42:32 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Mon Nov 13 22:44:22 2006
Subject: Massive queue buildup
References:
Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF4D@pro-ak-exch01.hosted.pronet.net.nz>

Check you're not running one of those massive blacklists from SARE.

I was running one for a while while testing and a similar thing happened. Removing it dropped my average scan time from ~2 1/2 minutes to 11 seconds per message.

Other ideas:

- Check your DNS servers are capable of standing up to the amount of DNS requests you are making. Running something like nscd locally is a good idea.

- Are you running very many RBLs within mailscanner? Try disabling these and see if it helps.

- Are you running any type of recipient verification? (as in, checking that the person being sent the mail actually exists). If not, try turning it on. I am unsure what it is called within postfix as I don't use it.

- Check out http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips which has a few others as well.

How much mail are you handling a day? I have a couple of single cpu 3.0 ghz machines comfortably handling many thousands of messages a day.

________________________________
From john at netdirect.ca Mon Nov 13 22:51:51 2006
From: john at netdirect.ca (John Van Ostrand)
Date: Mon Nov 13 22:52:09 2006
Subject: Messages passing through Mailscanner lose X-Mailer headers, and turn up as SPAM, but no Mailscanner no problem
In-Reply-To: <200611131642.53900.leah@frauerpower.com>
References: <200611131642.53900.leah@frauerpower.com>
Message-ID: <1163458311.11897.286.camel@venture.office.netdirect.ca>

On Mon, 2006-11-13 at 16:42 -0500, Leah Cunningham wrote:
> I have a strange problem. I have a client whose internal user is able to
> successfully send messages to me from their old Q-Mail server without a
> problem. If the same user, with the same mail client, computer, etc, sends a
> message through a newer mail server that I have set up for them that runs
> MailScanner (with Postfix), the message is detected by my own mail server
> (and many others) as Spam, and has different headers. It seems part of the
> reason is that Spamassassin thinks it is a bogus Outlook, maybe because the
> X-Mailer header is not there.
>
> The major difference I notice is that in the one that went through
> MailScanner, we are missing these two headers that are in the one that went
> through their old mail server, and I want to know why:
>
> X-Mailer: Microsoft Outlook, Build 10.0.2627
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This may not be much help, but you have received headers missing too. Based on the Spam report in the second message I think you've identified the missing Outlook headers as being the key. Find out whether postfix or Mailscanner is removing them and you should be fine.

I would try a tcpdump on the client's postfix server to see what is being delivered to postfix. Do a similar one on the outgoing email to at least confirm that it's the client server.

I use sendmail, where a split queue is used. One may be able to examine the queue files in each queue if you can stop the processes at the right time.

Good luck.

--
John Van Ostrand                Net Direct Inc.
CTO, co-CEO                     564 Weber St. N. Unit 12
                                Waterloo, ON N2L 5C6
john@netdirect.ca               ph: 518-883-1172 x5102
Linux Solutions / IBM Hardware  fx: 519-883-8533

From raymond at prolocation.net Mon Nov 13 22:55:05 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Nov 13 22:55:03 2006
Subject: Massive queue buildup
In-Reply-To:
References:
Message-ID:

Hi!

> Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown
> last week-- was forced to throw this box into production early.
>
> It ran fine over the weekend, but today there's a massive queue buildup when
> I run an mqueue-- 10K so far and building.
>
> Any idea where to look to sort out where it's coming from?

I know this sounds silly, but what about your mail log?

> It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load
> average of around 13.

Slow DNS lookups? Large bayes db's etc etc ...

Bye,
Raymond.

From danc at bluestarshows.com Mon Nov 13 22:57:44 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Mon Nov 13 23:01:50 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com>
        <013301c70739$c57359f0$0200000a@danc3><01f501c7074d$b0296e90$0200000a@danc3>
        <029501c7076c$0a099110$0200000a@danc3>
Message-ID: <02d601c70777$216cf580$0200000a@danc3>

----- Original Message -----
From: "René Berber"
To:
Sent: Monday, November 13, 2006 4:13 PM
Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it

> Dan Carl wrote:
> [snip]
> > I have no RBL listed in my MS conf. because I thought if it was set to use
> > SA it would use SA's RBL.
>
> It does, but the configuration (mailscanner.cf) has to explicitly enable it with
> "skip_rbl_checks 0" (the default is set to 1).

this differs from what's noted in the mailscanner cf

# By default, SpamAssassin will run RBL checks. If your ISP already
# does this, stop RBL checks in SpamAssassin by un-commenting the
# following line

but I uncommented it out anyway and set it to 0 like you suggested

> [snip]
> > OK I know how run a test email through SA:
> > spamassassin -tx < test.eml
> > How do I do it with Mailscanner?
>

Test with the same message

FROM SPAMASSASSIN:

Content analysis details:   (9.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [58.56.112.230 listed in sbl-xbl.spamhaus.org]
 3.2 RCVD_IN_SBL            RBL: Received via a relay in Spamhaus SBL
                            [58.56.112.230 listed in sbl-xbl.spamhaus.org]

FROM MAILSCANNER:

X-Bluestar-MScan-SpamCheck: spam, SpamAssassin (not cached, score=9.094,
        required 6, BAYES_50 0.00, DATE_IN_PAST_03_06 0.48,
        RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SBL 3.16, RCVD_IN_XBL 3.90)
X-Bluestar-SpamScore: sssssssss

Looks to me like they're very close to one another.
Do they have to be exact?
Both marked them as spam, good no problem.

The problem I have is the ones that get through MailScanner.
They contain no information in the header.

Example:

FROM MAILSCANNER:

X-Bluestar-Scanned: Found to be clean
X-Spam-Status: No

FROM SPAMASSASSIN:

Content analysis details:   (31.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 4.1 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.6529]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: goneextra.com]
 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: goneextra.com]
 3.8 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: goneextra.com]
 4.1 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: goneextra.com]
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check

These are the same message.
What gives? Me dog could tell this is SPAM.
It's like Mailscanner changes the header but never scans the message.
Any ideas for me?

Sorry for the length, just trying to give detailed information.
I set conf file to log spam and no spam, maybe I'll find something here.

thx for your help.

> The easiest way is to send a message from outside. MS works with the mail
> queues so any manual test would have to add the qf/df files directly to
> mqueue.in which doesn't look easy to me.
> --
> René Berber
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From ssilva at sgvwater.com Mon Nov 13 23:24:31 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Nov 13 23:25:53 2006
Subject: Mail Not Delivering
In-Reply-To: <223f97700611130119k45a4ba9cm2a7ab87f52c5c1f2@mail.gmail.com>
References: <1163260360.27853.97.camel@thor.greenbuzz.net>
        <455603F5.4050101@solidstatelogic.com>
        <1163266421.27853.120.camel@thor.greenbuzz.net>
        <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com>
        <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com>
        <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com>
        <223f97700611130119k45a4ba9cm2a7ab87f52c5c1f2@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 11/13/2006 1:19 AM:
> On 13/11/06, Res wrote:
>> On Sun, 12 Nov 2006, Glenn Steen wrote:
>>
>> > Nope, I think it has something to do with general understaffing and
>> > continually jumping from one hot spot to the next (networking
>> > (switches, firewalls, VPN GWs, RSA ACE etc etc), Unix admin (some
>> > hefty AIX boxes, a slew of Suns, a plethora of linuces), backup
>>
>> *snip* what are you a one man NOC ? surely you can delegate, but I
>> know if somthing f2#$#s up it still comes back down to me, thats why
>> competant engineers by my side are a must ;)
> The term there is _understaffed_;-). Then one becomes "key" to
> operations in oh so many ways. Sigh. We're leasing the needed people
> to delegate to, but... It's not the same as a fellow employee.
>
>> > The MX GWs with postfix/MailScanner/etc/etc is what _saves_ me time,
>> > more time to qmail (Q for quirky, right:) or snide^H^H^H^Hendmail if I
>>
>> We are shortly about to remove qmail from equation on all our virtual
>> domain boxes by using sendmail and cyrus, I'm sick to death of
>> spending 2 days
>> patching the usless peice of crap every time we want some other feature
>> thats defaultly in sendmail and has been in it for like 8 years or more.
>>
>> bernstein is right about one thing tho, qmail is secure, afterall how can
>> you exploit somthing that does nothing :D
>>
> Yep:-).
>

Understaffed and underpaid! That is the sysop's theme song!
Let's all sing along!!!
It is so easy for my boss to give me 3 or 4 jobs, but I sure can't get payroll to cut me 3 or 4 paychecks!!!!

I'll stop sniveling now! I'll just go beat my head against a server. :-/

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From chandler at chapman.edu Mon Nov 13 23:39:02 2006
From: chandler at chapman.edu (Jay Chandler)
Date: Mon Nov 13 23:39:12 2006
Subject: Massive queue buildup
In-Reply-To: <7EF1F27F7292534D82933F70AB6996CC07AF4D@pro-ak-exch01.hosted.pronet.net.nz>
References: <7EF1F27F7292534D82933F70AB6996CC07AF4D@pro-ak-exch01.hosted.pronet.net.nz>
Message-ID:

On Nov 13, 2006, at 2:42 PM, Brent Addis wrote:

> Check your not running one of those massive blacklists from SARE.
>
> I was running one for a while while testing and a similar thing
> happened. removing it dropped my average scan time from ~2 1/2
> minutes to 11 seconds per message.
>

Where does one determine how long the average scan time is?

> Other ideas:
>
> - Check your dns servers are capable of standing up to the amount
> of dns requests you are making. Running something like nscd locally
> is a good idea.
>

I suspect they are, but I'll verify this.

> - Are you running very many RBL's within mailscanner? Try disabling
> these and see if it helps.
>

Three or four-- nothing insane.

> - Are you running any type of recipient verification? (as in,
> checking that the person being sent the mail actually exists). If
> not, try turning it on. I am unsure what it is called within
> postfix as I don't use it.
>

We are. Messages to undefined users fault to a 5xx error.

> - Check out http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips
> which has a few others as well.
>

Thanks!

> How much mail are you handling a day? I have a couple of single cpu
> 3.0 ghz machines comfortably handling many thousands of messages a
> day.
>

Right now, about 100K a day.

Thanks for the help!

--
Jay Chandler
Network Administrator, Chapman University
714-628-7249 / chandler@chapman.edu
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here."
-- Peter Da Silva in a.s.r.

From damian at workgroupsolutions.com Mon Nov 13 23:45:59 2006
From: damian at workgroupsolutions.com (Damian Mendoza)
Date: Mon Nov 13 23:46:13 2006
Subject: Massive queue buildup
In-Reply-To:
Message-ID: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com>

Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level.

That should get your server load down to 2.0 or lower to keep up with your traffic.

Regards,

Damian Mendoza
Mission Viejo, CA
949 586-2200

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jay Chandler
Sent: Monday, November 13, 2006 2:32 PM
To: mailscanner@lists.mailscanner.info
Subject: Massive queue buildup

Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early.

It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building.

Any idea where to look to sort out where it's coming from?

It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13.

Any guidance would be greatly appreciated.

--
Jay Chandler
Network Administrator, Chapman University
714-628-7249 / chandler@chapman.edu
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here."
-- Peter Da Silva in a.s.r.

From pete at enitech.com.au Mon Nov 13 23:47:46 2006
From: pete at enitech.com.au (Peter Russell)
Date: Mon Nov 13 23:47:54 2006
Subject: Massive queue buildup
In-Reply-To:
References: <7EF1F27F7292534D82933F70AB6996CC07AF4D@pro-ak-exch01.hosted.pronet.net.nz>
Message-ID: <45590422.60706@enitech.com.au>

Happened to me for a while - it was always an issue with a ruleset in SA. Are you sure you aren't running a redundant one? If you disable SA do you get the same problem?

spamassassin -D --lint would probably give you a few hints.

From brent.addis at pronet.co.nz Mon Nov 13 23:48:07 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Mon Nov 13 23:49:36 2006
Subject: Massive queue buildup
References: <7EF1F27F7292534D82933F70AB6996CC07AF4D@pro-ak-exch01.hosted.pronet.net.nz>
Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF51@pro-ak-exch01.hosted.pronet.net.nz>

If you want to only check spamassassin (generally the slowest part with lots of rules) "time spamassassin -D --lint" is a good start. As long as your mailscanner.cf is in a reasonable place it should pick it up.

If you keep an eye on where it seems to take a while, it should help you track down the problem.

Or, there is an option within mailscanner to turn on batch process time. I forget the name, however it's in the last quarter of the config somewhere.

Are you running bayes? If you are, and it's standard db files on the server, I would recommend migrating these to an sql server somewhere. This helped scan times a fair bit too. Another upside is this also means you can have multiple servers using the same db.

With RBLs, don't forget spamassassin also does RBL checking so make sure you're not doing twice the lookups you need to.

100k a day should be fine on the hardware you have.

________________________________
From r.berber at computer.org Mon Nov 13 23:51:13 2006
From: r.berber at computer.org (René Berber)
Date: Mon Nov 13 23:51:37 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
In-Reply-To: <02d601c70777$216cf580$0200000a@danc3>
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com>
        <013301c70739$c57359f0$0200000a@danc3><01f501c7074d$b0296e90$0200000a@danc3>
        <029501c7076c$0a099110$0200000a@danc3>
        <02d601c70777$216cf580$0200000a@danc3>
Message-ID:

Dan Carl wrote:
[snip]
> Looks to me like there very close to one another.
> Do they have to be exact?

No, but one score is just the rounded (to one decimal) value, so they seem to be the same.

> Both marked them as spam, good no problem.
>
> The problem I have is the the ones that get though MailScanner.
> They contain no information in the header.

That's an option on MS, look for "Always Include SpamAssassin Report".

[snip]
> These are the same message.
> What gives? Me dog could tell this is SPAM.
> Its like Mailscanner changes the header but never scans the message
> Any ideas for me?

I would take a look at the mail log, was the message white listed? Perhaps it used a fake address which causes MS to not scan it (check custom rules if you use them).

> sorry for the length just trying a give detail infomation.

No problem.

[snip]
--
René Berber

From brent.addis at pronet.co.nz Mon Nov 13 23:49:29 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Mon Nov 13 23:54:34 2006
Subject: Massive queue buildup
References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com>
Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz>

Greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone. They probably shouldn't have been using email to do what they were, but that's not the point.

Greylisting adds an unnecessary delay to email, and can quite easily be beaten if a spammer sets his mind to it.

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Damian Mendoza
Sent: Tue 11/14/2006 12:45 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level.

That should get your server load down to 2.0 or lower to keep up with your traffic.

Regards,

Damian Mendoza
Mission Viejo, CA
949 586-2200

________________________________
From ka at pacific.net Tue Nov 14 00:05:30 2006
From: ka at pacific.net (Ken A)
Date: Tue Nov 14 00:03:14 2006
Subject: Massive queue buildup
In-Reply-To: <7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz>
References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com>
        <7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz>
Message-ID: <4559084A.6060801@pacific.net>

Brent Addis wrote:
> greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone.

Oh, come on.. tell us how!! lol

They probably shouldn't have been using email to do what they were, but thats not the point.
>
> greylisting adds an unnecessary delay to email, and can quite easilly be beaten if a spammer sets his mind to it.

There's no reason for it to delay legit mail. Just configure to delay suspicious mail, based on rbl lookup or helo or whatever..

Ken A.
Pacific.Net

>
> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info on behalf of Damian Mendoza
> Sent: Tue 11/14/2006 12:45 PM
> To: MailScanner discussion
> Subject: RE: Massive queue buildup
>
> Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level.
>
> That should get your server load down to 2.0 or lower to keep up with your traffic.
>
> Regards,
>
> Damian Mendoza
> Mission Viejo, CA
> 949 586-2200
>
> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jay Chandler
> Sent: Monday, November 13, 2006 2:32 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Massive queue buildup
>
> Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early.
>
> It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building.
>
> Any idea where to look to sort out where it's coming from?
>
> It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13.
>
> Any guidance would be greatly appreciated.
>

From chandler at chapman.edu Tue Nov 14 00:09:54 2006
From: chandler at chapman.edu (Chandler, Jay)
Date: Tue Nov 14 00:09:58 2006
Subject: Massive queue buildup
Message-ID:

Time spamassassin -D --lint takes three point seven seconds-- I don't think that's where the holdup is occurring.

Our DNS server is local and on the same netblock as the mailserver in question.

We have a few RBLs at connecttime, but they seem to be holding up well.

It's a bit of a stumper...

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: your keyboard's space bar is generating spurious keycodes.

-----Original Message-----
From brent.addis at pronet.co.nz Tue Nov 14 00:12:37 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Tue Nov 14 00:15:43 2006
Subject: Massive queue buildup
References:
Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF54@pro-ak-exch01.hosted.pronet.net.nz>

3 seconds? Not bad!

However, are you sure that includes the mailscanner config? (It might be in /etc/spamassassin or /etc/mail/spamassassin)

if not, include the config file in your lint (I think it's either -C or -P /path/to/spam.assassin.conf)

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay
Sent: Tue 11/14/2006 1:09 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

Time spamassassin -D --lint takes three point seven seconds-- I don't think that's where the holdup is occurring.

Our DNS server is local and on the same netblock as the mailserver in question.

We have a few RBLs at connecttime, but they seem to be holding up well.

It's a bit of a stumper...

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: your keyboard's space bar is generating spurious keycodes.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 3:48 PM To: MailScanner discussion Subject: RE: Massive queue buildup if you want to only check spamassassin (generally the slowest part with lots of rules) "time spamassassin -D --lint" is a good start. as long as your mailscanner.cf is in a reasonable place it should pick it up. If you keep an eye on where it seems to take a while, it should help you track down the problem. Or, there is an option within mailscanner to turn on batch process time. I forget the name however its in the last quarter of the config somewhere. are you running bayes? If you are, and its standard db files on the server, I would recommend migrating these to an sql server somewhere. This helped scan times a fair bit too. Another upside is this also means you can have multiple servers using the same db. With RBL's, don't forget spamassassin also does RBL checking so make sure your not doing twice the lookups you need to. 100k a day should be fine on the hardware you have. ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info on behalf of Jay Chandler Sent: Tue 11/14/2006 12:39 PM To: MailScanner discussion Subject: Re: Massive queue buildup On Nov 13, 2006, at 2:42 PM, Brent Addis wrote: Check your not running one of those massive blacklists from SARE. I was running one for a while while testing and a similar thing happened. removing it dropped my average scan time from ~2 1/2 minutes to 11 seconds per message. Where does one determine how long the average scan time is? Other ideas: - Check your dns servers are capable of standing up to the amount of dns requests you are making. Running something like nscd locally is a good idea. I suspect they are, but I'll verify this. - Are you running very many RBL's within mailscanner? Try disabling these and see if it helps. Three or four-- nothing insane. - Are you running any type of recipient verification? (as in, checking that the person being sent the mail actually exists). If not, try turning it on. I am unsure what it is called within postfix as I don't use it. We are. Messages to undefined users fault to a 5xx error. - Check out http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips which has a few others as well. Thanks! How much mail are you handling a day? I have a couple of single cpu 3.0 ghz machines comfortably handling many thousands of messages a day. Right now, about 100K a day. Thanks for the help! -- Jay Chandler Network Administrator, Chapman University 714-628-7249 / chandler@chapman.edu "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available
Type: application/ms-tnef
Size: 7654 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061114/19854a1b/attachment.bin

From brent.addis at pronet.co.nz Tue Nov 14 00:19:35 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Tue Nov 14 00:21:03 2006
Subject: Massive queue buildup
References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com><7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz> <4559084A.6060801@pacific.net>
Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF53@pro-ak-exch01.hosted.pronet.net.nz>

you can't guarantee that non suspicious (however urgent) email won't be listed in an rbl or have an invalid HELO at all times.

Copied from another list as well:

One important thing to watch for is that for larger sites the server that first tries to send your email might not be the one that tries to resend it later. Greylisting sites will thus block the email for a while until the sending site gets lucky and uses the same machine twice in a row.

Generating tempfail messages to sending sites is just asking for trouble IMHO. You really can't determine exactly they will act and how long they will take to retry to send the message. Any delay is 100% your fault although most people using greylisting seem keen to push the blame to the sending site.

It's the equivalent of ignoring someone when they first email/call you and saying "If it's important they'll ring back" . Not very polite and possibly not providing the best service to customers.

________________________________
From: mailscanner-bounces@lists.mailscanner.info on behalf of Ken A Sent: Tue 11/14/2006 1:05 PM To: MailScanner discussion Subject: Re: Massive queue buildup Brent Addis wrote: > greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone. Oh, come on.. tell us how!! lol They probably shouldn't have been using email to do what they were, but thats not the point. > > greylisting adds an unnecessary delay to email, and can quite easilly be beaten if a spammer sets his mind to it. There's no reason for it to delay legit mail. Just configure to delay suspicious mail, based on rbl lookup or helo or whatever.. Ken A. Pacific.Net > > ________________________________ > > From: mailscanner-bounces@lists.mailscanner.info on behalf of Damian Mendoza > Sent: Tue 11/14/2006 12:45 PM > To: MailScanner discussion > Subject: RE: Massive queue buildup > > > > Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level. > > > > That should get your server load down to 2.0 or lower to keep up with your traffic. > > > > > > Regards, > > > Damian Mendoza > > Mission Viejo, CA > > 949 586-2200 > > > > > > ________________________________ 
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jay Chandler > Sent: Monday, November 13, 2006 2:32 PM > To: mailscanner@lists.mailscanner.info > Subject: Massive queue buildup > > > > Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early. > > > > It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building. > > > > Any idea where to look to sort out where it's coming from? > > > > It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13. > > > > Any guidance would be greatly appreciated. > > > > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/ms-tnef Size: 6850 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061114/f62ade16/attachment.bin From ssilva at sgvwater.com Tue Nov 14 00:30:11 2006 
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Nov 14 00:30:37 2006
Subject: Annoying!!!
In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org>
References: <45585CA7.65ED.00A2.0@plattesheriff.org>
Message-ID:

Rob Poe spake the following on 11/13/2006 9:53 AM:
> Someone is sending spam as one of my domains (poeweb.com, if you're getting it, it's NOT me!). I'm getting literally hundreds of bounce messages daily.
>
> I *DO* have a catchall for this domain, and that's getting a lot of the bounceback messages.
>
> Anyone have any great ideas for at least slowing the delivery failure, bounced for spam, etc messages?
>
> It's image based stock spam that they're sending. I'd really like them to stop, it's quite annoying.
>

Have you thought about setting up SPF records? At least a system could find out if they are not from you by spf lookups. I know that SPF isn't a spam tool, but it is an IP address spoofing check.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From mkettler at evi-inc.com Tue Nov 14 00:35:43 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Nov 14 00:35:51 2006
Subject: Massive queue buildup
In-Reply-To: <7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz>
References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com> <7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz>
Message-ID: <45590F5F.50803@evi-inc.com>

Brent Addis wrote:
> greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone. They probably shouldn't have been using email to do what they were, but that's not the point.

But it is the point. If time is in any way critical, email isn't for you. PERIOD.

Greylisting didn't nearly kill someone, some person used email where time criticality was a life-or-death issue. That person's bad choice of communication methods nearly killed someone. Greylisting has nothing to do with it.

Quite frankly, any spam control technology, like say, SpamAssassin, could have FPed on the message, causing it to possibly be ignored by the recipient. Would you say SA nearly killed someone? Would you stop using it and insist everyone else do the same?

What if one of the routers in that email path had crashed or had a hardware failure, would say that Cisco nearly killed someone? Would you stop using Cisco products and insist everyone else do the same?

Bad disk on the mailserver? Seagate's a killer?

Loss of power? BGE? Yeah, definitely don't use electricity.. it's unreliable and could kill someone.

Let's face it, the email user in question is lucky THEY didn't kill someone with their mistake.

Greylisting is not to blame here. Keep the life-and-death dramatics of someone's mistakes out of it.

> greylisting adds an unnecessary delay to email, and can quite easily be beaten if a spammer sets his mind to it.

It doesn't add unnecessary delay to most messages, Not if you do it *right*.

So far this week (today and Sunday) my greylist has:
    handled 16,493 total messages
    delayed 12,238 messages.
    allowed 4,255 messages to be delivered without delay.
    accepted 330 messages after delay.

Of the 330 delayed messages, only 9 were not tagged as spam by SA. Of these 9, 2 were spams that SA failed to tag, 5 were mass-mailed newsletters (delivery speed not important), and only 2 were personal messages.

So 2 significant FPs out of 16,493 messages. 0.01% error rate, not too bad.

Any spam control technology has its downfalls. loss, delay, or deprioritization of mail will be a side effect of any of these systems in some cases.

If you do greylisting right, you can keep the delays down to a sane level and still hack off a lot of spam. Approximately 72.2% of the inbound mail has been eliminated.

From ka at pacific.net Tue Nov 14 00:47:44 2006
From: ka at pacific.net (Ken A)
Date: Tue Nov 14 00:45:27 2006
Subject: Massive queue buildup
In-Reply-To: <7EF1F27F7292534D82933F70AB6996CC07AF53@pro-ak-exch01.hosted.pronet.net.nz>
References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com><7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz> <4559084A.6060801@pacific.net> <7EF1F27F7292534D82933F70AB6996CC07AF53@pro-ak-exch01.hosted.pronet.net.nz>
Message-ID: <45591230.1000201@pacific.net>

Brent Addis wrote:
> you can't guarantee that non suspicious (however urgent) email won't be listed in an rbl or have an invalid HELO at all times.

true. ymmv with any anti-spam system. I'd love it if we could clone each end user's brain and create a AI based system that simply used each end users' brain's response to the message to determine if each message was spam or not. That would be pretty foolproof. Sadly, perhaps.. we don't have that ability. :-(

> Copied from another list as well:
> One important thing to watch for is that for larger sites the server that
> first tries to send your email might not be the one that tries to resend
> it later. Greylisting sites will thus block the email for a while until
> the sending site gets lucky and uses the same machine twice in a row.

Not true. You can greylist on IP, MAIL, RCPT, HELO. It doesn't have to be just the IP and RCPT.

> Generating tempfail messages to sending sites is just asking for
> trouble IMHO. You really can't determine exactly they will act and how
> long they will take to retry to send the message. Any delay is 100%
> your fault although most people using greylisting seem keen to push the
> blame to the sending site.

If a site is not RFC compliant, or is listed in several RBLs, they certainly have some responsibility in that - at least 99.99% of the time if you are using a reliable RBL. You can also whitelist any non rfc compliant and/or rbl listed domains as you wish.
> It's the equivalent of ignoring someone when they first email/call you and > saying "If it's important they'll ring back" . Not very polite and > possibly not providing the best service to customers. In terms of telephone call, it's more like having your calls screened. Ken A Pacific.Net > > ________________________________ > > From: mailscanner-bounces@lists.mailscanner.info on behalf of Ken A > Sent: Tue 11/14/2006 1:05 PM > To: MailScanner discussion > Subject: Re: Massive queue buildup > > > > > > Brent Addis wrote: >> greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone. > > Oh, come on.. tell us how!! lol > > > They probably shouldn't have been using email to do what they were, but > thats not the point. >> greylisting adds an unnecessary delay to email, and can quite easilly be beaten if a spammer sets his mind to it. > > There's no reason for it to delay legit mail. Just configure to delay > suspicious mail, based on rbl lookup or helo or whatever.. > > Ken A. > Pacific.Net > > >> ________________________________ >> >> From: mailscanner-bounces@lists.mailscanner.info on behalf of Damian Mendoza >> Sent: Tue 11/14/2006 12:45 PM >> To: MailScanner discussion >> Subject: RE: Massive queue buildup >> >> >> >> Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level. >> >> >> >> That should get your server load down to 2.0 or lower to keep up with your traffic. >> >> >> >> >> >> Regards, >> >> >> Damian Mendoza >> >> Mission Viejo, CA >> >> 949 586-2200 >> >> >> >> >> >> ________________________________ 
>> >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jay Chandler >> Sent: Monday, November 13, 2006 2:32 PM >> To: mailscanner@lists.mailscanner.info >> Subject: Massive queue buildup >> >> >> >> Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early. >> >> >> >> It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building. >> >> >> >> Any idea where to look to sort out where it's coming from? >> >> >> >> It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13. >> >> >> >> Any guidance would be greatly appreciated. >> >> >> >> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > From chandler at chapman.edu Tue Nov 14 00:46:51 2006 From: chandler at chapman.edu (Chandler, Jay) Date: Tue Nov 14 00:46:56 2006 Subject: Massive queue buildup Message-ID: Yeah, we used to run greylisting, but there's no way I'd condone it here. "Almost killed someone" seems a bit over the top, though... :-) -- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: Fluorescent lights are generating negative ions. If turning them off doesn't work, take them out and put tin foil on the ends. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 3:49 PM To: MailScanner discussion Subject: RE: Massive queue buildup greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone. They probably shouldn't have been using email to do what they were, but thats not the point. greylisting adds an unnecessary delay to email, and can quite easilly be beaten if a spammer sets his mind to it. ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Damian Mendoza Sent: Tue 11/14/2006 12:45 PM To: MailScanner discussion Subject: RE: Massive queue buildup Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level. That should get your server load down to 2.0 or lower to keep up with your traffic. Regards, Damian Mendoza Mission Viejo, CA 949 586-2200 ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jay Chandler Sent: Monday, November 13, 2006 2:32 PM To: mailscanner@lists.mailscanner.info Subject: Massive queue buildup Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early. It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building. Any idea where to look to sort out where it's coming from? It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13. Any guidance would be greatly appreciated. -- Jay Chandler Network Administrator, Chapman University 714-628-7249 / chandler@chapman.edu "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r. From brent.addis at pronet.co.nz Tue Nov 14 00:47:31 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Tue Nov 14 00:49:04 2006 Subject: Massive queue buildup References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com><7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz> <45590F5F.50803@evi-inc.com> Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF56@pro-ak-exch01.hosted.pronet.net.nz> ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info on behalf of Matt Kettler Sent: Tue 11/14/2006 1:35 PM To: MailScanner discussion Subject: Re: Massive queue buildup Brent Addis wrote: > greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone. They probably shouldn't have been using email to do what they were, but thats not the point. >But it is the point. If time is in any way critical, email isn't for you. PERIOD. Unfortunatly, no matter how many times to tell people with this, they will still use email. People have this perception that email is the ultimate communicaton tool. We get complaints when email doesn't appear for more than a minute. Suffice it to say the person sending the email now knows about mail delays. You can't educate every single user about this sort of thing (people come and go very often) , all you can do is reduce the possiblity of it happening. I'm not really willing to enter a flame war on greylisting as I care very little about it. I do however take your below statements on board. This is simply my opinion on greylisting and in no way did I mean to get your panties in a knot. >Greylisting didn't nearly kill someone, some person used email where time >criticality was a life-or-death issue. That person's bad choice of communication >methods nearly killed someone. Greylisting has nothing to do with it. >Quite frankly, any spam control technology, like say, SpamAssassin, could have >FPed on the message, causing it to possibly be ignored by the recipient. Would >you say SA nearly killed someone? Would you stop using it and insist everyone >else do the same? >What if one of the routers in that email path had crashed or had a hardware >failure, would say that Cisco nearly killed someone? Would you stop using Cisco >products and insist everyone else do the same? >Bad disk on the mailserver? Seagate's a killer? >Loss of power? BGE? Yeah, definitely don't use electricity.. 
it's unreliable and >could kill someone. >Let's face it, the email user in question is lucky THEY didn't kill someone with >their mistake. >Greylisting is not to blame here. Keep the life-and-death dramatics of someone's >mistakes out of it. > greylisting adds an unnecessary delay to email, and can quite easilly be beaten if a spammer sets his mind to it. >It doesn't add unnecessary delay to most messages, Not if you do it *right*. >So far this week (today and Sunday) my greylist has: > handled 16,493 total messages > delayed 12,238 messages. > allowed 4,255 messages to be delivered without delay. > accepted 330 messages after delay. >Of the 330 delayed messages, only 9 were not tagged as spam by SA. Of these 9, 2 >were spams that SA failed to tag, 5 were mass-mailed newsletters (delivery speed >not important), and only 2 were personal messages. >So 2 significant FPs out of 16,493 messages. 0.01% error rate, not too bad. >Any spam control technology has it's downfalls. loss, delay, or depriortization >of mail will be a side effect of any of these systems in some cases. >If you do greylisting right, you can keep the delays down to a sane level and >still hack off a lot of spam. Approximately 72.2% of the inbound mail has been >eliminated. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/ms-tnef Size: 6814 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061114/e109c96b/attachment.bin From chandler at chapman.edu Tue Nov 14 00:52:30 2006 
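Added example, not part of any message in this thread and not the code of any real greylisting package: a toy in-memory greylist that replays the case argued over above, a sender whose retry comes from a different host of the same pool, first keyed on the exact client IP and then on the /24 network, plus the "delay only suspicious mail" variant. The addresses, host names, the rbl_listed flag and the timing values are constructed for illustration.

```python
import ipaddress

DEFER = "450 greylisted, try again later"
ACCEPT = "250 ok"


class Greylist:
    """Toy greylist; key_fields decides what counts as 'the same sender'."""

    def __init__(self, key_fields, min_delay=300, max_age=86400,
                 prefix_len=24, only_suspicious=False):
        self.key_fields = key_fields        # any of: ip, net, helo, mail_from, rcpt_to
        self.min_delay = min_delay          # seconds before a retry is accepted
        self.max_age = max_age              # unretried entries expire after this
        self.prefix_len = prefix_len        # network size used by the "net" field
        self.only_suspicious = only_suspicious
        self.pending = {}                   # key -> time of the first attempt
        self.passed = set()                 # keys that have already retried correctly

    def _key(self, attempt):
        parts = []
        for name in self.key_fields:
            if name == "net":
                # Collapse the client address to its network so that a retry
                # from a sibling host in the same pool maps to the same key.
                net = ipaddress.ip_network(
                    f"{attempt['ip']}/{self.prefix_len}", strict=False)
                parts.append(str(net))
            else:
                parts.append(attempt[name].lower())
        return tuple(parts)

    def check(self, attempt, now):
        # Selective mode: mail that is not flagged is never delayed.
        # "rbl_listed" is a constructed flag standing in for an RBL or HELO test.
        if self.only_suspicious and not attempt.get("rbl_listed", False):
            return ACCEPT
        key = self._key(attempt)
        if key in self.passed:
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.max_age:
            self.pending[key] = now         # first sighting (or stale entry)
            return DEFER
        if now - first < self.min_delay:
            return DEFER                    # retried too quickly
        del self.pending[key]
        self.passed.add(key)                # later mail for this key is not delayed
        return ACCEPT


def _attempt(ip, helo):
    return {"ip": ip, "helo": helo,
            "mail_from": "alice@example.net", "rcpt_to": "bob@example.org"}


# Constructed sample: one message, retried by a different host of the same pool.
POOL_RETRIES = [
    (0,    _attempt("192.0.2.10", "out1.example.net")),
    (600,  _attempt("192.0.2.11", "out2.example.net")),
    (1200, _attempt("192.0.2.10", "out1.example.net")),
]


def replay(greylist, attempts):
    """Feed (time, attempt) pairs to a greylist and collect the SMTP replies."""
    return [greylist.check(a, t) for t, a in attempts]


if __name__ == "__main__":
    for fields in (("ip", "mail_from", "rcpt_to"), ("net", "mail_from", "rcpt_to")):
        print(fields, replay(Greylist(fields), POOL_RETRIES))
    selective = Greylist(("ip", "mail_from", "rcpt_to"), only_suspicious=True)
    print("only suspicious", replay(selective, POOL_RETRIES))
```

Keyed on the exact IP, the retry from the second pool host is treated as a new sender and the message waits for the third attempt; keyed on the network, the second attempt is accepted.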
From: chandler at chapman.edu (Chandler, Jay)
Date: Tue Nov 14 00:52:34 2006
Subject: Massive queue buildup
Message-ID:

brewer# time spamassassin -C /usr/local/etc/mail/spamassassin/mailscanner.conf --lint
3.092u 0.386s 0:09.71 35.7% 10+37348k 0+0io 0pf+0w
brewer# time spamassassin -C /usr/local/etc/mail/spamassassin/ --lint
4.135u 0.318s 0:04.97 89.3% 10+48865k 0+0io 0pf+0w
brewer#

Looks good from here.

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: terrorist activities

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis
Sent: Monday, November 13, 2006 4:13 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

3 seconds? Not bad!

However, are you sure that includes the mailscanner config? (It might be in /etc/spamassassin or /etc/mail/spamassassin)

if not, include the config file in your lint (I think it's either -C or -P /path/to/spam.assassin.conf)

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay
Sent: Tue 11/14/2006 1:09 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

Time spamassassin -D --lint takes three point seven seconds-- I don't think that's where the holdup is occurring.

Our DNS server is local and on the same netblock as the mailserver in question.

We have a few RBLs at connecttime, but they seem to be holding up well.

It's a bit of a stumper...

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: your keyboard's space bar is generating spurious keycodes.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 3:48 PM To: MailScanner discussion Subject: RE: Massive queue buildup if you want to only check spamassassin (generally the slowest part with lots of rules) "time spamassassin -D --lint" is a good start. as long as your mailscanner.cf is in a reasonable place it should pick it up. If you keep an eye on where it seems to take a while, it should help you track down the problem. Or, there is an option within mailscanner to turn on batch process time. I forget the name however its in the last quarter of the config somewhere. are you running bayes? If you are, and its standard db files on the server, I would recommend migrating these to an sql server somewhere. This helped scan times a fair bit too. Another upside is this also means you can have multiple servers using the same db. With RBL's, don't forget spamassassin also does RBL checking so make sure your not doing twice the lookups you need to. 100k a day should be fine on the hardware you have. ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info on behalf of Jay Chandler Sent: Tue 11/14/2006 12:39 PM To: MailScanner discussion Subject: Re: Massive queue buildup On Nov 13, 2006, at 2:42 PM, Brent Addis wrote: Check your not running one of those massive blacklists from SARE. I was running one for a while while testing and a similar thing happened. removing it dropped my average scan time from ~2 1/2 minutes to 11 seconds per message. Where does one determine how long the average scan time is? Other ideas: - Check your dns servers are capable of standing up to the amount of dns requests you are making. Running something like nscd locally is a good idea. I suspect they are, but I'll verify this. - Are you running very many RBL's within mailscanner? Try disabling these and see if it helps. Three or four-- nothing insane. - Are you running any type of recipient verification? (as in, checking that the person being sent the mail actually exists). If not, try turning it on. I am unsure what it is called within postfix as I don't use it. We are. Messages to undefined users fault to a 5xx error. - Check out http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips which has a few others as well. Thanks! How much mail are you handling a day? I have a couple of single cpu 3.0 ghz machines comfortably handling many thousands of messages a day. Right now, about 100K a day. Thanks for the help! -- Jay Chandler Network Administrator, Chapman University 714-628-7249 / chandler@chapman.edu "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From brent.addis at pronet.co.nz Tue Nov 14 00:54:40 2006 
From: brent.addis at pronet.co.nz (Brent Addis) Date: Tue Nov 14 00:57:08 2006 Subject: Massive queue buildup References: Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF58@pro-ak-exch01.hosted.pronet.net.nz> ok, what about batch processing speed? Try enabling that within MailScanner.conf ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay Sent: Tue 11/14/2006 1:52 PM To: MailScanner discussion Subject: RE: Massive queue buildup brewer# time spamassassin -C /usr/local/etc/mail/spamassassin/mailscanner.conf --lint 3.092u 0.386s 0:09.71 35.7% 10+37348k 0+0io 0pf+0w brewer# time spamassassin -C /usr/local/etc/mail/spamassassin/ --lint 4.135u 0.318s 0:04.97 89.3% 10+48865k 0+0io 0pf+0w brewer# Looks good from here. -- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: terrorist activities -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 4:13 PM To: MailScanner discussion Subject: RE: Massive queue buildup 3 seconds? Not bad! However, are you sure that includes the mailscanner config? (It might be in /etc/spamassassin or /etc/mail/spamassassin) if not, include the config file in your lint (I think its either -C or -P /path/to/spam.assassin.conf) ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay Sent: Tue 11/14/2006 1:09 PM To: MailScanner discussion Subject: RE: Massive queue buildup Time spamassassin -D --lint takes three point seven seconds-- I don't think that's where the holdup is occuring. Our DNS server is local and on the same netblock as the mailserver in question. We have a few RBLs at connecttime, but they seem to be holding up well. It's a bit of a stumper... -- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: your keyboard's space bar is generating spurious keycodes. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 3:48 PM To: MailScanner discussion Subject: RE: Massive queue buildup if you want to only check spamassassin (generally the slowest part with lots of rules) "time spamassassin -D --lint" is a good start. as long as your mailscanner.cf is in a reasonable place it should pick it up. If you keep an eye on where it seems to take a while, it should help you track down the problem. Or, there is an option within mailscanner to turn on batch process time. I forget the name however its in the last quarter of the config somewhere. are you running bayes? If you are, and its standard db files on the server, I would recommend migrating these to an sql server somewhere. This helped scan times a fair bit too. Another upside is this also means you can have multiple servers using the same db. With RBL's, don't forget spamassassin also does RBL checking so make sure your not doing twice the lookups you need to. 100k a day should be fine on the hardware you have. ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info on behalf of Jay Chandler
Sent: Tue 11/14/2006 12:39 PM
To: MailScanner discussion
Subject: Re: Massive queue buildup

On Nov 13, 2006, at 2:42 PM, Brent Addis wrote:

Check you're not running one of those massive blacklists from SARE. I was running one for a while while testing and a similar thing happened. removing it dropped my average scan time from ~2 1/2 minutes to 11 seconds per message.

Where does one determine how long the average scan time is?

Other ideas:

- Check your dns servers are capable of standing up to the amount of dns requests you are making. Running something like nscd locally is a good idea.

I suspect they are, but I'll verify this.

- Are you running very many RBLs within mailscanner? Try disabling these and see if it helps.

Three or four-- nothing insane.

- Are you running any type of recipient verification? (as in, checking that the person being sent the mail actually exists). If not, try turning it on. I am unsure what it is called within postfix as I don't use it.

We are. Messages to undefined users fault to a 5xx error.

- Check out http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips which has a few others as well.

Thanks!

How much mail are you handling a day? I have a couple of single cpu 3.0 ghz machines comfortably handling many thousands of messages a day.

Right now, about 100K a day. Thanks for the help!

--
Jay Chandler
Network Administrator, Chapman University
714-628-7249 / chandler@chapman.edu

"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
From chandler at chapman.edu Tue Nov 14 01:15:54 2006
From: chandler at chapman.edu (Chandler, Jay)
Date: Tue Nov 14 01:15:59 2006
Subject: Massive queue buildup
Message-ID:

I don't show any match for anything approaching that, other than "log speed," which is set to yes for MRTG.

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: not approved by the FCC

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis
Sent: Monday, November 13, 2006 4:55 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

ok, what about batch processing speed? Try enabling that within MailScanner.conf

From mkettler at evi-inc.com Tue Nov 14 01:22:14 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Nov 14 01:22:29 2006
Subject: Massive queue buildup
In-Reply-To: <7EF1F27F7292534D82933F70AB6996CC07AF56@pro-ak-exch01.hosted.pronet.net.nz>
References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com> <7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz> <45590F5F.50803@evi-inc.com> <7EF1F27F7292534D82933F70AB6996CC07AF56@pro-ak-exch01.hosted.pronet.net.nz>
Message-ID: <45591A46.1050709@evi-inc.com>

Brent Addis wrote:
>
> Brent Addis wrote:
>> But it is the point. If time is in any way critical, email isn't for you. PERIOD.
>
> Unfortunately, no matter how many times to tell people with this, they will still use email. People have this perception that email is the ultimate communication tool. People are unfortunately stupid.
> Suffice it to say the person sending the email now knows about mail delays. You can't educate every single user about this sort of thing (people come and go very often) , all you can do is reduce the possibility of it happening.

Agreed, and I go to great lengths to achieve that. My greylist delay numbers in my post are a testament to that. Most of the conditions under which I greylist mail are typically conditions most sites will outright blacklist it.

2hr greylist:
    envelope FROM is forged system account in my domain (ie: postmaster)
1hr greylist:
    listed in XBL, or SORBS-DUL
15 minute greylist:
    listed in SBL
1 minute greylist:
    listed in SORBS-WEB
    envelope FROM is forged address in my domain (not from my servers)
    no reverse DNS
    reverse DNS hostname variant of "xxx.xxx.unassigned.example.com"
    reverse DNS hostname "xxx.xxx.unused.example.com"
    reverse DNS hostname "xxx.xxx.unknown.example.com"
    any mail to RFC required address (postmaster, hostmaster, etc)
    any mail to a whois contact address
    sending IP is in apnic or lacnic
    a few specific problem ISPs in Europe I have little reason to expect mail from.
> I'm not really willing to enter a flame war on greylisting as I care very little about it.

Fair enough.

> I do however take your below statements on board. This is simply my opinion on greylisting and in no way did I mean to get your panties in a knot.

Fair enough, no panties in a knot. I was mostly in a "you've GOT to be kidding me" mode.

From brent.addis at pronet.co.nz Tue Nov 14 01:34:57 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Tue Nov 14 01:36:30 2006
Subject: Massive queue buildup
References:
Message-ID: <7EF1F27F7292534D82933F70AB6996CC07AF5B@pro-ak-exch01.hosted.pronet.net.nz>

That sounds like the one you want. Check your syslog, it should show you your batch processing speed

IE:

Nov 14 14:30:10 mx3 MailScanner[5500]: Spam Checks completed at 826 bytes per second
Nov 14 14:30:10 mx3 MailScanner[5500]: Virus and Content Scanning: Starting
Nov 14 14:30:13 mx3 MailScanner[5500]: Virus Scanning completed at 4633 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Uninfected: Delivered 1 messages
Nov 14 14:30:13 mx3 MailScanner[5500]: Virus Processing completed at 692908 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Batch completed at 700 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Batch (1 message) processed in 9.86 seconds
Nov 14 14:30:13 mx3 MailScanner[5500]: Logging message 1Gjn7U-0000rl-44 to SQL
Nov 14 14:30:13 mx3 MailScanner[5500]: "Always Looked Up Last" took 0.00 seconds

Do you have the spamassassin cache enabled?

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay
Sent: Tue 11/14/2006 2:15 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

I don't show any match for anything approaching that, other than "log speed," which is set to yes for MRTG.

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: not approved by the FCC
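Added example (not part of the original thread and not MailScanner's own code): a Python parser for the speed-logging syslog lines quoted in the message above, which answers the earlier question of where to read the average scan time and which stage dominates a batch. The per-stage seconds are an estimate that assumes every "completed at N bytes per second" rate is measured over the same batch size; the PID 5501 lines are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Syslog prefix: "Nov 14 14:30:13 mx3 MailScanner[5500]: <message>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s[\d:]{8}\s+\S+\s+MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# "Spam Checks completed at 826 bytes per second"
STAGE_RE = re.compile(
    r"^(?P<stage>Spam Checks|Virus Scanning|Virus Processing|Batch) "
    r"completed at (?P<bps>\d+) bytes per second$"
)
# "Batch (1 message) processed in 9.86 seconds"
BATCH_RE = re.compile(
    r"^Batch \((?P<n>\d+) messages?\) processed in (?P<secs>[\d.]+) seconds$"
)

# First child (PID 5500): lines as quoted in the thread.
# Second child (PID 5501): constructed, interleaved the way several
# MailScanner children write to the same syslog.
SAMPLE_LOG = """\
Nov 14 14:30:10 mx3 MailScanner[5500]: Spam Checks completed at 826 bytes per second
Nov 14 14:30:10 mx3 MailScanner[5500]: Virus and Content Scanning: Starting
Nov 14 14:30:12 mx3 MailScanner[5501]: Spam Checks completed at 120 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Virus Scanning completed at 4633 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Uninfected: Delivered 1 messages
Nov 14 14:30:13 mx3 MailScanner[5500]: Virus Processing completed at 692908 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Batch completed at 700 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Batch (1 message) processed in 9.86 seconds
Nov 14 14:30:13 mx3 MailScanner[5500]: Logging message 1Gjn7U-0000rl-44 to SQL
Nov 14 14:30:13 mx3 MailScanner[5500]: "Always Looked Up Last" took 0.00 seconds
Nov 14 14:30:22 mx3 MailScanner[5501]: Virus Scanning completed at 600 bytes per second
Nov 14 14:30:22 mx3 MailScanner[5501]: Batch completed at 100 bytes per second
Nov 14 14:30:22 mx3 MailScanner[5501]: Batch (3 messages) processed in 60.00 seconds
"""


@dataclass
class Batch:
    pid: int
    messages: int
    seconds: float
    stage_bps: dict = field(default_factory=dict)  # stage name -> bytes/second

    def stage_seconds(self):
        """Estimate seconds spent per stage (assumption: all rates share one batch size)."""
        total_bps = self.stage_bps.get("Batch")
        if not total_bps:
            return {}
        batch_bytes = total_bps * self.seconds
        return {
            stage: batch_bytes / bps
            for stage, bps in self.stage_bps.items()
            if stage != "Batch" and bps > 0
        }


def parse_batches(lines):
    """Group stage rates by child PID and close a batch on its 'processed in' line."""
    pending = {}   # pid -> rates seen since that child's previous batch
    batches = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a MailScanner line
        pid, msg = int(m["pid"]), m["msg"]
        stage = STAGE_RE.match(msg)
        if stage:
            pending.setdefault(pid, {})[stage["stage"]] = int(stage["bps"])
            continue
        done = BATCH_RE.match(msg)
        if done:
            batches.append(
                Batch(pid, int(done["n"]), float(done["secs"]), pending.pop(pid, {}))
            )
    return batches


def summarize(batches):
    """Average wall-clock seconds per message and the stage with the most estimated time."""
    messages = sum(b.messages for b in batches)
    seconds = sum(b.seconds for b in batches)
    per_stage = {}
    for b in batches:
        for stage, secs in b.stage_seconds().items():
            per_stage[stage] = per_stage.get(stage, 0.0) + secs
    return {
        "batches": len(batches),
        "messages": messages,
        "avg_seconds_per_message": seconds / messages if messages else 0.0,
        "slowest_stage": max(per_stage, key=per_stage.get) if per_stage else None,
        "stage_seconds": per_stage,
    }


if __name__ == "__main__":
    print(summarize(parse_batches(SAMPLE_LOG.splitlines())))
```

For the batch quoted in the thread the estimate attributes about 8.4 of the 9.86 seconds to spam checks, which is the kind of evidence needed before tuning SpamAssassin rules, RBLs or digest checks.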
From res at ausics.net Tue Nov 14 05:36:50 2006
From: res at ausics.net (Res)
Date: Tue Nov 14 05:36:59 2006
Subject: Massive queue buildup
In-Reply-To:
References:
Message-ID:

On Mon, 13 Nov 2006, Jay Chandler wrote:

> Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown
> last week-- was forced to throw this box into production early.

Sendmail meltdown? I think it might be your hardware too.

ecartis~# ps ax | grep -c sendmail
1103

dual 2.6, 2G mem and it's hardly raising a sweat

~# w
15:35:09 up 308 days, 5:08, 1 user, load average: 0.47, 0.49, 0.44

> It ran fine over the weekend, but today there's a massive queue buildup when
> I run an mqueue-- 10K so far and building.
>

enable log speed, I'll bet you'll discover it's SA, do you use dcc? I had to disable dcc a couple weeks ago because of similar issues.

> average of around 13.

the above is on my list server, so it works hard most of the time, with a load of 13 I'd expect to see 10+K sendmail processes..

I don't know how many sessions you were seeing or are seeing now with postfix, but something's amiss.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Tue Nov 14 05:41:05 2006
From: res at ausics.net (Res)
Date: Tue Nov 14 05:41:13 2006
Subject: Massive queue buildup
In-Reply-To: <45590F5F.50803@evi-inc.com>
References: <0C941442AC84A8449448BA2207DD4F4D190EBF@core01.workgroupsolutions.com> <7EF1F27F7292534D82933F70AB6996CC07AF52@pro-ak-exch01.hosted.pronet.net.nz> <45590F5F.50803@evi-inc.com>
Message-ID:

On Mon, 13 Nov 2006, Matt Kettler wrote:

> you say SA nearly killed someone?

SA doesn't kill people, it kills servers

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From ram at netcore.co.in Tue Nov 14 08:12:23 2006
From: ram at netcore.co.in (Ramprasad)
Date: Tue Nov 14 08:12:53 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B581086D886@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B581086D886@isabella.herefordshire.gov.uk>
Message-ID: <1163491943.12343.16.camel@darkstar.netcore.co.in>

On Mon, 2006-11-13 at 18:34 +0000, Randal, Phil wrote:
> grep -c "from= maillog:22
> maillog.1:2421
> maillog.2:2153
> maillog.3:14
> maillog.4:37
>

Just take off the last 'h' from your pattern(from=

References: <86144ED6CE5B004DA23E1EAC0B569B581086D886@isabella.herefordshire.gov.uk> <1163491943.12343.16.camel@darkstar.netcore.co.in>
Message-ID: <223f97700611140151x779e0759m9bc997579d95467f@mail.gmail.com>

On 14/11/06, Ramprasad wrote:
> On Mon, 2006-11-13 at 18:34 +0000, Randal, Phil wrote:
> > grep -c "from=
> maillog:22
> > maillog.1:2421
> > maillog.2:2153
> > maillog.3:14
> > maillog.4:37
> >
> > Just take off the last 'h' from your pattern(from= are the results
> >
> > The senders ids are like /^debora.*/
> >
> > Thanks
> Ram
>

These amounts are well and good, but unless you find a method to use this information _apart_ from an SA rule (meaning: something applicable to SMTP conversation time), they really aren't that interesting... Check if SA doesn't handle them all/the vast majority, and then consider if this meager a fact is enough to build a rule on...

In my case, with a broader search, I've seen them since at least mid-October, and all (but a vanishingly small minority) have been correctly handled by SA.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Nov 14 10:06:15 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 14 10:06:18 2006
Subject: Messages passing through Mailscanner lose X-Mailer headers, and turn up as SPAM, but no Mailscanner no problem
In-Reply-To: <200611131642.53900.leah@frauerpower.com>
References: <200611131642.53900.leah@frauerpower.com>
Message-ID: <223f97700611140206x779f51a2m41a1366f96220f92@mail.gmail.com>

On 13/11/06, Leah Cunningham wrote:
> I have a strange problem. I have a client whose internal user is able to
> successfully send messages to me from their old Q-Mail server without a
> problem. If the same user, with the same mail client, computer, etc, sends a
> message through a newer mail server that I have set up for them that runs
> MailScanner (with Postfix), the message is detected by my own mail server
> (and many others) as Spam, and has different headers. It seems part of the
> reason is that Spamassassin thinks it is a bogus Outlook, maybe because the
> X-Mailer header is not there.
>
> The major difference I notice is that in the one that went through
> MailScanner, we are missing these two headers that are in the one that went
> through their old mail server, and I want to know why:
>
> X-Mailer: Microsoft Outlook, Build 10.0.2627
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>
> Here are the headers when the message is sent through their old Qmail based
> server:
(snip)
> Any ideas on why these headers are missing, and what else I might do so that
> we can have the new mail server work? Please cc leah@heinous.org on this if
> it's not too much trouble.
>

Hi Leah,

Sounds like you should look at two places, where the first is the more likely to be ... erroneous...

The first place is in your Postfix header_checks file, where you might have added some fairly intrusive IGNOREs (from securitysage, no less)... Probably something like:

/^X-Mailer:/ IGNORE # This drops the mailer or MTA program name on some systems
/^X-MimeOLE:/ IGNORE # This drops the MIME type header
/^X-MSMail-Priority:/ IGNORE # This drops the Microsoft priority tag header

(watch out for the line wrapping)

Just comment those out, they are in all likelihood too aggressive.

The second place to look is your MailScanner.conf file where you have:

# If any of these headers are included in a a message, they will be deleted.
# This is very useful for removing return-receipt requests and any headers
# which mean special things to your email client application.
# X-Mozilla-Status is bad as it allows spammers to make a message appear to
# have already been read, which is believed to bypass some naive spam
# filtering systems.
# Receipt requests are bad as they give any attacker confirmation that an
# account is active and being read. You don't want this sort of information
# to leak outside your corporation. So you might want to remove
# Disposition-Notification-To and Return-Receipt-To.
# If you are having problems with duplicate message-id headers when you
# release spam from the quarantine and send it to an Exchange server, then add
# Message-Id.
# Each header should end in a ":", but MailScanner will add it if you forget.
# Headers should be separated by commas or spaces.
# This can also be the filename of a ruleset.
Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2:

... which likely happens after processing by SA, so likely isn't the problem. But you might have added those X-* headers there:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Nov 14 10:25:10 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 14 10:25:13 2006
Subject: Mail Not Delivering
In-Reply-To:
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com> <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com> <223f97700611130119k45a4ba9cm2a7ab87f52c5c1f2@mail.gmail.com>
Message-ID: <223f97700611140225x7dc0dee4y17102bc49daccd31@mail.gmail.com>

On 14/11/06, Scott Silva wrote:
> Glenn Steen spake the following on 11/13/2006 1:19 AM:
> > On 13/11/06, Res wrote:
> >> On Sun, 12 Nov 2006, Glenn Steen wrote:
> >>
> >> > Nope, I think it has something to do with general understaffing and
> >> > continually jumping from one hot spot to the next (networking
> >> > (switches, firewalls, VPN GWs, RSA ACE etc etc), Unix admin (some
> >> > hefty AIX boxes, a slew of Suns, a plethora of linuces), backup
> >>
> >> *snip* what are you a one man NOC ? surely you can delegate, but I
> >> know if something f2#$#s up it still comes back down to me, that's why
> >> competent engineers by my side are a must ;)
> > The term there is _understaffed_;-). Then one becomes "key" to
> > operations in oh so many ways. Sigh. We're leasing the needed people
> > to delegate to, but... It's not the same as a fellow employee.
> >
> >> > The MX GWs with postfix/MailScanner/etc/etc is what _saves_ me time,
> >> > more time to qmail (Q for quirky, right:) or snide^H^H^H^Hendmail if I
> >>
> >> We are shortly about to remove qmail from equation on all our virtual
> >> domain boxes by using sendmail and cyrus, I'm sick to death of
> >> spending 2 days
> >> patching the useless piece of crap every time we want some other feature
> >> that's defaultly in sendmail and has been in it for like 8 years or more.
> >>
> >> bernstein is right about one thing tho, qmail is secure, afterall how can
> >> you exploit something that does nothing :D
> >>
> > Yep:-).
> >
> Understaffed and underpaid!
> That is the sysop's theme song!
> Let's all sing along!!!
>
> It is so easy for my boss to give me 3 or 4 jobs, but I sure can't get payroll
> to cut me 3 or 4 paychecks!!!!
>
> I'll stop sniveling now! I'll just go beat my head against a server. :-/

Ah yes.... Snivelers of the World: Unite! ... Over a beer:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From prandal at herefordshire.gov.uk Tue Nov 14 10:25:16 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Nov 14 10:28:19 2006
Subject: Massive queue buildup
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581086D96B@isabella.herefordshire.gov.uk>

I use milter-greylist-3.0rc7 and only greylist (for a very short period) senders who are in the SORBS DUL, SPAMCOP, NJABL DYN, and PSBL blacklists.

If they are on any of those blacklists they probably shouldn't be sending email to us anyhow, but greylisting gives them the benefit of the doubt.

And email is a store-and-forward system, not an instant messenger. A fifteen minute delay is neither here nor there in the full scheme of things.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

_____

From: Brent Addis [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis
Sent: 13 November 2006 23:49
To: MailScanner discussion
Subject: RE: Massive queue buildup

greylisting is bad and I will never ever run it. I know of one case where greylisting has very nearly killed someone. They probably shouldn't have been using email to do what they were, but that's not the point. greylisting adds an unnecessary delay to email, and can quite easily be beaten if a spammer sets his mind to it.

_____
From: mailscanner-bounces@lists.mailscanner.info on behalf of Damian Mendoza
Sent: Tue 11/14/2006 12:45 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

Run a DNS server locally, add more memory/CPU, use Greylisting, process mail using sender address verification before SA at the postfix or sendmail level and use RBLs at the postfix or sendmail level. That should get your server load down to 2.0 or lower to keep up with your traffic.

Regards,

Damian Mendoza
Mission Viejo, CA
949 586-2200

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jay Chandler
Sent: Monday, November 13, 2006 2:32 PM
To: mailscanner@lists.mailscanner.info
Subject: Massive queue buildup

Built my first Mailscanner / Postfix box on Friday due to a Sendmail meltdown last week-- was forced to throw this box into production early.

It ran fine over the weekend, but today there's a massive queue buildup when I run an mqueue-- 10K so far and building.

Any idea where to look to sort out where it's coming from? It's possible the box itself is overloaded, 2 2.4 ghz procs, with a load average of around 13.

Any guidance would be greatly appreciated.

--
Jay Chandler
Network Administrator, Chapman University
714-628-7249 / chandler@chapman.edu

"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r.

From glenn.steen at gmail.com Tue Nov 14 10:29:12 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 14 10:29:15 2006
Subject: Annoying!!!
In-Reply-To: <45588385.65ED.00A2.0@plattesheriff.org>
References: <45585CA7.65ED.00A2.0@plattesheriff.org> <223f97700611131005l5cea595ahe4d74c0a7f89c373@mail.gmail.com> <45588385.65ED.00A2.0@plattesheriff.org>
Message-ID: <223f97700611140229o4f847950sd19a1d769fb556f1@mail.gmail.com>

On 13/11/06, Rob Poe wrote:
> >Why do you "catch all"? Reject unknown instead.
>
> Catch all, because it's used for family, but I use the rob- prefix .. When I sign up for a site, i use a code that I know I used on each site .. makes it easier to filter out spam if/when the email address gets sold..
>

Yes, well... But you could do this without a catch-all, just some forward planning... Generate a few extra aliases, is all. When you run out, generate a few more...:-). Had pretty much the same effect, without the downside of actually accepting all that bogus crap you really don't want to bounce anyway... makes it possible to reject unknowns...

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From prandal at herefordshire.gov.uk Tue Nov 14 10:35:02 2006
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Nov 14 10:38:02 2006 Subject: Massive queue buildup Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581086D97C@isabella.herefordshire.gov.uk> "One important thing to watch for is that for larger sites the server that first tries to send your email might not be the one that tries to resend it later. Greylisting sites will thus block the email for a while until the sending site gets lucky and uses the same machine twice in a row. Generating tempfail messages to sending sites is just asking for trouble IMHO. You really can't determine exactly they will act and how long they will take to retry to send the message. Any delay is 100% your fault although most people using greylisting seem keen to push the blame to the sending site. It's the equivalent of ignoring someone when they first email/call you and saying "If it's important they'll ring back" . Not very polite and possibly not providing the best service to customers." That's precisely why milter-greylist has a whitelist of non-conformant hosts / subnets. FUD. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061114/375545a0/attachment.html From glenn.steen at gmail.com Tue Nov 14 10:39:25 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Nov 14 10:39:28 2006 Subject: Massive queue buildup In-Reply-To: References: Message-ID: <223f97700611140239v672f41d1m17d8076ab83535c9@mail.gmail.com> On 14/11/06, Chandler, Jay wrote: > Time spamassassin -D --lint takes three point seven seconds-- I don't > think that's where the holdup is occuring. > > Our DNS server is local and on the same netblock as the mailserver in > question. > > We have a few RBLs at connecttime, but they seem to be holding up well. > > It's a bit of a stumper... > If this is SA 3.1.7, remember that the lint test doesn't actually run any network tests anymore, so to get the real times, run a small (real!) message through it with spamassassin -t < /path/to/mail/file My money is on this being slow RBLs or digest checks:-)... And you'll likely not see any 3 seconds for those:-D -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From prandal at herefordshire.gov.uk Tue Nov 14 10:31:50 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Nov 14 10:39:33 2006 Subject: Debora is a huge spammers!!!! Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581086D976@isabella.herefordshire.gov.uk> Not here they weren't. A simple grep leads to double-counting (because I run milter-greylist), but my point still stands. Was handled well by my setup without any additional response needed. Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Ramprasad > Sent: 14 November 2006 08:12 > To: MailScanner discussion > Subject: RE: Debora is a huge spammers!!!! > > On Mon, 2006-11-13 at 18:34 +0000, Randal, Phil wrote: > > grep -c "from= > maillog:22 > > maillog.1:2421 > > maillog.2:2153 > > maillog.3:14 > > maillog.4:37 > > > > Just take of the last 'h' from your pattern(from= and see what > are the results > > The senders ids are like /^debora.*/ > > Thanks > Ram > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From sk at foundationcenter.org Tue Nov 14 12:20:26 2006 From: sk at foundationcenter.org (Sukh Khehra) Date: Tue Nov 14 12:18:57 2006 Subject: mailscanner bug? In-Reply-To: <200611140059.kAE0xEUU023209@bkserver.blacknight.ie> Message-ID: <7B644D3DEEE2594981C2B8FFAC1737D189F6F1@fcmail.nycnt1a.fdncenter.org> In my 4.54.6 installation, I had to unset SpamAssassin Local State Dir" to get it to see my rules in /var/lib/spamassassin/3.001007/. This seems to be the opposite behavior of what the conf file suggests. From martinh at solidstatelogic.com Tue Nov 14 13:41:54 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Nov 14 13:42:13 2006 Subject: mailscanner bug? In-Reply-To: <7B644D3DEEE2594981C2B8FFAC1737D189F6F1@fcmail.nycnt1a.fdncenter.org> References: <7B644D3DEEE2594981C2B8FFAC1737D189F6F1@fcmail.nycnt1a.fdncenter.org> Message-ID: <4559C7A2.4020404@solidstatelogic.com> Sukh Khehra wrote: > In my 4.54.6 installation, I had to unset SpamAssassin Local State Dir" > to get it to see my rules in /var/lib/spamassassin/3.001007/. This seems > to be the opposite behavior of what the conf file suggests. This should be set to /var/lib if you're using sa-update...have you got this set somewhere else???? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From filip.nollet at hogent.be Tue Nov 14 13:52:37 2006 
From: filip.nollet at hogent.be (Filip Nollet)
Date: Tue Nov 14 13:52:46 2006
Subject: Filename.rules.conf (attachment filename scanning) not working after upgrade
Message-ID: <002d01c707f4$251c3a10$9fe21005@hogent.be>

Hi all,

Upgraded to latest release of MailScanner 4.56.8-1. But after a while I noted that I didn't receive any notifications anymore of files being quarantined because of bad filenames.

Checked the upgraded configfile and the necessary options were still there (I am just showing the obvious config options):

Scan Messages = yes
Reject Message = no
Maximum Attachments Per Message = 200
Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = yes
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120
Maximum Message Size = 0
Maximum Attachment Size = -1
Minimum Attachment Size = -1
Maximum Archive Depth = 0
Find Archives By Content = no
Virus Scanning = yes
Virus Scanners = trend
Virus Scanner Timeout = 300
Deliver Disinfected Files = no
Silent Viruses = All-Viruses
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ Zip-Password eicar
Block Encrypted Messages = no
Block Unencrypted Messages = no
Allow Password-Protected Archives = no
Dangerous Content Scanning = no
Allow Partial Messages = no
Allow External Message Bodies = yes
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = yes
Highlight Phishing Fraud = yes
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
Country Sub-Domains List = %etc-dir%/country.domains.conf
Allow IFrame Tags = yes
Allow Form Tags = yes
Allow Script Tags = yes
Allow WebBugs = yes
Ignored Web Bug Filenames =
Web Bug Replacement = http://www.sng.ecs.soton.ac.uk/mailscanner/images/1x1spacer.gif
Allow Object Codebase Tags = yes
Convert Dangerous HTML To Text = no
Convert HTML To Text = no
Allow Filenames =
Deny Filenames =
Filename Rules = %etc-dir%/filename.rules.conf
Allow Filetypes =
Deny Filetypes =
Filetype Rules =
Quarantine Infections = yes
Quarantine Silent Viruses = no
Quarantine Modified Body = no
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = yes
MailScanner Version Number = 4.56.8

The filename.rules.conf file is the new file from the rpm package with one change in it: zip files get a "deny" and are thus not allowed.
MailScanner logs show no errors, warnings etc at all; all the attachments are just not scanned for bad names
Virus scanning, TNEF expansion etc is working fine however.

Am I looking over something here? I have been using MailScanner for some years now on 5 different e-mail servers and have no idea why it is acting so strange after an upgrade? It is happening on 3 of the upgraded servers (the other 2 do not do filename scanning).

Has it something to do with the new filename options?

Regards,
Filip Nollet

======================================
Filip Nollet
System & Network Management
Hogeschool Gent
Department ICT
Schoonmeersstraat 52
9000 Gent
Belgium
Tel: +32 (0)9 248 88 87
Fax: +32 (0)9 243 87 70
E-Mail: filip.nollet@hogent.be
GPG info: ED892C1B
Fingerprint: 265E CFDE 6880 A968 64F4 85E6 4DC4 353C ED89 2C1B

From glenn.steen at gmail.com Tue Nov 14 14:05:11 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 14 14:05:13 2006
Subject: mailscanner bug?
In-Reply-To: <4559C7A2.4020404@solidstatelogic.com>
References: <7B644D3DEEE2594981C2B8FFAC1737D189F6F1@fcmail.nycnt1a.fdncenter.org> <4559C7A2.4020404@solidstatelogic.com>
Message-ID: <223f97700611140605m5e99b0b6tf0df31945d37a8a8@mail.gmail.com>

On 14/11/06, Martin Hepworth wrote:
> Sukh Khehra wrote:
> > In my 4.54.6 installation, I had to unset SpamAssassin Local State Dir"
> > to get it to see my rules in /var/lib/spamassassin/3.001007/. This seems
> > to be the opposite behavior of what the conf file suggests.
>
> This should be set to /var/lib if you're using sa-update...have you got
> this set somewhere else????
>
Apart from being defaults in SpamAssassin.pm?! As I've said before, I've never needed to set this, it Just Works(tm)...

# egrep "^SpamAssassin .* Dir =" /etc/MailScanner/MailScanner.conf
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
SpamAssassin Site Rules Dir = /etc/mail/spamassassin
SpamAssassin Local Rules Dir =
SpamAssassin Local State Dir = # /var/lib
SpamAssassin Default Rules Dir =
# egrep -r "/var/lib" /usr/lib/perl5/site_perl/5.8.7/Mail/
/usr/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin.pm:C. Defaults to "/var/lib/spamassassin".
/usr/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin.pm: $self->{LOCAL_STATE_DIR} ||= '/var/lib/spamassassin';
#

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Nov 14 14:18:25 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 14 14:18:29 2006
Subject: Filename.rules.conf (attachment filename scanning) not working after upgrade
In-Reply-To: <002d01c707f4$251c3a10$9fe21005@hogent.be>
References: <002d01c707f4$251c3a10$9fe21005@hogent.be>
Message-ID: <223f97700611140618n4b0e1cb9ha7b292be739c101d@mail.gmail.com>

On 14/11/06, Filip Nollet wrote:
> Hi all,
>
> Upgraded to latest release of MailScanner 4.56.8-1. But after a while I
> noted that I didn't receive any notifications anymore of files being
> quarantined because of bad filenames.
>
> Checked the upgraded configfile and the necessary options were still there
> (I am just showing the obvious config options):
>
(snip)
>
> The filename.rules.conf file is the new file from the rpm package with one
> change in it: zip files get a "deny" and are thus not allowed.
> MailScanner logs show no errors, warnings etc at all; all the attachments
> are just not scanned for bad names
> Virus scanning, TNEF expansion etc is working fine however.
>
> Am I looking over something here? I have been using MailScanner for some
> years now on 5 different e-mail servers and have no idea why it is acting so
> strange after an upgrade? It is happening on 3 of the upgraded servers (the
> other 2 do not do filename scanning).
>
> Has it something to do with the new filename options?
>
Probably not. Try

MailScanner --lint
MailScanner --changed
MailScanner --debug

where the first runs through a syntax check (likely will find your problem:-), the second lists what options you've changed from the default setting (might help "detect" some inconsistencies), and the third (which you should run when MailScanner is stopped) will run through a "one message debug run".

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rpoe at plattesheriff.org Tue Nov 14 15:11:57 2006
From: rpoe at plattesheriff.org (Rob Poe) Date: Tue Nov 14 15:12:47 2006 Subject: Annoying!!! In-Reply-To: References: <45585CA7.65ED.00A2.0@plattesheriff.org> Message-ID: <4559885E.65ED.00A2.0@plattesheriff.org> It's not me that's getting the stock spams. Someone is sending them AS my domain, and my catchall is grabbing the Undeliverables. :) >>> "Douglas Ward" 11/13/2006 2:45 PM >>> I have started rejecting the .gif extension in postfix. That has taken care of the majority of the image based stock spam (for now). On 11/13/06, Rob Poe wrote: > > Someone is sending spam as one of my domains (poeweb.com, if you're > getting it, it's NOT me!). I'm getting literally hundreds of bounce > messages daily. > > I *DO* have a catchall for this domain, and that's getting a lot of the > bounceback messages. > > Anyone have any great ideas for at least slowing the delivery failure, > bounced for spam, etc messages? > > It's image based stock spam that they're sending. I'd really like them to > stop, it's quite annoying. > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From steinkel at pa.net Tue Nov 14 15:30:56 2006 
From: steinkel at pa.net (Leland J. Steinke) Date: Tue Nov 14 15:31:10 2006 Subject: clamav 0.88.5 problems? Message-ID: <4559E130.4070001@pa.net> Has anybody else noticed clamscan taking up a lot more CPU and memory resources in the last several days? I checked the clamav-users list archive on gmane; all I found were references to erroneous "OUTDATED" messages. No, there is not more than one version of clamav on the servers. I did finally finish upgrading to 0.88.5 last Thursday, but there were no problems on Friday. They only started yesterday. Maybe it's just time to throw more hardware at this particular section of our mail server farm... Thanks, Leland From matt at coders.co.uk Tue Nov 14 15:41:03 2006 From: matt at coders.co.uk (Matt Hampton) Date: Tue Nov 14 15:41:37 2006 Subject: Annoying!!! In-Reply-To: <4559885E.65ED.00A2.0@plattesheriff.org> References: <45585CA7.65ED.00A2.0@plattesheriff.org> <4559885E.65ED.00A2.0@plattesheriff.org> Message-ID: <4559E38F.1090101@coders.co.uk> Rob Poe wrote: > It's not me that's getting the stock spams. Someone is sending them AS my domain, and my catchall is grabbing the Undeliverables. :) > Please, please, please look at milter-null. Has saved one of my users (also with a catchall) getting 40 a minute. matt From alex at nkpanama.com Tue Nov 14 15:44:40 2006 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Nov 14 15:45:28 2006 Subject: clamav 0.88.5 problems? In-Reply-To: <4559E130.4070001@pa.net> References: <4559E130.4070001@pa.net> Message-ID: <4559E468.2050202@nkpanama.com> Isn't it up to 88.6? Leland J. Steinke wrote: > Has anybody else noticed clamscan taking up a lot more CPU and memory > resources in the last several days? I checked the clamav-users list > archive on gmane; all I found were references to erroneous "OUTDATED" > messages. No, there is not more than one version of clamav on the servers. > > I did finally finish upgrading to 0.88.5 last Thursday, but there were > no problems on Friday. They only started yesterday. > > Maybe it's just time to throw more hardware at this particular section > of our mail server farm... > > > Thanks, > Leland From steinkel at pa.net Tue Nov 14 15:58:27 2006 From: steinkel at pa.net (Leland J. Steinke) Date: Tue Nov 14 15:59:31 2006 Subject: clamav 0.88.5 problems? In-Reply-To: <4559E468.2050202@nkpanama.com> References: <4559E130.4070001@pa.net> <4559E468.2050202@nkpanama.com> Message-ID: <4559E7A3.3040506@pa.net> Alex Neuman van der Hans wrote: > Isn't it up to 88.6? Yes, but that was also the case last Friday, after I completed the 0.88.5 upgrade. The current problems didn't start until Monday morning. From glenn.steen at gmail.com Tue Nov 14 16:31:24 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Nov 14 16:31:27 2006 Subject: Annoying!!! In-Reply-To: <4559885E.65ED.00A2.0@plattesheriff.org> References: <45585CA7.65ED.00A2.0@plattesheriff.org> <4559885E.65ED.00A2.0@plattesheriff.org> Message-ID: <223f97700611140831m24203e68w6d785f4c525060da@mail.gmail.com> On 14/11/06, Rob Poe wrote: > It's not me that's getting the stock spams. Someone is sending them AS my domain, and my catchall is grabbing the Undeliverables. :) > Doesn't matter. You shouldn't accept them anyway (just find another way to be lazy.... That is what a good sysadm should have as his/her motto/mantra;). Matts suggestion to use milter-null seems like a sane compromise though:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Nov 14 16:39:17 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Nov 14 16:39:22 2006 Subject: clamav 0.88.5 problems? In-Reply-To: <4559E7A3.3040506@pa.net> References: <4559E130.4070001@pa.net> <4559E468.2050202@nkpanama.com> <4559E7A3.3040506@pa.net> Message-ID: <223f97700611140839y693d0049je6a481a034cbcf71@mail.gmail.com> On 14/11/06, Leland J. Steinke wrote: > Alex Neuman van der Hans wrote: > > Isn't it up to 88.6? > > Yes, but that was also the case last Friday, after I completed the > 0.88.5 upgrade. The current problems didn't start until Monday morning. Um, why does it sound like updating ClamAV would be such a chore? Either a very simple build-install (if you use the official source) or an even easier unpack->install.sh if using Jules excellent clam+SA package... repeat on all MS hosts...:-) Haven't noted anything special myself... Do you use any extra sigs? Might be there was some problem with somesuch... Do a search on this list, ISTR something about that:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From chandler at chapman.edu Tue Nov 14 17:12:12 2006 From: chandler at chapman.edu (Chandler, Jay) Date: Tue Nov 14 17:12:16 2006 Subject: Massive queue buildup Message-ID: Actually, I can do one better than that-- I've got Mailscanner MRTG installed. Right now it's right around 1700 bytes a second, and it's been pretty consistently there. -- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: We are Microsoft. What you are experiencing is not a problem; it is an undocumented feature. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis
Sent: Monday, November 13, 2006 5:35 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

That sounds like the one you want. Check your syslog, it should show you your batch processing speed

IE:

Nov 14 14:30:10 mx3 MailScanner[5500]: Spam Checks completed at 826 bytes per second
Nov 14 14:30:10 mx3 MailScanner[5500]: Virus and Content Scanning: Starting
Nov 14 14:30:13 mx3 MailScanner[5500]: Virus Scanning completed at 4633 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Uninfected: Delivered 1 messages
Nov 14 14:30:13 mx3 MailScanner[5500]: Virus Processing completed at 692908 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Batch completed at 700 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Batch (1 message) processed in 9.86 seconds
Nov 14 14:30:13 mx3 MailScanner[5500]: Logging message 1Gjn7U-0000rl-44 to SQL
Nov 14 14:30:13 mx3 MailScanner[5500]: "Always Looked Up Last" took 0.00 seconds

Do you have the spamassassin cache enabled?

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay
Sent: Tue 11/14/2006 2:15 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

I don't show any match for anything approaching that, other than "log speed," which is set to yes for MRTG.

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: not approved by the FCC

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis
Sent: Monday, November 13, 2006 4:55 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

ok, what about batch processing speed? Try enabling that within MailScanner.conf

________________________________
From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay Sent: Tue 11/14/2006 1:52 PM To: MailScanner discussion Subject: RE: Massive queue buildup brewer# time spamassassin -C /usr/local/etc/mail/spamassassin/mailscanner.conf --lint 3.092u 0.386s 0:09.71 35.7% 10+37348k 0+0io 0pf+0w brewer# time spamassassin -C /usr/local/etc/mail/spamassassin/ --lint 4.135u 0.318s 0:04.97 89.3% 10+48865k 0+0io 0pf+0w brewer# Looks good from here. -- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: terrorist activities -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 4:13 PM To: MailScanner discussion Subject: RE: Massive queue buildup 3 seconds? Not bad! However, are you sure that includes the mailscanner config? (It might be in /etc/spamassassin or /etc/mail/spamassassin) if not, include the config file in your lint (I think its either -C or -P /path/to/spam.assassin.conf) ________________________________ From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay Sent: Tue 11/14/2006 1:09 PM To: MailScanner discussion Subject: RE: Massive queue buildup Time spamassassin -D --lint takes three point seven seconds-- I don't think that's where the holdup is occuring. Our DNS server is local and on the same netblock as the mailserver in question. We have a few RBLs at connecttime, but they seem to be holding up well. It's a bit of a stumper... -- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: your keyboard's space bar is generating spurious keycodes. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis Sent: Monday, November 13, 2006 3:48 PM To: MailScanner discussion Subject: RE: Massive queue buildup if you want to only check spamassassin (generally the slowest part with lots of rules) "time spamassassin -D --lint" is a good start. as long as your mailscanner.cf is in a reasonable place it should pick it up. If you keep an eye on where it seems to take a while, it should help you track down the problem. Or, there is an option within mailscanner to turn on batch process time. I forget the name however its in the last quarter of the config somewhere. are you running bayes? If you are, and its standard db files on the server, I would recommend migrating these to an sql server somewhere. This helped scan times a fair bit too. Another upside is this also means you can have multiple servers using the same db. With RBL's, don't forget spamassassin also does RBL checking so make sure your not doing twice the lookups you need to. 100k a day should be fine on the hardware you have. ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info on behalf of Jay Chandler Sent: Tue 11/14/2006 12:39 PM To: MailScanner discussion Subject: Re: Massive queue buildup On Nov 13, 2006, at 2:42 PM, Brent Addis wrote: Check your not running one of those massive blacklists from SARE. I was running one for a while while testing and a similar thing happened. removing it dropped my average scan time from ~2 1/2 minutes to 11 seconds per message. Where does one determine how long the average scan time is? Other ideas: - Check your dns servers are capable of standing up to the amount of dns requests you are making. Running something like nscd locally is a good idea. I suspect they are, but I'll verify this. - Are you running very many RBL's within mailscanner? Try disabling these and see if it helps. Three or four-- nothing insane. - Are you running any type of recipient verification? (as in, checking that the person being sent the mail actually exists). If not, try turning it on. I am unsure what it is called within postfix as I don't use it. We are. Messages to undefined users fault to a 5xx error. - Check out http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips which has a few others as well. Thanks! How much mail are you handling a day? I have a couple of single cpu 3.0 ghz machines comfortably handling many thousands of messages a day. Right now, about 100K a day. Thanks for the help! -- Jay Chandler Network Administrator, Chapman University 714-628-7249 / chandler@chapman.edu "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From chandler at chapman.edu Tue Nov 14 17:16:41 2006 From: chandler at chapman.edu (Chandler, Jay) Date: Tue Nov 14 17:16:44 2006 Subject: Massive queue buildup Message-ID: Howdy. 1. It's on different hardware, so I'm not convinced it's a hardware based fault. 2. Running Postfix here, so a ps ax | grep -c postfix returns 1. 3. I am running DCC, as well as Razor. -- Jay Chandler Network Administrator, Chapman University 714.628.7249 / chandler@chapman.edu Today's Excuse: We are Microsoft. What you are experiencing is not a problem; it is an undocumented feature. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res Sent: Monday, November 13, 2006 9:37 PM To: MailScanner discussion Subject: Re: Massive queue buildup On Mon, 13 Nov 2006, Jay Chandler wrote: > Built my first Mailscanner / Postfix box on Friday due to a Sendmail > meltdown last week-- was forced to throw this box into production early. Sendmail meltdown? I think it might be your hardware too. ecartis~# ps ax | grep -c sendmail 1103 dual 2.6, 2G mem and its hardly raising an sweat ~# w 15:35:09 up 308 days, 5:08, 1 user, load average: 0.47, 0.49, 0.44 > It ran fine over the weekend, but today there's a massive queue > buildup when I run an mqueue-- 10K so far and building. > enable log speed, ill bet youll discover its SA, do you use dcc? I had to disable dcc a couple weeks ago because of similar issues. > average of around 13. the above is on my list server, so it works hard most of the time, with a load of 13 I'd expact the see 10+K sendmail processes.. I dont know how many sessions you were seeing or are seeing now with postfix, but somthings amiss. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From martinh at solidstatelogic.com Tue Nov 14 17:21:01 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Nov 14 17:21:11 2006 Subject: clamav 0.88.5 problems? In-Reply-To: <4559E7A3.3040506@pa.net> References: <4559E130.4070001@pa.net> <4559E468.2050202@nkpanama.com> <4559E7A3.3040506@pa.net> Message-ID: <4559FAFD.6070308@solidstatelogic.com> Leland J. Steinke wrote: > Alex Neuman van der Hans wrote: >> Isn't it up to 88.6? > > Yes, but that was also the case last Friday, after I completed the > 0.88.5 upgrade. The current problems didn't start until Monday morning. 0.88.5 was 'pulled' due a network/update issues.....hence why you're seeing the outdated I guess. 0.88.6 was released November 5th as a fix to these freshclam issues -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From ugob at camo-route.com Tue Nov 14 17:20:26 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Tue Nov 14 17:21:24 2006 Subject: noticesizeinfected in language translation file Message-ID: Hi, I get this error on some of my servers (4.56.8). I looked in /etc/MailScanner/reports/en and I can't find an rpmnew file or this string in the current languages.conf file. Looked up unknown string noticesizeinfected in language translation file /etc/MailScanner/reports/en/languages.conf Has it been ommited? Regards, Ugo From danc at bluestarshows.com Tue Nov 14 18:24:56 2006 
From: danc at bluestarshows.com (Dan Carl)
Date: Tue Nov 14 18:29:07 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> <013301c70739$c57359f0$0200000a@danc3><01f501c7074d$b0296e90$0200000a@danc3> <029501c7076c$0a099110$0200000a@danc3> <02d601c70777$216cf580$0200000a@danc3>
Message-ID: <017601c7081a$302dd370$0200000a@danc3>

[snip]
> > That's an option on MS, look for "Always Include SpamAssassin Report".
> Thanks, missed it in the conf. Now I can do some testing
[snip]

I've been analyzing messages all morning.
It seems that spamassassin runs through all of the rules all the time but
mailscanner rules erratically. (example below)

FROM SPAMASSASSIN
Content analysis details:   (13.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
[SPF failed: Please see http://www.openspf.org/why.html?sender=sondraiszmcgrathly%40charter.net&ip=85.69.182.160&receiver=mail.bluestarshows.com]
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9598]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [85.69.182.160 listed in dnsbl.sorbs.net]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [85.69.182.160 listed in sbl-xbl.spamhaus.org]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [85.69.182.160 listed in combined.njabl.org]

FROM MAILSCANNER
X-Bluestar-MScan-SpamCheck: not spam, SpamAssassin (not cached, score=5.844,
        required 6, RCVD_IN_NJABL_DUL 1.95, RCVD_IN_XBL 3.90,
        UNPARSEABLE_RELAY 0.00)
X-Bluestar-SpamScore: sssss

This is the exact same message.
Why didn't Mailscanner use Bayes, SORBS or SPAMCOP?
It's not like they're not working; here's proof of one caught a few minutes
ago.
spamcop is not here but bayes and sorbs are.

X-Bluestar-MScan-SpamCheck: spam, SpamAssassin (not cached, score=9.284,
        required 6, BAYES_60 1.00, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77,
        MSGID_FROM_MTA_ID 1.39, RAZOR2_CF_RANGE_51_100 0.50,
        RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50,
        RCVD_IN_SORBS_WEB 1.46)

Rene hope you or someone else can help.

From ssilva at sgvwater.com Tue Nov 14 19:33:35 2006
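Added example, not part of any post in this thread and not MailScanner or SpamAssassin code: a small Python script that diffs the rule hits in a MailScanner SpamCheck header (or syslog line) against a manual `spamassassin -t` report for the same message, and groups the missing hits by kind. The sample input is the pair from Dan Carl's post above (header folding added, report abridged); grouping rules by name prefix is an assumption of this example.

```python
"""Diff the SpamAssassin rules MailScanner logged for a message against the
rules a manual `spamassassin -t` run reported for the same message."""
import re
from collections import defaultdict

RULE = r"[A-Z][A-Z0-9_]+"
NUM = r"-?\d+(?:\.\d+)?"

# Grouping rules by name prefix is an assumption of this example; it follows
# stock SpamAssassin naming, and anything unrecognised lands in "other".
FAMILIES = [
    ("dnsbl", re.compile(r"^RCVD_IN_")),
    ("bayes", re.compile(r"^BAYES_\d+$")),
    ("spf", re.compile(r"^SPF_")),
    ("digest", re.compile(r"^(?:DCC_|RAZOR2_|PYZOR_|DIGEST_)")),
]

# Sample input copied from the post above (header folding added here,
# report continuation lines abridged).
MS_HEADER = (
    "X-Bluestar-MScan-SpamCheck: not spam, SpamAssassin (not cached, "
    "score=5.844,\n\trequired 6, RCVD_IN_NJABL_DUL 1.95, RCVD_IN_XBL 3.90,\n"
    "\tUNPARSEABLE_RELAY 0.00)"
)
CLI_REPORT = """\
Content analysis details:   (13.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9598]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [85.69.182.160 listed in dnsbl.sorbs.net]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [85.69.182.160 listed in sbl-xbl.spamhaus.org]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
"""


def rule_family(name):
    """Return the coarse family a rule name belongs to."""
    for family, pattern in FAMILIES:
        if pattern.search(name):
            return family
    return "other"


def parse_mailscanner(text):
    """Parse the '(... score=N, required N, RULE pts, ...)' group that
    MailScanner writes to its SpamCheck header and to syslog."""
    m = re.search(r"\(([^()]*score=[^()]*)\)", text)
    if not m:
        raise ValueError("no '(... score=...)' group found")
    body = m.group(1)
    rules = {}
    for item in body.split(","):
        hit = re.fullmatch(rf"({RULE})\s+({NUM})", item.strip())
        if hit:  # skips 'not cached', 'score=...', 'required N'
            rules[hit.group(1)] = float(hit.group(2))
    score = float(re.search(rf"score=({NUM})", body).group(1))
    required = float(re.search(rf"required\s+({NUM})", body).group(1))
    return {"score": score, "required": required, "rules": rules}


def parse_sa_report(text):
    """Parse the 'Content analysis details' table of a spamassassin report.
    Bracketed continuation lines and the ruler line are ignored."""
    m = re.search(rf"\(({NUM}) points, ({NUM}) required\)", text)
    if not m:
        raise ValueError("no '(N points, N required)' summary found")
    rules = {}
    for line in text.splitlines():
        row = re.match(rf"\s*({NUM})\s+({RULE})(?:\s|$)", line)
        if row:
            rules[row.group(2)] = float(row.group(1))
    return {"score": float(m.group(1)), "required": float(m.group(2)),
            "rules": rules}


def compare(ms, cli):
    """Report which command-line hits MailScanner did not record."""
    missing = defaultdict(list)
    for name in sorted(set(cli["rules"]) - set(ms["rules"])):
        missing[rule_family(name)].append(name)
    lost = sum(cli["rules"][n] for names in missing.values() for n in names)
    return {
        "missing_from_mailscanner": dict(missing),
        "only_in_mailscanner": sorted(set(ms["rules"]) - set(cli["rules"])),
        "lost_points": round(lost, 2),
        # True when MailScanner passed the message but the missing hits
        # alone would have pushed it over MailScanner's own threshold.
        "flips_verdict": ms["score"] < ms["required"] <= ms["score"] + lost,
    }


if __name__ == "__main__":
    result = compare(parse_mailscanner(MS_HEADER), parse_sa_report(CLI_REPORT))
    for family, names in sorted(result["missing_from_mailscanner"].items()):
        print(f"{family:7} missing under MailScanner: {', '.join(names)}")
    print("points lost:", result["lost_points"],
          "| verdict would flip to spam:", result["flips_verdict"])
```

For this message the gap is Bayes plus DNS-based tests; for the test message Daniel Maher posts later in the thread, every missing hit falls in `other` (his site's `UBI_*` rules).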
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Nov 14 19:34:28 2006
Subject: Mail Not Delivering
In-Reply-To: <223f97700611140225x7dc0dee4y17102bc49daccd31@mail.gmail.com>
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com> <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com> <223f97700611130119k45a4ba9cm2a7ab87f52c5c1f2@mail.gmail.com> <223f97700611140225x7dc0dee4y17102bc49daccd31@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 11/14/2006 2:25 AM:
> On 14/11/06, Scott Silva wrote:
>> Glenn Steen spake the following on 11/13/2006 1:19 AM:
>> > On 13/11/06, Res wrote:
>> >> On Sun, 12 Nov 2006, Glenn Steen wrote:
>> >>
>> >> > Nope, I think it has something to do with general understaffing and
>> >> > continually jumping from one hot spot to the next (networking
>> >> > (switches, firewalls, VPN GWs, RSA ACE etc etc), Unix admin (some
>> >> > hefty AIX boxes, a slew of Suns, a plethora of linuces), backup
>> >>
>> >> *snip* what are you a one man NOC ? surely you can delegate, but I
>> >> know if something f2#$#s up it still comes back down to me, that's why
>> >> competent engineers by my side are a must ;)
>> > The term there is _understaffed_;-). Then one becomes "key" to
>> > operations in oh so many ways. Sigh. We're leasing the needed people
>> > to delegate to, but... It's not the same as a fellow employee.
>> >
>> >> > The MX GWs with postfix/MailScanner/etc/etc is what _saves_ me time,
>> >> > more time to qmail (Q for quirky, right:) or snide^H^H^H^Hendmail if I
>> >>
>> >> We are shortly about to remove qmail from equation on all our virtual
>> >> domain boxes by using sendmail and cyrus, I'm sick to death of
>> >> spending 2 days
>> >> patching the useless piece of crap every time we want some other feature
>> >> that's defaultly in sendmail and has been in it for like 8 years or more.
>> >>
>> >> bernstein is right about one thing tho, qmail is secure, after all how can
>> >> you exploit something that does nothing :D
>> >>
>> > Yep:-).
>> >
>> Understaffed and underpaid!
>> That is the sysop's theme song!
>> Let's all sing along!!!
>>
>> It is so easy for my boss to give me 3 or 4 jobs, but I sure can't get payroll
>> to cut me 3 or 4 paychecks!!!!
>>
>> I'll stop sniveling now! I'll just go beat my head against a server. :-/
>
> Ah yes.... Snivelers of the World: Unite! ... Over a beer:-).
>
I drank to that!!! Maybe a little too much!
Don't need to beat my head against a server, because it feels like I already
did.:-D

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From steinkel at pa.net Tue Nov 14 20:22:15 2006
From: steinkel at pa.net (Leland J. Steinke)
Date: Tue Nov 14 20:22:12 2006
Subject: clamav 0.88.5 problems?
In-Reply-To: <4559FAFD.6070308@solidstatelogic.com>
References: <4559E130.4070001@pa.net> <4559E468.2050202@nkpanama.com> <4559E7A3.3040506@pa.net> <4559FAFD.6070308@solidstatelogic.com>
Message-ID: <455A2577.4010605@pa.net>

Martin Hepworth wrote:
> Leland J. Steinke wrote:
>> Alex Neuman van der Hans wrote:
>>> Isn't it up to 88.6?
>>
>> Yes, but that was also the case last Friday, after I completed the
>> 0.88.5 upgrade. The current problems didn't start until Monday morning.
>
> 0.88.5 was 'pulled' due a network/update issues.....hence why you're
> seeing the outdated I guess.
>
> 0.88.6 was released November 5th as a fix to these freshclam issues
>

Well, I upgraded to 0.88.6 and, for good measure, changed /tmp to a tmpfs
partition. No difference.

We are not doing spam scanning on these boxes (our outbound mail servers).
I found that clamav is taking 10-20 seconds to check eicar or any other small
files. We do not do any special clamav signature files on these servers. The
inbound mail servers that do spam-scanning and special (MSRBL-Images.hdb)
clamav signature files are not having any of these issues (/me knocks wood).

If nobody else is seeing anything like this on similarly configured servers
(MS 4.56.8 with postfix running on dual PIII 500s with 512M RAM on one server
and single PIII 1266 with 1G RAM on the other), then I'll just assume it's a
hardware issue and we hit a performance bottleneck over the weekend.

Leland

From daniel.maher at ubisoft.com Tue Nov 14 20:27:30 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Tue Nov 14 20:27:35 2006
Subject: MailScanner totally missing SA rules...
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203B25128@UBIMAIL1.ubisoft.org>

Hello all,

I, too, am experiencing a similar problem to another member of the list;
specifically, MailScanner seems to be totally missing (or, at best, randomly
using) SpamAssassin rules. This is a fairly serious issue, since the amount
of un-tagged spam now getting through the filters is becoming problematic.

For example, consider the following email message:

Subject: test
From: wahtever
To: daniel.maher@ubisoft.com
Content-Type: text/plain
Message-Id: <1154034241.23136.34.camel@localhost.localdomain>
Mime-Version: 1.0
X-Mailer: Evolution 2.6.1
Date: Fri, 15 Sep 2006 14:54:44 -0400
X-Evolution-Format: text/plain
Content-Transfer-Encoding: 8bit

PHxxARMACY V1xxAGRA C1xxALIS lose weight now, melt the extra pounds.

The exact message, passed through MailScanner via SMTP (Postfix):

Nov 14 15:16:15 ad-postfix MailScanner[14220]: Message 2EAFC1A65DB.C9579 from 127.0.0.1 (hihi@gmail.com) to ubisoft.com is not spam, SpamAssassin (score=1.572, required 6, DATE_IN_PAST_96_XX 1.57)

Now passed through SpamAssassin via the commandline, as the MTA user:

Content analysis details:   (12.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 6.0 UBI_PHARMSTRNG01       BODY: Pharmacy string (01)
 0.1 UBI_FINDME             BODY: test string
 3.0 UBI_LOSEFAT10          BODY: Weightloss hits (string) (10)
 2.0 UBI_PHARMPILL02        Pharmacy hits (02)
 1.0 UBI_LOSEFAT01          Weightloss hits (01)
-0.0 NO_RECEIVED            Informational: message has no Received headers

As you can see, the triggered rules are completely different, which is
worrisome. I have tested numerous examples where MS would trigger some SA
rules, but not others (very bizarre). I recently upgraded to MailScanner
4.57.3 and SpamAssassin 3.1.7 . Before the upgrade, everything worked
perfectly. I didn't change any config files, with the exception of the
following line in mailscanner.conf :

Max SpamAssassin Size = 80000 trackback

Does anybody have any ideas or insight? Thanks!

--
 _
°v°    Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061114/3e709736/attachment.html

From ohlund at woodwrecker.com Tue Nov 14 20:34:40 2006
From: ohlund at woodwrecker.com (ohlund@woodwrecker.com)
Date: Tue Nov 14 20:34:40 2006
Subject: FreeBSD 4.11 Ports Issue
In-Reply-To:
References:
Message-ID: <47593.66.179.233.5.1163536480.squirrel@www.woodwrecker.com>

I'm trying to rebuild MailScanner under FreeBSD 4.11 and I get the following:

===> Verifying install for /usr/local/lib/perl5/site_perl/5.6.2/mach/Filesys/Df.pm in /usr/ports/sysutils/p5-Filesys-Df
===> p5-Filesys-Df-0.92 requires statvfs() which is not available before FreeBSD-5*.
*** Error code 1

Stop in /usr/ports/sysutils/p5-Filesys-Df.
*** Error code 1

Stop in /usr/ports/mail/mailscanner.

Looks like some of the ports expect the code to have V5 routines available
although I'm only updating from RELENG-4. The error message is originating
from the Makefile which is specifically checking for an OS version >= 5.0.

Any ideas?

From mikej at rogers.com Tue Nov 14 20:52:27 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Tue Nov 14 20:52:24 2006
Subject: FreeBSD 4.11 Ports Issue
In-Reply-To: <47593.66.179.233.5.1163536480.squirrel@www.woodwrecker.com>
References: <47593.66.179.233.5.1163536480.squirrel@www.woodwrecker.com>
Message-ID: <455A2C8B.3060305@rogers.com>

ohlund@woodwrecker.com wrote:
> I'm trying to rebuild MailScanner under FreeBSD 4.11 and I get the following:
>
> ===> Verifying install for
> /usr/local/lib/perl5/site_perl/5.6.2/mach/Filesys/Df.pm in
> /usr/ports/sysutils/p5-Filesys-Df
> ===> p5-Filesys-Df-0.92 requires statvfs() which is not available before
> FreeBSD-5*.
> *** Error code 1
>
> Stop in /usr/ports/sysutils/p5-Filesys-Df.
> *** Error code 1
>
> Stop in /usr/ports/mail/mailscanner.
>
> Looks like some of the ports expect the code to have V5 routines available
> although I'm only updating from RELENG-4. The error message is originating
> from the Makefile which is specifically checking for an OS version >= 5.0.
>
> Any ideas?
>

First of all, you should have posted to the freebsd-ports mailing list, not
here. I would recommend you get with time and consider updating to FreeBSD 6.
As a last resort, you can try using the MS packages available on the website
instead of the port.

From ohlund at woodwrecker.com Tue Nov 14 21:02:19 2006
From: ohlund at woodwrecker.com (ohlund@woodwrecker.com)
Date: Tue Nov 14 21:02:22 2006
Subject: FreeBSD 4.11 Ports Issue
In-Reply-To: <455A2C8B.3060305@rogers.com>
References: <47593.66.179.233.5.1163536480.squirrel@www.woodwrecker.com> <455A2C8B.3060305@rogers.com>
Message-ID: <14980.66.179.233.5.1163538139.squirrel@www.woodwrecker.com>

> ohlund@woodwrecker.com wrote:

> First of all, you should have posted to the freebsd-ports mailing list,
> not here.

First of all, I did post to FreeBSD list. They suggested that I post here.
Apparently there is a BSD expert that lurks here.

> I would recommend you get with time and consider updating to FreeBSD 6.

Jumping to a new major release isn't guaranteed to resolve my problem, is
it? 4.11 is still supported so there's some other issue. Ultimately I will
upgrade to 6, but right now I have this issue to resolve.

> As a last resort, you can try using the MS packages available
> on the website instead of the port.

As a last resort, I will resort to the package, but I was hoping to gain
some insight as to why the port didn't build.

~Mark.

>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From campbell at cnpapers.com Tue Nov 14 21:31:15 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Nov 14 21:31:34 2006
Subject: MailScanner totally missing SA rules...
References: <1E293D3FF63A3740B10AD5AAD88535D203B25128@UBIMAIL1.ubisoft.org>
Message-ID: <003c01c70834$36e223a0$0705000a@DDF5DW71>

Daniel,

Setting the MailScanner.conf set as below resolved all of my problems:

SpamAssassin Local Rules Dir = /etc/mail/spamassassin

I am running an old 4.52.2 version that is completely functioning properly.

Steve

----- Original Message -----
--------------------------------------------------------------------------------

> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From mikej at rogers.com Tue Nov 14 21:32:26 2006
From: mikej at rogers.com (Mike Jakubik)
Date: Tue Nov 14 21:32:23 2006
Subject: FreeBSD 4.11 Ports Issue
In-Reply-To: <14980.66.179.233.5.1163538139.squirrel@www.woodwrecker.com>
References: <47593.66.179.233.5.1163536480.squirrel@www.woodwrecker.com> <455A2C8B.3060305@rogers.com> <14980.66.179.233.5.1163538139.squirrel@www.woodwrecker.com>
Message-ID: <455A35EA.6080105@rogers.com>

ohlund@woodwrecker.com wrote:
>> First of all, you should have posted to the freebsd-ports mailing list,
>> not here.
>>
>
> First of all, I did post to FreeBSD list. They suggested that I post here.
> Apparently there is a BSD expert that lurks here.
>

I guess I missed that post then, as I can't see any recent posts about this..

>
>> I would recommend you get with time and consider updating to FreeBSD 6.
>>
>
> Jumping to a new major release isn't guaranteed to resolve my problem, is
> it?

Yes it is, as the port compiles correctly on 6.

> 4.11 is still supported so there's some other issue. Ultimately I will
> upgrade to 6, but right now I have this issue to resolve.
>

Only by the security officer.

>
>> As a last resort, you can try using the MS packages available
>> on the website instead of the port.
>>
>
> As a last resort, I will resort to the package, but I was hoping to gain
> some insight as to why the port didn't build.
>

I think the p5-Filesys-Df port made that quite clear, "requires statvfs()
which is not available before FreeBSD-5*"

From daniel.maher at ubisoft.com Tue Nov 14 21:46:14 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Tue Nov 14 21:46:19 2006
Subject: MailScanner totally missing SA rules...
In-Reply-To: <003c01c70834$36e223a0$0705000a@DDF5DW71>
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203B252BC@UBIMAIL1.ubisoft.org>

Hi Steve,

Thanks for the tip - unfortunately, this did not help the issue. It is
worth noting that /downgrading/ to the previous version I was running
(4.51), in fact, totally solves the problem.

There would appear to be a bug afoot...

--
 _
°v°    Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

From r.berber at computer.org Tue Nov 14 21:54:30 2006
From: r.berber at computer.org (René Berber)
Date: Tue Nov 14 21:54:46 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
In-Reply-To: <017601c7081a$302dd370$0200000a@danc3>
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611100901ma3d4061gba655c7ea5a6db15@mail.gmail.com><016401c70509$72f609c0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com> <013301c70739$c57359f0$0200000a@danc3><01f501c7074d$b0296e90$0200000a@danc3> <029501c7076c$0a099110$0200000a@danc3> <02d601c70777$216cf580$0200000a@danc3> <017601c7081a$302dd370$0200000a@danc3>
Message-ID:

Dan Carl wrote:

[snip]
> I've been analyzing messages all morning.
> It seems that spamassassin runs through all of the rules all the time but
> mailscanner rules erratically.(example below)
>
> FROM SPAMASSASSIN
> Content analysis details: (13.8 points, 5.0 required)
...
> 3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
> [score: 0.9598]
> 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
> address
...
> FROM MAILSCANNER
> X-Bluestar-MScan-SpamCheck: not spam, SpamAssassin (not cached, score=5.844,
> required 6, RCVD_IN_NJABL_DUL 1.95, RCVD_IN_XBL 3.90,
> UNPARSEABLE_RELAY 0.00)
>
> This is the exact same message.
> Why didn't Mailscanner use Bayes, SORBS or SPAMCOP?

That's a tough one... timeouts perhaps?

Slow DNS response would explain an occasional RBL test timeout, but Bayes will
only timeout if the computer has a high load. Anyway, it's only a theory, I
haven't seen this problem before.

> It's not like there not working here's proof of one caught a few minutes
> ago.
> spamcop is not here but bayes and sorbs are.
>
> X-Bluestar-MScan-SpamCheck: spam, SpamAssassin (not cached, score=9.284,
> required 6, BAYES_60 1.00, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77,
> MSGID_FROM_MTA_ID 1.39, RAZOR2_CF_RANGE_51_100 0.50,
> RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50,
> RCVD_IN_SORBS_WEB 1.46)

Perhaps a real expert could show us how to debug this. From the SA.pm code I
see there is a debug setting, but I don't know how to turn it on; it may be
enough to see the parameters to SA (SA.pm uses fork-and-run).
--
René Berber

From campbell at cnpapers.com Tue Nov 14 21:54:41 2006
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Nov 14 21:55:02 2006
Subject: MailScanner totally missing SA rules...
References: <1E293D3FF63A3740B10AD5AAD88535D203B252BC@UBIMAIL1.ubisoft.org>
Message-ID: <000f01c70837$7d17be40$0705000a@DDF5DW71>

Daniel,

I only set this last week as I was seeing some of the more popular spams
slipping through. I added Sare stocks, thinking it would resolve the problem,
but realized that it was even using the new rule set. Mailwatch would update
the rule list as though it were, so I had a false sense of security. It was
only after trying a report in mailwatch showing all mail that was triggering
the stock rule that I discovered it was using it.

I guess the blank config line was added during an update and I assumed blank
was OK, much like the sendmail lock config option that has caused so much
trouble.

I also set the Site Rules option the same. You may try that.

Steve

----- Original Message -----
From res at ausics.net Tue Nov 14 22:15:25 2006
From: res at ausics.net (Res)
Date: Tue Nov 14 22:15:35 2006
Subject: Massive queue buildup
In-Reply-To:
References:
Message-ID:

Hi Jay,

On Tue, 14 Nov 2006, Chandler, Jay wrote:

> 3. I am running DCC, as well as Razor.

What did log speed = yes show?

Did disabling dcc improve things? Razor was not a problem here nor all the
SA rules from the fsl guys, I disabled all one, one by one put them back in,
did not take long to see dcc was the culprit, since I've disabled it, it's
all good.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand
and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Tue Nov 14 22:18:21 2006
From: res at ausics.net (Res)
Date: Tue Nov 14 22:18:30 2006
Subject: Mail Not Delivering
In-Reply-To:
References: <1163260360.27853.97.camel@thor.greenbuzz.net> <223f97700611111208o45d37376pf5f42980f601b579@mail.gmail.com> <223f97700611111259v721966fdnb986ef9746653a55@mail.gmail.com> <223f97700611121040k2d3ac16fy6bd6357ac6314100@mail.gmail.com> <223f97700611130119k45a4ba9cm2a7ab87f52c5c1f2@mail.gmail.com> <223f97700611140225x7dc0dee4y17102bc49daccd31@mail.gmail.com>
Message-ID:

On Tue, 14 Nov 2006, Scott Silva wrote:

> I drank to that!!! Maybe a little too much!

hehe done that before

> Don't need to beat my head against a server, because it feels like I already
> did.:-D

Swearing at it profusely might not help either, but by god it feels good :)

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand
and stare, is it only a dream that there'll be no more turning away" - Floyd

From vlad at mazek.com Tue Nov 14 23:18:57 2006
From: vlad at mazek.com (Vlad Mazek)
Date: Tue Nov 14 23:19:17 2006
Subject: Massive queue buildup
In-Reply-To:
References:
Message-ID: <455A4EE1.5030905@mazek.com>

Not to hijack a thread here, but what are the optimal batch size numbers?
We're averaging 60-70 seconds per 10 message batch, not sure what is eating
up the resources but where are everyone else's numbers at?

-Vlad

Chandler, Jay wrote:
> Actually, I can do one better than that-- I've got Mailscanner MRTG
> installed.
>
> Right now it's right around 1700 bytes a second, and it's been pretty
> consistently there.
>
>
> --
> Jay Chandler
> Network Administrator, Chapman University
> 714.628.7249 / chandler@chapman.edu
> Today's Excuse: We are Microsoft. What you are experiencing is not a
> problem; it is an undocumented feature.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent > Addis > Sent: Monday, November 13, 2006 5:35 PM > To: MailScanner discussion > Subject: RE: Massive queue buildup > > Thats sounds like the one you want. > > Check your syslog, it should show you your batch processing speed > > IE: > > Nov 14 14:30:10 mx3 MailScanner[5500]: Spam Checks completed at 826 > bytes per second Nov 14 14:30:10 mx3 MailScanner[5500]: Virus and > Content Scanning: Starting Nov 14 14:30:13 mx3 MailScanner[5500]: Virus > Scanning completed at 4633 bytes per second Nov 14 14:30:13 mx3 > MailScanner[5500]: Uninfected: Delivered 1 messages Nov 14 14:30:13 mx3 > MailScanner[5500]: Virus Processing completed at 692908 bytes per second > Nov 14 14:30:13 mx3 MailScanner[5500]: Batch completed at 700 bytes per > second Nov 14 14:30:13 mx3 MailScanner[5500]: Batch (1 message) > processed in 9.86 seconds Nov 14 14:30:13 mx3 MailScanner[5500]: Logging > message 1Gjn7U-0000rl-44 to SQL Nov 14 14:30:13 mx3 MailScanner[5500]: > "Always Looked Up Last" took 0.00 seconds > > Do you have the spamassassin cache enabled? > > > > ________________________________ > > From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, > Jay > Sent: Tue 11/14/2006 2:15 PM > To: MailScanner discussion > Subject: RE: Massive queue buildup > > > > I don't show any match for anything approaching that, other than "log > speed," which is set to yes for MRTG. > > > > > -- > Jay Chandler > Network Administrator, Chapman University > 714.628.7249 / chandler@chapman.edu > Today's Excuse: not approved by the FCC > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis
> Sent: Monday, November 13, 2006 4:55 PM
> To: MailScanner discussion
> Subject: RE: Massive queue buildup
>
> ok, what about batch processing speed? Try enabling that within MailScanner.conf
>
> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay
> Sent: Tue 11/14/2006 1:52 PM
> To: MailScanner discussion
> Subject: RE: Massive queue buildup
>
>
>
> brewer# time spamassassin -C /usr/local/etc/mail/spamassassin/mailscanner.conf --lint
> 3.092u 0.386s 0:09.71 35.7% 10+37348k 0+0io 0pf+0w
> brewer# time spamassassin -C /usr/local/etc/mail/spamassassin/ --lint
> 4.135u 0.318s 0:04.97 89.3% 10+48865k 0+0io 0pf+0w
> brewer#
>
> Looks good from here.
>
> --
> Jay Chandler
> Network Administrator, Chapman University
> 714.628.7249 / chandler@chapman.edu
> Today's Excuse: terrorist activities
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis
> Sent: Monday, November 13, 2006 4:13 PM
> To: MailScanner discussion
> Subject: RE: Massive queue buildup
>
> 3 seconds?
>
> Not bad!
>
> However, are you sure that includes the mailscanner config? (It might be in /etc/spamassassin or /etc/mail/spamassassin)
>
> if not, include the config file in your lint (I think it's either -C or -P /path/to/spam.assassin.conf)
>
> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info on behalf of Chandler, Jay
> Sent: Tue 11/14/2006 1:09 PM
> To: MailScanner discussion
> Subject: RE: Massive queue buildup
>
>
>
> Time spamassassin -D --lint takes three point seven seconds-- I don't think that's where the holdup is occurring.
>
> Our DNS server is local and on the same netblock as the mailserver in question.
>
> We have a few RBLs at connecttime, but they seem to be holding up well.
>
> It's a bit of a stumper...
>
>
> --
> Jay Chandler
> Network Administrator, Chapman University
> 714.628.7249 / chandler@chapman.edu
> Today's Excuse: your keyboard's space bar is generating spurious keycodes.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brent Addis
> Sent: Monday, November 13, 2006 3:48 PM
> To: MailScanner discussion
> Subject: RE: Massive queue buildup
>
> if you want to only check spamassassin (generally the slowest part with lots of rules) "time spamassassin -D --lint" is a good start. as long as your mailscanner.cf is in a reasonable place it should pick it up. If you keep an eye on where it seems to take a while, it should help you track down the problem.
>
> Or, there is an option within mailscanner to turn on batch process time. I forget the name however it's in the last quarter of the config somewhere.
>
> are you running bayes? If you are, and it's standard db files on the server, I would recommend migrating these to an sql server somewhere. This helped scan times a fair bit too. Another upside is this also means you can have multiple servers using the same db.
>
> With RBL's, don't forget spamassassin also does RBL checking so make sure you're not doing twice the lookups you need to.
>
> 100k a day should be fine on the hardware you have.
>
>
>
> ________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info on behalf of Jay Chandler
> Sent: Tue 11/14/2006 12:39 PM
> To: MailScanner discussion
> Subject: Re: Massive queue buildup
>
>
>
> On Nov 13, 2006, at 2:42 PM, Brent Addis wrote:
>
>
> Check you're not running one of those massive blacklists from SARE.
>
> I was running one for a while while testing and a similar thing happened. removing it dropped my average scan time from ~2 1/2 minutes to 11 seconds per message.
>
>
> Where does one determine how long the average scan time is?
>
>
> Other ideas:
>
> - Check your dns servers are capable of standing up to the amount of dns requests you are making. Running something like nscd locally is a good idea.
>
>
> I suspect they are, but I'll verify this.
>
>
> - Are you running very many RBL's within mailscanner? Try disabling these and see if it helps.
>
>
> Three or four-- nothing insane.
>
>
> - Are you running any type of recipient verification? (as in, checking that the person being sent the mail actually exists). If not, try turning it on. I am unsure what it is called within postfix as I don't use it.
>
>
> We are. Messages to undefined users fault to a 5xx error.
>
>
> - Check out http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips which has a few others as well.
>
>
> Thanks!
>
>
> How much mail are you handling a day? I have a couple of single cpu 3.0 ghz machines comfortably handling many thousands of messages a day.
>
>
>
> Right now, about 100K a day.
>
>
> Thanks for the help!
>
>
>
> --
> Jay Chandler
> Network Administrator, Chapman University
> 714-628-7249 / chandler@chapman.edu
> "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter Da Silva in a.s.r.
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From chandler at chapman.edu Wed Nov 15 04:58:18 2006
From: chandler at chapman.edu (Chandler, Jay)
Date: Wed Nov 15 04:58:24 2006
Subject: Massive queue buildup
Message-ID:

I've checked the log, and it seems reasonable. I'm not seeing any deferral messages.

Two relevant points:

1. The log with the crapton of messages in it is the Hold queue, implying that MailScanner is the bottleneck for one reason or another.

2. Said queue was at 15K last night, this morning it was at 5K, so that implies that a second box SHOULD alleviate the problem. In theory.

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: Someone is standing on the ethernet cable, causing a kink in the cable

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Dijkxhoorn
Sent: Monday, November 13, 2006 2:55 PM
To: MailScanner discussion
Subject: Re: Massive queue buildup

Hi!

> Built my first Mailscanner / Postfix box on Friday due to a Sendmail
> meltdown last week-- was forced to throw this box into production early.
>
> It ran fine over the weekend, but today there's a massive queue
> buildup when I run an mqueue-- 10K so far and building.
>
> Any idea where to look to sort out where it's coming from?

I know this sounds silly, but what about your mail log?

> It's possible the box itself is overloaded, 2 2.4 ghz procs, with a
> load average of around 13.

Slow DNS lookups? Large bayes db's etc etc ...

Bye,
Raymond.

From chandler at chapman.edu Wed Nov 15 05:42:57 2006
From: chandler at chapman.edu (Chandler, Jay)
Date: Wed Nov 15 05:43:01 2006
Subject: Massive queue buildup
Message-ID:

ov 14 20:07:42 brewer MailScanner[37903]: Batch (30 messages) processed in 328.23 seconds
Nov 14 20:07:51 brewer MailScanner[38335]: Batch (30 messages) processed in 670.92 seconds
Nov 14 20:08:37 brewer MailScanner[38125]: Batch (30 messages) processed in 643.34 seconds

That's not good.

Disabled DCC, Razor, and Pyzor, and I'm still seeing batch times in the same general range. I've got RAM to burn, so I kicked up the number of children to 30, and I'm still seeing the same batch times, but the queue is decrementing. Finally, I built up a box that's blazingly fast in processors, and woefully short of RAM, and put that ahead of this one in the mailserver precedence list. We'll see how it handles tomorrow.

Thanks for the assist, folks-- I appreciate it.

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: It must have been the lightning storm we had (yesterday) (last week) (last month)

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
Sent: Tuesday, November 14, 2006 2:15 PM
To: MailScanner discussion
Subject: RE: Massive queue buildup

Hi Jay,

On Tue, 14 Nov 2006, Chandler, Jay wrote:

> 3. I am running DCC, as well as Razor.

What did log speed = yes show?
Did disabling dcc improve things?

Razor was not a problem here nor all the SA rules from the fsl guys, i disabled all one, one by one put them back in, did not take long to see dcc was the culprit, since ive disabled it, it's all good.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Wed Nov 15 06:17:25 2006
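
Added example, not part of any post in this thread: a Python parser for the "Batch (N messages) processed in S seconds" and "completed at N bytes per second" syslog lines quoted above, reporting seconds per message per host, the slowest scanning stage, and a rough daily capacity. The function names, the 10-second threshold and the assumption that every child sustains the measured rate in parallel are choices made for this example.

```python
import re
from collections import defaultdict

# Sample syslog lines in the shape quoted in the thread (hosts "brewer" and "mx3").
SAMPLE_LOG = """\
Nov 14 20:07:42 brewer MailScanner[37903]: Batch (30 messages) processed in 328.23 seconds
Nov 14 20:07:51 brewer MailScanner[38335]: Batch (30 messages) processed in 670.92 seconds
Nov 14 20:08:37 brewer MailScanner[38125]: Batch (30 messages) processed in 643.34 seconds
Nov 14 14:30:10 mx3 MailScanner[5500]: Spam Checks completed at 826 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Virus Scanning completed at 4633 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Virus Processing completed at 692908 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Batch completed at 700 bytes per second
Nov 14 14:30:13 mx3 MailScanner[5500]: Batch (1 message) processed in 9.86 seconds
"""

PREFIX = r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<host>\S+)\s+MailScanner\[(?P<pid>\d+)\]:\s+"
BATCH_RE = re.compile(
    PREFIX + r"Batch \((?P<count>\d+) messages?\) processed in (?P<secs>\d+(?:\.\d+)?) seconds"
)
# "Batch completed at ..." is the overall figure, so it is left out of the stage comparison.
STAGE_RE = re.compile(
    PREFIX + r"(?P<stage>Spam Checks|Virus Scanning|Virus Processing) "
    r"completed at (?P<bps>\d+) bytes per second"
)


def parse_batches(text):
    """Return one record per 'Batch (N messages) processed in S seconds' line."""
    batches = []
    for line in text.splitlines():
        m = BATCH_RE.match(line)
        if not m or int(m["count"]) == 0:
            continue  # not a batch line, or an empty batch we cannot divide by
        count, secs = int(m["count"]), float(m["secs"])
        batches.append({"host": m["host"], "pid": int(m["pid"]), "messages": count,
                        "seconds": secs, "per_message": secs / count})
    return batches


def summarize_hosts(batches, slow_per_message=10.0):
    """Aggregate per host; slow_per_message is an arbitrary threshold for this example."""
    acc = defaultdict(lambda: {"batches": 0, "messages": 0, "seconds": 0.0, "slow_pids": set()})
    for b in batches:
        host = acc[b["host"]]
        host["batches"] += 1
        host["messages"] += b["messages"]
        host["seconds"] += b["seconds"]
        if b["per_message"] > slow_per_message:
            host["slow_pids"].add(b["pid"])
    summary = {}
    for name, host in acc.items():
        summary[name] = dict(host, per_message=host["seconds"] / host["messages"],
                             slow_pids=sorted(host["slow_pids"]))
    return summary


def slowest_stage(text, host):
    """Name the scanning stage with the lowest mean bytes/second for a host, or None."""
    speeds = defaultdict(list)
    for line in text.splitlines():
        m = STAGE_RE.match(line)
        if m and m["host"] == host:
            speeds[m["stage"]].append(int(m["bps"]))
    if not speeds:
        return None
    return min(speeds, key=lambda stage: sum(speeds[stage]) / len(speeds[stage]))


def daily_capacity(per_message_seconds, children):
    """Messages per day if `children` processes each sustain the measured rate (assumption)."""
    return int(children * 86400 / per_message_seconds)


if __name__ == "__main__":
    summary = summarize_hosts(parse_batches(SAMPLE_LOG))
    for name, host in sorted(summary.items()):
        print(f"{name}: {host['batches']} batches, {host['messages']} msgs, "
              f"{host['per_message']:.2f} s/msg, slow children: {host['slow_pids']}, "
              f"slowest stage: {slowest_stage(SAMPLE_LOG, name)}")
        for children in (5, 30):
            print(f"  {children} children -> ~{daily_capacity(host['per_message'], children)} msgs/day")
```

Comparing the capacity figure with the daily volume mentioned in the thread shows whether a given number of children can keep up at the measured per-message time.
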
From: res at ausics.net (Res)
Date: Wed Nov 15 06:17:33 2006
Subject: Massive queue buildup
In-Reply-To:
References:
Message-ID:

On Tue, 14 Nov 2006, Chandler, Jay wrote:

> ov 14 20:07:42 brewer MailScanner[37903]: Batch (30 messages) processed in 328.23 seconds
> Nov 14 20:07:51 brewer MailScanner[38335]: Batch (30 messages) processed in 670.92 seconds
> Nov 14 20:08:37 brewer MailScanner[38125]: Batch (30 messages) processed in 643.34 seconds
>
> That's not good.
>

No :)

If you need it sorted, disable spam assassin, leave spam checks on, but disable SA, you'll find it will clear the queue in no time.

Also do you RBL in MS or MTA? MTA is far better

> Disabled DCC, Razor, and Pyzor, and I'm still seeing batch times in the
> same general range. I've got RAM to burn, so I kicked up the number of
> children to 30, and I'm still seeing the same batch times, but the queue
> is decrementing. Finally, I built up a box that's blazingly fast in
> processors, and woefully short of RAM, and put that ahead of this one in
> the mailserver precedence list. We'll see how it handles tomorrow.
>
> Thanks for the assist, folks-- I appreciate it.
>
> --
> Jay Chandler
> Network Administrator, Chapman University
> 714.628.7249 / chandler@chapman.edu
> Today's Excuse: It must have been the lightning storm we had (yesterday)
> (last week) (last month)
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
> Sent: Tuesday, November 14, 2006 2:15 PM
> To: MailScanner discussion
> Subject: RE: Massive queue buildup
>
> Hi Jay,
>
> On Tue, 14 Nov 2006, Chandler, Jay wrote:
>
>> 3. I am running DCC, as well as Razor.
>
> What did log speed = yes show?
> Did disabling dcc improve things?
>
> Razor was not a problem here nor all the SA rules from the fsl guys, i
> disabled all one, one by one put them back in, did not take long to see
> dcc was the culprit, since ive disabled it, it's all good.
>
>

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From glenn.steen at gmail.com Wed Nov 15 08:56:48 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 15 08:56:51 2006
Subject: Massive queue buildup
In-Reply-To:
References:
Message-ID: <223f97700611150056l19654a16m3eb9b03f42dbfadc@mail.gmail.com>

On 15/11/06, Res wrote:
> On Tue, 14 Nov 2006, Chandler, Jay wrote:
>
> > ov 14 20:07:42 brewer MailScanner[37903]: Batch (30 messages) processed in 328.23 seconds
> > Nov 14 20:07:51 brewer MailScanner[38335]: Batch (30 messages) processed in 670.92 seconds
> > Nov 14 20:08:37 brewer MailScanner[38125]: Batch (30 messages) processed in 643.34 seconds
> >
> > That's not good.
> >
>
> No :)

Have to agree here. More below.

> If you need it sorted, disable spam assassin, leave spam checks on, but
> disable SA, you'll find it will clear the queue in no time.

Might not be the culprit after all. Well, it still might be....:-)

> Also do you RBL in MS or MTA? MTA is far better

In one of Jay's earlier responses (to Brent Addis) he mentioned doing 3-4 BLs in MS, which he found to be "nothing insane". Well, he just might be wrong, taken that those would _serialize_, much like most MTAs but unlike SA, and with some poor choices made on which lists to check in MS... Voila, bad performance here we come:-). At least a theory worth exploring;-).

As you all know, the MTA (for early rejection) or SA (for parallelism) is the place to do this (and possibly one or two in MS...:-). Martin has posted his list of SA RBLs he disables (by setting score to 0) a few times, which might be interesting to you Jay, if you go the SA route.

> >
> > Disabled DCC, Razor, and Pyzor, and I'm still seeing batch times in the
> > same general range. I've got RAM to burn, so I kicked up the number of
> > children to 30, and I'm still seeing the same batch times, but the queue
> > is decrementing. Finally, I built up a box that's blazingly fast in
> > processors, and woefully short of RAM, and put that ahead of this one in
> > the mailserver precedence list. We'll see how it handles tomorrow.
> >
> > Thanks for the assist, folks-- I appreciate it.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solidstatelogic.com Wed Nov 15 09:02:15 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 15 09:02:27 2006
Subject: FreeBSD 4.11 Ports Issue
In-Reply-To: <455A35EA.6080105@rogers.com>
References: <47593.66.179.233.5.1163536480.squirrel@www.woodwrecker.com>
 <455A2C8B.3060305@rogers.com>
 <14980.66.179.233.5.1163538139.squirrel@www.woodwrecker.com>
 <455A35EA.6080105@rogers.com>
Message-ID: <455AD797.2020306@solidstatelogic.com>

Mike Jakubik wrote:
> ohlund@woodwrecker.com wrote:
>>> First of all, you should have posted to the freebsd-ports mailing list,
>>> not here.
>>>
>>
>> First of all, I did post to FreeBSD list. They suggested that I post
>> here.
>> Apparently there is a BSD expert that lurks here.
>>
>
> I guess i missed that post then, as i can't see any recent posts about
> this..
>

this was to the freebsd-users list, and I asked him to re-post here, so JPK can take a peek..

>>
>>> I would recommend you get with time and consider updating to FreeBSD 6.
>>>
>>
>> Jumping to a new major release isn't guaranteed to resolve my problem, is
>> it?
>
> Yes it is, as the port compiles correctly on 6.

Might be worthwhile scouring the list archives. I'm sure someone mentioned a fix/workaround for this..

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From glenn.steen at gmail.com Wed Nov 15 09:20:25 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 15 09:20:30 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
In-Reply-To: <017601c7081a$302dd370$0200000a@danc3>
References: <00a901c704e0$f9a257e0$0200000a@danc3>
 <223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com>
 <013301c70739$c57359f0$0200000a@danc3>
 <01f501c7074d$b0296e90$0200000a@danc3>
 <029501c7076c$0a099110$0200000a@danc3>
 <02d601c70777$216cf580$0200000a@danc3>
 <017601c7081a$302dd370$0200000a@danc3>
Message-ID: <223f97700611150120j54b0448cv61cd54e4581ea914@mail.gmail.com>

On 14/11/06, Dan Carl wrote:
> [snip]
> >
> > That's an option on MS, look for "Always Include SpamAssassin Report".
> >
> Thanks, missed it in the conf.
> Now I can do some testing
> [snip]
>
> I've been analyzing messages all morning.
> It seems that spamassassin runs through all of the rules all the time but
> mailscanner rules erratically.(example below)
>
> FROM SPAMASSASSIN
> Content analysis details: (13.8 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.4 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
>      [SPF failed: Please see http://www.openspf.org/why.html?sender=sondraiszmcgrathly%40charter.net&ip=85.69.182.160&receiver=mail.bluestarshows.com]
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
>      [score: 0.9598]
>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>      [85.69.182.160 listed in dnsbl.sorbs.net]
>  1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>      [Blocked - see ]
>  3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>      [85.69.182.160 listed in sbl-xbl.spamhaus.org]
>  1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
>      [85.69.182.160 listed in combined.njabl.org]
>
> FROM MAILSCANNER
> X-Bluestar-MScan-SpamCheck: not spam, SpamAssassin (not cached, score=5.844,
>   required 6, RCVD_IN_NJABL_DUL 1.95, RCVD_IN_XBL 3.90,
>   UNPARSEABLE_RELAY 0.00)
> X-Bluestar-SpamScore: sssss
>
> This is the exact same message.
> Why didn't Mailscanner use Bayes, SORBS or SPAMCOP?
>
> It's not like there not working here's proof of one caught a few minutes
> ago.
> spamcop is not here but bayes and sorbs are.

Sorry if you posted this already, but how do you do your Bayes expiry? How big is your Bayes db? I'm thinking expiry problems here... Do you get bayes_toks.expire* files (where you have your bayes DB files)?

SpamCop and Sorbs could be slow responses...

> X-Bluestar-MScan-SpamCheck: spam, SpamAssassin (not cached, score=9.284,
>   required 6, BAYES_60 1.00, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77,
>   MSGID_FROM_MTA_ID 1.39, RAZOR2_CF_RANGE_51_100 0.50,
>   RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50,
>   RCVD_IN_SORBS_WEB 1.46)
>
> Rene hope you or someone else can help.

We'll do our best:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From evanderleun at hal9000.nl Wed Nov 15 14:26:25 2006
From: evanderleun at hal9000.nl (Erik van der Leun)
Date: Wed Nov 15 14:26:29 2006
Subject: pyzor functionality
Message-ID: <455B2391.2060401@hal9000.nl>

Hi,

On several servers, PYZOR seems to work every now and then...
I can't seem to find a reason why... no error messages when checking with --lint

To be honest, I don't have much of a clue...

What would be a good way of testing whether the online request gets a proper answer?

Kind regards,
Erik van der Leun

# for log in `ls /var/log/maillog*`; do echo -n $log: `zgrep PYZOR $log | wc -l`; echo ; done
/var/log/maillog: 145
/var/log/maillog.1.gz: 0
/var/log/maillog.10.gz: 30
/var/log/maillog.11.gz: 33
/var/log/maillog.12.gz: 8
/var/log/maillog.13.gz: 11
/var/log/maillog.14.gz: 32
/var/log/maillog.2.gz: 0
/var/log/maillog.3.gz: 0
/var/log/maillog.4.gz: 0
/var/log/maillog.5.gz: 0
/var/log/maillog.6.gz: 0
/var/log/maillog.7.gz: 0
/var/log/maillog.8.gz: 2
/var/log/maillog.9.gz: 15

(another machine)
# for log in `ls /var/log/maillog*`; do echo -n $log: `zgrep PYZOR $log | wc -l`; echo ; done
/var/log/maillog: 0
/var/log/maillog.10.gz: 0
/var/log/maillog.11.gz: 0
/var/log/maillog.12.gz: 0
/var/log/maillog.13.gz: 0
/var/log/maillog.14.gz: 0
/var/log/maillog.15.gz: 0
/var/log/maillog.16.gz: 0
/var/log/maillog.17.gz: 0
/var/log/maillog.18.gz: 0
/var/log/maillog.19.gz: 0
/var/log/maillog.1.gz: 0
/var/log/maillog.20.gz: 88
/var/log/maillog.21.gz: 2244
/var/log/maillog.22.gz: 5383
/var/log/maillog.23.gz: 7514
/var/log/maillog.24.gz: 9014
/var/log/maillog.25.gz: 9489
/var/log/maillog.26.gz: 8963
/var/log/maillog.27.gz: 9829
/var/log/maillog.28.gz: 7890
/var/log/maillog.29.gz: 6974
/var/log/maillog.2.gz: 0
/var/log/maillog.30.gz: 6130
/var/log/maillog.3.gz: 4418
/var/log/maillog.4.gz: 7598
/var/log/maillog.5.gz: 7746
/var/log/maillog.6.gz: 8109
/var/log/maillog.7.gz: 8110
/var/log/maillog.8.gz: 10490
/var/log/maillog.9.gz: 5243
/var/log/maillog.old: 210213

# spamassassin --lint -D 2>&1 | grep -i pyzor
[16257] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf
[16257] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[16257] dbg: pyzor: network tests on, attempting Pyzor
[16257] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00)
[16257] dbg: plugin: registering glue method for check_pyzor (Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00))
[16257] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[16257] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin16257UZ6Czhtmp
[16257] dbg: pyzor: killed stale helper [16322]
[16257] dbg: pyzor: [16322] terminated: exit=0x000f
[16257] dbg: pyzor: check timed out after 5 seconds

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061115/f7aacd0a/attachment.html

From steve.swaney at fsl.com Wed Nov 15 15:17:46 2006
From: steve.swaney at fsl.com (Stephen Swaney)
Date: Wed Nov 15 15:17:50 2006
Subject: pyzor functionality
In-Reply-To: <455B2391.2060401@hal9000.nl>
Message-ID: <004901c708c9$34877610$287ba8c0@office.fsl>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Erik van der Leun
> Sent: Wednesday, November 15, 2006 9:26 AM
> To: MailScanner discussion
> Subject: pyzor functionality
>
> Hi,
>
> On several servers, PYZOR seems to work every now and then...
> I can't seem to find a reason why... no error messages when checking with --lint
>
> To be honest, I don't have much of a clue...
>
> What would be a good way of testing whether the online request gets a
> proper answer?
>
> Kind regards,
> Erik van der Leun
>

Eric,

The Pyzor server or servers if there is more than one are often off line. Pyzor has not been updated since September 7, 2002. It's become unreliable at best. Attempts to contact the author with offers of help and servers have failed.

Pyzor timeouts simply slow down SpamAssassin processing. Pyzor should not be used on a busy server.

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney@fsl.com
www.fsl.com

From mikea at mikea.ath.cx Wed Nov 15 15:32:17 2006
From: mikea at mikea.ath.cx (mikea)
Date: Wed Nov 15 15:32:21 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B581086D976@isabella.herefordshire.gov.uk>; from prandal@herefordshire.gov.uk on Tue, Nov 14, 2006 at 10:31:50AM -0000
References: <86144ED6CE5B004DA23E1EAC0B569B581086D976@isabella.herefordshire.gov.uk>
Message-ID: <20061115093217.I48256@mikea.ath.cx>

On Tue, Nov 14, 2006 at 10:31:50AM -0000, Randal, Phil wrote:
> Not here they weren't.
>
> A simple grep leads to double-counting (because I run milter-greylist),
> but my point still stands. Was handled well by my setup without any
> additional response needed.

I've found that a lot of the "debora" spam, as well as a fair amount of other spam, matches /6c822ecf/ in one or more of Message-ID and Content-ID headers. I have yet to see a false positive. It's just as good as the /From: akstc.*@/ signature, which is nailing a bunch even now.

If you run milter-regex, it's trivial to build rules for these.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From martinh at solidstatelogic.com Wed Nov 15 15:34:39 2006
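
Added example, not mikea's rules and not milter-regex syntax: a Python check that applies the two patterns quoted in the post above to a message's headers. It goes a step beyond top-level header matching by also walking MIME parts, where Content-ID headers usually sit; the rule names, the top_only flag and all sample messages are constructed for this example.

```python
import re
from email import message_from_string

# The two patterns come from the post; rule names and the top_only flag are this example's own.
RULES = [
    # (rule name, header names it applies to, top-level headers only?, pattern on the value)
    ("hex-id", ("message-id", "content-id"), False, re.compile(r"6c822ecf")),
    # /From: akstc.*@/ on the header line is "^akstc.*@" on the header value.
    ("akstc-from", ("from",), True, re.compile(r"^akstc.*@")),
]

# Constructed sample: signature only in the Content-ID of an inline image part.
MSG_INLINE = """\
From: "Debora" <someone@example.net>
To: user@example.org
Subject: hi
Message-ID: <000001c7.12345678@example.net>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><img src="cid:img1"></html>
--b1
Content-Type: image/gif
Content-ID: <01c7086c822ecf$img1@example.net>
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--b1--
"""

# Constructed sample: both signatures in top-level headers.
MSG_TOP = """\
From: akstc99@example.com
To: user@example.org
Subject: hello
Message-ID: <6c822ecf.0001@example.com>

plain body
"""

# Constructed sample: a forwarded report whose attached message has the akstc sender.
MSG_FORWARD = """\
From: helpdesk@example.org
To: abuse@example.org
Subject: Fwd: spam sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

see attached
--b2
Content-Type: message/rfc822

From: akstc42@example.com
Subject: offer

body
--b2--
"""


def unfold(value):
    """Join folded header continuation lines so '.*' can span the whole value."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def iter_headers(msg):
    """Yield (scope, lowercased name, value) for the message and every nested MIME part."""
    for index, part in enumerate(msg.walk()):
        scope = "top" if index == 0 else f"part{index}"
        for name, value in part.items():
            yield scope, name.lower(), unfold(str(value))


def match_signatures(raw):
    """Return (rule, scope, header) for every header that matches a signature."""
    hits = []
    for scope, name, value in iter_headers(message_from_string(raw)):
        for rule, names, top_only, pattern in RULES:
            if name not in names or (top_only and scope != "top"):
                continue  # wrong header, or a sender header inside an attachment
            if pattern.search(value):
                hits.append((rule, scope, name))
    return hits


if __name__ == "__main__":
    for label, raw in (("inline", MSG_INLINE), ("top", MSG_TOP), ("forward", MSG_FORWARD)):
        print(label, match_signatures(raw))
```

The forwarded sample shows why the sender rule is limited to top-level headers: a spam report that attaches the original message should not be scored as if it came from that sender.
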
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 15 15:34:49 2006
Subject: pyzor functionality
In-Reply-To: <455B2391.2060401@hal9000.nl>
References: <455B2391.2060401@hal9000.nl>
Message-ID: <455B338F.8000507@solidstatelogic.com>

Erik van der Leun wrote:
> Hi,
>
> On several servers, PYZOR seems to work every now and then...
> I can't seem to find a reason why... no error messages when checking with
> --lint
>
> To be honest, I don't have much of a clue...
>
> What would be a good way of testing whether the online request gets a
> proper answer?
>
> Kind regards,
> Erik van der Leun
>
> # for log in `ls /var/log/maillog*`; do echo -n $log: `zgrep PYZOR $log | wc -l`; echo ; done
> /var/log/maillog: 145
> /var/log/maillog.1.gz: 0
> /var/log/maillog.10.gz: 30
> /var/log/maillog.11.gz: 33
> /var/log/maillog.12.gz: 8
> /var/log/maillog.13.gz: 11
> /var/log/maillog.14.gz: 32
> /var/log/maillog.2.gz: 0
> /var/log/maillog.3.gz: 0
> /var/log/maillog.4.gz: 0
> /var/log/maillog.5.gz: 0
> /var/log/maillog.6.gz: 0
> /var/log/maillog.7.gz: 0
> /var/log/maillog.8.gz: 2
> /var/log/maillog.9.gz: 15
>
> (another machine)
> # for log in `ls /var/log/maillog*`; do echo -n $log: `zgrep PYZOR $log | wc -l`; echo ; done
> /var/log/maillog: 0
> /var/log/maillog.10.gz: 0
> /var/log/maillog.11.gz: 0
> /var/log/maillog.12.gz: 0
> /var/log/maillog.13.gz: 0
> /var/log/maillog.14.gz: 0
> /var/log/maillog.15.gz: 0
> /var/log/maillog.16.gz: 0
> /var/log/maillog.17.gz: 0
> /var/log/maillog.18.gz: 0
> /var/log/maillog.19.gz: 0
> /var/log/maillog.1.gz: 0
> /var/log/maillog.20.gz: 88
> /var/log/maillog.21.gz: 2244
> /var/log/maillog.22.gz: 5383
> /var/log/maillog.23.gz: 7514
> /var/log/maillog.24.gz: 9014
> /var/log/maillog.25.gz: 9489
> /var/log/maillog.26.gz: 8963
> /var/log/maillog.27.gz: 9829
> /var/log/maillog.28.gz: 7890
> /var/log/maillog.29.gz: 6974
> /var/log/maillog.2.gz: 0
> /var/log/maillog.30.gz: 6130
> /var/log/maillog.3.gz: 4418
> /var/log/maillog.4.gz: 7598
> /var/log/maillog.5.gz: 7746
> /var/log/maillog.6.gz: 8109
> /var/log/maillog.7.gz: 8110
> /var/log/maillog.8.gz: 10490
> /var/log/maillog.9.gz: 5243
> /var/log/maillog.old: 210213
>
> # spamassassin --lint -D 2>&1 | grep -i pyzor
> [16257] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf
> [16257] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
> [16257] dbg: pyzor: network tests on, attempting Pyzor
> [16257] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00)
> [16257] dbg: plugin: registering glue method for check_pyzor (Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00))
> [16257] dbg: pyzor: pyzor is available: /usr/bin/pyzor
> [16257] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin16257UZ6Czhtmp
> [16257] dbg: pyzor: killed stale helper [16322]
> [16257] dbg: pyzor: [16322] terminated: exit=0x000f
> [16257] dbg: pyzor: check timed out after 5 seconds
>

Erik

I'd echo what Steve S just said. remove it from your configs.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From alex at nkpanama.com Wed Nov 15 15:38:29 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Nov 15 15:39:11 2006
Subject: pyzor functionality
In-Reply-To: <004901c708c9$34877610$287ba8c0@office.fsl>
References: <004901c708c9$34877610$287ba8c0@office.fsl>
Message-ID: <455B3475.3030103@nkpanama.com>

Have you tried adding another server like they mention in this thread:
https://sourceforge.net/mailarchive/forum.php?thread_id=30601945&forum_id=8711

also http://tinyurl.com/y963e7 for broken mailers...

Stephen Swaney wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Erik van der Leun
>> Sent: Wednesday, November 15, 2006 9:26 AM
>> To: MailScanner discussion
>> Subject: pyzor functionality
>>
>> Hi,
>>
>> On several servers, PYZOR seems to work every now and then...
>> I can't seem to find a reason why... no error messages when checking with --lint
>>
>> To be honest, I don't have much of a clue...
>>
>> What would be a good way of testing whether the online request gets a
>> proper answer?
>>
>> Kind regards,
>> Erik van der Leun
>>
>
> Eric,
>
> The Pyzor server or servers if there is more than one are often off line.
> Pyzor has not been updated since September 7, 2002. It's become unreliable
> at best. Attempts to contact the author with offers of help and servers have
> failed.
>
> Pyzor timeouts simply slow down SpamAssassin processing. Pyzor should not be
> used on a busy server.
>
> Steve
>
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney@fsl.com
> www.fsl.com
>
>

From evanderleun at hal9000.nl Wed Nov 15 15:42:13 2006
From: evanderleun at hal9000.nl (Erik van der Leun)
Date: Wed Nov 15 15:42:14 2006
Subject: pyzor functionality
In-Reply-To: <004901c708c9$34877610$287ba8c0@office.fsl>
References: <004901c708c9$34877610$287ba8c0@office.fsl>
Message-ID: <455B3555.6010801@hal9000.nl>

Thank you both for the response...

I had seen the lack of updates... but pyzor still helped me in spamfiltering... (without, more spam comes through)
(yes, I do have DCC and Razor too, gocr patch for SpamAssassin too, but that's somewhat relying on Pyzor)

I guess I'll have to do without :)

>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Erik van der Leun
>> Sent: Wednesday, November 15, 2006 9:26 AM
>> To: MailScanner discussion
>> Subject: pyzor functionality
>>
>> Hi,
>>
>> On several servers, PYZOR seems to work every now and then...
>> I can't seem to find a reason why... no error messages when checking with --lint
>>
>> To be honest, I don't have much of a clue...
>>
>> What would be a good way of testing whether the online request gets a
>> proper answer?
>>
>> Kind regards,
>> Erik van der Leun
>>
>>
>
> Eric,
>
> The Pyzor server or servers if there is more than one are often off line.
> Pyzor has not been updated since September 7, 2002. It's become unreliable
> at best. Attempts to contact the author with offers of help and servers have
> failed.
>
> Pyzor timeouts simply slow down SpamAssassin processing. Pyzor should not be
> used on a busy server.
>
> Steve
>
> Stephen Swaney
> Fort Systems Ltd.
> stephen.swaney@fsl.com
> www.fsl.com
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061115/f266714c/attachment.html

From bpumphrey at woodmclaw.com Wed Nov 15 15:48:16 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Wed Nov 15 15:48:32 2006 Subject: pyzor functionality In-Reply-To: <455B3475.3030103@nkpanama.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C14121@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Alex Neuman van der Hans > Sent: Wednesday, November 15, 2006 10:38 AM > To: MailScanner discussion > Subject: Re: pyzor functionality > > Have you tried adding another server like they mention in this thread: > https://sourceforge.net/mailarchive/forum.php?thread_id=30601945&forum_i d= > 8711 > > also http://tinyurl.com/y963e7 for broken mailers... > Stephen Swaney wrote: > >> -----Original Message----- 
> >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > >> bounces@lists.mailscanner.info] On Behalf Of Erik van der Leun > >> Sent: Wednesday, November 15, 2006 9:26 AM > >> To: MailScanner discussion > >> Subject: pyzor functionality > >> > >> Hi, > >> > >> On several servers, PYZOR seems to work every now and then... > >> I can't seem to find a reason why... no errormessages when checking > with - > >> -lint > >> > >> To be honest, I don't have much of a clue... > >> > >> What would be a good way of testing whether the online request gets a > >> proper answer? > >> > >> Kind regards, > >> Erik van der Leun > >> > > > > Eric, > > > > The Pyzor server or servers if there is more than one are often off > line. > > Pyzor has not been updated since September 7, 2002. It's become > unreliable > > at best. Attempts to contact the author with offers of help and servers > have > > failed. > > > > Pyzor timeouts simply slow down SpamAssassin processing. Pyzor should > not be > > used on a busy server. > > > > Steve > > > > Stephen Swaney > > Fort Systems Ltd. > > stephen.swaney@fsl.com > > www.fsl.com> > > > > > > -- I noticed that sa-update seemingly has pyzor files: 0.00023 [21954] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf 0.00111 [21954] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf" for included file Does this load because the pyzor plugin is on? I do have it turned on. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dhawal at netmagicsolutions.com Wed Nov 15 15:55:15 2006 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Nov 15 15:55:36 2006 Subject: pyzor functionality In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1501C14121@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1501C14121@woodenex.woodmaclaw.local> Message-ID: <455B3863.5020004@netmagicsolutions.com> Billy A. Pumphrey wrote: [SNIP] > I noticed that sa-update seemingly has pyzor files: > 0.00023 > [21954] dbg: plugin: fixed relative path: > /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf > 0.00111 > [21954] dbg: config: using > "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf" > for included file > > Does this load because the pyzor plugin is on? I do have it turned on. Notice the use of an 'ifplugin .. blah .. endif' in the pyzor.cf.. it is loaded only if it finds the plugin enabled in one of the '.pre' files. - dhawal From t.d.lee at durham.ac.uk Wed Nov 15 15:59:46 2006 
From: t.d.lee at durham.ac.uk (David Lee) Date: Wed Nov 15 16:00:06 2006 Subject: pyzor functionality In-Reply-To: <455B338F.8000507@solidstatelogic.com> References: <455B2391.2060401@hal9000.nl> <455B338F.8000507@solidstatelogic.com> Message-ID: On Wed, 15 Nov 2006, Martin Hepworth wrote: > Erik van der Leun wrote: > > Hi, > > > > On several servers, PYZOR seems to work every now and then... > > I can't seem to find a reason why... no errormessages when checking with > > --lint > > > > To be honest, I don't have much of a clue... > > > > What would be a good way of testing whether the online request gets a > > proper answer? > > [...] > > # spamassassin --lint -D 2>&1 | grep -i pyzor > > [16257] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf > > [16257] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC > > [16257] dbg: pyzor: network tests on, attempting Pyzor > > [16257] dbg: plugin: registered > > Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00) > > [16257] dbg: plugin: registering glue method for check_pyzor > > (Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00)) > > [16257] dbg: pyzor: pyzor is available: /usr/bin/pyzor > > [16257] dbg: pyzor: opening pipe: /usr/bin/pyzor check < > > /tmp/.spamassassin16257UZ6Czhtmp > > [16257] dbg: pyzor: killed stale helper [16322] > > [16257] dbg: pyzor: [16322] terminated: exit=0x000f > > [16257] dbg: pyzor: check timed out after 5 seconds > > > Erik > > I'd echo what Steve S just said. remove it from your configs. But pyzor is a useful item in the spam/ham discrimination battle, and nice to keep if reasonably possible. A few weeks ago there was a thread here on the MailScanner list which suggested that the default pyzor server was in some sort of long-term trouble, but that someone else was maintaining another pyzor server. See: http://lists.mailscanner.info/pipermail/mailscanner/2006-September/065292.html So before removing pyzor, it might be worth trying that alternative server. 
You probably have a ".pyzor" directory (possible in root's home directory) containing a file "servers", itself containing the old IP:port as "66.250.40.33:24441". The new one seems to be "82.94.255.100:24441". (The issue of local trust of, and reliance upon, such remote services (whether pyzor, Razor, DCC, the various RBLs etc.) is another matter...) -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From clacroix at cegep-ste-foy.qc.ca Wed Nov 15 16:02:52 2006 
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix) Date: Wed Nov 15 16:02:56 2006 Subject: FreeBSD 4.11 Ports Issue In-Reply-To: <455AD797.2020306@solidstatelogic.com> References: <455A35EA.6080105@rogers.com> <455AD797.2020306@solidstatelogic.com> Message-ID: <200611151102.53036.clacroix@cegep-ste-foy.qc.ca> Just use portdowngrade and use an older version of p5-Filesys-Df On Wednesday 15 November 2006 04:02, Martin Hepworth wrote: > Mike Jakubik wrote: > > ohlund@woodwrecker.com wrote: > >>> First of all, you should have posted to the freebsd-ports mailing list, > >>> not here. > >> > >> First of all, I did post to FreeBSD list. They suggested that I post > >> here. > >> Apparently there is a BSD expert that lurks here. > > > > I guess i missed that post then, as i cant see any recent posts about > > this.. > > this was to the freebsd-users list, and I asked him to re-post here, so > JPK can take a peek.. > > >>> I would recommend you get with time and consider updating to FreeBSD 6. > >> > >> Jumping to a new major release isn't guaranteed to resolve my problem, > >> is it? > > > > Yes it is, as the port compiles correctly on 6. > > Might be worthwhile scouring the list archives. I;m sure someone > mentioned a fix/workaround for this.. > > > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** -- Charles Lacroix, Administrateur UNIX. 
Service des télécommunications et des technologies
Cégep de Sainte-Foy
(418) 659-6600 # 4266

From bpumphrey at woodmclaw.com Wed Nov 15 16:12:13 2006
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Wed Nov 15 16:12:24 2006 Subject: pyzor functionality In-Reply-To: Message-ID: <04D932B0071FE34FA63EBB1977B48D1501C14124@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of David Lee > Sent: Wednesday, November 15, 2006 11:00 AM > To: MailScanner discussion > Subject: Re: pyzor functionality > > On Wed, 15 Nov 2006, Martin Hepworth wrote: > > > Erik van der Leun wrote: > > > Hi, > > > > > > On several servers, PYZOR seems to work every now and then... > > > I can't seem to find a reason why... no errormessages when checking > with > > > --lint > > > > > > To be honest, I don't have much of a clue... > > > > > > What would be a good way of testing whether the online request gets a > > > proper answer? > > > [...] > > > # spamassassin --lint -D 2>&1 | grep -i pyzor > > > [16257] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf > > > [16257] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from > @INC > > > [16257] dbg: pyzor: network tests on, attempting Pyzor > > > [16257] dbg: plugin: registered > > > Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00) > > > [16257] dbg: plugin: registering glue method for check_pyzor > > > (Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00)) > > > [16257] dbg: pyzor: pyzor is available: /usr/bin/pyzor > > > [16257] dbg: pyzor: opening pipe: /usr/bin/pyzor check < > > > /tmp/.spamassassin16257UZ6Czhtmp > > > [16257] dbg: pyzor: killed stale helper [16322] > > > [16257] dbg: pyzor: [16322] terminated: exit=0x000f > > > [16257] dbg: pyzor: check timed out after 5 seconds > > > > > Erik > > > > I'd echo what Steve S just said. remove it from your configs. > > But pyzor is a useful item in the spam/ham discrimination battle, and nice > to keep if reasonably possible. > > A few weeks ago there was a thread here on the MailScanner list which > suggested that the default pyzor server was in some sort of long-term > trouble, but that someone else was maintaining another pyzor server. 
> See: > http://lists.mailscanner.info/pipermail/mailscanner/2006- > September/065292.html > > So before removing pyzor, it might be worth trying that alternative > server. You probably have a ".pyzor" directory (possible in root's home > directory) containing a file "servers", itself containing the old IP:port > as "66.250.40.33:24441". The new one seems to be "82.94.255.100:24441". > > (The issue of local trust of, and reliance upon, such remote services > (whether pyzor, Razor, DCC, the various RBLs etc.) is another matter...) > > -- > > : David Lee I.T. Service : > : Senior Systems Programmer Computer Centre : > : Durham University : > : http://www.dur.ac.uk/t.d.lee/ South Road : > : Durham DH1 3LE : > : Phone: +44 191 334 2752 U.K. : > -- Noted. I updated mine and the path you gave was correct. I also thought that there was a pyzor2? I guess that is just razor2 that I am thinking of. Billy Pumphrey IT Manager Wooden & McLaughlin http://www.billypumphrey.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From martinh at solidstatelogic.com Wed Nov 15 16:17:07 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Wed Nov 15 16:18:27 2006 Subject: pyzor functionality In-Reply-To: References: <455B2391.2060401@hal9000.nl> <455B338F.8000507@solidstatelogic.com> Message-ID: <455B3D83.3090204@solidstatelogic.com> David Lee wrote: > On Wed, 15 Nov 2006, Martin Hepworth wrote: > >> Erik van der Leun wrote: >>> Hi, >>> >>> On several servers, PYZOR seems to work every now and then... >>> I can't seem to find a reason why... no errormessages when checking with >>> --lint >>> >>> To be honest, I don't have much of a clue... >>> >>> What would be a good way of testing whether the online request gets a >>> proper answer? >>> [...] >>> # spamassassin --lint -D 2>&1 | grep -i pyzor >>> [16257] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf >>> [16257] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC >>> [16257] dbg: pyzor: network tests on, attempting Pyzor >>> [16257] dbg: plugin: registered >>> Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00) >>> [16257] dbg: plugin: registering glue method for check_pyzor >>> (Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00)) >>> [16257] dbg: pyzor: pyzor is available: /usr/bin/pyzor >>> [16257] dbg: pyzor: opening pipe: /usr/bin/pyzor check < >>> /tmp/.spamassassin16257UZ6Czhtmp >>> [16257] dbg: pyzor: killed stale helper [16322] >>> [16257] dbg: pyzor: [16322] terminated: exit=0x000f >>> [16257] dbg: pyzor: check timed out after 5 seconds >>> >> Erik >> >> I'd echo what Steve S just said. remove it from your configs. > > But pyzor is a useful item in the spam/ham discrimination battle, and nice > to keep if reasonably possible. > > A few weeks ago there was a thread here on the MailScanner list which > suggested that the default pyzor server was in some sort of long-term > trouble, but that someone else was maintaining another pyzor server. 
> See: > http://lists.mailscanner.info/pipermail/mailscanner/2006-September/065292.html > > So before removing pyzor, it might be worth trying that alternative > server. You probably have a ".pyzor" directory (possible in root's home > directory) containing a file "servers", itself containing the old IP:port > as "66.250.40.33:24441". The new one seems to be "82.94.255.100:24441". > > (The issue of local trust of, and reliance upon, such remote services > (whether pyzor, Razor, DCC, the various RBLs etc.) is another matter...) > David cool, I'll that a go.... -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From ssilva at sgvwater.com Wed Nov 15 16:18:42 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Nov 15 16:19:28 2006 Subject: Massive queue buildup In-Reply-To: <223f97700611150056l19654a16m3eb9b03f42dbfadc@mail.gmail.com> References: <223f97700611150056l19654a16m3eb9b03f42dbfadc@mail.gmail.com> Message-ID: Glenn Steen spake the following on 11/15/2006 12:56 AM: > On 15/11/06, Res wrote: >> On Tue, 14 Nov 2006, Chandler, Jay wrote: >> >> > ov 14 20:07:42 brewer MailScanner[37903]: Batch (30 messages) processed >> > in 328.23 seconds >> > Nov 14 20:07:51 brewer MailScanner[38335]: Batch (30 messages) >> processed >> > in 670.92 seconds >> > Nov 14 20:08:37 brewer MailScanner[38125]: Batch (30 messages) >> processed >> > in 643.34 seconds >> > >> > That's not good. >> > >> >> No :) > Have to agree here. More below. > >> If you nee dit sorted , disable spam assassin, leave spam checks on, but >> disable SA, you'll find it will clear the queue in no time. > Might not be the culprit after all. Well, it still might bet....:-) > >> Also do you RBL in MS or MTA? MTA is far better > In one of Jays earlier responses (to Brent Addis) he mentioned doing > 3-4 BLs in MS, which he found to be "nothing insane". Well, he just > might be wrong, taken that those would _serialize_, much like most > MTAs but unlike SA, and with some poor choices made on which lists to > check in MS... Voila, bad performance here we come:-). At least a > theory worth exploring;-). > As you all know, the MTA (for early rejection) or SA (for > parallellism) is the place to do this (and possibly one or two in > MS...:-). > I have to agree totally. BL's in mailscanner will be the slowest. I just ran across Net-DNSBL-MultiDaemon on CPAN, and I am thinking about experimenting with it. You can add it as a zone in bind and make one lookup. It seems to even drop BLs that timeout or get slow for a short period of time. http://search.cpan.org/~miker/Net-DNSBL-MultiDaemon-0.17/MultiDaemon.pm I just have to think out a plan to give it a workout. 
--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From help at intuitiveisp.com Wed Nov 15 16:59:06 2006
From: help at intuitiveisp.com (jason Lingnau) Date: Wed Nov 15 16:59:35 2006 Subject: No outbound spam testing Message-ID: <8020D2B9-B1DE-43FE-B3C3-F9D6FE2922D5@intuitiveisp.com>

What is the best way to configure MailScanner/SpamAssassin, to NOT test outbound mail for spam?

We are running MailScanner 4.51.5 with Spamassassin 3.1.1

I have had poor luck at using a ruleset like;

Spam Checks = %rules-dir%/nocklocal.sa.rules

#Dont use SA on these entries
From: 67.121.x.x no ( our networks outbound IP )
From: thisserver.domain.com no
FromOrTo: default yes

Any ideas!

jason
intuitiveisp

From ssilva at sgvwater.com Wed Nov 15 17:04:05 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Nov 15 17:04:36 2006 Subject: pyzor functionality In-Reply-To: <455B3D83.3090204@solidstatelogic.com> References: <455B2391.2060401@hal9000.nl> <455B338F.8000507@solidstatelogic.com> <455B3D83.3090204@solidstatelogic.com> Message-ID: Martin Hepworth spake the following on 11/15/2006 8:17 AM: > David Lee wrote: >> On Wed, 15 Nov 2006, Martin Hepworth wrote: >> >>> Erik van der Leun wrote: >>>> Hi, >>>> >>>> On several servers, PYZOR seems to work every now and then... >>>> I can't seem to find a reason why... no errormessages when checking >>>> with >>>> --lint >>>> >>>> To be honest, I don't have much of a clue... >>>> >>>> What would be a good way of testing whether the online request gets a >>>> proper answer? >>>> [...] >>>> # spamassassin --lint -D 2>&1 | grep -i pyzor >>>> [16257] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf >>>> [16257] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from >>>> @INC >>>> [16257] dbg: pyzor: network tests on, attempting Pyzor >>>> [16257] dbg: plugin: registered >>>> Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00) >>>> [16257] dbg: plugin: registering glue method for check_pyzor >>>> (Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00)) >>>> [16257] dbg: pyzor: pyzor is available: /usr/bin/pyzor >>>> [16257] dbg: pyzor: opening pipe: /usr/bin/pyzor check < >>>> /tmp/.spamassassin16257UZ6Czhtmp >>>> [16257] dbg: pyzor: killed stale helper [16322] >>>> [16257] dbg: pyzor: [16322] terminated: exit=0x000f >>>> [16257] dbg: pyzor: check timed out after 5 seconds >>>> >>> Erik >>> >>> I'd echo what Steve S just said. remove it from your configs. >> >> But pyzor is a useful item in the spam/ham discrimination battle, and >> nice >> to keep if reasonably possible. 
>>
>> A few weeks ago there was a thread here on the MailScanner list which
>> suggested that the default pyzor server was in some sort of long-term
>> trouble, but that someone else was maintaining another pyzor server.
>> See:
>>
>> http://lists.mailscanner.info/pipermail/mailscanner/2006-September/065292.html
>>
>>
>> So before removing pyzor, it might be worth trying that alternative
>> server. You probably have a ".pyzor" directory (possible in root's home
>> directory) containing a file "servers", itself containing the old IP:port
>> as "66.250.40.33:24441". The new one seems to be "82.94.255.100:24441".
>>
>> (The issue of local trust of, and reliance upon, such remote services
>> (whether pyzor, Razor, DCC, the various RBLs etc.) is another matter...)
>>
> David
>
> cool, I'll that a go....
>

I just have the following in cron.daily;

#!/bin/bash
pyzor discover
echo 82.94.255.100:24441 >>/.pyzor/servers

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From martinh at solidstatelogic.com Wed Nov 15 17:06:19 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Wed Nov 15 17:06:33 2006 Subject: No outbound spam testing In-Reply-To: <8020D2B9-B1DE-43FE-B3C3-F9D6FE2922D5@intuitiveisp.com> References: <8020D2B9-B1DE-43FE-B3C3-F9D6FE2922D5@intuitiveisp.com> Message-ID: <455B490B.10706@solidstatelogic.com>

jason Lingnau wrote:
> What is the best way to configure MailScanner/SpamAssassin, to NOT test
> outbound mail for spam?
>
> We are running MailScanner 4.51.5 with Spamassassin 3.1.1
>
> I have had poor luck at using a ruleset like;
> Spam Checks = %rules-dir%/nocklocal.sa.rules
>
> #Dont use SA on these entries
> From: 67.121.x.x no ( our networks outbound IP )
> From: thisserver.domain.com no
> FromOrTo: default yes
>
>
> Any ideas!
>
>

yeah try

From: 67.121. no
From: 127.0.0.1 no
FromOrTo: default yes

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

From danc at bluestarshows.com Wed Nov 15 17:12:45 2006
From: danc at bluestarshows.com (Dan Carl) Date: Wed Nov 15 17:17:17 2006 Subject: Mailscanner not catching SPAM but manual run via SA catches it References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com><013301c70739$c57359f0$0200000a@danc3><01f501c7074d$b0296e90$0200000a@danc3> <029501c7076c$0a099110$0200000a@danc3> <02d601c70777$216cf580$0200000a@danc3> <017601c7081a$302dd370$0200000a@danc3> <223f97700611150120j54b0448cv61cd54e4581ea914@mail.gmail.com> Message-ID: <001601c708d9$44a41d40$0200000a@danc3>

----- Original Message -----
From: "Glenn Steen" To: "MailScanner discussion" Sent: Wednesday, November 15, 2006 3:20 AM Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it > On 14/11/06, Dan Carl wrote: > > [snip] > > > > > > That's an option on MS, look for "Always Include SpamAssassin Report". > > > > > Thanks, missed it in the conf. > > Now I can do some testing > > [snip] > > > > I've been analyzing messages all morning. > > It seems that spamassassin runs through all of the rules all the time but > > mailscanner rules erratically.(example below) > > > > FROM SPAMASSASSIN > > Content analysis details: (13.8 points, 5.0 required) > > > > pts rule name description > > ---- ---------------------- ---------------------------------------------- -- > > -- > > 1.4 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) > > [SPF failed: Please see > > http://www.openspf.org/why.html?sender=sondraiszmcgrathly%40charter.net&ip=85.69.182.160&receiver=mail.bluestarshows.com] > > 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay > > lines > > 3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99% > > [score: 0.9598] > > 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP > > address > > [85.69.182.160 listed in dnsbl.sorbs.net] > > 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net > > [Blocked - see > > ] > > 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL > > [85.69.182.160 listed in sbl-xbl.spamhaus.org] > > 1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP > > [85.69.182.160 listed in combined.njabl.org] > > > > FROM MAILSCANNER > > X-Bluestar-MScan-SpamCheck: not spam, SpamAssassin (not cached, score=5.844, > > required 6, RCVD_IN_NJABL_DUL 1.95, RCVD_IN_XBL 3.90, > > UNPARSEABLE_RELAY 0.00) > > X-Bluestar-SpamScore: sssss > > > > This is the exact same message. > > Why didn't Mailscanner use Bayes, SORBS or SPAMCOP? 
> > > > It's not like there not working here's proof of one caught a few minutes > > ago. > > spamcop is not here but bayes and sorbs are. > > Sorry if you posted this already, but how do you do your Bayes expiry? I used to have it as a cronjob, but just used the line in Mailscanner.conf > How big is your Bayes db? 5.2M bayes_seen 2.9M bayes_toks > I'm thinking expiry problems here... Do you get bayes_toks.expire* no > files (where you have your bayes DB files)? /root/.spamassassin Question? My auto-whitelist is 82M is this normal? If it is and I have Always Include SpamAssassin Report = yes will it show up in the header as being whitelist? I know my spam.whitelist.rules are displayed in the header. > SpamCop and Sorbs could be slow responses... I've been logging speed today and most batches take less than 10seconds I set my Spam List Timeout = 60 Is there anything else I can try? Not as concerned about how long it takes to deliver a message as I am about reducing spam. > > > X-Bluestar-MScan-SpamCheck: spam, SpamAssassin (not cached, score=9.284, > > required 6, BAYES_60 1.00, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77, > > MSGID_FROM_MTA_ID 1.39, RAZOR2_CF_RANGE_51_100 0.50, > > RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50, > > RCVD_IN_SORBS_WEB 1.46) > > > > Rene hope you or someone else can help. > We'll do our best:-). Thanks > > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From steve.swaney at fsl.com Wed Nov 15 17:19:56 2006 From: steve.swaney at fsl.com (Stephen Swaney) Date: Wed Nov 15 17:19:58 2006 Subject: pyzor functionality In-Reply-To: Message-ID: <006b01c708da$4587f820$287ba8c0@office.fsl> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Scott Silva > Sent: Wednesday, November 15, 2006 12:04 PM > To: mailscanner@lists.mailscanner.info > Subject: Re: pyzor functionality > > Martin Hepworth spake the following on 11/15/2006 8:17 AM: > > David Lee wrote: > >> On Wed, 15 Nov 2006, Martin Hepworth wrote: > >> > >>> Erik van der Leun wrote: > >>>> Hi, > >>>> > >>>> On several servers, PYZOR seems to work every now and then... > >>>> I can't seem to find a reason why... no errormessages when checking > >>>> with > >>>> --lint > >>>> > >>>> To be honest, I don't have much of a clue... > >>>> > >>>> What would be a good way of testing whether the online request gets a > >>>> proper answer? > >>>> [...] > >>>> # spamassassin --lint -D 2>&1 | grep -i pyzor > >>>> [16257] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf > >>>> [16257] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from > >>>> @INC > >>>> [16257] dbg: pyzor: network tests on, attempting Pyzor > >>>> [16257] dbg: plugin: registered > >>>> Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00) > >>>> [16257] dbg: plugin: registering glue method for check_pyzor > >>>> (Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00)) > >>>> [16257] dbg: pyzor: pyzor is available: /usr/bin/pyzor > >>>> [16257] dbg: pyzor: opening pipe: /usr/bin/pyzor check < > >>>> /tmp/.spamassassin16257UZ6Czhtmp > >>>> [16257] dbg: pyzor: killed stale helper [16322] > >>>> [16257] dbg: pyzor: [16322] terminated: exit=0x000f > >>>> [16257] dbg: pyzor: check timed out after 5 seconds > >>>> > >>> Erik > >>> > >>> I'd echo what Steve S just said. remove it from your configs. > >> > >> But pyzor is a useful item in the spam/ham discrimination battle, and > >> nice > >> to keep if reasonably possible. 
> >> > >> A few weeks ago there was a thread here on the MailScanner list which > >> suggested that the default pyzor server was in some sort of long-term > >> trouble, but that someone else was maintaining another pyzor server. > >> See: > >> > >> http://lists.mailscanner.info/pipermail/mailscanner/2006- > September/065292.html > >> > >> > >> So before removing pyzor, it might be worth trying that alternative > >> server. You probably have a ".pyzor" directory (possible in root's > home > >> directory) containing a file "servers", itself containing the old > IP:port > >> as "66.250.40.33:24441". The new one seems to be > "82.94.255.100:24441". > >> > >> (The issue of local trust of, and reliance upon, such remote services > >> (whether pyzor, Razor, DCC, the various RBLs etc.) is another > matter...) > >> > > David > > > > cool, I'll that a go.... > > > I just have the following in cron.daily; > > #!/bin/bash > pyzor discover > echo 82.94.255.100:24441 >>/.pyzor/servers > > > -- I can confirm: 82.94.255.100:24441 seems to be responding right now `echo 82.94.255.100:24441 >> /root/.pyzor/servers` corrects the host that Pyzor uses Running `Pyzor discover` writes the bad data ""66.250.40.33:24441" to .pyzor/servers "66.250.40.33:24441" :( Steve Stephen Swaney Fort Systems Ltd. stephen.swaney@fsl.com www.fsl.com From ylacan at teicam.com Wed Nov 15 17:38:53 2006 
From: ylacan at teicam.com (Youri LACAN-BARTLEY) Date: Wed Nov 15 17:39:21 2006 Subject: pyzor functionality In-Reply-To: References: <455B2391.2060401@hal9000.nl> <455B338F.8000507@solidstatelogic.com> <455B3D83.3090204@solidstatelogic.com> Message-ID: <455B50AD.2050102@teicam.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I just have the following in cron.daily;
>
> #!/bin/bash
> pyzor discover
> echo 82.94.255.100:24441 >>/.pyzor/servers
>
>

What exactly is the point of adding the "old" invalid ip in .pyzor/servers ?

Wouldn't echo 82.94.255.100:24441 > ~/.pyzor/servers be enough ?

- --
Regards,
Youri LACAN-BARTLEY
PCAM
Espace HERVANN
641 Chemin des terriers
06600 ANTIBES
Tel: 04.93.33.26.25
Fax: 04.93.33.73.45
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFW1CtWC9/YPePNU4RAodcAJ9KIvxHqQQK0OXmfxC8Hl2iaiJXUQCdGWbs
AamQu97shlr6RlGEkZT7ojQ=
=hZqQ
-----END PGP SIGNATURE-----

--
This message has been checked by MailScanner for viruses and spam, and nothing suspicious was found.

From t.d.lee at durham.ac.uk Wed Nov 15 17:39:19 2006
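The servers-file change discussed in the messages above (the cron.daily job, the report that "pyzor discover" writes the old address back, and the ">" versus ">>" question), as an added example that is not part of any poster's message: a shell function that keeps 82.94.255.100:24441 in the file exactly once however often it runs and drops 66.250.40.33:24441. The function names, the script name in the usage comment and the one-entry-per-line layout are assumptions; the function does not run pyzor itself.

```shell
#!/bin/sh
# Added example (not from the thread's posters): keep one chosen Pyzor server
# in the "servers" file from a daily cron job without growing the file.
# Function names are hypothetical; addresses are the ones quoted in the thread.

# valid_server ADDR: succeed only for dotted-quad IPv4 plus ":port".
valid_server() {
    printf '%s\n' "$1" | awk -F'[.:]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ { exit 1 }
        {
            for (i = 1; i <= 4; i++) if ($i > 255) exit 1
            if ($5 < 1 || $5 > 65535) exit 1
        }'
}

# pin_pyzor_server FILE WANT [DROP]
#   WANT  server to list first, exactly once
#   DROP  optional entry to remove (the address "pyzor discover" writes back)
# Other entries already in FILE are kept once each, in their original order.
# Assumes one "IP:port" entry per line, as in the file described in the thread.
pin_pyzor_server() {
    file=$1
    want=$2
    drop=${3:-}

    valid_server "$want" || { echo "bad server address: $want" >&2; return 2; }

    dir=$(dirname "$file")
    mkdir -p "$dir" || return 1
    # Build the new list beside the target so the final rename is atomic and a
    # reader never sees a half-written file.
    tmp=$(mktemp "$dir/servers.XXXXXX") || return 1

    {
        printf '%s\n' "$want"
        if [ -f "$file" ]; then
            awk -v want="$want" -v drop="$drop" '
                { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
                $0 == "" || $0 == want || $0 == drop { next }
                !seen[$0]++' "$file"
        fi
    } > "$tmp" || { rm -f "$tmp"; return 1; }

    # Leave the file untouched when it is already in the desired state.
    if [ -f "$file" ] && cmp -s "$tmp" "$file"; then
        rm -f "$tmp"
        return 0
    fi
    mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# Command-line use, e.g. from cron.daily after "pyzor discover"
# (pin-pyzor.sh is a hypothetical name for this file):
#   sh pin-pyzor.sh /root/.pyzor/servers 82.94.255.100:24441 66.250.40.33:24441
if [ "$#" -ge 2 ]; then
    pin_pyzor_server "$@"
fi
```

Appending with ">>" every day adds one more copy of the line per run, and a plain ">" discards whatever else was in the file; the function above avoids both.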
From: t.d.lee at durham.ac.uk (David Lee) Date: Wed Nov 15 17:39:38 2006 Subject: SA 3.1.7 returning no result to MS? In-Reply-To: References: <4554A39C.1050404@evi-inc.com> <45589620.2010900@evi-inc.com> Message-ID:

On Mon, 13 Nov 2006, David Lee wrote:

> On Mon, 13 Nov 2006, Matt Kettler wrote:
>
> > [...]
> > Check your mail logs for messages along the lines of "SpamAssassin timed out and
> > was killed"
>
> There are a few "... was killed, failure of 20" but they don't appear
> near the empty SA returns, and although they build in series, the ""
> don't seem to reach anywhere near the "20".
>
> There's nothing else nearby in the log that seems linked. There are some
> "SpamAssassin cache hit for message XXX" next to the failures, but that
> same process both before after returns non-empty with such incidents (as
> if these incidents are sporadic, rather than an MS process going long-term
> bad/corrupt).
>
> If someone who knows SA (3.1.7) or MS (4.56.8) internals can dream up some
> debug/log statements, I'd be happy to try to patch them in and watch what
> happens. Anyone? Julian? Matt?

Looking a little deeper, it seems that in the "MailScanner/SA.pm" module at the "eval { ...}" near line 800 (MS 4.56.8) all the results from:

    $pipe->reader();
    local $SIG{ALRM} = sub { die "Command Timed Out" };
    alarm MailScanner::Config::Value('spamassassintimeout');
    $SAHits = <$pipe>;
    #print STDERR "Read SAHits = $SAHits " . scalar(localtime) . "\n";
    $AutoLearn = <$pipe>;
    $SAHitList = <$pipe>;
    $SAReport = <$pipe>;
    #print STDERR "Read SAHitList = $SAHitList " . scalar(localtime) . "\n";
    # Not sure if next 2 lines should be this way round...
    waitpid $pid, 0;
    $pipe->close();
    $PipeReturn = $?;

are coming back empty. Hence the syslog entry:

    Message ... is not spam, SpamAssassin (cached, score=0, required 6, autolearn=)

This suggests that SA's expected behaviour would be that a 'good' return would always be accompanied by real, non-empty, data.
This, I presume, is what has always happened historically. But it now seems, after upgrade to SA 3.1.7, that SA occasionally provides empty data on a 'good' return: inconsistent. If this is the case, it suggests a likely bug in SA. Now I'll readily acknowledge that the place to fix that properly would be SA. But right now that still leaves us with a very live, very nasty problem of SA sometimes (randomly?) failing to work under MS, which is dire for sites which rely on SA. Is there some workaround we can put into MS to try to confirm this debugging) to detect this inconsistent return ('good' return code but empty data)? (If this really is an SA 3.1.7 bug, then it is still prudent for MS to try to handle it if reasonably possible because of the latent delay both of SA releases and of end-user sites upgrading after that.) Meanwhile, are there any SA folk here with whom I could work to try to get this taken up with the SA maintainers? -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From daniel.maher at ubisoft.com Wed Nov 15 17:44:52 2006 
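Added example (not part of David Lee's message, and not MailScanner or SpamAssassin code): a self-contained Perl model of the check asked about above. It reads the four result lines under an alarm and reports exit status 0 with no usable score line as its own failure state instead of letting it pass as score=0. The sub name read_scan_result, the state labels and the child output are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added illustration, not MailScanner code. Sub names and the sample result
# lines are hypothetical; only the read order follows the quoted snippet.
use strict;
use warnings;
use IO::Pipe;
use POSIX ();

# Fork a child that runs $child->($write_handle), then read the four result
# lines under an alarm, in the same order as the quoted snippet.
sub read_scan_result {
    my ($child, $timeout) = @_;

    my $pipe = IO::Pipe->new();
    my $pid  = fork();
    die "fork failed: $!" unless defined $pid;

    if ($pid == 0) {
        # Child: never fall back into the caller's code, whatever happens.
        $pipe->writer();
        my $ok = eval { $child->($pipe); 1 };
        $pipe->close();
        POSIX::_exit($ok ? 0 : 1);
    }

    $pipe->reader();
    my ($hits, $autolearn, $hitlist, $report, $status);
    my $finished = eval {
        local $SIG{ALRM} = sub { die "Command Timed Out\n" };
        alarm $timeout;
        $hits      = <$pipe>;
        $autolearn = <$pipe>;
        $hitlist   = <$pipe>;
        $report    = <$pipe>;
        waitpid $pid, 0;
        $status = $?;          # taken straight after waitpid
        alarm 0;
        1;
    };
    alarm 0;
    $pipe->close();

    if (!$finished) {
        kill 'KILL', $pid;     # timed out: stop and reap the child
        waitpid $pid, 0;
        return { state => 'timeout' };
    }
    if ($status != 0) {
        return { state => 'child-failed', status => $status };
    }

    # EOF yields undef and a bare newline yields '': neither is a score.
    my $score = defined $hits ? $hits : '';
    chomp $score;
    if ($score !~ /^-?\d+(?:\.\d+)?$/) {
        return { state => 'empty-on-success' };
    }

    for ($autolearn, $hitlist, $report) {
        $_ = '' unless defined $_;
        chomp;
    }
    return {
        state   => 'ok',     score  => $score, autolearn => $autolearn,
        hitlist => $hitlist, report => $report,
    };
}

# Constructed children standing in for the SpamAssassin side of the pipe.
my %cases = (
    normal => sub {
        my $w = shift;
        print $w "7.3\nno\nBAYES_99 3.5, RAZOR2_CHECK 1.5\nsample report\n";
    },
    silent => sub { },             # exits 0 without writing anything
    hung   => sub { sleep 10 },    # never answers within the timeout
);

for my $name (qw(normal silent hung)) {
    my $result = read_scan_result($cases{$name}, 2);
    printf "%-7s -> %s\n", $name, $result->{state};
}
```

The "silent" case is the one described in the message: the child exits cleanly, every read returns end-of-file, and only the explicit check on the score line separates it from a genuine result.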
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Wed Nov 15 17:44:57 2006
Subject: default rules vs. sa-update'd ones?
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203B258AC@UBIMAIL1.ubisoft.org>

Hi all,

I'm wondering what the priority is between the default rules contained in /usr/share/spamassassin/, and those which are updated via sa-update (/var/lib/spamassassin/)? For example, if the rules obtained via sa-update are different from those in the default dir, which one is actually used?

Finally, does MailScanner need to be made aware of the existence of the sa-update rules directory? If so, what configuration directive is used?

Thank you, all!

--
  _
 °v°   Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061115/41cab9a1/attachment.html

From ssilva at sgvwater.com Wed Nov 15 17:46:41 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Nov 15 17:49:41 2006
Subject: pyzor functionality
In-Reply-To: <006b01c708da$4587f820$287ba8c0@office.fsl>
References: <006b01c708da$4587f820$287ba8c0@office.fsl>
Message-ID:

Stephen Swaney spake the following on 11/15/2006 9:19 AM:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Scott Silva >> Sent: Wednesday, November 15, 2006 12:04 PM >> To: mailscanner@lists.mailscanner.info >> Subject: Re: pyzor functionality >> >> Martin Hepworth spake the following on 11/15/2006 8:17 AM: >>> David Lee wrote: >>>> On Wed, 15 Nov 2006, Martin Hepworth wrote: >>>> >>>>> Erik van der Leun wrote: >>>>>> Hi, >>>>>> >>>>>> On several servers, PYZOR seems to work every now and then... >>>>>> I can't seem to find a reason why... no errormessages when checking >>>>>> with >>>>>> --lint >>>>>> >>>>>> To be honest, I don't have much of a clue... >>>>>> >>>>>> What would be a good way of testing whether the online request gets a >>>>>> proper answer? >>>>>> [...] >>>>>> # spamassassin --lint -D 2>&1 | grep -i pyzor >>>>>> [16257] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf >>>>>> [16257] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from >>>>>> @INC >>>>>> [16257] dbg: pyzor: network tests on, attempting Pyzor >>>>>> [16257] dbg: plugin: registered >>>>>> Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00) >>>>>> [16257] dbg: plugin: registering glue method for check_pyzor >>>>>> (Mail::SpamAssassin::Plugin::Pyzor=HASH(0x158ffe00)) >>>>>> [16257] dbg: pyzor: pyzor is available: /usr/bin/pyzor >>>>>> [16257] dbg: pyzor: opening pipe: /usr/bin/pyzor check < >>>>>> /tmp/.spamassassin16257UZ6Czhtmp >>>>>> [16257] dbg: pyzor: killed stale helper [16322] >>>>>> [16257] dbg: pyzor: [16322] terminated: exit=0x000f >>>>>> [16257] dbg: pyzor: check timed out after 5 seconds >>>>>> >>>>> Erik >>>>> >>>>> I'd echo what Steve S just said. remove it from your configs. >>>> But pyzor is a useful item in the spam/ham discrimination battle, and >>>> nice >>>> to keep if reasonably possible. 
>>>> >>>> A few weeks ago there was a thread here on the MailScanner list which >>>> suggested that the default pyzor server was in some sort of long-term >>>> trouble, but that someone else was maintaining another pyzor server. >>>> See: >>>> >>>> http://lists.mailscanner.info/pipermail/mailscanner/2006- >> September/065292.html >>>> >>>> So before removing pyzor, it might be worth trying that alternative >>>> server. You probably have a ".pyzor" directory (possible in root's >> home >>>> directory) containing a file "servers", itself containing the old >> IP:port >>>> as "66.250.40.33:24441". The new one seems to be >> "82.94.255.100:24441". >>>> (The issue of local trust of, and reliance upon, such remote services >>>> (whether pyzor, Razor, DCC, the various RBLs etc.) is another >> matter...) >>> David >>> >>> cool, I'll that a go.... >>> >> I just have the following in cron.daily; >> >> #!/bin/bash >> pyzor discover >> echo 82.94.255.100:24441 >>/.pyzor/servers >> >> >> -- > > I can confirm: > > 82.94.255.100:24441 seems to be responding right now > > `echo 82.94.255.100:24441 >> /root/.pyzor/servers` corrects the host that > Pyzor uses > > Running `Pyzor discover` writes the bad data ""66.250.40.33:24441" to > .pyzor/servers "66.250.40.33:24441" :( > > Steve > > Stephen Swaney > Fort Systems Ltd. > stephen.swaney@fsl.com > www.fsl.com > I have not had a lot of problems with the default server, but added the second address as a fallback. I didn't look at the pyzor code to see if it would hurt anything, but I had noticed that the pyzor hits have been decreasing before I added this. Maybe I will run for a while with just the other server. Razor and DCC are responsible for far more tagging than pyzor ever was. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From martinh at solidstatelogic.com Wed Nov 15 18:00:07 2006 
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 15 18:00:40 2006
Subject: default rules vs. sa-update'd ones?
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D203B258AC@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D203B258AC@UBIMAIL1.ubisoft.org>
Message-ID: <455B55A7.2070900@solidstatelogic.com>

Daniel Maher wrote:
> Hi all,
>
>
>
> I'm wondering what the priority is between the default rules contained
> in /usr/share/spamassassin/, and those which are updated via sa-update
> (/var/lib/spamassassin/)? For example, if the rules obtained
> via sa-update are different from those in the default dir, which one is
> actually used?
>
>
>
> Finally, does MailScanner need to be made aware of the existence of the
> sa-update rules directory? If so, what configuration directive is used?
>
>
>
> Thank you, all!
>
>
>
> --
>
> _
> °v° Daniel Maher
> /(_)\ Administrateur Système Unix
>
> ^ ^ Unix System Administrator
>
>
>
> //Sentio aliquos togatos contra me conspirare.//
>
>
>

the /var/lib from sa-update will take over from the /usr/share ones.

Seems SA in last couple of versions will use these automatically if found and no changes are required anymore in mailScanner

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From Jan-Peter.Koopmann at seceidos.de Wed Nov 15 18:15:01 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Wed Nov 15 18:15:02 2006
Subject: FreeBSD 4.11 Ports Issue
In-Reply-To: <200611151102.53036.clacroix@cegep-ste-foy.qc.ca>
Message-ID:

On Wednesday, November 15, 2006 5:03 PM Charles Lacroix wrote:

> Just use portdowngrade and use an older version of p5-Filesys-Df :-)

I was just about to suggest a similar thing. Thanks Charles.

Kind regards
Jan-Peter Koopmann
Dipl.-Wirtschaftsinformatiker
Geschäftsführer
--
Seceidos GmbH&Co. KG     | Tel: +49 6151 66843-43
Robert-Bosch-Str. 7      | Fax: +49 6151 66843-52
64293 Darmstadt / Germany | IAX: guest@voip.seceidos.de/43
http://www.seceidos.de   | SIP: 43@voip.seceidos.de

From jase at sensis.com Wed Nov 15 18:17:55 2006
From: jase at sensis.com (Desai, Jason)
Date: Wed Nov 15 18:19:20 2006
Subject: default rules vs. sa-update'd ones?
Message-ID: <1951DC816E1A9F469307B05FA183F4385FF732@corpatsmail1.corp.sensis.com>

> the /var/lib from sa-update will take over from the /usr/share ones.
>
> Seems SA in last couple of versions will use these automatically if
> found and no changes are required anymore in mailScanner

And I think this is causing problems with MCP. Is there a way to tell MailScanner not to use the sa-update rules when doing MCP? Or should there be a "MCP SpamAssassin Local State Dir" option?

Jase

From Denis.Beauchemin at USherbrooke.ca Wed Nov 15 18:45:04 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Nov 15 18:45:41 2006
Subject: Razor and Pyzor problems...
Message-ID: <455B6030.7010105@USherbrooke.ca>

Hello everybody,

The emails exchanged today prompted me to look at my logs to see how I was doing. It turns out that I was not doing so well with Pyzor: no hits in more than 30 hours... I then tried the alternate server with the following errors (taken from a debug MS run):

[1361] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[1361] dbg: pyzor: network tests on, attempting Pyzor
[1361] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x9f2c8b4)
[1361] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf
[1361] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf" for included file
[1361] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf
[1361] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[1361] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin1361PABAvHtmp
[1361] dbg: pyzor: [1376] finished: exit=0x0100
[1361] dbg: pyzor: got response: 66.250.40.33:24441 TimeoutError: \n82.94.255.100:24441 (200, 'OK') 0 0
[1361] dbg: pyzor: failure to parse response "66.250.40.33:24441 TimeoutError: "
[1442] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[1442] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin14426gamI0tmp
[1442] dbg: pyzor: [1453] finished: exit=0x0100
[1442] dbg: pyzor: got response: Traceback (most recent call last):\n File "/usr/bin/pyzor", line 4, in ?\n pyzor.client.run()\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 934, in run\n ExecCall().run()\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 188, in run\n if not apply(dispatch, (self, args)):\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 262, in check\n for digest in FileDigester(sys.stdin, self.digest_spec):\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 615, in __init__\n self.digester = iter(get_file_digester(fp, spec, mbox))\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 633, in get_file_digester\n spec, seekable).get_digest(),)\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 467, in __init__\n (fp, offsets) = self.get_line_offsets(fp)\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 531, in get_line_offsets\n for line in fp:\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 702, in next\n l = self.readline()\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 694, in readline\n self.curfile = self.__class__(self.multifile)\n File "/usr/lib/python2.3/site-packages/pyzor/client.py", line 671, in __init__\n mimetools.decode(msg.fp, self.curfile, encoding)\n File "/usr/lib/python2.3/mimetools.py", line 152, in decode\n return quopri.decode(input, output)\n File "/usr/lib/python2.3/quopri.py", line 122, in decode\n data = input.read()\n File "/usr/lib/python2.3/multifile.py", line 118, in read\n return ''.join(self.readlines())\n File "/usr/lib/python2.3/multifile.py", line 112, in readlines\n line = self.readline()\n File "/usr/lib/python2.3/multifile.py", line 80, in readline\n raise Error, 'sudden EOF in MultiFile.readline()'\nmultifile.Error: sudden EOF in MultiFile.readline()
pyzor: check failed: internal error

The traceback doesn't look good and nor does the following:

[1361] dbg: pyzor: got response: 66.250.40.33:24441 TimeoutError: \n82.94.255.100:24441 (200, 'OK') 0 0

Looks like it tried the original server and it timed out... but why is it prepending the \n in front of the IP address? I flushed the second server from my /root/.pyzor/server (it had the 2 servers each on a separate line) and reran it. I still got a traceback but no timeout this time...

Now for Razor. I installed it (wasn't running it yet) and enabled it but I get no hit. Here are the excerpts from my MS debug run:

[1361] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[1361] dbg: razor2: razor2 is available, version 2.82
[1361] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x9d19b6c)
[1361] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[1361] dbg: razor2: razor2 is available, version 2.82
[1361] dbg: plugin: did not register Mail::SpamAssassin::Plugin::Razor2=HASH(0x9e07954), already registered
[1361] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf
[1361] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf" for includedfile
[1361] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf

Looks like it's finding it OK but it doesn't call it. What could I have missed? My system is using iptables and can open outgoing connections to wherever it pleases. Same setup on our external firewall... Oh! SA is 3.1.7.

Thanks!

Denis
--
  _
 °v°   Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061115/634473ed/smime.bin

From dhawal at netmagicsolutions.com Wed Nov 15 20:25:56 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Wed Nov 15 20:26:14 2006
Subject: Razor and Pyzor problems...
In-Reply-To: <455B6030.7010105@USherbrooke.ca>
References: <455B6030.7010105@USherbrooke.ca>
Message-ID: <20061116015556.ladf6e6exw0scckg@mail.netmagicsolutions.com>

Quoting Denis Beauchemin :

[snip]
> [1361] dbg: pyzor: got response: 66.250.40.33:24441 TimeoutError:
> \n82.94.255.100:24441 (200, 'OK') 0 0

pyzor doesn't understand multiple entries in the servers file.. see my reply to the previous thread.

> Now for Razor. I installed it (wasn't running it yet) and enabled it
> but I get no hit. Here are the excerpts from my MS debug run:
>
> [1361] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
> [1361] dbg: razor2: razor2 is available, version 2.82
> [1361] dbg: plugin: registered
> Mail::SpamAssassin::Plugin::Razor2=HASH(0x9d19b6c)
> [1361] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
> [1361] dbg: razor2: razor2 is available, version 2.82
> [1361] dbg: plugin: did not register
> Mail::SpamAssassin::Plugin::Razor2=HASH(0x9e07954), already registered
> [1361] dbg: plugin: fixed relative path:
> /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf
> [1361] dbg: config: using
> "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf"
> for includedfile
> [1361] dbg: config: read file
> /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf
>
> Looks like it's finding it OK but it doesn't call it. What could I
> have missed? My system is using iptables and can open outgoing
> connections to wherever it pleases. Same setup on our external
> firewall... Oh! SA is 3.1.7.

SA 3.1.7 doesn't lint network tests.. to see razor in action run 'spamassassin -D < sometestmessage'

- dhawal

From dhawal at netmagicsolutions.com Wed Nov 15 20:25:42 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Wed Nov 15 20:26:17 2006
Subject: pyzor functionality
In-Reply-To: <455B50AD.2050102@teicam.com>
References: <455B2391.2060401@hal9000.nl> <455B338F.8000507@solidstatelogic.com> <455B3D83.3090204@solidstatelogic.com> <455B50AD.2050102@teicam.com>
Message-ID: <20061116015542.zuyo450e8wsw4g4c@mail.netmagicsolutions.com>

Quoting Youri LACAN-BARTLEY :

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> I just have the following in cron.daily;
>>
>> #!/bin/bash
>> pyzor discover
>> echo 82.94.255.100:24441 >>/.pyzor/servers
>>
>>
>
> What exactly is the point of adding the "old" invalid ip in .pyzor/servers ?
> Wouldn't echo 82.94.255.100:24441 > ~/.pyzor/servers be
> enough ?

precisely, that is the default behavior.. pyzor is not designed to work with multiple pyzord servers.

However a recently posted SA patch can use both servers.. not a fallback but a 2 individual queries. Both patches are attached in the bugzilla page.. first one will take the best result and the other will use a sum of the 2 results.

See http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5148

- dhawal

From r.berber at computer.org Wed Nov 15 20:26:06 2006
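Added example (not from any poster, and not the SpamAssassin patch referenced above): the `pyzor check` output quoted in this thread carries one line per entry in the servers file, so a consumer that parses only the first line sees the timeout and never the valid answer. The Perl sketch below classifies every line and combines the usable ones as "best" or "sum". The line format is taken from the quoted debug output; the sub names, the reading of "best" as the highest report count, and the 192.0.2.x sample are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not SpamAssassin or pyzor code. The line format comes
# from the debug output quoted in this thread; sub names are hypothetical.
use strict;
use warnings;

# Classify every line of `pyzor check` output instead of only the first one.
sub parse_pyzor_output {
    my ($raw) = @_;
    my @replies;
    for my $line (split /\r?\n/, $raw) {
        next unless $line =~ /\S/;
        if ($line =~ /^(\S+:\d+)\s+\((\d+),\s*'([^']*)'\)\s+(\d+)\s+(\d+)\s*$/) {
            # host:port  (code, 'message')  report-count  whitelist-count
            push @replies, {
                server => $1, code => $2, message => $3,
                count  => $4, wl   => $5, ok      => ($2 == 200 ? 1 : 0),
            };
        }
        elsif ($line =~ /^(\S+:\d+)\s+(\w+):\s*(.*)$/) {
            # host:port  SomeError: detail   (for example TimeoutError)
            push @replies, { server => $1, ok => 0, error => $2, detail => $3 };
        }
        else {
            # Anything else, such as a line of a Python traceback
            push @replies, { server => undef, ok => 0, error => 'unparsed', detail => $line };
        }
    }
    return @replies;
}

# Combine the usable replies. 'best' keeps the reply with the highest report
# count, 'sum' adds the counts. Returns an empty list if no server answered.
sub combine_replies {
    my ($mode, @replies) = @_;
    my @ok = grep { $_->{ok} } @replies;
    return unless @ok;

    if ($mode eq 'sum') {
        my ($count, $wl) = (0, 0);
        for my $reply (@ok) {
            $count += $reply->{count};
            $wl    += $reply->{wl};
        }
        return ($count, $wl);
    }
    my ($best) = sort { $b->{count} <=> $a->{count} } @ok;
    return ($best->{count}, $best->{wl});
}

my %samples = (
    # The two-server reply quoted in this thread (tab separators assumed).
    'timeout + ok' => "66.250.40.33:24441\tTimeoutError: \n"
                    . "82.94.255.100:24441\t(200, 'OK')\t0\t0\n",
    # Constructed: two servers answer with different counts.
    'two answers'  => "192.0.2.10:24441\t(200, 'OK')\t3\t0\n"
                    . "192.0.2.20:24441\t(200, 'OK')\t5\t1\n",
    # Constructed from the first and last lines of the quoted traceback.
    'traceback'    => "Traceback (most recent call last):\n"
                    . "multifile.Error: sudden EOF in MultiFile.readline()\n",
);

for my $name (sort keys %samples) {
    my @replies = parse_pyzor_output($samples{$name});
    for my $reply (grep { !$_->{ok} } @replies) {
        my $who = defined $reply->{server} ? $reply->{server} : '(no server)';
        print "$name: ignoring $who: $reply->{error}\n";
    }
    for my $mode (qw(best sum)) {
        my @result = combine_replies($mode, @replies);
        printf "%s: %s -> %s\n", $name, $mode,
            @result ? "count=$result[0] whitelist=$result[1]" : 'no usable reply';
    }
}
```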
From: r.berber at computer.org (René Berber)
Date: Wed Nov 15 20:26:58 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
In-Reply-To: <001601c708d9$44a41d40$0200000a@danc3>
References: <00a901c704e0$f9a257e0$0200000a@danc3><223f97700611110026t75fe5f9cte6b654fc68c40e2c@mail.gmail.com><013301c70739$c57359f0$0200000a@danc3><01f501c7074d$b0296e90$0200000a@danc3> <029501c7076c$0a099110$0200000a@danc3> <02d601c70777$216cf580$0200000a@danc3> <017601c7081a$302dd370$0200000a@danc3> <223f97700611150120j54b0448cv61cd54e4581ea914@mail.gmail.com> <001601c708d9$44a41d40$0200000a@danc3>
Message-ID:

Dan Carl wrote:
[snip]
>> Sorry if you posted this already, but how do you do your Bayes expiry?
> I used to have it as a cronjob, but just used the line in Mailscanner.conf
>> How big is your Bayes db?
> 5.2M bayes_seen
> 2.9M bayes_toks
>> I'm thinking expiry problems here... Do you get bayes_toks.expire*
> no
>> files (where you have your bayes DB files)?
> /root/.spamassassin
> Question?
> My auto-whitelist is 82M is this normal?

No (640k in my case). I'm not sure how SA cleans this data base, I see no options other than "use_auto_whitelist", "auto_whitelist_path", and "auto_whitelist_file_mode".

> If it is and I have Always Include SpamAssassin Report = yes
> will it show up in the header as being whitelist?

Yes, it appears as an optional score then AWL.

> I know my spam.whitelist.rules are displayed in the header.

Only the word "whitelisted" not the rule.

>> SpamCop and Sorbs could be slow responses...
> I've been logging speed today and most batches take less than 10seconds
> I set my Spam List Timeout = 60
> Is there anything else I can try?
> Not as concerned about how long it takes to deliver a message as I am about
> reducing spam.

Do you use sa-update? If you do, have you tried setting MS' "SpamAssassin Local State Dir"?
--
René Berber

From glenn.steen at gmail.com Wed Nov 15 20:37:57 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 15 20:38:04 2006
Subject: Razor and Pyzor problems...
In-Reply-To: <455B6030.7010105@USherbrooke.ca>
References: <455B6030.7010105@USherbrooke.ca>
Message-ID: <223f97700611151237u195a534du5b1907afa82e2f7e@mail.gmail.com>

On 15/11/06, Denis Beauchemin wrote:
> Hello everybody,
>
> The emails exchanged today prompted me to look at my logs to see how I
> was doing. It turns out that I was not doing so well with Pyzor: no
> hits in more than 30 hours... I then tried the alternate server with
> the following errors (taken from a debug MS run):
>
(snip)
> [1361] dbg: pyzor: pyzor is available: /usr/bin/pyzor
> [1361] dbg: pyzor: opening pipe: /usr/bin/pyzor check <
> /tmp/.spamassassin1361PABAvHtmp
> [1361] dbg: pyzor: [1376] finished: exit=0x0100
> [1361] dbg: pyzor: got response: 66.250.40.33:24441 TimeoutError:
> \n82.94.255.100:24441 (200, 'OK') 0 0
> [1361] dbg: pyzor: failure to parse response "66.250.40.33:24441
> TimeoutError: "

Seems you are trying "the old, nonfunctional, official server" still. Just remove it and replace it with the new one mentioned in the other thread and things should start hopping along. (I had the same behaviour... that it tries both servers, and the "combined result" kind of seems to baffle pyzor to no end:-)

(snip)
>
> The traceback doesn't look good and nor does the following:
> [1361] dbg: pyzor: got response: 66.250.40.33:24441 TimeoutError:
> \n82.94.255.100:24441 (200, 'OK') 0 0

As said... baffled and bewildered... Not the state one wants one software to be in:-)

> Looks like it tried the original server and it timed out... but why is
> it prepending the \n in front of the IP address? I flushed the second
> server from my /root/.pyzor/server (it had the 2 servers each on a
> separate line) and reran it. I still got a traceback but no timeout
> this time...

In my testing, it worked with just the one.

> Now for Razor. I installed it (wasn't running it yet) and enabled it
> but I get no hit. Here are the excerpts from my MS debug run:
>
> [1361] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
> [1361] dbg: razor2: razor2 is available, version 2.82
> [1361] dbg: plugin: registered
> Mail::SpamAssassin::Plugin::Razor2=HASH(0x9d19b6c)
> [1361] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
> [1361] dbg: razor2: razor2 is available, version 2.82
> [1361] dbg: plugin: did not register
> Mail::SpamAssassin::Plugin::Razor2=HASH(0x9e07954), already registered
> [1361] dbg: plugin: fixed relative path:
> /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf
> [1361] dbg: config: using
> "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf"
> for includedfile
> [1361] dbg: config: read file
> /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf
>
> Looks like it's finding it OK but it doesn't call it. What could I have
> missed? My system is using iptables and can open outgoing connections
> to wherever it pleases. Same setup on our external firewall... Oh! SA
> is 3.1.7.

Did you do all the mumbo-jumbo (yeah, I'm really too tired to be typing this:-) to configure it (mentioned in the wiki, BTW;)? So that it finds a server, have somewhere to put its logs etc?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Denis.Beauchemin at USherbrooke.ca Wed Nov 15 20:36:48 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Nov 15 20:39:46 2006
Subject: Razor and Pyzor problems...
In-Reply-To: <20061116015556.ladf6e6exw0scckg@mail.netmagicsolutions.com>
References: <455B6030.7010105@USherbrooke.ca> <20061116015556.ladf6e6exw0scckg@mail.netmagicsolutions.com>
Message-ID: <455B7A60.1020304@USherbrooke.ca>

Dhawal Doshy wrote:
>
>> Now for Razor. I installed it (wasn't running it yet) and enabled it
>> but I get no hit. Here are the excerpts from my MS debug run:
>>
>> [1361] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
>> [1361] dbg: razor2: razor2 is available, version 2.82
>> [1361] dbg: plugin: registered
>> Mail::SpamAssassin::Plugin::Razor2=HASH(0x9d19b6c)
>> [1361] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
>> [1361] dbg: razor2: razor2 is available, version 2.82
>> [1361] dbg: plugin: did not register
>> Mail::SpamAssassin::Plugin::Razor2=HASH(0x9e07954), already registered
>> [1361] dbg: plugin: fixed relative path:
>> /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf
>> [1361] dbg: config: using
>> "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf"
>> for includedfile
>> [1361] dbg: config: read file
>> /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf
>>
>> Looks like it's finding it OK but it doesn't call it. What could I
>> have missed? My system is using iptables and can open outgoing
>> connections to wherever it pleases. Same setup on our external
>> firewall... Oh! SA is 3.1.7.
>
> SA 3.1.7 doesn't lint network tests.. to see razor in action run
> 'spamassassin -D < sometestmessage'
>

This was not taken from a --lint call but from a debug call from MS. It should be the real thing! Nonetheless I tested it with your recommended command and got the same messages.

Denis
--
  _
 °v°   Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061115/a286d65e/smime.bin

From res at ausics.net Wed Nov 15 20:48:32 2006
From: res at ausics.net (Res)
Date: Wed Nov 15 20:48:43 2006
Subject: Massive queue buildup
In-Reply-To: <223f97700611150056l19654a16m3eb9b03f42dbfadc@mail.gmail.com>
References: <223f97700611150056l19654a16m3eb9b03f42dbfadc@mail.gmail.com>
Message-ID:

On Wed, 15 Nov 2006, Glenn Steen wrote:

>> If you need it sorted , disable spam assassin, leave spam checks on, but
>> disable SA, you'll find it will clear the queue in no time.
> Might not be the culprit after all. Well, it still might bet....:-)

hehe yeah everytime we had an issue disabled SA and all those 10's of K messages have been processed in under 10 mins :) without it, it grew and grew and grew

> As you all know, the MTA (for early rejection) or SA (for
> parallelism) is the place to do this (and possibly one or two in
> MS...:-).

Well, the MTA is the place to do it, if he had 15K msgs good chance a great deal may be trash that would have been prevented from adding to MS's clogging issue

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From Denis.Beauchemin at USherbrooke.ca Wed Nov 15 20:52:57 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Nov 15 20:53:18 2006
Subject: Razor and Pyzor problems...
In-Reply-To: <223f97700611151237u195a534du5b1907afa82e2f7e@mail.gmail.com>
References: <455B6030.7010105@USherbrooke.ca> <223f97700611151237u195a534du5b1907afa82e2f7e@mail.gmail.com>
Message-ID: <455B7E29.6040909@USherbrooke.ca>

Glenn Steen wrote:
> On 15/11/06, Denis Beauchemin wrote:
>> Now for Razor. I installed it (wasn't running it yet) and enabled it
>> but I get no hit. Here are the excerpts from my MS debug run:
>>
>> [1361] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
>> [1361] dbg: razor2: razor2 is available, version 2.82
>> [1361] dbg: plugin: registered
>> Mail::SpamAssassin::Plugin::Razor2=HASH(0x9d19b6c)
>> [1361] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
>> [1361] dbg: razor2: razor2 is available, version 2.82
>> [1361] dbg: plugin: did not register
>> Mail::SpamAssassin::Plugin::Razor2=HASH(0x9e07954), already registered
>> [1361] dbg: plugin: fixed relative path:
>> /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf
>> [1361] dbg: config: using
>> "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf"
>> for includedfile
>> [1361] dbg: config: read file
>> /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf
>>
>> Looks like it's finding it OK but it doesn't call it. What could I have
>> missed? My system is using iptables and can open outgoing connections
>> to wherever it pleases. Same setup on our external firewall... Oh! SA
>> is 3.1.7.
> Did you do all the mumbo-jumbo (yeah, I'm really to tired to be typing
> this:-) to configure it (mentione in the wiki, BTW;)? So that it finds
> a server, have somewhere to put its logs etc?
>

Yes, I did the following:
#

perl Makefile.PL
make
make test
make install
razor-admin -create
razor-admin -register
vi /etc/MailScanner/spam.assassin.prefs.conf
    use_razor2 1
service MailScanner reload (even tried a restart)

BTW I couldn't find anything about use_razor2 on SA's website. Is it still needed?

Denis
--
  _
 °v°   Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From Denis.Beauchemin at USherbrooke.ca Wed Nov 15 20:57:21 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Nov 15 20:57:50 2006
Subject: Razor and Pyzor problems...
In-Reply-To: <20061116015556.ladf6e6exw0scckg@mail.netmagicsolutions.com>
References: <455B6030.7010105@USherbrooke.ca> <20061116015556.ladf6e6exw0scckg@mail.netmagicsolutions.com>
Message-ID: <455B7F31.1070604@USherbrooke.ca>

Dhawal Doshy wrote:
>
> Quoting Denis Beauchemin :
> [snip]
>> [1361] dbg: pyzor: got response: 66.250.40.33:24441 TimeoutError:
>> \n82.94.255.100:24441 (200, 'OK') 0 0
>
> pyzor doesn't understand multiple entries in the servers file.. see my
> reply to the previous thread.
>

I did not answer this part of your reply in my previous message because I hadn't seen your other reply then. It seems to confirm the results I had with both IP addresses in my server file. I now only use the alternate one and I get a lot of PYZOR hits.

Denis
--
  _
 °v°   Denis Beauchemin, analyste
/(_)\  Université de Sherbrooke, S.T.I.
 ^ ^   T: 819.821.8000x62252 F: 819.821.8045
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061115/6c97f547/smime.bin

From chandler at chapman.edu Wed Nov 15 20:58:14 2006
From: chandler at chapman.edu (Chandler, Jay) Date: Wed Nov 15 21:01:37 2006 Subject: Massive queue buildup References: <223f97700611150056l19654a16m3eb9b03f42dbfadc@mail.gmail.com> Message-ID: *deadpan* A workout? If only I had a massive queue for it to process. :-D The new box was apparently specced somewhere in the third world (Like Maine), so right now I have two boxes running mail: An older box that keeps screaming under the load, and has the massive buildup or A new box that has an incompatible NIC that crashes the server every two hours (new one overnighted, will be in tomorrow), an issue where it hangs on reboot, and a paltry 1 gig of RAM. And to think, I could have been a plumber... -- Jay Chandler Network Administrator, Chapman University 714-628-7249 / chandler@chapman.edu ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info on behalf of Scott Silva Sent: Wed 11/15/2006 8:18 AM To: mailscanner@lists.mailscanner.info Subject: Re: Massive queue buildup Glenn Steen spake the following on 11/15/2006 12:56 AM: > On 15/11/06, Res wrote: >> On Tue, 14 Nov 2006, Chandler, Jay wrote: >> >> > ov 14 20:07:42 brewer MailScanner[37903]: Batch (30 messages) processed >> > in 328.23 seconds >> > Nov 14 20:07:51 brewer MailScanner[38335]: Batch (30 messages) >> processed >> > in 670.92 seconds >> > Nov 14 20:08:37 brewer MailScanner[38125]: Batch (30 messages) >> processed >> > in 643.34 seconds >> > >> > That's not good. >> > >> >> No :) > Have to agree here. More below. > >> If you nee dit sorted , disable spam assassin, leave spam checks on, but >> disable SA, you'll find it will clear the queue in no time. > Might not be the culprit after all. Well, it still might bet....:-) > >> Also do you RBL in MS or MTA? MTA is far better > In one of Jays earlier responses (to Brent Addis) he mentioned doing > 3-4 BLs in MS, which he found to be "nothing insane". Well, he just > might be wrong, taken that those would _serialize_, much like most > MTAs but unlike SA, and with some poor choices made on which lists to > check in MS... Voila, bad performance here we come:-). At least a > theory worth exploring;-). > As you all know, the MTA (for early rejection) or SA (for > parallellism) is the place to do this (and possibly one or two in > MS...:-). > I have to agree totally. BL's in mailscanner will be the slowest. I just ran across Net-DNSBL-MultiDaemon on CPAN, and I am thinking about experimenting with it. You can add it as a zone in bind and make one lookup. It seems to even drop BLs that timeout or get slow for a short period of time. http://search.cpan.org/~miker/Net-DNSBL-MultiDaemon-0.17/MultiDaemon.pm I just have to think out a plan to give it a workout. -- MailScanner is like deodorant... 
You hope everybody uses it, and you notice quickly if they don't!!!! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/ms-tnef Size: 6566 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061115/ab715bb4/attachment.bin From mkettler at evi-inc.com Wed Nov 15 21:01:31 2006 From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Nov 15 21:03:14 2006 Subject: Razor and Pyzor problems... In-Reply-To: <455B7E29.6040909@USherbrooke.ca> References: <455B6030.7010105@USherbrooke.ca> <223f97700611151237u195a534du5b1907afa82e2f7e@mail.gmail.com> <455B7E29.6040909@USherbrooke.ca> Message-ID: <455B802B.8010505@evi-inc.com> Denis Beauchemin wrote: > Yes, I did the following: > # > > perl Makefile.PL > make > make test > make install > razor-admin -create > razor-admin -register > vi /etc/MailScanner/spam.assassin.prefs.conf > use_razor2 1 > service MailScanner reload (even tried a restart) > > BTW I couldn't find anything about use_razor2 on SA's website. Is it > still needed? Razor is a plugin now, so use_razor2 would be in the plugin docs, not the top-level SpamAssassin::Conf docs. See: http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_Razor2.html That said, you shouldn't need to declare use_razor. Now that it's a plugin, this defaults to 1 (enabled). Check your /etc/mail/spamassassin/v310.pre and make sure the razor plugin isn't disabled. This was disabled by default in early releases of SA 3.1.x, but is now enabled. From help at intuitiveisp.com Wed Nov 15 22:51:03 2006 
From: help at intuitiveisp.com (jason Lingnau) Date: Wed Nov 15 22:51:33 2006 Subject: No outbound spam testing In-Reply-To: <455B490B.10706@solidstatelogic.com> References: <8020D2B9-B1DE-43FE-B3C3-F9D6FE2922D5@intuitiveisp.com> <455B490B.10706@solidstatelogic.com> Message-ID: Thanks! It is now working , I may have had good results before but I was testing with lint and getting bunk output ( or giving bunk input ?!) spamassassin -D --lint -p /etc/MailScanner/rules/nocklocal.sa.rules 24762] warn: config: failed to parse line, skipping: From: 67.121.71. no [24762] warn: config: failed to parse line, skipping: From: 127.0.0.1_no [24762] warn: config: failed to parse line, skipping: From: 207.145.49. no [24762] warn: config: failed to parse line, skipping: FromOrTo: default yes This has not changed, but it is working. jason On Nov 15, 2006, at 9:06 AM, Martin Hepworth wrote: > jason Lingnau wrote: >> What is the best way to configure MailScanner/ Spamassin , to NOT >> test outbound mail for spam? >> We are running MailScanner 4.51.5 with Spamassassin 3.1.1 >> I have had poor luck at using a ruleset like; >> Spam Checks = %rules-dir%/nocklocal.sa.rules >> #Dont use SA on these entries >> From: 67.121.x.x no ( our networks outbound IP ) >> From: thisserver.domain.com no >> FromOrTo: default yes >> Any ideas! >> > > yeah try > > From: 67.121. no 
> From: 127.0.0.1 no > FromOrTo: default yes > > > > > > -- > Martin Hepworth > Senior Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > ********************************************************************** > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. > > This footnote confirms that this email message has been swept > for the presence of computer viruses and is believed to be clean. > > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From admin at thenamegame.com Thu Nov 16 03:54:08 2006 From: admin at thenamegame.com (Michael S.) Date: Thu Nov 16 03:46:51 2006 Subject: Debora is a huge spammers!!!! In-Reply-To: <20061115093217.I48256@mikea.ath.cx> Message-ID: <200611160346.kAG3kmX6020205@bkserver.blacknight.ie> Where did you add these rules and what do they look like? The debora*.* spam is such a huge problem at the moment!! They must be pumping out millions of these spam messages. Anyone have Exim rules to stop this? I would like to add it to exim to kill it at smtp time instead of waiting for it too get to mailscanner. Thanks -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mikea Sent: Wednesday, November 15, 2006 10:32 AM To: MailScanner discussion Subject: Re: Debora is a huge spammers!!!! On Tue, Nov 14, 2006 at 10:31:50AM -0000, Randal, Phil wrote: > Not here they weren't. > > A simple grep leads to double-counting (because I run milter-greylist), > but my point still stands. Was handled well by my setup without any > additional response needed. I've found that a lot of the "debora" spam, as well as a fair amount of other spam, matches /6c822ecf/ in one or more of Message-ID and Content-ID headers. I have yet to see a false positive. It's just as good as the /From: akstc.*@/ signature, which is nailing a bunch even now. If you run milter-regex, it's trivial to build rules for these. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From taz at taz-mania.com Thu Nov 16 05:39:28 2006 
From: taz at taz-mania.com (Dennis Willson) Date: Thu Nov 16 05:39:32 2006 Subject: Annoying!!! In-Reply-To: <4559E38F.1090101@coders.co.uk> References: <45585CA7.65ED.00A2.0@plattesheriff.org> <4559885E.65ED.00A2.0@plattesheriff.org> <4559E38F.1090101@coders.co.uk> Message-ID: <455BF990.2010603@taz-mania.com> I looked at this, but assumes your outgoing mail server is sendmail. My incoming is multiple sendmail systems, but not my outgoing Matt Hampton wrote: > Rob Poe wrote: > >> It's not me that's getting the stock spams. Someone is sending them AS my domain, and my catchall is grabbing the Undeliverables. :) >> >> > > Please, please, please look at milter-null. > > Has saved one of my users (also with a catchall) getting 40 a minute. > > matt > From jimc at laridian.com Thu Nov 16 06:59:50 2006 
From: jimc at laridian.com (Jim Coates) Date: Thu Nov 16 07:03:29 2006 Subject: Max Children and List Server Lagging Message-ID: <008d01c7094c$cfd55e60$6401a8c0@zorak> Hey all; I just installed a couple days ago MailWatch for my MailScanner box.. great tool. However, I've noticed now that I can see the # of children MailScanner has running that it seems to be ignoring my Max Children setting. I have Max Children set to "5", but recently we were doing a large mailing (we house a few mailing lists) and I noticed that it said there were 20+ SendMail procs and 11 MailScanner children. I've read here in the past that too many children will slow a box down if it doesn't have the memory and CPU to handle it, which I think is exactly the case going on with me. We were sending out a large mailing today and it is taking an extraordinary amount of time (going on 14 hours of trying to send out a total of 25,000 emails). We do run grey listing, but our IP is white listed for the milter-greylist and in the white list within MailScanner, so I'm not sure what is causing the deep delays or the extra children showing from MailScanner. Any ideas as to what might be happening or what I could look for? I searched back through the threads and saw one related to single versus queued sending with SendMail.. perhaps something relating to that? Thanks in advance for any help you can give me. Jim Coates From raymond at prolocation.net Thu Nov 16 07:55:05 2006 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Thu Nov 16 07:55:07 2006 Subject: Max Children and List Server Lagging In-Reply-To: <008d01c7094c$cfd55e60$6401a8c0@zorak> References: <008d01c7094c$cfd55e60$6401a8c0@zorak> Message-ID: Hi! > I just installed a couple days ago MailWatch for my MailScanner box.. great > tool. > > However, I've noticed now that I can see the # of children MailScanner has > running that it seems to be ignoring my Max Children setting. > > I have Max Children set to "5", but recently we were doing a large mailing > (we house a few mailing lists) and I noticed that it said there were 20+ > SendMail procs and 11 MailScanner children. I have seen this also where a box started swapping like crazy, the max MS # was set to 10, but if i was looking i had at least 30 MS childeren in the SA stage... Julian, does this sound familliar? Bye, Raymond. From glenn.steen at gmail.com Thu Nov 16 08:06:18 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 16 08:06:27 2006 Subject: No outbound spam testing In-Reply-To: References: <8020D2B9-B1DE-43FE-B3C3-F9D6FE2922D5@intuitiveisp.com> <455B490B.10706@solidstatelogic.com> Message-ID: <223f97700611160006r493a0f6bg7e290386ac4127e@mail.gmail.com> On 15/11/06, jason Lingnau wrote: > Thanks! > It is now working , I may have had good results before but I was > testing with lint and getting bunk output ( or giving bunk input ?!) > > spamassassin -D --lint -p /etc/MailScanner/rules/nocklocal.sa.rules > > 24762] warn: config: failed to parse line, skipping: From: 67.121.71. no > [24762] warn: config: failed to parse line, skipping: From: 127.0.0.1_no > [24762] warn: config: failed to parse line, skipping: 
From: > 207.145.49. no > [24762] warn: config: failed to parse line, skipping: FromOrTo: > default yes > > This has not changed, but it is working. > > jason > Why are you using SpamAssassin to lint MailScanner syntax? It will never do;-). Use "MailScanner --lint" if you want to test your MS config files. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From uck2rok at hotmail.com Thu Nov 16 09:12:19 2006 From: uck2rok at hotmail.com (Oliver Weinmann) Date: Thu Nov 16 09:12:24 2006 Subject: HTML blocking Message-ID: Hi, Some of our html emails are being converted to text. I checked our mailscanner config and found out that "Convert Dangerous HTML Emails" is set to yes. Is there a way to specify a list (white list) of email senders that are not being converted to text? Regards, Oliver Weinmann From jen at ah.dk Thu Nov 16 09:48:23 2006 
From: jen at ah.dk (Jan Elmqvist Nielsen) Date: Thu Nov 16 09:49:51 2006 Subject: MailScanner miss several Regning.exe files In-Reply-To: <455BF990.2010603@taz-mania.com> Message-ID: <41EA997496BB5542BDA52CFA44FE78FC9A6C48@AHMAIL.ah.ahnet.local> The virus Trojan-Downloader.Win32.Nurech.h (kaspersky) comes as an exe file. I have to my horror noticed that several of these mails with the exe file attached have not been stopped!!! I am using MailScanner ver. 4.54.6 with mailwatch Attached are 2 screen dumps /Jan Elmqvist Nielsen -------------- next part -------------- A non-text attachment was scrubbed... Name: regning1.png Type: image/png Size: 25192 bytes Desc: regning1.png Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061116/455e40fe/regning1.png -------------- next part -------------- A non-text attachment was scrubbed... Name: regning2.png Type: image/png Size: 9289 bytes Desc: regning2.png Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061116/455e40fe/regning2.png From martinh at solidstatelogic.com Thu Nov 16 09:58:53 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Nov 16 09:59:04 2006 Subject: MailScanner miss several Regning.exe files In-Reply-To: <41EA997496BB5542BDA52CFA44FE78FC9A6C48@AHMAIL.ah.ahnet.local> References: <41EA997496BB5542BDA52CFA44FE78FC9A6C48@AHMAIL.ah.ahnet.local> Message-ID: <455C365D.7080602@solidstatelogic.com> Jan Elmqvist Nielsen wrote: > The virus Trojan-Downloader.Win32.Nurech.h (kaspersky) comes as a exe > file. > > I have to my horror notice that serveral of these mails with the exe > file attached not have been stop!!! > > I using MailScanner ver. 4.54.6 with mailwatch > > Attached are 2 screen dumps > > /Jan Elmqvist Nielsen > > > ------------------------------------------------------------------------ > > > ------------------------------------------------------------------------ > Hmm and you deliver high scoring spam???? what does the 'file' command say about these (that what MS uses to show it's an executable). Also does your filename.rules.conf file or filetype/ruless.conf say to block these?? Are there any exceptions (whitelists) on filenames or types? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From martinh at solidstatelogic.com Thu Nov 16 10:00:29 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Nov 16 10:00:39 2006 Subject: HTML blocking In-Reply-To: References: Message-ID: <455C36BD.2020007@solidstatelogic.com> Oliver Weinmann wrote: > Hi, > > Some of our html emails are being converted to text. I checked our > mailscanner config and found out that "Convert Dangerous HTML Emails" is > set to yes. Is there a way to specify a list (white list) of email > senders that are not being converted to text? > > Regards, > > Oliver Weinmann > Oliver, yes you can make this a ruleset (rather than yes) which decides what to do. Have a look in the rules/EXAMPLES and README files for examples. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From glenn.steen at gmail.com Thu Nov 16 10:30:54 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 16 10:31:03 2006 Subject: Max Children and List Server Lagging In-Reply-To: References: <008d01c7094c$cfd55e60$6401a8c0@zorak> Message-ID: <223f97700611160230s40889819y1a5419174f9e046e@mail.gmail.com> On 16/11/06, Raymond Dijkxhoorn wrote: > Hi! > > > I just installed a couple days ago MailWatch for my MailScanner box.. great > > tool. > > > > However, I've noticed now that I can see the # of children MailScanner has > > running that it seems to be ignoring my Max Children setting. > > > > I have Max Children set to "5", but recently we were doing a large mailing > > (we house a few mailing lists) and I noticed that it said there were 20+ > > SendMail procs and 11 MailScanner children. > > I have seen this also where a box started swapping like crazy, the max MS > # was set to 10, but if i was looking i had at least 30 MS childeren in > the SA stage... > > Julian, does this sound familliar? > > Bye, > Raymond. "Worker" processes? Doing BL lookups? After all the Max Children are more like "pre-fork this amount of children, and let them hav as many worker-children as they need"... -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Nov 16 10:39:09 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 16 10:39:13 2006 Subject: MailScanner miss several Regning.exe files In-Reply-To: <41EA997496BB5542BDA52CFA44FE78FC9A6C48@AHMAIL.ah.ahnet.local> References: <455BF990.2010603@taz-mania.com> <41EA997496BB5542BDA52CFA44FE78FC9A6C48@AHMAIL.ah.ahnet.local> Message-ID: <223f97700611160239p55d4366egabe7d76dc5e12cd0@mail.gmail.com> On 16/11/06, Jan Elmqvist Nielsen wrote: > The virus Trojan-Downloader.Win32.Nurech.h (kaspersky) comes as a exe > file. > > I have to my horror notice that serveral of these mails with the exe > file attached not have been stop!!! > > I using MailScanner ver. 4.54.6 with mailwatch > > Attached are 2 screen dumps > > /Jan Elmqvist Nielsen > Hi Jan, A couple of notes: - Rechnung/R?kningen/Regning/etc/etc/etc is actually sold as a "Do it yourself Malware-kit", complete with all you need to be able to generate your own virus... This makes it pretty darned common for new variants to pop up. - You either have something up with your filenam/filetype detection, or you aren't running it at all. Perhaps a badly come-together ruleset (by email address or somesuch)? - It does get detected as high-scoring spam, which shouldn't be delivered (policy-dependant, I know:) The above is one of the reasons filename/filetype blocking is really important... You can have however many AVs in MS, you will still run the risk of being the first one receiving a new (variant of a) virus. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jen at ah.dk Thu Nov 16 10:36:37 2006 
From: jen at ah.dk (Jan Elmqvist Nielsen) Date: Thu Nov 16 10:40:36 2006 Subject: {Filename?} SV: MailScanner miss several Regning.exe files In-Reply-To: <455C365D.7080602@solidstatelogic.com> Message-ID: <41EA997496BB5542BDA52CFA44FE78FC9A6C4C@AHMAIL.ah.ahnet.local> Warning: This message has had one or more attachments removed Warning: (the entire message). Warning: Please read the "VirusWarning.txt" attachment(s) for more information. This is a message from the MailScanner e-mail virus protection service -------------------------------------------------------------------------- The original e-mail attachment "the entire message" is on the list of unwanted attachments and has been replaced by a warning. If you wish to receive a copy of the original attachment, please send an e-mail to the information service (support/helpdesk) and include this entire message. The virus scanner reported the following (Thu Nov 16 11:36:38 2006): MailScanner: Executable DOS/Windows programs are dangerous in email (Regning.exe) Note to the information service: Look at in (message id kAGAablG031708). -- Postmaster Aalborg Handelsskole www.ah.dk From raymond at prolocation.net Thu Nov 16 10:47:59 2006 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Thu Nov 16 10:48:00 2006 Subject: Max Children and List Server Lagging In-Reply-To: <223f97700611160230s40889819y1a5419174f9e046e@mail.gmail.com> References: <008d01c7094c$cfd55e60$6401a8c0@zorak> <223f97700611160230s40889819y1a5419174f9e046e@mail.gmail.com> Message-ID: Hi! >> > However, I've noticed now that I can see the # of children MailScanner >> > running that it seems to be ignoring my Max Children setting. >> > I have Max Children set to "5", but recently we were doing a large >> > (we house a few mailing lists) and I noticed that it said there were 20+ >> > SendMail procs and 11 MailScanner children. >> I have seen this also where a box started swapping like crazy, the max MS >> # was set to 10, but if i was looking i had at least 30 MS childeren in >> the SA stage... >> >> Julian, does this sound familliar? > "Worker" processes? Doing BL lookups? > After all the Max Children are more like "pre-fork this amount of > children, and let them hav as many worker-children as they need"... > BL lookups, they are all in the spamassasin state. I certainly hope not that each worker can shoot away as many as it likes. I limit it to 10 for a reason :) And, it always worked that way also. So somehow sometimes its ignored. Seen that more then once lately. Only a MailScanner restart seems to fix it after the strange status. I only confirm someone else also saw, so it happenes elswhere also :) Bye, Raymond. From t.d.lee at durham.ac.uk Thu Nov 16 09:31:34 2006 
From: t.d.lee at durham.ac.uk (David Lee) Date: Thu Nov 16 11:02:18 2006 Subject: Max Children and List Server Lagging In-Reply-To: <008d01c7094c$cfd55e60$6401a8c0@zorak> References: <008d01c7094c$cfd55e60$6401a8c0@zorak> Message-ID: On Thu, 16 Nov 2006, Jim Coates wrote: > [...] > However, I've noticed now that I can see the # of children MailScanner has > running that it seems to be ignoring my Max Children setting. > > I have Max Children set to "5", but recently we were doing a large mailing > (we house a few mailing lists) and I noticed that it said there were 20+ > SendMail procs and 11 MailScanner children. What follows is from (possibly faulty) memory, from a non-expert. I think it is correct, but I may be wrong. Looking at just the MS processes (not sendmail): I seem to recall that this behaviour is actually to be expected. Let's represent the "Max Children" as "N". There will always be a parent process, which will start up the "N" children each of which lives for several hours. So even on a quiet system there will be "N+1" MailScanner processes. When incoming emails are discovered, it seems that one of the children itself spawns a child (so, overall, a grandchild) to handle it, for a short time. So on a very busy system, if each child itself has a child there could be up to "2N+1" MS processes. In your case N=5. The 11 you observe is this "2N+1". On a reasonable system you would expect to exceed "N+1" (6 or more on yours). But if it is regularly close to "2N+1" (close to 11 on yours) then you probably do have problems. Julian recommends setting "Max Children" (i.e. our "N") to 5 per CPU on the box. So your system it is probably about right as a starting point. BUT... > I've read here in the past that too many children will slow a box down if it > doesn't have the memory and CPU to handle it, which I think is exactly the > case going on with me. 
We were sending out a large mailing today and it is > taking an extraordinary amount of time (going on 14 hours of trying to send > out a total of 25,000 emails). CPU: I understand that an apparently high load average might not be a problem, if your "Max Children" is right. (Which yours seems to be.) Memory: Things are memory hungry. The more memory you have, the better. In "MailScanner.conf" near the "Max Children" setting is a comment about MS needing about 20MB per MS process. My own view is that this is way too small (the comment is probably old and in need of revision) especially if SpamAssassin is being run. > We do run grey listing, but our IP is white listed for the milter-greylist > and in the white list within MailScanner, so I'm not sure what is causing > the deep delays or the extra children showing from MailScanner. I recently tried milter-greylist. For us, that was a real CPU hog, and I had to back out of it. (I understand the development version will have a major efficiency improvement.) [Extra MS children: as discussed above: to be expected, up to "2N+1".] Another thing to investigate: How well is your DNS resolution performing? We recently had a misconfiguration so that every DNS attempt was made to a local (127.0.0.1) server, but there wasn't a local server! Long timeouts. As soon as I made this consistent, things improved dramatically. Some folk advise running a caching DNS server within your MS box. That's nice if you can do it, but far important is to check that the first "/etc/resolv.conf" entry has a well-running server. Summary: 1. "Max Children": Set to 5 is OK. Seeing up to 11 MS processes is OK. 2. Memory: The more the merrier. You probably want at least 1GB. 3. Check that your DNS resolution is OK. In particular that all the servers, and especially the first, listed in "/etc/resolv.conf" are running well. Hope something there is of help. -- : David Lee I.T. 
Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From jen at ah.dk Thu Nov 16 11:08:32 2006 
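David Lee's third point above, checking that every server in "/etc/resolv.conf" (the first above all) answers promptly, can be scripted. The following is an added example, not part of his message or of MailScanner; the function names, the `example.com` probe name, the 0.5 second "slow" threshold and the sample file are assumptions made for the illustration.

```python
"""Time one DNS query against each nameserver listed in a resolv.conf."""
import random
import socket
import struct
import time

# Constructed sample: the first entry points at a local resolver that may
# not be running, the case described in the message (documentation addresses).
SAMPLE_RESOLV_CONF = """\
# constructed example
search example.org
nameserver 127.0.0.1
nameserver 192.0.2.53
options timeout:5 attempts:2
"""


def parse_nameservers(resolv_conf_text):
    """Return nameserver addresses in file order (the resolver tries them in order)."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def build_query(hostname, query_id):
    """Build a minimal DNS query packet: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def time_query(server, hostname="example.com", timeout=2.0, port=53):
    """Return seconds until `server` answers the query, or None on timeout/error."""
    query_id = random.randint(0, 0xFFFF)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    started = time.monotonic()
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(hostname, query_id), (server, port))
            reply, _ = sock.recvfrom(512)
    except OSError:  # includes socket.timeout
        return None
    elapsed = time.monotonic() - started
    if len(reply) < 12:
        return None
    reply_id, flags = struct.unpack("!HH", reply[:4])
    # Accept only a response (QR bit set) that carries our query id.
    if reply_id != query_id or not flags & 0x8000:
        return None
    return elapsed


def classify(latency, slow_after=0.5):
    """Label a measurement; slow_after is an assumed threshold in seconds."""
    if latency is None:
        return "NO ANSWER"
    return "SLOW" if latency > slow_after else "ok"


def check_resolvers(resolv_conf_text, probe=time_query):
    """Probe every nameserver; return [(position, server, latency, label)]."""
    results = []
    for position, server in enumerate(parse_nameservers(resolv_conf_text), 1):
        latency = probe(server)
        results.append((position, server, latency, classify(latency)))
    return results


if __name__ == "__main__":
    with open("/etc/resolv.conf") as handle:
        for position, server, latency, label in check_resolvers(handle.read()):
            shown = "-" if latency is None else f"{latency * 1000:.0f} ms"
            print(f"{position}. {server:<40} {shown:>8}  {label}")
```

A "NO ANSWER" in position 1 means every lookup waits out the resolver timeout before the second server is tried, which is the long-timeout behaviour the message describes.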
From: jen at ah.dk (Jan Elmqvist Nielsen) Date: Thu Nov 16 11:16:06 2006 Subject: SV: MailScanner miss several Regning.exe files In-Reply-To: <455C365D.7080602@solidstatelogic.com> Message-ID: <41EA997496BB5542BDA52CFA44FE78FC9A6C4D@AHMAIL.ah.ahnet.local> No I deliver spam - not high spam :-) File kAFGMu026001 kAFGMu026001: smtp mail text /Jan Elmqvist Nielsen -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Martin Hepworth Sent: 16 November 2006 10:59 To: MailScanner discussion Subject: Re: MailScanner miss several Regning.exe files Jan Elmqvist Nielsen wrote: > The virus Trojan-Downloader.Win32.Nurech.h (kaspersky) comes as an exe > file. > > I have to my horror noticed that several of these mails with the exe > file attached have not been stopped!!! > > I am using MailScanner ver. 4.54.6 with mailwatch > > Attached are 2 screen dumps > > /Jan Elmqvist Nielsen > > > ---------------------------------------------------------------------- > -- > > > ---------------------------------------------------------------------- > -- > Hmm and you deliver high scoring spam???? what does the 'file' command say about these (that what MS uses to show it's an executable). Also does your filename.rules.conf file or filetype/ruless.conf say to block these?? Are there any exceptions (whitelists) on filenames or types? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
********************************************************************** From Howard at harper-adams.ac.uk Thu Nov 16 11:19:01 2006 
From: Howard at harper-adams.ac.uk (Howard Robinson) Date: Thu Nov 16 11:19:54 2006 Subject: Filtering problem Message-ID: Dear list This (coincidentally) is another filter query. I have looked at EXAMPLES & README and it appears to confirm what I have set. I am having a problem trying to stop MailScanner filtering out HTML & script I am sending myself an email with html script in it for testing. In my MailScanner.conf I have included Allow Script Tags = %rules-dir%/script.rules Non Spam Actions = %rules-dir%/striphtml.rules note %rules-dir% = /etc/MailScanner/rules in /etc/MailScanner/rules/script.rules I have To: hrobinson@harper-adams.ac.uk yes To: howard@harper-adams.ac.uk yes # I tried FromOrTo: on both these with no different result FromOrTo: default no in /etc/MailScanner/rules/striphtml.rules I have To: hrobinson@harper-adams.ac.uk deliver To: howard@harper-adams.ac.uk deliver # I tried FromOrTo: on both these with no different result FromOrTo: default striphtml deliver (spaces are tabs by the way) In Maillog the following lines relate to the email, Validipdaddress & Validrelay changed from real one. Nov 15 16:25:17 blackhole2 MailScanner[29444]: Message kAFGOisP029475 from VALIDIPADDRESS (hrobinson@harper-adams.ac.uk) to harper-adams.ac.uk is not spam, SpamAssassin (score=-2.53, required 5, autolearn=not spam, ALL_TRUSTED -3.30, BAYES_00 -0.05, HTML_80_90 0.15, HTML_MESSAGE 0.00, HTML_NONELEMENT_00_10 0.00, NO_REAL_NAME 0.01, SUBJ_ALL_CAPS 0.67) A few lines later Nov 15 16:27:22 blackhole2 MailScanner[29444]: Content Checks: Detected and will convert HTML message to plain text in kAFGOisP029475 A few lines later Nov 15 16:28:30 blackhole2 sendmail[30284]: kAFGOisP029475: to=howard@gw.harper-adams.ac.uk, delay=00:03:46, xdelay=00:00:00, mailer=esmtp, pri=125149, relay=VALIDRELAY. 
[VALIDIPADDRESS], dsn=2.0.0, stat=Sent (Ok) On Mailwatch the details of the message has the line kAFGOisP029475 Non Spam Actions = %rules-dir%/striphtml.rules It must have html in as it's being picked up in Maillog. Mailscanner is using the striphtml.rules as mailwatch says it is and that's confirmed in maillog but so it should follow the rule! I can't help feeling I am missing something that will be blatently obvious but so far it remains a mistery. Am I right in thinking that the filters will be carried out before it looks at the aliases list. Logically I can't see it working otherwise. Any ideas on what else could be amiss. Thanks Regards Howard Robinson, (Senior Technical Development Officer), Harper Adams University College, Edgmond, Newport, Shropshire , TF10 8NB. Tel. Direct 01952 815253 Tel. Switch Board 01952 820280 Fax 01952 814783 Email hrobinson@harper-adams.ac.uk Web www.harper-adams.ac.uk From klaas at dezigner.nl Thu Nov 16 11:15:02 2006 From: klaas at dezigner.nl (D321) Date: Thu Nov 16 11:20:11 2006 Subject: Debora is a huge spammers!!!! References: <200611121954.kACJs8mT030323@bkserver.blacknight.ie> Message-ID: i get deborah mail practicly every minute.. how do i stop this? this has been happenening since i submitted my site to a bunch of sites that rank it higher in search engines...is there a conection here?? From martinh at solidstatelogic.com Thu Nov 16 11:25:19 2006 
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Thu Nov 16 11:25:31 2006
Subject: Filtering problem
In-Reply-To:
References:
Message-ID: <455C4A9F.2060308@solidstatelogic.com>

Howard Robinson wrote:
> Dear list
> This (coincidentally) is another filter query. I have looked at EXAMPLES & README and it appears to confirm what I have set.
>
> I am having a problem trying to stop MailScanner filtering out HTML & script
> I am sending myself an email with html script in it for testing.
> In my MailScanner.conf I have included
>
> Allow Script Tags = %rules-dir%/script.rules
> Non Spam Actions = %rules-dir%/striphtml.rules
> note %rules-dir% = /etc/MailScanner/rules
>
> in /etc/MailScanner/rules/script.rules I have
>
> To: hrobinson@harper-adams.ac.uk yes
> To: howard@harper-adams.ac.uk yes
> # I tried FromOrTo: on both these with no different result
> FromOrTo: default no
>
> in /etc/MailScanner/rules/striphtml.rules I have
>
> To: hrobinson@harper-adams.ac.uk deliver
> To: howard@harper-adams.ac.uk deliver
> # I tried FromOrTo: on both these with no different result
> FromOrTo: default striphtml deliver
> (spaces are tabs by the way)
>
> In Maillog the following lines relate to the email, Validipaddress & Validrelay changed from real one.
>
> Nov 15 16:25:17 blackhole2 MailScanner[29444]: Message kAFGOisP029475 from VALIDIPADDRESS (hrobinson@harper-adams.ac.uk) to harper-adams.ac.uk is not spam, SpamAssassin (score=-2.53, required 5, autolearn=not spam, ALL_TRUSTED -3.30, BAYES_00 -0.05, HTML_80_90 0.15, HTML_MESSAGE 0.00, HTML_NONELEMENT_00_10 0.00, NO_REAL_NAME 0.01, SUBJ_ALL_CAPS 0.67)
> A few lines later
> Nov 15 16:27:22 blackhole2 MailScanner[29444]: Content Checks: Detected and will convert HTML message to plain text in kAFGOisP029475
> A few lines later
> Nov 15 16:28:30 blackhole2 sendmail[30284]: kAFGOisP029475: to=howard@gw.harper-adams.ac.uk, delay=00:03:46, xdelay=00:00:00, mailer=esmtp, pri=125149, relay=VALIDRELAY. [VALIDIPADDRESS], dsn=2.0.0, stat=Sent (Ok)
>
> On Mailwatch the details of the message has the line kAFGOisP029475
> Non Spam Actions = %rules-dir%/striphtml.rules
>
> It must have html in as it's being picked up in Maillog.
> Mailscanner is using the striphtml.rules as mailwatch says it is and that's confirmed in maillog but so it should follow the rule!
> I can't help feeling I am missing something that will be blatantly obvious but so far it remains a mystery.
> Am I right in thinking that the filters will be carried out before it looks at the aliases list. Logically I can't see it working otherwise.
> Any ideas on what else could be amiss.
> Thanks
>
> Howard

I think the default action on striphtml.rules is invalid. See the
comments above the "Non Spam Actions" for valid actions

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************

From martinh at solidstatelogic.com Thu Nov 16 11:28:16 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Thu Nov 16 11:28:26 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To:
References: <200611121954.kACJs8mT030323@bkserver.blacknight.ie>
Message-ID: <455C4B50.1000607@solidstatelogic.com>

D321 wrote:
> i get deborah mail practically every minute.. how do i stop this? this has been
> happening since i submitted my site to a bunch of sites that rank it higher
> in search engines...is there a connection here??
>

Seems to have moved to other names now.....

but the following rules hit for me..

 5.40 BAYES_99                Bayesian spam probability is 99 to 100%
 1.96 DATE_IN_FUTURE_03_06    Date: is 3 to 6 hours after Received: date
 4.00 DCC_CHECK               Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.77 DIGEST_MULTIPLE         Message hits more than one network digest check
 3.70 PYZOR_CHECK             Listed in Pyzor (http://pyzor.sf.net/)
 1.56 RCVD_IN_BL_SPAMCOP_NET  Received via a relay in bl.spamcop.net
 1.66 SARE_MLB_Stock4
 1.12 SARE_RMML_Stock26
 1.66 STOCK_NAME_FVGT1

The SARE and FVG1 ones at the bottom of this list are from the
SARE_stock and 'freds' rules from www.rulesemporium.com

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From glenn.steen at gmail.com Thu Nov 16 11:34:22 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 16 11:34:29 2006
Subject: {Filename?} SV: MailScanner miss several Regning.exe files
In-Reply-To: <41EA997496BB5542BDA52CFA44FE78FC9A6C4C@AHMAIL.ah.ahnet.local>
References: <455C365D.7080602@solidstatelogic.com> <41EA997496BB5542BDA52CFA44FE78FC9A6C4C@AHMAIL.ah.ahnet.local>
Message-ID: <223f97700611160334v3c3fcb3lde292a43ff849789@mail.gmail.com>

On 16/11/06, Jan Elmqvist Nielsen wrote:
> Warning: This message has had one or more attachments removed
> Warning: (the entire message).
> Warning: Please read the "VirusWarning.txt" attachment(s) for more information.
>
> Dette er en meddelelse fra MailScanner e-post virus beskyttelses tjenesten
> --------------------------------------------------------------------------
> Det originale e-brevs bilag "the entire message"
> er på listen over uønskede bilag og er blevet erstattet af en advarsel.
>
> Hvis du ønsker at modtage en kopi af det originale bilag, send da venligst
> et e-brev til informationstjeneste (support/helpdesk) og medsend hele
> denne medelelse.
>
> Virusskanneren skrev følgende (Thu Nov 16 11:36:38 2006):
> MailScanner: Executable DOS/Windows programs are dangerous in email (Regning.exe)
>
>
> Note til informationstjenesten: Kig på i (besked id kAGAablG031708).
>
> --
> Postmester
> Aalborg Handelsskole
> www.ah.dk
>

Hey Jan!

Seems to be working OK outbound:-).
You didn't happen to "invert" the sense of this option? So that you do
filename-blocking only for outbound, not inbound, mails?:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Nov 16 11:51:34 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 16 11:51:37 2006
Subject: Filtering problem
In-Reply-To: <455C4A9F.2060308@solidstatelogic.com>
References: <455C4A9F.2060308@solidstatelogic.com>
Message-ID: <223f97700611160351g6c119d03le64a22ce2a95f6de@mail.gmail.com>

On 16/11/06, Martin Hepworth wrote:
> Howard Robinson wrote:
> > Dear list
> > This (coincidentally) is another filter query. I have looked at EXAMPLES & README and it appears to confirm what I have set.
> >
> > I am having a problem trying to stop MailScanner filtering out HTML & script
> > I am sending myself an email with html script in it for testing.
> > In my MailScanner.conf I have included
> >
> > Allow Script Tags = %rules-dir%/script.rules
> > Non Spam Actions = %rules-dir%/striphtml.rules
> > note %rules-dir% = /etc/MailScanner/rules
> >
> > in /etc/MailScanner/rules/script.rules I have
> >
> > To: hrobinson@harper-adams.ac.uk yes
> > To: howard@harper-adams.ac.uk yes

Note that the above address....

> > # I tried FromOrTo: on both these with no different result
> > FromOrTo: default no
> >
> > in /etc/MailScanner/rules/striphtml.rules I have
> >
> > To: hrobinson@harper-adams.ac.uk deliver
> > To: howard@harper-adams.ac.uk deliver

... as well as the one above here...

> > # I tried FromOrTo: on both these with no different result
> > FromOrTo: default striphtml deliver
> > (spaces are tabs by the way)
> >
> > In Maillog the following lines relate to the email, Validipaddress & Validrelay changed from real one.
> >
> > Nov 15 16:25:17 blackhole2 MailScanner[29444]: Message kAFGOisP029475 from VALIDIPADDRESS (hrobinson@harper-adams.ac.uk) to harper-adams.ac.uk is not spam, SpamAssassin (score=-2.53, required 5, autolearn=not spam, ALL_TRUSTED -3.30, BAYES_00 -0.05, HTML_80_90 0.15, HTML_MESSAGE 0.00, HTML_NONELEMENT_00_10 0.00, NO_REAL_NAME 0.01, SUBJ_ALL_CAPS 0.67)
> > A few lines later
> > Nov 15 16:27:22 blackhole2 MailScanner[29444]: Content Checks: Detected and will convert HTML message to plain text in kAFGOisP029475
> > A few lines later
> > Nov 15 16:28:30 blackhole2 sendmail[30284]: kAFGOisP029475: to=howard@gw.harper-adams.ac.uk, delay=00:03:46, xdelay=00:00:00, mailer=esmtp, pri=125149, relay=VALIDRELAY. [VALIDIPADDRESS], dsn=2.0.0, stat=Sent (Ok)

... don't match with the recipient (envelope) address here. So I'm
guessing this is why you are seeing this behavior (just another case
of it doing exactly what you tell it to do...:-)

> > On Mailwatch the details of the message has the line kAFGOisP029475
> > Non Spam Actions = %rules-dir%/striphtml.rules
> >
> > It must have html in as it's being picked up in Maillog.
> > Mailscanner is using the striphtml.rules as mailwatch says it is and that's confirmed in maillog but so it should follow the rule!
> > I can't help feeling I am missing something that will be blatantly obvious but so far it remains a mystery.
> > Am I right in thinking that the filters will be carried out before it looks at the aliases list. Logically I can't see it working otherwise.
> > Any ideas on what else could be amiss.
> > Thanks
> >
> >
> > Howard
>
> I think the default action on striphtml.rules is invalid. See the
> comments above the "Non Spam Actions" for valid actions
>

Haven't looked, so this might be true too:-).
But first see to it that howard@harper-adams.ac.uk and
howard@gw.harper-adams.ac.uk match up better... Then look at Martin's
suggestion;-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Nov 16 11:53:46 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 16 11:53:53 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To:
References: <200611121954.kACJs8mT030323@bkserver.blacknight.ie>
Message-ID: <223f97700611160353q7790519fke3d31a02606e58bb@mail.gmail.com>

On 16/11/06, D321 wrote:
> i get deborah mail practically every minute.. how do i stop this? this has been
> happening since i submitted my site to a bunch of sites that rank it higher
> in search engines...is there a connection here??
>

Perhaps... If the address-harvester robots have a more easy job of
finding your site... Needn't be more sinister than that:-).

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From kgilpin at lrgs.org.uk Thu Nov 16 12:20:10 2006
From: kgilpin at lrgs.org.uk (K Gilpin)
Date: Thu Nov 16 12:15:40 2006
Subject: Outlook
In-Reply-To: <223f97700611160353q7790519fke3d31a02606e58bb@mail.gmail.com>
Message-ID: <00c801c70979$8f5c1d60$be65fea9@lrgs.org.uk>

Hi,

I have Mailscanner installed with postfix.

A client has been sending mails using Outlook. Outlook has gone a bit wild
and has kept sending the same message to another person.
I have shut down the machine.

I have looked in /var/spool/postfix/incoming/ to get rid of any more
outgoing messages, they are all empty.

Would anyone else know where to look to delete these outgoing
messages the user keeps getting.

Thanks

Kevin

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com Thu Nov 16 12:23:36 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 16 12:23:38 2006
Subject: Outlook
In-Reply-To: <00c801c70979$8f5c1d60$be65fea9@lrgs.org.uk>
References: <223f97700611160353q7790519fke3d31a02606e58bb@mail.gmail.com> <00c801c70979$8f5c1d60$be65fea9@lrgs.org.uk>
Message-ID: <223f97700611160423v2f14c2abtee006de995363334@mail.gmail.com>

On 16/11/06, K Gilpin wrote:
>
> Hi,
>
> I have Mailscanner installed with postfix.
>
> A client has been sending mails using Outlook. Outlook has gone a bit wild
> and has kept sending the same message to another person.
> I have shut down the machine.
>
> I have looked in /var/spool/postfix/incoming/ to get rid of any more
> outgoing messages, they are all empty.
>
> Would anyone else know where to look to delete these outgoing
> messages the user keeps getting.
>
> Thanks
>
> Kevin
>

From the logs, you should be able to see if the LookOut-using client
is continually reconnecting to send that broken message. If so, start
by clearing it from the LookOut Outbox folder.

If it is the same postfix queue file that is stuck in the hold
directory, one might suspect that the queue file is somehow broken (in
a way undetectable to postfix)... Or perhaps it is MailScanner having
problems reading/understanding it. One solution here would be to
simply clear the queue file out (with rm).

BTW, what versions are you running (PF, MS, OL ...)?

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From kgilpin at lrgs.org.uk Thu Nov 16 12:39:37 2006
From: kgilpin at lrgs.org.uk (K Gilpin)
Date: Thu Nov 16 12:35:08 2006
Subject: Outlook
In-Reply-To: <223f97700611160423v2f14c2abtee006de995363334@mail.gmail.com>
Message-ID: <00cd01c7097c$474de370$be65fea9@lrgs.org.uk>

> Hi,
>
> I have Mailscanner installed with postfix.
>
> A client has been sending mails using Outlook. Outlook has gone a bit wild
> and has kept sending the same message to another person.
> I have shut down the machine.
>
> I have looked in /var/spool/postfix/incoming/ to get rid of any more
> outgoing messages, they are all empty.
>
> Would anyone else know where to look to delete these outgoing
> messages the user keeps getting.
>
> Thanks
>
> Kevin
>

>From the logs, you should be able to see if the LookOut-using client
>is continually reconnecting to send that broken message. If so, start
>by clearing it from the LookOut Outbox folder.

>If it is the same postfix queue file that is stuck in the hold
>directory, one might suspect that the queue file is somehow broken (in
>a way undetectable to postfix)... Or perhaps it is MailScanner having
>problems reading/understanding it. One solution here would be to
>simply clear the queue file out (with rm).
>BTW, what versions are you running (PF, MS, OL ...)?

I have managed to sort it out thanks using the command postsuper -d ALL

Cheers

Kevin

From filip.nollet at hogent.be Thu Nov 16 12:54:21 2006
From: filip.nollet at hogent.be (Filip Nollet)
Date: Thu Nov 16 12:54:25 2006
Subject: Filename.rules.conf (attachment filename scanning) not working after upgrade
Message-ID: <002901c7097e$56321300$9fe21005@hogent.be>

Hi,

I have seen and corrected the problem. The option
"dangerouscontentscanning" was set to "no". I thought this would only
scan the inline text/images/html code of the email message, and did not
apply to the attachments. I was wrong apparently.

Thanks for all the help.

Greetings,
Filip

======================================
Filip Nollet
System & Network Management
Hogeschool Gent
Department ICT
Schoonmeersstraat 52
9000 Gent
Belgium
Tel: +32 (0)9 248 88 87
Fax: +32 (0)9 243 87 70
E-Mail: filip.nollet@hogent.be
GPG info: ED892C1B
Fingerprint: 265E CFDE 6880 A968 64F4 85E6 4DC4 353C ED89 2C1B

From rcooper at dwford.com Thu Nov 16 13:06:18 2006
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Nov 16 13:06:29 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <200611160346.kAG3kmX6020205@bkserver.blacknight.ie>
Message-ID: <01d901c70980$02282e00$0301a8c0@SAHOMELT>

A little scary blocking debora@* but:

In your exim rcpt acl (change the denial message to suit you):

  deny message = $sender_address has been specifically blocked from this site - bye bye!
       senders = wildlsearch;/somedir/Mail_Sender_Block.conf

The format of /somedir/Mail_Sender_Block.conf would be

  ^\Ndebora@*\N
  name@domain.com
  ^debora@*\.com

The way it works: if the line in the file begins with a circumflex (^) then
the line is treated as a regular expression otherwise it has to match
exactly. So line one and three are regex and line two must be
name@domain.com exactly. As the keys in the search are subject to expansion
you may want to stick to the syntax:

  ^\Ndebora@*\N

The \N{expression}\N means "do not expand anything between the \N pairs" to
prevent expansion within the key (debora@|debora*@). If you just use
^debora@* then it will look for debora@, then debora*@ which would match
debora or deborah or deborackleter@.

You could certainly use a match condition instead, but by using the
external file you can add, subtract or modify the data without having to
touch the running exim process.

I would put this before anything in the acl except any host white listing
and you might want to add some sanity checks for one of your hosts and
users like (if you use authentication):

  !authenticated = *

And

  hosts = !/somedir/Mail_local_net

(which would contain your local network like 10.10.10.0/24)

So the whole acl would be

  deny message = $sender_address has been specifically blocked from this site - bye bye!
       !authenticated = *
       hosts = !/somedir/Mail_local_net
       senders = wildlsearch;/somedir/Mail_Sender_Block.conf

So the denial would require the host not belong to you, the sender is not
authenticated and the address must appear in the file listing bad address,
or address regexes

Rick

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Michael S.
> Sent: Wednesday, November 15, 2006 10:54 PM
> To: 'MailScanner discussion'
> Subject: RE: Debora is a huge spammers!!!!
>
> Where did you add these rules and what do they look like?
>
> The debora*.* spam is such a huge problem at the moment!! They must be
> pumping out millions of these spam messages.
>
> Anyone have Exim rules to stop this? I would like to add it
> to exim to kill
> it at smtp time instead of waiting for it to get to mailscanner.
>
> Thanks
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mikea
> Sent: Wednesday, November 15, 2006 10:32 AM
> To: MailScanner discussion
> Subject: Re: Debora is a huge spammers!!!!
>
> On Tue, Nov 14, 2006 at 10:31:50AM -0000, Randal, Phil wrote:
> > Not here they weren't.
> >
> > A simple grep leads to double-counting (because I run
> milter-greylist),
> > but my point still stands. Was handled well by my setup without any
> > additional response needed.
>
> I've found that a lot of the "debora" spam, as well as a fair amount
> of other spam, matches /6c822ecf/ in one or more of Message-ID and
> Content-ID headers. I have yet to see a false positive. It's just as
> good as the /From: akstc.*@/ signature, which is nailing a bunch even
> now.
>
> If you run milter-regex, it's trivial to build rules for these.
>
> --
> Mike Andrews, W5EGO
> mikea@mikea.ath.cx
> Tired old sysadmin
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From glenn.steen at gmail.com Thu Nov 16 13:06:44 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 16 13:06:48 2006
Subject: Outlook
In-Reply-To: <00cd01c7097c$474de370$be65fea9@lrgs.org.uk>
References: <223f97700611160423v2f14c2abtee006de995363334@mail.gmail.com> <00cd01c7097c$474de370$be65fea9@lrgs.org.uk>
Message-ID: <223f97700611160506r1d77e2e4id5beb217214eda9@mail.gmail.com>

On 16/11/06, K Gilpin wrote:
> > Hi,
> >
> > I have Mailscanner installed with postfix.
> >
> > A client has been sending mails using Outlook. Outlook has gone a bit
> wild
> > and has kept sending the same message to another person.
> > I have shut down the machine.
> >
> > I have looked in /var/spool/postfix/incoming/ to get rid of any more
> > outgoing messages, they are all empty.
> >
> > Would anyone else know where to look to delete these outgoing
> > messages the user keeps getting.
> >
> > Thanks
> >
> > Kevin
> >
> >From the logs, you should be able to see if the LookOut-using client
> >is continually reconnecting to send that broken message. If so, start
> >by clearing it from the LookOut Outbox folder.
>
> >If it is the same postfix queue file that is stuck in the hold
> >directory, one might suspect that the queue file is somehow broken (in
> >a way undetectable to postfix)... Or perhaps it is MailScanner having
> >problems reading/understanding it. One solution here would be to
> >simply clear the queue file out (with rm).
> >BTW, what versions are you running (PF, MS, OL ...)?
>
> I have managed to sort it out thanks using the command postsuper -d ALL
>
> Cheers
>
> Kevin

I hope you stopped MailScanner (or at least postfix) before doing that...
The reason to use the hold queue is that the only other process that
ever operates on it is manually calling postsuper... so (since there
is no locking) to ensure that the one doesn't interfere with the other
(postsuper and MailScanner) you need to stop MailScanner first... and (for
some other reasons) postfix itself.

And I suppose you checked that there was no _other_ incoming mail in
hold before clearing it?

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Denis.Beauchemin at USherbrooke.ca Thu Nov 16 13:19:30 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Nov 16 13:19:55 2006
Subject: Razor and Pyzor problems...
In-Reply-To: <455B802B.8010505@evi-inc.com>
References: <455B6030.7010105@USherbrooke.ca> <223f97700611151237u195a534du5b1907afa82e2f7e@mail.gmail.com> <455B7E29.6040909@USherbrooke.ca> <455B802B.8010505@evi-inc.com>
Message-ID: <455C6562.4030200@USherbrooke.ca>

Matt Kettler wrote:
> Denis Beauchemin wrote:
>
>
>> Yes, I did the following:
>> #
>>
>> perl Makefile.PL
>> make
>> make test
>> make install
>> razor-admin -create
>> razor-admin -register
>> vi /etc/MailScanner/spam.assassin.prefs.conf
>> use_razor2 1
>> service MailScanner reload (even tried a restart)
>>
>> BTW I couldn't find anything about use_razor2 on SA's website. Is it
>> still needed?
>>
>
>
> Razor is a plugin now, so use_razor2 would be in the plugin docs, not the
> top-level SpamAssassin::Conf docs.
>
> See:
>
> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_Razor2.html
>
> That said, you shouldn't need to declare use_razor. Now that it's a plugin, this
> defaults to 1 (enabled).
>
> Check your /etc/mail/spamassassin/v310.pre and make sure the razor plugin isn't
> disabled. This was disabled by default in early releases of SA 3.1.x, but is now
> enabled.
>
>

It is enabled:
loadplugin Mail::SpamAssassin::Plugin::Razor2

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From Howard at harper-adams.ac.uk Thu Nov 16 13:47:53 2006
From: Howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Nov 16 13:49:46 2006
Subject: Filtering problem
Message-ID:

Hello again - thanks for the replies so far.
Re the Non spam actions. The mailscanner book says that deliver is needed after striphtml. But that part of the rule is working anyway! It's stripping and delivering everything that is not spam. It's the non default that does not appear to work.
Re the recipient address.
That has been derived from the aliases list on my mailserver AFTER it has been scanned.
So if I was sending that mail off site that line would be on the receiver's maillog - wouldn't it?
Or have I got this wrong!
I added the line anyway but still not working.
Parts snipped to reduce size

** snipped **
> >
> > Allow Script Tags = %rules-dir%/script.rules
> > Non Spam Actions = %rules-dir%/striphtml.rules
> > note %rules-dir% = /etc/MailScanner/rules
> >
> > in /etc/MailScanner/rules/script.rules I have
> >
> > To: hrobinson@harper-adams.ac.uk yes
> > To: howard@harper-adams.ac.uk yes

..Note that the above address....

> > # I tried FromOrTo: on both these with no different result
> > FromOrTo: default no
> >
> > in /etc/MailScanner/rules/striphtml.rules I have
> >
> > To: hrobinson@harper-adams.ac.uk deliver
> > To: howard@harper-adams.ac.uk deliver

... as well as the one above here...

> > Nov 15 16:25:17 blackhole2 MailScanner[29444]: Message kAFGOisP029475 from VALIDIPADDRESS (hrobinson@harper-adams.ac.uk) to harper-adams.ac.uk is not spam,
.SpamAssassin (score=-2.53, required 5, autolearn=not spam, ALL_TRUSTED -3.30, BAYES_00 -0.05, HTML_80_90 0.15, HTML_MESSAGE 0.00, HTML_NONELEMENT_00_10
.0.00, NO_REAL_NAME 0.01, SUBJ_ALL_CAPS 0.67)
> > A few lines later
> > Nov 15 16:27:22 blackhole2 MailScanner[29444]: Content Checks: Detected and will convert HTML message to plain text in kAFGOisP029475
> > A few lines later
> > Nov 15 16:28:30 blackhole2 sendmail[30284]: kAFGOisP029475: to=howard@gw.harper-adams.ac.uk, delay=00:03:46, xdelay=00:00:00, mailer=esmtp, pri=125149, relay=VALIDRELAY. [VALIDIPADDRESS], dsn=2.0.0, stat=Sent (Ok)

.... don't match with the recipient (envelope) address here. So I'm
.guessing this is why you are seeing this behavior (just another case
.of it doing exactly what you tell it to do...:-)

> > Howard
>
> I think the default action on striphtml.rules is invalid. See the
> comments above the "Non Spam Actions" for valid actions
>

.Haven't looked, so this might be true too:-).
.But first see to it that howard@harper-adams.ac.uk and
.howard@gw.harper-adams.ac.uk match up better... Then look at Martin's
.suggestion;-).

Regards

Howard Robinson,
(Senior Technical Development Officer),
Harper Adams University College,
Edgmond, Newport, Shropshire, TF10 8NB.
Tel. Direct 01952 815253
Tel. Switch Board 01952 820280
Fax 01952 814783
Email hrobinson@harper-adams.ac.uk
Web www.harper-adams.ac.uk

From dhawal at netmagicsolutions.com Thu Nov 16 14:19:43 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Thu Nov 16 14:19:58 2006
Subject: Razor and Pyzor problems...
In-Reply-To: <455C6562.4030200@USherbrooke.ca>
References: <455B6030.7010105@USherbrooke.ca> <223f97700611151237u195a534du5b1907afa82e2f7e@mail.gmail.com> <455B7E29.6040909@USherbrooke.ca> <455B802B.8010505@evi-inc.com> <455C6562.4030200@USherbrooke.ca>
Message-ID: <455C737F.1040608@netmagicsolutions.com>

Denis Beauchemin wrote:
> Matt Kettler wrote:
>> Denis Beauchemin wrote:
>>
>>
>>> Yes, I did the following:
>>> #
>>>
>>> perl Makefile.PL
>>> make
>>> make test
>>> make install
>>> razor-admin -create
>>> razor-admin -register
>>> vi /etc/MailScanner/spam.assassin.prefs.conf
>>> use_razor2 1
>>> service MailScanner reload (even tried a restart)
>>>
>>> BTW I couldn't find anything about use_razor2 on SA's website. Is it
>>> still needed?
>>
>> Razor is a plugin now, so use_razor2 would be in the plugin docs, not the
>> top-level SpamAssassin::Conf docs.
>>
>> See:
>>
>> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_Razor2.html
>>
>>
>> That said, you shouldn't need to declare use_razor. Now that it's a
>> plugin, this
>> defaults to 1 (enabled).
>>
>> Check your /etc/mail/spamassassin/v310.pre and make sure the razor
>> plugin isn't
>> disabled. This was disabled by default in early releases of SA 3.1.x,
>> but is now
>> enabled.
>>
>>
> It is enabled:
> loadplugin Mail::SpamAssassin::Plugin::Razor2
>
> Denis

Can you check your razor-agent.log? maybe a clue lies in there.

- dhawal

From glenn.steen at gmail.com Thu Nov 16 14:59:48 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 16 14:59:52 2006
Subject: Filtering problem
In-Reply-To:
References:
Message-ID: <223f97700611160659y3b5ce8ddv563f8adc41467474@mail.gmail.com>

On 16/11/06, Howard Robinson wrote:
> Hello again - thanks for the replies so far.
> Re the Non spam actions. The mailscanner book says that deliver is needed after striphtml. But that part of the rule is working anyway! It's stripping and delivering everything that is not spam. It's the non default that does not appear to work.
> Re the recipient address.
> That has been derived from the aliases list on my mailserver AFTER it has been scanned.
> So if I was sending that mail off site that line would be on the receiver's maillog - wouldn't it?
> Or have I got this wrong!
> I added the line anyway but still not working.
> Parts snipped to reduce size
>

Hm, ok. Well, it was worth a shot:-). I suppose you know what address
you sent your test mail to...:-).

Just one more "duh" kind of check: Do you edit the files on a windoze
box? In that case your files might have gotten a few spurious CR/LF
terminated lines, which might confuse things. Solution is then to use
a *nix editor:-).

(snip)

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From cgi at bytesinteractive.com Thu Nov 16 15:56:33 2006
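An added example, not written by anyone in this thread and not MailScanner's own code: the two checks Glenn suggests for striphtml.rules (does the envelope recipient actually hit a rule, and are there CR/LF line endings) as a small Python script. It is a simplified model that assumes the first matching rule wins with the "default" rule as fallback, and handles only plain addresses and * wildcards; the CR/LF on the second rule is constructed for the demonstration.

```python
import fnmatch

# striphtml.rules as quoted in the thread (fields separated by tabs). The
# CR/LF ending on the second rule is constructed here to show the check.
STRIPHTML_RULES = (
    "To:\throbinson@harper-adams.ac.uk\tdeliver\n"
    "To:\thoward@harper-adams.ac.uk\tdeliver\r\n"
    "# I tried FromOrTo: on both these with no different result\n"
    "FromOrTo:\tdefault\tstriphtml deliver\n"
)

# Directions this model understands (assumption: regex and IP patterns,
# and any other direction keywords, are out of scope here).
DIRECTIONS = {"from", "to", "fromorto", "fromandto"}


def parse_rules(text):
    """Return (rules, default_value, problems) for a ruleset file's text."""
    rules, default, problems = [], None, []
    for lineno, line in enumerate(text.split("\n"), 1):
        if line.endswith("\r"):
            # A file saved on Windows leaves a carriage return on the value.
            problems.append((lineno, "CR/LF line ending"))
            line = line[:-1]
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 2)
        direction = fields[0].rstrip(":").lower()
        if len(fields) < 3 or direction not in DIRECTIONS:
            problems.append((lineno, "not 'Direction: pattern value'"))
            continue
        pattern, value = fields[1].lower(), fields[2].strip()
        if pattern == "default":
            default = value
        else:
            rules.append((lineno, direction, pattern, value))
    return rules, default, problems


def evaluate(text, sender, recipient):
    """Return (value, lineno) of the first rule matching the envelope.

    lineno is None when no rule matched and the default value was used.
    """
    rules, default, _ = parse_rules(text)
    sender, recipient = sender.lower(), recipient.lower()
    for lineno, direction, pattern, value in rules:
        from_hit = fnmatch.fnmatchcase(sender, pattern)
        to_hit = fnmatch.fnmatchcase(recipient, pattern)
        matched = {
            "from": from_hit,
            "to": to_hit,
            "fromorto": from_hit or to_hit,
            "fromandto": from_hit and to_hit,
        }[direction]
        if matched:
            return value, lineno
    return default, None


if __name__ == "__main__":
    print("problems:", parse_rules(STRIPHTML_RULES)[2])
    for rcpt in ("howard@harper-adams.ac.uk", "howard@gw.harper-adams.ac.uk"):
        print(rcpt, "->", evaluate(STRIPHTML_RULES,
                                   "hrobinson@harper-adams.ac.uk", rcpt))
```
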
From: cgi at bytesinteractive.com (David Jourard)
Date: Thu Nov 16 15:56:46 2006
Subject: Question regarding spam wrt general user names
In-Reply-To:
References: <000001c6fe8a$8573ab50$0301a8c0@SAHOMELT>
Message-ID: <455C8A31.3050007@bytesinteractive.com>

Hi,

I hope this question is relevant to this list. If not pls pt me to
another list.

I have a small server for web hosting and I have been using MailScanner
for a while to handle the spam assassin and the
virus scanners. I'm very pleased.

I have spam which is directed to users such as root, mail uucp etc. wrt
any domain. Because the e-mail address does not exist it is directed to
root and eventually to me.

Is it possible through mailscanner somehow to reject e-mail from
root@somedomain1.com, root@somedomain2.com ...,
mail@somedomain1.com , mail@somedomain2.com, ... etc.

Thank-you in advance.
David J.

From admin at thenamegame.com Thu Nov 16 16:08:38 2006
From: admin at thenamegame.com (Michael S.)
Date: Thu Nov 16 16:00:48 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <01d901c70980$02282e00$0301a8c0@SAHOMELT>
Message-ID: <200611161600.kAGG0lBZ030248@bkserver.blacknight.ie>

Thanks a lot for that information. Now we can block about 25k in Debora spam
at smtp time instead of allowing it to filter via MS which kicks up loads.

This is the only smart way of dealing with Debora.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Cooper
Sent: Thursday, November 16, 2006 8:06 AM
To: 'MailScanner discussion'
Subject: RE: Debora is a huge spammers!!!!

A little scary blocking debora@* but:

In your exim rcpt acl (change the denial message to suit you):

deny message = $sender_address has been specifically blocked from this site - bye bye!
     senders = wildlsearch;/somedir/Mail_Sender_Block.conf

The format of /somedir/Mail_Sender_Block.conf would be

^\Ndebora@*\N
name@domain.com
^debora@*\.com

The way it works: if the line in the file begins with a circumflex (^) then
the line is treated as a regular expression, otherwise it has to match
exactly. So lines one and three are regexes and line two must be
name@domain.com exactly.

As the keys in the search are subject to expansion you may want to stick to
the syntax:

^\Ndebora@*\N

The \N{expression}\N means "do not expand anything between the \N pairs" to
prevent expansion within the key (debora@|debora*@). If you just use
^debora@* then it will look for debora@, then debora*@ which would match
debora or deborah or deborackleter@.

You could certainly use a match condition instead, but by using the external
file you can add, subtract or modify the data without having to touch the
running exim process.

I would put this before anything in the acl except any host white listing,
and you might want to add some sanity checks for one of your hosts and users
like (if you use authentication):

!authenticated = *

And

hosts = !/somedir/Mail_local_net

(which would contain your local network like 10.10.10.0/24)

So the whole acl would be

deny message = $sender_address has been specifically blocked from this site - bye bye!
     !authenticated = *
     hosts = !/somedir/Mail_local_net
     senders = wildlsearch;/somedir/Mail_Sender_Block.conf

So the denial would require the host not belong to you, the sender is not
authenticated and the address must appear in the file listing bad addresses,
or address regexes.

Rick

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Michael S.
> Sent: Wednesday, November 15, 2006 10:54 PM
> To: 'MailScanner discussion'
> Subject: RE: Debora is a huge spammers!!!!
>
> Where did you add these rules and what do they look like?
>
> The debora*.* spam is such a huge problem at the moment!! They must be
> pumping out millions of these spam messages.
>
> Anyone have Exim rules to stop this? I would like to add it to exim to
> kill it at smtp time instead of waiting for it to get to mailscanner.
>
> Thanks
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mikea
> Sent: Wednesday, November 15, 2006 10:32 AM
> To: MailScanner discussion
> Subject: Re: Debora is a huge spammers!!!!
>
> On Tue, Nov 14, 2006 at 10:31:50AM -0000, Randal, Phil wrote:
> > Not here they weren't.
> >
> > A simple grep leads to double-counting (because I run milter-greylist),
> > but my point still stands. Was handled well by my setup without any
> > additional response needed.
>
> I've found that a lot of the "debora" spam, as well as a fair amount
> of other spam, matches /6c822ecf/ in one or more of Message-ID and
> Content-ID headers. I have yet to see a false positive. It's just as
> good as the /From: akstc.*@/ signature, which is nailing a bunch even
> now.
>
> If you run milter-regex, it's trivial to build rules for these.
>
> --
> Mike Andrews, W5EGO
> mikea@mikea.ath.cx
> Tired old sysadmin
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

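An added example, not part of Rick's message and not Exim code: a simplified Python model of how a wildlsearch key file like the one above is evaluated, for dry-running a sender block file against known-good addresses before it goes live. The function names and sample addresses are made up for illustration; the model assumes keys are expanded before matching (a backslash outside \N pairs is consumed), that matching is case-insensitive, and that a leading asterisk means "ends with". `$` expansions and escapes such as \n are not modelled.

```python
import re

# Constructed copy of the three-line block file from the message above.
BLOCK_FILE = r"""
^\Ndebora@*\N
name@domain.com
^debora@*\.com
"""


def expand_key(key):
    # Simplified model of string expansion applied to one key.
    # Text between \N pairs is copied untouched; elsewhere a backslash is
    # consumed and the character after it is kept.
    out, protected, i = [], False, 0
    while i < len(key):
        if key.startswith(r"\N", i):
            protected = not protected
            i += 2
        elif key[i] == "\\" and not protected and i + 1 < len(key):
            out.append(key[i + 1])
            i += 2
        else:
            out.append(key[i])
            i += 1
    return "".join(out)


def key_matches(key, address):
    # Return True if one file line (key) matches the full sender address.
    pattern = expand_key(key)
    if pattern.startswith("^"):
        # Circumflex: the line is a regular expression.
        return re.search(pattern, address, re.IGNORECASE) is not None
    if pattern.startswith("*"):
        # Leading asterisk: "ends with".
        return address.lower().endswith(pattern[1:].lower())
    # Anything else has to match exactly (case-insensitively).
    return address.lower() == pattern.lower()


def load_keys(text):
    # One key per non-empty, non-comment line; anything after whitespace
    # on the line (lookup data) is ignored.
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.append(line.split()[0])
    return keys


def first_match(keys, address):
    # Return the first key that would block this sender, or None.
    for key in keys:
        if key_matches(key, address):
            return key
    return None


def audit(keys, addresses):
    # Map every address to the key that blocks it (None = not blocked).
    return {addr: first_match(keys, addr) for addr in addresses}


if __name__ == "__main__":
    keys = load_keys(BLOCK_FILE)
    # Constructed sample senders: one intended target and several
    # addresses that should be checked for collateral matches.
    samples = [
        "debora@spam.example",
        "Deborah.Smith@customer.example",
        "NAME@Domain.com",
        "bob@domain.com",
    ]
    for addr, key in audit(keys, samples).items():
        print(f"{addr:35} -> {key or 'not blocked'}")

    # Effect of \N on the third line: without it the backslash is consumed
    # and "\." turns into ".", which matches any character.
    print(expand_key(r"^debora@*\.com"))        # ^debora@*.com
    print(expand_key(r"^\Ndebora@*\.com\N"))    # ^debora@*\.com
```
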
From mkettler at evi-inc.com Thu Nov 16 16:35:06 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Nov 16 16:35:40 2006
Subject: Question regarding spam wrt general user names
In-Reply-To: <455C8A31.3050007@bytesinteractive.com>
References: <000001c6fe8a$8573ab50$0301a8c0@SAHOMELT> <455C8A31.3050007@bytesinteractive.com>
Message-ID: <455C933A.4010304@evi-inc.com>

David Jourard wrote:
> Hi,
>
> I hope this question is relevant to this list. If not pls pt me to
> another list.
>
> I have a small server for web hosting and I have been using MailScanner
> for a while to handle the spam assassin and the
> virus scanners. I'm very pleased.
>
> I have spam which is directed to users such as root, mail uucp etc. wrt
> any domain. Because the e-mail address does not exist it is directed to
> root and eventually to me.
>
> Is it possible through mailscanner somehow to reject e-mail from
> root@somedomain1.com, root@somedomain2.com ...,
> mail@somedomain1.com , mail@somedomain2.com, ... etc.

It's not possible to reject anything through mailscanner. Reject implies
generating a 550 at SMTP delivery time, but MailScanner doesn't get called
until after delivery.

Of course, you can force the message to be tagged as spam in SA by using
blacklist_from.

From glenn.steen at gmail.com Thu Nov 16 16:35:37 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 16 16:35:48 2006
Subject: Question regarding spam wrt general user names
In-Reply-To: <455C8A31.3050007@bytesinteractive.com>
References: <000001c6fe8a$8573ab50$0301a8c0@SAHOMELT> <455C8A31.3050007@bytesinteractive.com>
Message-ID: <223f97700611160835n29375433g39dbbc71eb898b45@mail.gmail.com>

On 16/11/06, David Jourard wrote:
> Hi,
>
> I hope this question is relevant to this list. If not pls pt me to
> another list.
>
> I have a small server for web hosting and I have been using MailScanner
> for a while to handle the spam assassin and the
> virus scanners. I'm very pleased.
>
> I have spam which is directed to users such as root, mail uucp etc. wrt
> any domain. Because the e-mail address does not exist it is directed to
> root and eventually to me.
>
> Is it possible through mailscanner somehow to reject e-mail from
> root@somedomain1.com, root@somedomain2.com ...,
> mail@somedomain1.com , mail@somedomain2.com, ... etc.

Reject, as in reject during SMTP conversation: No, that would be a job
for the MTA (and handled via some form of access file/list, in most
cases).
Reject as in delete or quarantine after receiving it? Sure, do that by
blacklisting it using the "Is Definitely Spam" and "Definite Spam Is
High Scoring" settings. At least the first need be a ruleset... Could
look something like

Is Definitely Spam = %rules-dir%/spam.blacklist.rules
Definite Spam Is High Scoring = yes

... in MailScanner.conf, and

FromOrTo: root@somedomain1.com yes
FromOrTo: root@somedomain2.com yes
FromOrTo: root@somedomain3.com yes
.... etc ....
FromOrTo: default no

.... in spam.blacklist.rules

> Thank-you in advance.
>
> David J.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Kevin_Miller at ci.juneau.ak.us Thu Nov 16 16:45:17 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Nov 16 16:45:23 2006
Subject: MailScanner miss several Regning.exe files
In-Reply-To: <41EA997496BB5542BDA52CFA44FE78FC9A6C48@AHMAIL.ah.ahnet.local>
Message-ID:

Jan Elmqvist Nielsen wrote:
> The virus Trojan-Downloader.Win32.Nurech.h (kaspersky) comes as an exe
> file.
>
> I have to my horror noticed that several of these mails with the exe
> file attached have not been stopped!!!
>
> I am using MailScanner ver. 4.54.6 with mailwatch
>
> Attached are 2 screen dumps
>
> /Jan Elmqvist Nielsen

In your high scoring spam actions you have 'attachment,, store, striphtml

That is, two commas after attachment. Don't know if that is having any
effect or not, but perhaps it's causing "unpredictable results" as they
say in the trade.

You might also want to enable the keep quarantine clean switch...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From dyioulos at firstbhph.com Thu Nov 16 16:53:08 2006
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Thu Nov 16 16:53:23 2006
Subject: SA scoring my domain mail
Message-ID: <200611161153.08415.dyioulos@firstbhph.com>

Hi all.

Recently, I upgraded from spamassassin-3.0.4 to spamassassin-3.1.7. Whereas
previously I had whitelisted my domain so that SA wouldn't score mail coming
from my domain, after the upgrade it is. How can I correct this?

Thanks.

Dimitri

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From danc at bluestarshows.com Thu Nov 16 16:55:43 2006
From: danc at bluestarshows.com (Dan Carl)
Date: Thu Nov 16 17:00:14 2006
Subject: Question regarding spam wrt general user names
References: <000001c6fe8a$8573ab50$0301a8c0@SAHOMELT> <455C8A31.3050007@bytesinteractive.com>
Message-ID: <010401c709a0$0ef73d90$0200000a@danc3>

Not sure exactly what you're asking, but if the message is tagged as {?SPAM}
and you don't want it to be delivered, use spam.action.rules like this.

To: mail@* delete
To: adm@* delete
To: webmaster@* delete
To: info@* delete
To: root@* delete

Look in your rules directory for examples.

----- Original Message -----
From: "David Jourard"
To: "MailScanner discussion"
Sent: Thursday, November 16, 2006 9:56 AM
Subject: Question regarding spam wrt general user names

> Hi,
>
> I hope this question is relevant to this list. If not pls pt me to
> another list.
>
> I have a small server for web hosting and I have been using MailScanner
> for a while to handle the spam assassin and the
> virus scanners. I'm very pleased.
>
> I have spam which is directed to users such as root, mail uucp etc. wrt
> any domain. Because the e-mail address does not exist it is directed to
> root and eventually to me.

If it's your own server and you're running Linux, these addresses are listed
in your /etc/aliases file.

> Is it possible through mailscanner somehow to reject e-mail from
> root@somedomain1.com, root@somedomain2.com ...,
> mail@somedomain1.com , mail@somedomain2.com, ... etc.

Not a good idea to just reject all email to these. You are actually required
to have postmaster@somedomain.com and supposed to accept mail to
abuse@somedomain.com.

> Thank-you in advance.
>
> David J.

From brett at wrl.org Thu Nov 16 17:03:33 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Thu Nov 16 17:04:48 2006
Subject: Sendmail reject trumps whitelist?
Message-ID:

Greetings all,

I've set up sendmail to reject incoming messages with a 554 error if
they are listed in dnsbl.sorbs.net by sticking this line in my sendmail.mc
file:

FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} > " BLACKLISTED found in dnsbl.sorbs.net"')dnl

Now this list tends to get mad at AOL and Hotmail mail servers for
obvious reasons and therefore ALL mail from these domains, legit or not,
gets rejected.
I'm trying to figure out if a sender's address is specifically
whitelisted in MS *AND* their server is on dnsbl.sorbs.net if the sender
will get rejected or allowed for delivery.
I'm betting the Sendmail reject comes first in the process, but I'm
asking those in the know to be sure...

--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044        www.wrl.org
(757)259-4079 (fax)  brett@wrl.org
********************************************************************

From cgi at bytesinteractive.com Thu Nov 16 17:05:02 2006
From: cgi at bytesinteractive.com (David Jourard)
Date: Thu Nov 16 17:05:13 2006
Subject: Question regarding spam wrt general user names
In-Reply-To: <010401c709a0$0ef73d90$0200000a@danc3>
References: <000001c6fe8a$8573ab50$0301a8c0@SAHOMELT> <455C8A31.3050007@bytesinteractive.com> <010401c709a0$0ef73d90$0200000a@danc3>
Message-ID: <455C9A3E.2010702@bytesinteractive.com>

Dan Carl wrote:
> Not sure exactly what you're asking, but if the message is tagged as {?SPAM}
>

some are and some aren't.

Thanks
David J.

From garry at glendown.de Thu Nov 16 17:16:04 2006
From: garry at glendown.de (Garry Glendown)
Date: Thu Nov 16 17:16:15 2006
Subject: MS started crashing ...
Message-ID: <455C9CD4.7030403@glendown.de>

Today, MS started piling up messages - checking the system, I noticed
continuous zombie-MS, running it with --debug/--debug-sa, I found that
MS keeps crashing, probably caused by a message ... how can I find what
is causing this?

Here's the last couple lines, the "format error" lines repeated
something like 50 times ...

format error: can't find EOCD signature
 at /usr/sbin/MailScanner line 820
format error: can't find EOCD signature
 at /usr/sbin/MailScanner line 820
Reference to nonexistent group in regex; marked by <-- HERE in
m/????>Mx???jm???B???\6 <-- HERE
w?????Q????????????????????#????????????????????????D???-r???h?????????\.?????????H!??????d??????D???U???IWW??????????????????U\[eB4??????T??????m?????h???b???1D?????????????~i?????=??????|4????????????Rke3??????Gj???\.???3\^??????bi/N?????????/???\???/????????????~D??????V????????????????????\]??????rp???\????u???/???\^:/
 at /usr/lib/MailScanner/MailScanner/Message.pm line 3304, line 2.

WTF?

From glenn.steen at gmail.com Thu Nov 16 17:25:32 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 16 17:25:35 2006
Subject: Sendmail reject trumps whitelist?
In-Reply-To:
References:
Message-ID: <223f97700611160925h397c21cdr4ed8e5e2379c5724@mail.gmail.com>

On 16/11/06, Brett Charbeneau wrote:
> Greetings all,
>
> I've set up sendmail to reject incoming messages with a 554 error if
> they are listed in dnsbl.sorbs.net by sticking this line in my
> sendmail.mc file:
>
> FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} > " BLACKLISTED found in dnsbl.sorbs.net"')dnl
>
> Now this list tends to get mad at AOL and Hotmail mail servers for
> obvious reasons and therefore ALL mail from these domains, legit or not,
> gets rejected.
> I'm trying to figure out if a sender's address is specifically
> whitelisted in MS *AND* their server is on dnsbl.sorbs.net if the sender
> will get rejected or allowed for delivery.
> I'm betting the Sendmail reject comes first in the process, but I'm
> asking those in the know to be sure...
>

Since MailScanner happens after the MTA has accepted the mail, and the
BL reject you have there happens before the MTA has accepted it, the
sendmail config "wins" every time.
You need figure out how to "whitelist" in sendmail to defeat that, or
use a less aggressive BL. Since I'm not a sendmail guru, someone
else'll have to help you with any "whitelisting" there:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Kevin_Miller at ci.juneau.ak.us Thu Nov 16 17:28:11 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Nov 16 17:28:22 2006
Subject: Sendmail reject trumps whitelist?
In-Reply-To:
Message-ID:

Brett Charbeneau wrote:
> Greetings all,
>
> I've set up sendmail to reject incoming messages with a 554 error if
> they are listed in dnsbl.sorbs.net by sticking this line in my
> sendmail.mc file:
>
> FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} > " BLACKLISTED found in dnsbl.sorbs.net"')dnl
>
> Now this list tends to get mad at AOL and Hotmail mail servers for
> obvious reasons and therefore ALL mail from these domains, legit or
> not, gets rejected.
> I'm trying to figure out if a sender's address is specifically
> whitelisted in MS *AND* their server is on dnsbl.sorbs.net if the
> sender will get rejected or allowed for delivery.
> I'm betting the Sendmail reject comes first in the process, but I'm
> asking those in the know to be sure...

Sendmail comes first. The process is sendmail is contacted by external
servers. It accepts or rejects the message based on how it's configured
and stores it in /var/spool/mqueue.in (if accepted). MS then runs its
test on it, where it's accepted or rejected, and moves it to
/var/spool/mqueue where it's again picked up by sendmail and sent to the
appropriate internal server/user.

Highly recommend the MailScanner book for a good understanding of the
process. Understanding the flow of the mail is important to tweaking
your system. Since spammers are constantly changing their tactics, mail
admins also have to...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From ugob at camo-route.com Thu Nov 16 17:35:24 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Thu Nov 16 17:35:47 2006
Subject: MS started crashing ...
In-Reply-To: <455C9CD4.7030403@glendown.de>
References: <455C9CD4.7030403@glendown.de>
Message-ID:

Garry Glendown wrote:
> Today, MS started piling up messages - checking the system, I noticed
> continuous zombie-MS, running it with --debug/--debug-sa, I found that
> MS keeps crashing, probably caused by a message ... how can I find what
> is causing this?
>
> Here's the last couple lines, the "format error" lines repeated
> something like 50 times ...
>
> format error: can't find EOCD signature
>  at /usr/sbin/MailScanner line 820
> format error: can't find EOCD signature
>  at /usr/sbin/MailScanner line 820
> Reference to nonexistent group in regex; marked by <-- HERE in
> m/????>Mx???jm???B???\6 <-- HERE
> w?????Q????????????????????#????????????????????????D???-r???h?????????\.?????????H!??????d??????D???U???IWW??????????????????U\[eB4??????T??????m?????h???b???1D?????????????~i?????=??????|4????????????Rke3??????Gj???\.???3\^??????bi/N?????????/???\???/????????????~D??????V????????????????????\]??????rp???\????u???/???\^:/
>  at /usr/lib/MailScanner/MailScanner/Message.pm line 3304, line 2.
>
> WTF?

Check in the logs first to see if there is one message that keeps on
coming over and over again.

Another idea would be to stop your MTA then let MailScanner run for a
while and see what remains in the incoming queue. If you can't tell,
move all queue files to another directory and re-move them one by one.

Ugo

From prandal at herefordshire.gov.uk Thu Nov 16 18:08:22 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Nov 16 18:08:56 2006
Subject: Sendmail reject trumps whitelist?
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581086E036@isabella.herefordshire.gov.uk>

In /etc/mail/sendmail.mc, after FEATURE(`access_db,...:

FEATURE(`delay_checks',`friend')dnl

and then, in your /etc/mail/access:

Spam:joe@blogs.example.com FRIEND

or

Spam:example.com FRIEND

etc

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Brett Charbeneau
> Sent: 16 November 2006 17:04
> To: mailscanner@lists.mailscanner.info
> Subject: Sendmail reject trumps whitelist?
>
> Greetings all,
>
> I've set up sendmail to reject incoming messages with a 554 error if
> they are listed in dnsbl.sorbs.net by sticking this line in my
> sendmail.mc file:
>
> FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} > " BLACKLISTED found in dnsbl.sorbs.net"')dnl
>
> Now this list tends to get mad at AOL and Hotmail mail servers for
> obvious reasons and therefore ALL mail from these domains, legit or not,
> gets rejected.
> I'm trying to figure out if a sender's address is specifically
> whitelisted in MS *AND* their server is on dnsbl.sorbs.net if the sender
> will get rejected or allowed for delivery.
> I'm betting the Sendmail reject comes first in the process, but I'm
> asking those in the know to be sure...
>
> --
> ********************************************************************
> Brett Charbeneau
> Network Administrator
> Williamsburg Regional Library
> 7770 Croaker Road
> Williamsburg, VA 23188-7064
> (757)259-4044        www.wrl.org
> (757)259-4079 (fax)  brett@wrl.org
> ********************************************************************
>

From mkettler at evi-inc.com Thu Nov 16 18:24:21 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Nov 16 18:24:39 2006
Subject: Sendmail reject trumps whitelist?
In-Reply-To:
References:
Message-ID: <455CACD5.7040702@evi-inc.com>

Brett Charbeneau wrote:
> Greetings all,
>
> I've set up sendmail to reject incoming messages with a 554 error if
> they are listed in dnsbl.sorbs.net by sticking this line in my
> sendmail.mc file:
>
> FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} > " BLACKLISTED found in dnsbl.sorbs.net"')dnl

Anything at the sendmail level will completely trump MailScanner.

MailScanner doesn't even see the message until after Sendmail is done
receiving it, so it would be impossible for it to have any effect.

From prandal at herefordshire.gov.uk Thu Nov 16 18:24:03 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Nov 16 18:26:40 2006
Subject: Sendmail reject trumps whitelist?
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581086E038@isabella.herefordshire.gov.uk>

Here's a more detailed guide:

http://www.technoids.org/dnsbl.html

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Randal, Phil
> Sent: 16 November 2006 18:08
> To: MailScanner discussion
> Subject: RE: Sendmail reject trumps whitelist?
>
> In /etc/mail/sendmail.mc, after FEATURE(`access_db,...:
>
> FEATURE(`delay_checks',`friend')dnl
>
> and then, in your /etc/mail/access:
>
> Spam:joe@blogs.example.com FRIEND
>
> or
>
> Spam:example.com FRIEND
>
> etc
>
> Cheers,
>
> Phil
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> > Of Brett Charbeneau
> > Sent: 16 November 2006 17:04
> > To: mailscanner@lists.mailscanner.info
> > Subject: Sendmail reject trumps whitelist?
> >
> > Greetings all,
> >
> > I've set up sendmail to reject incoming messages with a 554 error if
> > they are listed in dnsbl.sorbs.net by sticking this line in my
> > sendmail.mc file:
> >
> > FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} > " BLACKLISTED found in dnsbl.sorbs.net"')dnl
> >
> > Now this list tends to get mad at AOL and Hotmail mail servers for
> > obvious reasons and therefore ALL mail from these domains, legit or
> > not, gets rejected.
> > I'm trying to figure out if a sender's address is specifically
> > whitelisted in MS *AND* their server is on dnsbl.sorbs.net if the
> > sender will get rejected or allowed for delivery.
> > I'm betting the Sendmail reject comes first in the process, but I'm
> > asking those in the know to be sure...
> >
> > --
> > ********************************************************************
> > Brett Charbeneau
> > Network Administrator
> > Williamsburg Regional Library
> > 7770 Croaker Road
> > Williamsburg, VA 23188-7064
> > (757)259-4044        www.wrl.org
> > (757)259-4079 (fax)  brett@wrl.org
> > ********************************************************************
> >
>

From ard at pergamentum.com Thu Nov 16 18:46:05 2006
From: ard at pergamentum.com (Alisdair Davey)
Date: Thu Nov 16 18:46:35 2006
Subject: Sendmail reject trumps whitelist?
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B581086E038@isabella.herefordshire.gov.uk>
Message-ID: <200611161846.kAGIk5Zd027528@www4.pergamentum.com>

>
> Here's a more detailed guide:
>
> http://www.technoids.org/dnsbl.html
>
> Cheers,
>
> Phil

I'd also recommend this link, which also details how to create a dnsbl
whitelist.

http://patrick.vande-walle.eu/software/spam-fighting-techniques-using-sendmail/

Cheers

Alisdair

--
Dr Alisdair Davey        ard@pergamentum.com
Pergamentum Solutions    Tel: 1-303-981-9838
2066 Dailey Lane
Superior, CO 80027

From garry at glendown.de Thu Nov 16 18:51:04 2006
From: garry at glendown.de (Garry Glendown)
Date: Thu Nov 16 18:51:15 2006
Subject: MS started crashing ...
In-Reply-To:
References: <455C9CD4.7030403@glendown.de>
Message-ID: <455CB318.5080204@glendown.de>

Ugo Bellavance wrote:
> Garry Glendown wrote:
>> Today, MS started piling up messages - checking the system, I noticed
>> continuous zombie-MS, running it with --debug/--debug-sa, I found that
>> MS keeps crashing, probably caused by a message ... how can I find what
>> is causing this?
>>
>> Here's the last couple lines, the "format error" lines repeated
>> something like 50 times ...
>>
>> format error: can't find EOCD signature
>>  at /usr/sbin/MailScanner line 820
>> format error: can't find EOCD signature
>>  at /usr/sbin/MailScanner line 820
>> Reference to nonexistent group in regex; marked by <-- HERE in
>> m/????>Mx???jm???B???\6 <-- HERE
>> w?????Q????????????????????#????????????????????????D???-r???h?????????\.?????????H!??????d??????D???U???IWW??????????????????U\[eB4??????T??????m?????h???b???1D?????????????~i?????=??????|4????????????Rke3??????Gj???\.???3\^??????bi/N?????????/???\???/????????????~D??????V????????????????????\]??????rp???\????u???/???\^:/
>>
>>  at /usr/lib/MailScanner/MailScanner/Message.pm line 3304,
>> line 2.
>>
>> WTF?
>
> Check in the logs first to see if there is one message that keeps on
> coming over and over again.
>
> Another idea would be to stop your MTA then let MailScanner run for a
> while and see what remains in the incoming queue. If you can't tell,
> move all queue files to another directory and re-move them one by one.
>
> Ugo
>

Had that idea, too ... I've located multiple spam messages that cause
this ... here's the mail.log:

Nov 16 19:41:19 mr-01 MailScanner[11412]: MailScanner E-Mail Virus Scanner version 4.56.7 starting...
Nov 16 19:41:21 mr-01 MailScanner[11412]: Using SpamAssassin results cache
Nov 16 19:41:21 mr-01 MailScanner[11412]: Connected to SpamAssassin cache database
Nov 16 19:41:23 mr-01 MailScanner[11412]: ClamAV scanner using unrar command /usr/bin/unrar
Nov 16 19:41:23 mr-01 MailScanner[11412]: Using locktype = posix
Nov 16 19:41:23 mr-01 MailScanner[11412]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Nov 16 19:41:23 mr-01 MailScanner[11412]: New Batch: Scanning 1 messages, 52528 bytes
Nov 16 19:41:23 mr-01 MailScanner[11412]: Spam Checks: Starting
Nov 16 19:41:25 mr-01 MailScanner[11412]: SpamAssassin cache hit for message kAGHiHlV016647
Nov 16 19:41:25 mr-01 MailScanner[11412]: Spam Checks completed at 20666 bytes per second
Nov 16 19:41:25 mr-01 MailScanner[11412]: Virus and Content Scanning: Starting
Nov 16 19:41:27 mr-01 MailScanner[11412]: HTML-Form tag found in message kAGHiHlV016647 from bounce-epzgisiswhzcyz@send.smartbrief.com
Nov 16 19:41:27 mr-01 MailScanner[11412]: HTML Img tag found in message kAGHiHlV016647 from bounce-epzgisiswhzcyz@send.smartbrief.com
Nov 16 19:41:27 mr-01 MailScanner[11412]: Content Checks: Detected HTML-specific exploits in kAGHiHlV016647
Nov 16 19:41:27 mr-01 MailScanner[11412]: Content Checks: Found 1 problems
Nov 16 19:41:27 mr-01 MailScanner[11412]: Virus Scanning completed at 25384 bytes per second
Nov 16 19:41:27 mr-01 MailScanner[11412]: Content Checks: Detected and have disarmed web bug tags in HTML message in kAGHiHlV016647 from bounce-epzgisiswhzcyz@send.smartbrief.com
Nov 16 19:41:27 mr-01 MailScanner[11412]: Saved entire message to /var/spool/MailScanner/quarantine/20061116/kAGHiHlV016647
Nov 16 19:41:28 mr-01 MailScanner[11412]: Saved infected "msg-11412-1.html" to /var/spool/MailScanner/quarantine/20061116/kAGHiHlV016647

---------------------------------------------
Debug-Output:

mr-01:~ # MailScanner --debug --debug-sa
In Debugging mode, not forking...
[12080] dbg: message: ---- MIME PARSER START ---- [12080] dbg: message: main message type: text/plain [12080] dbg: message: parsing normal part [12080] dbg: message: added part, type: text/plain [12080] dbg: message: ---- MIME PARSER END ---- [12080] dbg: dns: dns_available set to yes in config file, skipping test [12080] dbg: metadata: X-Spam-Relays-Trusted: [12080] dbg: metadata: X-Spam-Relays-Untrusted: [12080] dbg: message: no encoding detected [12080] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9aeacb8) implements 'parsed_metadata' [12080] dbg: uridnsbl: domains to query: [12080] dbg: check: running tests for priority: 0 [12080] dbg: rules: running header regexp tests; score so far=0 [12080] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" [12080] dbg: rules: ran header rule __SARE_WHITELIST_FLAG ======> got hit: "i" [12080] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1163702653.21238@spamassassin_spamd_init> [12080] dbg: rules: " [12080] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@spamassassin_spamd_init>" [12080] dbg: rules: ran header rule __ZMISOBER_P_MSGID ======> got hit: "<1163702653.21238@" [12080] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: "ignore@compiling.spamassassin.taint.org [12080] dbg: rules: " [12080] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1163702653" [12080] dbg: plugin: registering glue method for check_hashcash_double_spend (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9afad04)) [12080] dbg: plugin: registering glue method for check_for_spf_helo_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ad2410)) [12080] dbg: spf: message was delivered entirely via trusted relays, not required [12080] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [12080] dbg: plugin: registering glue method for check_subject_in_blacklist (Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x9b4ef0c)) [12080] dbg: plugin: registering glue method for 
check_hashcash_value (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9afad04)) [12080] dbg: eval: all '*To' addrs: [12080] dbg: plugin: registering glue method for check_for_spf_neutral (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ad2410)) [12080] dbg: spf: message was delivered entirely via trusted relays, not required [12080] dbg: plugin: registering glue method for check_for_spf_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ad2410)) [12080] dbg: rules: ran eval rule NO_RELAYS ======> got hit [12080] dbg: plugin: registering glue method for check_for_spf_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ad2410)) [12080] dbg: plugin: registering glue method for check_for_spf_helo_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ad2410)) [12080] dbg: plugin: registering glue method for check_for_def_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ad2410)) [12080] dbg: spf: cannot get Envelope-From, cannot use SPF [12080] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender [12080] dbg: plugin: registering glue method for check_for_spf_fail (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ad2410)) [12080] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit [12080] dbg: plugin: registering glue method for check_subject_in_whitelist (Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x9b4ef0c)) [12080] dbg: plugin: registering glue method for check_for_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0x9ad2410)) [12080] dbg: spf: spf_whitelist_from: could not find useable envelope sender [12080] dbg: rules: running body-text per-line regexp tests; score so far=0.96 [12080] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [12080] dbg: uri: running uri tests; score so far=0.96 [12080] dbg: rules: running raw-body-text per-line regexp tests; score so far=0.96 [12080] dbg: rules: running full-text regexp tests; score so far=0.96 [12080] dbg: plugin: registering glue method for check_pyzor 
(Mail::SpamAssassin::Plugin::Pyzor=HASH(0x9b27420)) [12080] dbg: util: current PATH is: /sbin:/bin:/usr/sbin:/usr/bin [12080] dbg: pyzor: pyzor is not available: no pyzor executable found [12080] dbg: pyzor: no pyzor found, disabling Pyzor [12080] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9aeacb8) implements 'check_tick' [12080] dbg: check: running tests for priority: 500 [12080] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9aeacb8) implements 'check_post_dnsbl' [12080] dbg: rules: running meta tests; score so far=0.96 [12080] dbg: rules: running header regexp tests; score so far=2.906 [12080] dbg: rules: running body-text per-line regexp tests; score so far=2.906 [12080] dbg: uri: running uri tests; score so far=2.906 [12080] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.906 [12080] dbg: rules: running full-text regexp tests; score so far=2.906 [12080] dbg: check: running tests for priority: 1000 [12080] dbg: rules: running meta tests; score so far=2.906 [12080] dbg: rules: running header regexp tests; score so far=2.906 [12080] dbg: plugin: registering glue method for check_from_in_auto_whitelist (Mail::SpamAssassin::Plugin::AWL=HASH(0x9ba164c)) [12080] dbg: locker: safe_lock: created /var/spool/MailScanner/spamassassin/auto-whitelist.mutex [12080] dbg: locker: safe_lock: trying to get lock on /var/spool/MailScanner/spamassassin/auto-whitelist with 30 timeout [12080] dbg: locker: safe_lock: link to /var/spool/MailScanner/spamassassin/auto-whitelist.mutex: link ok [12080] dbg: auto-whitelist: tie-ing to DB file of type DB_File R/W in /var/spool/MailScanner/spamassassin/auto-whitelist [12080] dbg: auto-whitelist: db-based ignore@compiling.spamassassin.taint.org|ip=none scores 0/0 [12080] dbg: auto-whitelist: AWL active, pre-score: 2.906, autolearn score: 2.906, mean: undef, IP: undef [12080] dbg: auto-whitelist: DB addr list: untie-ing and unlocking [12080] dbg: auto-whitelist: DB addr list: file locked, breaking 
lock
[12080] dbg: locker: safe_unlock: unlocked /var/spool/MailScanner/spamassassin/auto-whitelist.mutex
[12080] dbg: auto-whitelist: post auto-whitelist score: 2.906
[12080] dbg: rules: running body-text per-line regexp tests; score so far=2.906
[12080] dbg: uri: running uri tests; score so far=2.906
[12080] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.906
[12080] dbg: rules: running full-text regexp tests; score so far=2.906
[12080] dbg: check: is spam? score=2.906 required=5
[12080] dbg: check: tests=MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE
[12080] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__UNUSABLE_MSGID,__ZMISOBER_P_MSGID
[12080] dbg: bayes: untie-ing
[12080] dbg: bayes: untie-ing db_toks
[12080] dbg: bayes: untie-ing db_seen
max message size is '90000'
Ignore errors about failing to find EOCD signature
format error: can't find EOCD signature
 at /usr/sbin/MailScanner line 820
Reference to nonexisb?1D????~p in regex; marked by <-- HERE in m/??>Mxjm??B\6 <-- HERE w???Q?????????#???????D?-rh????\.?H!??dDU??IWW????U\[eB4??T??m???h? i???=??|4???Rke3??Gj?\.?3\^bi/N???/?\?/?????~D??V???????\]??rp ?\??u?/?\^:/ at /usr/lib/MailScanner/MailScanner/Message.pm line 3304, line 2.

All messages that cause this crash seem to be spam from what I can see
... never happened before ...

I'm running MS 4.56.7-2, SA 3.1.7 ... any idea?

From Denis.Beauchemin at USherbrooke.ca Thu Nov 16 19:21:21 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Nov 16 19:21:49 2006
Subject: Razor and Pyzor problems...
In-Reply-To: <455C737F.1040608@netmagicsolutions.com>
References: <455B6030.7010105@USherbrooke.ca>
    <223f97700611151237u195a534du5b1907afa82e2f7e@mail.gmail.com>
    <455B7E29.6040909@USherbrooke.ca> <455B802B.8010505@evi-inc.com>
    <455C6562.4030200@USherbrooke.ca>
    <455C737F.1040608@netmagicsolutions.com>
Message-ID: <455CBA31.402@USherbrooke.ca>

Dhawal Doshy wrote:
> Denis Beauchemin wrote:
>> Matt Kettler wrote:
>>> Denis Beauchemin wrote:
>>>
>>>
>>>> Yes, I did the following:
>>>> #
>>>>
>>>> perl Makefile.PL
>>>> make
>>>> make test
>>>> make install
>>>> razor-admin -create
>>>> razor-admin -register
>>>> vi /etc/MailScanner/spam.assassin.prefs.conf
>>>> use_razor2 1
>>>> service MailScanner reload (even tried a restart)
>>>>
>>>> BTW I couldn't find anything about use_razor2 on SA's website. Is it
>>>> still needed?
>>>
>>> Razor is a plugin now, so use_razor2 would be in the plugin docs,
>>> not the
>>> top-level SpamAssassin::Conf docs.
>>>
>>> See:
>>>
>>> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_Razor2.html
>>>
>>>
>>> That said, you shouldn't need to declare use_razor. Now that it's a
>>> plugin, this
>>> defaults to 1 (enabled).
>>>
>>> Check your /etc/mail/spamassassin/v310.pre and make sure the razor
>>> plugin isn't
>>> disabled. This was disabled by default in early releases of SA
>>> 3.1.x, but is now
>>> enabled.
>>>
>>>
>> It is enabled:
>> loadplugin Mail::SpamAssassin::Plugin::Razor2
>>
>> Denis
>
> Can you check your razor-agent.log? maybe a clue lies in there.
>
> - dhawal

It's almost empty:
Nov 15 11:09:35.266367 admin[2215]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:/root/.razor/razor-agent.log
Nov 15 11:09:35.266976 admin[2215]: [ 2] Razor-Agents v2.82 starting razor-admin -register
Nov 15 11:09:36.063472 admin[2215]: [ 3] Attempting to register.
Nov 15 11:09:36.468352 admin[2215]: [ 3] Register successful. Identity stored in /root/.razor/identity-xxxx

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From ugob at camo-route.com Thu Nov 16 19:57:40 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Thu Nov 16 19:58:17 2006
Subject: MS started crashing ...
In-Reply-To: <455CB318.5080204@glendown.de>
References: <455C9CD4.7030403@glendown.de>
    <455CB318.5080204@glendown.de>
Message-ID:

Garry Glendown wrote:
> Ugo Bellavance wrote:
>> Garry Glendown wrote:
>>> Today, MS started piling up messages - checking the system, I noticed
>>> continuous zombie-MS, running it with --debug/--debug-sa, I found that
>>> MS keeps crashing, probably caused by a message ... how can I find what
>>> is causing this?
>>>
>>> Here's the last couple lines, the "format error" lines repeated
>>> something like 50 times ...
>>>
>>> format error: can't find EOCD signature
>>> at /usr/sbin/MailScanner line 820
>>> format error: can't find EOCD signature
>>> at /usr/sbin/MailScanner line 820
>>> Reference to nonexistent group in regex; marked by <-- HERE in
>>> m/????>Mx???jm???B???\6 <-- HERE
>>> w?????Q????????????????????#????????????????????????D???-r???h?????????\.?????????H!??????d??????D???U???IWW??????????????????U\[eB4??????T??????m?????h???b???1D?????????????~i?????=??????|4????????????Rke3??????Gj???\.???3\^??????bi/N?????????/???\???/????????????~D??????V????????????????????\]??????rp???\????u???/???\^:/
>>>
>>> at /usr/lib/MailScanner/MailScanner/Message.pm line 3304,
>>> line 2.
>>>
>>> WTF?
>> Check in the logs first to see if there is one message that keeps on
>> coming over and over again.
>>
>> Another idea would be to stop your MTA then let MailScanner run for a
>> while and see what remains in the incoming queue. If you can't tell,
>> move all queue files to another directory and re-move them one by one.
>>
>> Ugo
>>
>
>
> Had that idea, too ... I've located multiple spam messages that cause
> this ... here's the mail.log:
>
>
> Nov 16 19:41:19 mr-01 MailScanner[11412]: MailScanner E-Mail Virus
> Scanner version 4.56.7 starting...
> max message size is '90000'
> Ignore errors about failing to find EOCD signature
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
> Reference to nonexisb?1D????~p in regex; marked by <-- HERE in
> m/??>Mxjm??B\6 <-- HERE
> w???Q?????????#???????D?-rh????\.?H!??dDU??IWW????U\[eB4??T??m???h?
> i???=??|4???Rke3??Gj?\.?3\^bi/N???/?\?/?????~D??V???????\]??rp
> ?\??u?/?\^:/ at /usr/lib/MailScanner/MailScanner/Message.pm line 3304,
> line 2.
>
>
>
> All messages that cause this crash seem to be spam from what I can see
> ... never happened before ...
>
> I'm running MS 4.56.7-2, SA 3.1.7 ... any idea?

Upgrade, then check. The stable version is 4.56.8.1.

From rob at dido.ca Thu Nov 16 20:25:52 2006
From: rob at dido.ca (Rob Morin)
Date: Thu Nov 16 20:26:09 2006
Subject: Darn, i forgot where that website was with SA rule...
Message-ID: <455CC950.6060205@dido.ca>

... definitions? meaning what does FM_N0N0_WORDS mean.... there was a
website that explained it, i lost my bookmarks...

Any help Appreciated....

Thanks...

-- 
Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

From dhawal at netmagicsolutions.com Thu Nov 16 20:30:27 2006
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Thu Nov 16 20:30:50 2006
Subject: Razor and Pyzor problems...
In-Reply-To: <455CBA31.402@USherbrooke.ca>
References: <455B6030.7010105@USherbrooke.ca>
    <223f97700611151237u195a534du5b1907afa82e2f7e@mail.gmail.com>
    <455B7E29.6040909@USherbrooke.ca> <455B802B.8010505@evi-inc.com>
    <455C6562.4030200@USherbrooke.ca>
    <455C737F.1040608@netmagicsolutions.com>
    <455CBA31.402@USherbrooke.ca>
Message-ID: <20061117020027.k3qjloq7ko800c8k@mail.netmagicsolutions.com>

Quoting Denis Beauchemin :

> Dhawal Doshy wrote:
>> Denis Beauchemin wrote:
>>> Matt Kettler wrote:
>>>> Denis Beauchemin wrote:
>>>>
>>>>
>>>>> Yes, I did the following:
>>>>> #
>>>>>
>>>>> perl Makefile.PL
>>>>> make
>>>>> make test
>>>>> make install
>>>>> razor-admin -create
>>>>> razor-admin -register
>>>>> vi /etc/MailScanner/spam.assassin.prefs.conf
>>>>> use_razor2 1
>>>>> service MailScanner reload (even tried a restart)
>>>>>
>>>>> BTW I couldn't find anything about use_razor2 on SA's website. Is it
>>>>> still needed?
>>>>
>>>> Razor is a plugin now, so use_razor2 would be in the plugin docs, not the
>>>> top-level SpamAssassin::Conf docs.
>>>>
>>>> See:
>>>>
>>>> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_Razor2.html
>>>> That said, you shouldn't need to declare use_razor. Now that it's a plugin,
>>>> this
>>>> defaults to 1 (enabled).
>>>>
>>>> Check your /etc/mail/spamassassin/v310.pre and make sure the
>>>> razor plugin isn't
>>>> disabled. This was disabled by default in early releases of SA
>>>> 3.1.x, but is now
>>>> enabled.
>>>>
>>>>
>>> It is enabled:
>>> loadplugin Mail::SpamAssassin::Plugin::Razor2
>>>
>>> Denis
>>
>> Can you check your razor-agent.log? maybe a clue lies in there.
>>
>> - dhawal
> It's almost empty:
> Nov 15 11:09:35.266367 admin[2215]: [ 2] [bootup] Logging initiated
> LogDebugLevel=3 to file:/root/.razor/razor-agent.log
> Nov 15 11:09:35.266976 admin[2215]: [ 2] Razor-Agents v2.82 starting
> razor-admin -register
> Nov 15 11:09:36.063472 admin[2215]: [ 3] Attempting to register.
> Nov 15 11:09:36.468352 admin[2215]: [ 3] Register successful. Identity
> stored in /root/.razor/identity-xxxx

Final ideas / thoughts (since i have run out of them).. your razor
appears to have registered but not discovered the cloudmark servers..
do you see files like server.*.cloudmark.conf?

If not you need to run a 'razor-admin -discover' once and try out the
'sa -D < testmesg' again.

- dhawal

From brett at wrl.org Thu Nov 16 20:39:53 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Thu Nov 16 20:40:42 2006
Subject: Sendmail reject trumps whitelist?
Message-ID:

MANY thanks to all those who responded to my question! As usual for
this list, excellent and generous responses all.
Especially to Phil Randal and Alisdair Davey to whom I say, as
Nathan said to King David (2 Samuel 12:7), "You are the man!"

-- 
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044          www.wrl.org
(757)259-4079 (fax)    brett@wrl.org
********************************************************************

From brett at wrl.org Thu Nov 16 20:49:13 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Thu Nov 16 20:50:04 2006
Subject: Sendmail reject trumps whitelist?
In-Reply-To:
References:
Message-ID:

On Thu, 16 Nov 2006, Brett Charbeneau wrote:

BC> MANY thanks to all those who responded to my question! As usual for
BC> this list, excellent and generous responses all.
BC> Especially to Phil Randal and Alisdair Davey to whom I say, as
BC> Nathan said to King David (2 Samuel 12:7), "You are the man!"

Okay, off-topic here and please tell me to go away if I'm asking in the
wrong place but I think this may help MailScanner users in the future:
For Sendmail, in the /etc/mail/access file there is reference to
whitelisted users in this format:

Spam:postmaster@ FRIEND

and in my install of MS, in /opt/MailScanner/etc/MailScanner.conf there
is

Is Definitely Not Spam = /opt/MailScanner/etc/spam.whitelist.rules

any chance I can get Sendmail to refer to this file as well so I only
have one whitelist to maintain?

-- 
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044          www.wrl.org
(757)259-4079 (fax)    brett@wrl.org
********************************************************************

From mkettler at evi-inc.com Thu Nov 16 20:52:09 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Nov 16 20:52:31 2006
Subject: Darn, i forgot where that website was with SA rule...
In-Reply-To: <455CC950.6060205@dido.ca>
References: <455CC950.6060205@dido.ca>
Message-ID: <455CCF79.90405@evi-inc.com>

Rob Morin wrote:
> ... definitions? meaning what does FM_N0N0_WORDS mean.... there was a
> website that explained it, i lost my bookmarks...
>
> Any help Appreciated....
>
> Thanks...
>

http://www.google.com/search?hl=en&q=FM_N0N0_WORDS&btnG=Google+Search

Yields this as the first hit:
http://www.rulesemporium.com/rules/99_FVGT_meta.cf

Looks like it's trying to detect porn words using 0 or 1 instead of o or i.

Unfortunately, some of the words aren't porn-exclusive, and since 0 is directly
above o on the keyboard it's a common typo for lousy typists.

From alex at nkpanama.com Thu Nov 16 21:11:36 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Nov 16 21:12:16 2006
Subject: Sendmail reject trumps whitelist?
In-Reply-To:
References:
Message-ID: <455CD408.3020500@nkpanama.com>

Brett Charbeneau wrote:
> On Thu, 16 Nov 2006, Brett Charbeneau wrote:
>
> BC> MANY thanks to all those who responded to my question! As usual for
> BC> this list, excellent and generous responses all.
> BC> Especially to Phil Randal and Alisdair Davey to whom I say, as
> BC> Nathan said to King David (2 Samuel 12:7), "You are the man!"
>
> Okay, off-topic here and please tell me to go away if I'm asking in the
> wrong place but I think this may help MailScanner users in the future:
> For Sendmail, in the /etc/mail/access file there is reference to
> whitelisted users in this format:
>
> Spam:postmaster@ FRIEND
>
> and in my install of MS, in /opt/MailScanner/etc/MailScanner.conf there
> is
>
> Is Definitely Not Spam = /opt/MailScanner/etc/spam.whitelist.rules
>
> any chance I can get Sendmail to refer to this file as well so I only
> have one whitelist to maintain?
>
>

Not that I know of... You can always create a small bash script that
does both.

From Kevin_Miller at ci.juneau.ak.us Thu Nov 16 21:13:53 2006
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Nov 16 21:14:01 2006
Subject: Sendmail reject trumps whitelist?
In-Reply-To:
Message-ID:

Brett Charbeneau wrote:
> On Thu, 16 Nov 2006, Brett Charbeneau wrote:
>
>> MANY thanks to all those who responded to my question! As usual for
>> this list, excellent and generous responses all.
>> Especially to Phil Randal and Alisdair Davey to whom I say, as
>> Nathan said to King David (2 Samuel 12:7), "You are the man!"
>
> Okay, off-topic here and please tell me to go away if I'm asking in
> the wrong place but I think this may help MailScanner users in the
> future: For Sendmail, in the /etc/mail/access file there is
> reference to whitelisted users in this format:
>
> Spam:postmaster@ FRIEND
>
> and in my install of MS, in /opt/MailScanner/etc/MailScanner.conf
> there is
>
> Is Definitely Not Spam = /opt/MailScanner/etc/spam.whitelist.rules
>
> any chance I can get Sendmail to refer to this file as well so I only
> have one whitelist to maintain?

Nope. They have completely different formats. Also, the sendmail access
file must be made into a hashed database file. Sendmail doesn't actually
read it, it reads access.db. To make the access.db file you need to
issue the following command:

#makemap hash access < access

in your /etc/mail directory.

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From rob at dido.ca Thu Nov 16 21:15:07 2006
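[Added example, not part of any post in this thread and not code from the
sendmail or MailScanner projects: the "small script that does both" idea from
the Sendmail whitelist replies above, generating the access-file lines and the
MailScanner ruleset from one list. The master-list format, the output name
access.whitelist and all function names are assumptions of this example.]

```shell
#!/bin/sh
# Added example: one master list -> sendmail access fragment + MailScanner ruleset.
# Master list (format assumed here): one recipient per line, "user@domain.tld"
# or "user@" (that user at any domain). '#' starts a comment.

# Accept only plain addresses, so a stray "*@*" or a line carrying extra
# fields can never widen either whitelist.
valid_entry() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9._+-]+@([A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+)?$'
}

# sendmail access line in the "Spam:<recipient> FRIEND" form quoted in the thread.
to_access() {
    printf 'Spam:%s\tFRIEND\n' "$1"
}

# MailScanner ruleset line; "user@" becomes the ruleset pattern "user@*".
to_ruleset() {
    case "$1" in
        *@) printf 'To:\t%s*\tyes\n' "$1" ;;
        *)  printf 'To:\t%s\tyes\n' "$1" ;;
    esac
}

# build_whitelists MASTER OUTDIR
# Writes OUTDIR/access.whitelist and OUTDIR/spam.whitelist.rules.
# Returns 1 and leaves no output files if any entry is rejected.
build_whitelists() {
    master=$1; outdir=$2; bad=0
    acc=$(mktemp "$outdir/access.XXXXXX") || return 2
    rules=$(mktemp "$outdir/rules.XXXXXX") || { rm -f "$acc"; return 2; }

    while IFS= read -r line || [ -n "$line" ]; do
        # Drop comments and surrounding whitespace; skip empty lines.
        entry=$(printf '%s\n' "$line" |
            sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        if valid_entry "$entry"; then
            to_access "$entry" >>"$acc"
            to_ruleset "$entry" >>"$rules"
        else
            echo "rejected entry: $entry" >&2
            bad=1
        fi
    done <"$master"

    if [ "$bad" -ne 0 ]; then
        rm -f "$acc" "$rules"
        return 1
    fi
    # Everything not listed stays subject to normal spam checks.
    printf 'FromOrTo:\tdefault\tno\n' >>"$rules"
    chmod 644 "$acc" "$rules"
    mv "$acc" "$outdir/access.whitelist"
    mv "$rules" "$outdir/spam.whitelist.rules"
}

# After review, merge access.whitelist into /etc/mail/access and rebuild the
# map with the command given in the thread: makemap hash access < access

# Stand-alone run: "sh script MASTER OUTDIR"; with no arguments, show the
# output for a constructed two-entry list.
if [ "$#" -eq 2 ]; then
    build_whitelists "$1" "$2"
elif [ "$#" -eq 0 ]; then
    demo=$(mktemp -d) &&
    printf '%s\n' '# constructed sample' 'postmaster@' 'abuse@example.org' \
        >"$demo/master" &&
    build_whitelists "$demo/master" "$demo" &&
    cat "$demo/access.whitelist" "$demo/spam.whitelist.rules"
    rm -rf "$demo"
fi
```

[The script only writes fragments into OUTDIR; it never touches the live
/etc/mail/access or the MailScanner configuration directory.]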
From: rob at dido.ca (Rob Morin)
Date: Thu Nov 16 21:15:12 2006
Subject: Darn, i forgot where that website was with SA rule...
In-Reply-To: <455CCF79.90405@evi-inc.com>
References: <455CC950.6060205@dido.ca> <455CCF79.90405@evi-inc.com>
Message-ID: <455CD4DB.6020002@dido.ca>

Weird as here is the body of the message that generated a score of 18!
This is too messed up, it looks legit to me???

here is the score....

Nov 16 11:48:59 peter MailScanner[4750]: Message 3A21F69008A.53354 from 207.99.47.70 (dplatt@domain.com) to reboxcorp.com is spam, SpamAssassin (score=18.497, required 4, BAYES_80 2.00, FB_4WORD_DOLLARe 1.28, FB_SINGLE_0WORD 0.34, FB_SINGLE_1WORD 1.01, FB_WORD2_END_DOLLAR 1.39, FB_WORD_01DOLLAR1 0.90, FM_MULTI_ODD2 1.10, FM_MULTI_ODD3 0.70, FM_MULTI_ODD4 0.70, FM_MULTI_ODD5 0.90, FM_N0N0_WORDS 3.20, OBSCURED_EMAIL 2.10, SARE_RAND_2 2.50, UPPERCASE_50_75 0.37)
Nov 16 11:48:59 peter MailScanner[4750]: Spam Actions: message 3A21F69008A.53354 actions are delete

Rick,

Attached is your quote on the PLP-2150 machine with optional top platen
holder. Prices are list CDN$ MSP will have a 25% discount from these.
Expect about a 5-6 week leadtime from PO. NOTE: Labour is not covered
under the Phoenix parts warranty. This is part of the responsibility of
the distributors selling the machines with 25% discount. Call me if
there is anything else.

Rgs,
Derek Platt
CAPS-Phoenix
514-555-1212

Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

Matt Kettler wrote:
> Rob Morin wrote:
>
>> ... definitions? meaning what does FM_N0N0_WORDS mean.... there was a
>> website that explained it, i lost my bookmarks...
>>
>> Any help Appreciated....
>>
>> Thanks...
>>
>>
>
> http://www.google.com/search?hl=en&q=FM_N0N0_WORDS&btnG=Google+Search
>
> Yields this as the first hit:
> http://www.rulesemporium.com/rules/99_FVGT_meta.cf
>
> Looks like it's trying to detect porn words using 0 or 1 instead of o or i.
>
> Unfortunately, some of the words aren't porn-exclusive, and since 0 is directly
> above o on the keyboard it's a common typo for lousy typists.
>

From Denis.Beauchemin at USherbrooke.ca Thu Nov 16 21:16:25 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Nov 16 21:16:55 2006
Subject: Razor and Pyzor problems...
In-Reply-To: <20061117020027.k3qjloq7ko800c8k@mail.netmagicsolutions.com>
References: <455B6030.7010105@USherbrooke.ca>
    <223f97700611151237u195a534du5b1907afa82e2f7e@mail.gmail.com>
    <455B7E29.6040909@USherbrooke.ca> <455B802B.8010505@evi-inc.com>
    <455C6562.4030200@USherbrooke.ca>
    <455C737F.1040608@netmagicsolutions.com>
    <455CBA31.402@USherbrooke.ca>
    <20061117020027.k3qjloq7ko800c8k@mail.netmagicsolutions.com>
Message-ID: <455CD529.3050004@USherbrooke.ca>

Dhawal Doshy wrote:
>
> Quoting Denis Beauchemin :
>
>> Dhawal Doshy wrote:
>>> Denis Beauchemin wrote:
>>>> Matt Kettler wrote:
>>>>> Denis Beauchemin wrote:
>>>>>
>>>>>
>>>>>> Yes, I did the following:
>>>>>> #
>>>>>>
>>>>>> perl Makefile.PL
>>>>>> make
>>>>>> make test
>>>>>> make install
>>>>>> razor-admin -create
>>>>>> razor-admin -register
>>>>>> vi /etc/MailScanner/spam.assassin.prefs.conf
>>>>>> use_razor2 1
>>>>>> service MailScanner reload (even tried a restart)
>>>>>>
>>>>>> BTW I couldn't find anything about use_razor2 on SA's website.
>>>>>> Is it
>>>>>> still needed?
>>>>>
>>>>> Razor is a plugin now, so use_razor2 would be in the plugin docs,
>>>>> not the
>>>>> top-level SpamAssassin::Conf docs.
>>>>>
>>>>> See:
>>>>>
>>>>> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_Razor2.html
>>>>> That said, you shouldn't need to declare use_razor. Now that it's
>>>>> a plugin, this
>>>>> defaults to 1 (enabled).
>>>>>
>>>>> Check your /etc/mail/spamassassin/v310.pre and make sure the
>>>>> razor plugin isn't
>>>>> disabled. This was disabled by default in early releases of SA
>>>>> 3.1.x, but is now
>>>>> enabled.
>>>>>
>>>>>
>>>> It is enabled:
>>>> loadplugin Mail::SpamAssassin::Plugin::Razor2
>>>>
>>>> Denis
>>>
>>> Can you check your razor-agent.log? maybe a clue lies in there.
>>>
>>> - dhawal
>> It's almost empty:
>> Nov 15 11:09:35.266367 admin[2215]: [ 2] [bootup] Logging initiated
>> LogDebugLevel=3 to file:/root/.razor/razor-agent.log
>> Nov 15 11:09:35.266976 admin[2215]: [ 2] Razor-Agents v2.82 starting
>> razor-admin -register
>> Nov 15 11:09:36.063472 admin[2215]: [ 3] Attempting to register.
>> Nov 15 11:09:36.468352 admin[2215]: [ 3] Register successful. Identity
>> stored in /root/.razor/identity-xxxx
>
>
> Final ideas / thoughts (since i have run out of them).. your razor
> appears to have registered but not discovered the cloudmark servers..
> do you see files like server.*.cloudmark.conf?
>
> If not you need to run a 'razor-admin -discover' once and try out the
> 'sa -D < testmesg' again.
>

I had written a long explanation of all things I had checked and finally
found something that made it work: I have a user_prefs file in my
"SpamAssassin User State Dir" that had the following very old entries:

use_razor2 1
razor_config /root/.razor/razor-agent.conf
razor_timeout 10

Usually this file is a copy of my spam.assassin.prefs.conf that I use to
test things out before pushing them into production but I forgot SA uses
it... and I didn't know MS used it either...

By commenting the lines out and restarting MS it finally worked! I now
see RAZOR hits in my maillog! :-)

Thanks to all that helped!

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From mkettler at evi-inc.com Thu Nov 16 21:26:10 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Nov 16 21:26:18 2006
Subject: Darn, i forgot where that website was with SA rule...
In-Reply-To: <455CD4DB.6020002@dido.ca>
References: <455CC950.6060205@dido.ca> <455CCF79.90405@evi-inc.com>
    <455CD4DB.6020002@dido.ca>
Message-ID: <455CD772.2050104@evi-inc.com>

Rob Morin wrote:
> Weird as here is the body of the message that generated a score of 18!
> This is too messed up, it looks legit to me???

Yes, the parts of the message you quoted look legit.

However, you quoted just the body text, post-rendering by your client.
If it's a multi-part/alternative message, there's more to the body than
what you quoted.

The FM_MULTI_ODD* also doesn't seem to match the text you quoted.

>
> here is the score....
>
> Nov 16 11:48:59 peter MailScanner[4750]: Message 3A21F69008A.53354 from
> 207.99.47.70 (dplatt@domain.com) to reboxcorp.com is spam, SpamAssassin
> (score=18.497, required 4, BAYES_80 2.00, FB_4WORD_DOLLARe 1.28,
> FB_SINGLE_0WORD 0.34, FB_SINGLE_1WORD 1.01, FB_WORD2_END_DOLLAR 1.39,
> FB_WORD_01DOLLAR1 0.90, FM_MULTI_ODD2 1.10, FM_MULTI_ODD3 0.70,
> FM_MULTI_ODD4 0.70, FM_MULTI_ODD5 0.90, FM_N0N0_WORDS 3.20,
> OBSCURED_EMAIL 2.10, SARE_RAND_2 2.50, UPPERCASE_50_75 0.37)
> Nov 16 11:48:59 peter MailScanner[4750]: Spam Actions: message
> 3A21F69008A.53354 actions are delete
>
>

From ssilva at sgvwater.com Thu Nov 16 23:16:58 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 16 23:17:15 2006 Subject: MailScanner miss several Regning.exe files In-Reply-To: <41EA997496BB5542BDA52CFA44FE78FC9A6C48@AHMAIL.ah.ahnet.local> References: <455BF990.2010603@taz-mania.com> <41EA997496BB5542BDA52CFA44FE78FC9A6C48@AHMAIL.ah.ahnet.local> Message-ID: Jan Elmqvist Nielsen spake the following on 11/16/2006 1:48 AM: > The virus Trojan-Downloader.Win32.Nurech.h (kaspersky) comes as a exe > file. > > I have to my horror notice that serveral of these mails with the exe > file attached not have been stop!!! > > I using MailScanner ver. 4.54.6 with mailwatch > > Attached are 2 screen dumps > > /Jan Elmqvist Nielsen > > > ------------------------------------------------------------------------ > > > ------------------------------------------------------------------------ > Another reason to not allow exe files. Users need to zip them, or not mail them on my servers. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From res at ausics.net Fri Nov 17 02:28:54 2006 
From: res at ausics.net (Res) Date: Fri Nov 17 02:29:05 2006 Subject: Sendmail reject trumps whitelist? In-Reply-To: References: Message-ID: On Thu, 16 Nov 2006, Brett Charbeneau wrote: > Greetings all, > > I've set up sendmail to reject incoming messages with a 554 error if > they are listed in dnsbl.sorbs.net by sticking this line in my sendmail.mc > file: > > FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} > " > BLACKLISTED found in dnsbl.sorbs.net"')dnl > > Now this list tends to get mad a AOL and Hotmail mail servers for > obvious reasons and therefore ALL mail from these domains, legit or not, gets Have sendmail "OK" aol.com and hotmail.com and let mailscanner deal with what is spam or not for those two domains > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From garry at glendown.de Fri Nov 17 04:58:19 2006 From: garry at glendown.de (Garry Glendown) Date: Fri Nov 17 04:58:30 2006 Subject: MS started crashing ... In-Reply-To: References: <455C9CD4.7030403@glendown.de> <455CB318.5080204@glendown.de> Message-ID: <455D416B.3070107@glendown.de> > Upgrade, then check. The stable version is 4.56.8.1. I did last night, same ... From martinh at solidstatelogic.com Fri Nov 17 09:11:48 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Fri Nov 17 09:12:19 2006 Subject: MailScanner miss several Regning.exe files In-Reply-To: References: <455BF990.2010603@taz-mania.com> <41EA997496BB5542BDA52CFA44FE78FC9A6C48@AHMAIL.ah.ahnet.local> Message-ID: <455D7CD4.4000606@solidstatelogic.com> Scott Silva wrote: > Jan Elmqvist Nielsen spake the following on 11/16/2006 1:48 AM: >> The virus Trojan-Downloader.Win32.Nurech.h (kaspersky) comes as a exe >> file. >> >> I have to my horror notice that serveral of these mails with the exe >> file attached not have been stop!!! >> >> I using MailScanner ver. 4.54.6 with mailwatch >> >> Attached are 2 screen dumps >> >> /Jan Elmqvist Nielsen >> >> >> ------------------------------------------------------------------------ >> >> >> ------------------------------------------------------------------------ >> > Another reason to not allow exe files. Users need to zip them, or not mail > them on my servers. > of course MS scans inside zip files as well - after a certain virus started spreading itself in them.... -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From glenn.steen at gmail.com Fri Nov 17 09:43:18 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 17 09:43:23 2006 Subject: MailScanner miss several Regning.exe files In-Reply-To: <455D7CD4.4000606@solidstatelogic.com> References: <455BF990.2010603@taz-mania.com> <41EA997496BB5542BDA52CFA44FE78FC9A6C48@AHMAIL.ah.ahnet.local> <455D7CD4.4000606@solidstatelogic.com> Message-ID: <223f97700611170143i5c583e05r63a8fbc65f939624@mail.gmail.com> On 17/11/06, Martin Hepworth wrote: > Scott Silva wrote: > > Jan Elmqvist Nielsen spake the following on 11/16/2006 1:48 AM: > >> The virus Trojan-Downloader.Win32.Nurech.h (kaspersky) comes as a exe > >> file. > >> > >> I have to my horror notice that serveral of these mails with the exe > >> file attached not have been stop!!! > >> > >> I using MailScanner ver. 4.54.6 with mailwatch > >> > >> Attached are 2 screen dumps > >> > >> /Jan Elmqvist Nielsen > >> > >> > >> ------------------------------------------------------------------------ > >> > >> > >> ------------------------------------------------------------------------ > >> > > Another reason to not allow exe files. Users need to zip them, or not mail > > them on my servers. > > > > of course MS scans inside zip files as well - after a certain virus > started spreading itself in them.... ... and the beauty of it is that it is totally configurable, even in this respect... So it is easy to make it follow your policy, not the other way around:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Howard at harper-adams.ac.uk Fri Nov 17 11:33:50 2006 
From: Howard at harper-adams.ac.uk (Howard Robinson) Date: Fri Nov 17 11:34:40 2006 Subject: HTML filtering (still) Message-ID: Dear list I am still having problem getting MailScanner not to strip HTML (see previous email from me for details if you wish) However when looking through maillog I saw this (multiple entires different dates & times obviously):- Nov 17 11:25:39 blackhole2 MailScanner[29601]: Unrar command /usr/bin/unrar does not exist or is not executable, please either install it or remove the setting from MailScanner.conf However in MailScanner .conf I have the following as I don't have unrar install. # Where the "unrar" command is installed. # If you haven't got this command, look at www.rarlab.com. # # This is used for unpacking rar archives so that the contents can be # checked for banned filenames and filetypes, and also that the # archive can be tested to see if it is password-protected. # Virus scanning the contents of rar archives is still left to the virus # scanner, with one exception: # If using the clavavmodule virus scanner, this adds external RAR checking # to that scanner which is needed for archives which are RAR version 3. # Unrar Command = /usr/bin/unrar # The maximum length of time the "unrar" command is allowed to run for 1 # RAR archive (in seconds) # Unrar Timeout = 50 There are no other references to unrar in MailScanner.conf. I altered some of the header texts in MailScanner.conf so that I could look at a recieved email and see if the headers we reflecting the changes. They were which suggest that MailScanner is using the .conf file I have been editing . Is the syntax for unrar correct. Is there a MailScanner.conf 'systax tester' that would highlight any rouge characters that may have crept in? Thanks Regards Howard Robinson, (Senior Technical Development Officer), Harper Adams University College, Edgmond, Newport, Shropshire , TF10 8NB. Tel. Direct 01952 815253 Tel. 
Switch Board 01952 820280 Fax 01952 814783 Email hrobinson@harper-adams.ac.uk Web www.harper-adams.ac.uk From glenn.steen at gmail.com Fri Nov 17 12:34:41 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 17 12:34:44 2006 Subject: HTML filtering (still) In-Reply-To: References: Message-ID: <223f97700611170434t6063de6fm51130b52e3584c4e@mail.gmail.com> On 17/11/06, Howard Robinson wrote: > Dear list > I am still having problem getting MailScanner not to strip HTML > (see previous email from me for details if you wish) > > However when looking through maillog I saw this (multiple entires different dates & times obviously):- > > Nov 17 11:25:39 blackhole2 MailScanner[29601]: Unrar command /usr/bin/unrar does not exist or is not executable, please either install it or remove the setting from MailScanner.conf > > However in MailScanner .conf I have the following as I don't have unrar install. > > # Where the "unrar" command is installed. > # If you haven't got this command, look at www.rarlab.com. > # > # This is used for unpacking rar archives so that the contents can be > # checked for banned filenames and filetypes, and also that the > # archive can be tested to see if it is password-protected. > # Virus scanning the contents of rar archives is still left to the virus > # scanner, with one exception: > # If using the clavavmodule virus scanner, this adds external RAR checking > # to that scanner which is needed for archives which are RAR version 3. > # Unrar Command = /usr/bin/unrar > > # The maximum length of time the "unrar" command is allowed to run for 1 > # RAR archive (in seconds) > # Unrar Timeout = 50 > > There are no other references to unrar in MailScanner.conf. Then it'll default to something (am to lazy to check what:-). Just get it, set it and be done.:-) > I altered some of the header texts in MailScanner.conf so that I could look at a recieved email and see if the headers we reflecting the changes. They were which suggest that MailScanner is using the .conf file I have been editing . > Is the syntax for unrar correct. 
> Is there a MailScanner.conf 'systax tester' that would highlight any rouge characters that may have crept in? Yes, you can run "MailScanner --lint" for a syntax check, and "MailScanner --changed" to see what you've changed from the defaults. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From brett at wrl.org Fri Nov 17 13:00:33 2006 From: brett at wrl.org (Brett Charbeneau) Date: Fri Nov 17 13:01:31 2006 Subject: Sendmail reject trumps whitelist? In-Reply-To: <200611171200.kAHC0Lil009905@bkserver.blacknight.ie> References: <200611171200.kAHC0Lil009905@bkserver.blacknight.ie> Message-ID: > > Greetings all, > > > > I've set up sendmail to reject incoming messages with a 554 error if > > they are listed in dnsbl.sorbs.net by sticking this line in my sendmail.mc > > file: > > > > FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} > " > > BLACKLISTED found in dnsbl.sorbs.net"')dnl > > > > Now this list tends to get mad a AOL and Hotmail mail servers for > > obvious reasons and therefore ALL mail from these domains, legit or not, > > > Have sendmail "OK" aol.com and hotmail.com and let mailscanner deal > with what is spam or not for those two domains Ah, so! Good idea, Res - many thanks. Sendmail took my Spam:*aol.com FRIEND so I think I'm in business. Thanks to all who offered suggestions and ideas! -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From brett at wrl.org Fri Nov 17 13:07:22 2006 
From: brett at wrl.org (Brett Charbeneau) Date: Fri Nov 17 13:08:12 2006 Subject: Debian users: anyone greylisting? Message-ID: At Julian's and other's fine subscribers suggestions I've been trying to implement milter-gris on my Debian 3.1 box using sendmail as the MTA. I downloaded libsnert-1.62.tar.gz and milter-gris-0.19.tar.gz from snertsoft.com and ran into a bizarre version mis-match with makemap: milter-gris claims the hash version of /etc/mail/access.db is unsupported. I posted to the milter list, but the problem seems unique to the Debian distribution, so I can't expect them to offer much help there. I can't find makemap in the repository search at debian.org so I can't tell what package provided it nor will man makemap allow me to determine its version, so I'm stuck. Is anyone out there using Debian and MS and sendmail *and* doing greylisting? If so, what's the drill? Google offers up "relaydelay" and it gets good coverage here: http://www.thing.dyndns.org/debian/grey.htm but milter-gris comes so highly recommended on this list that I wanted to see if any other Debian user conquered the makemap goofiness. -- ******************************************************************** Brett Charbeneau Network Administrator Williamsburg Regional Library 7770 Croaker Road Williamsburg, VA 23188-7064 (757)259-4044 www.wrl.org (757)259-4079 (fax) brett@wrl.org ******************************************************************** From ugob at camo-route.com Fri Nov 17 13:23:57 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 17 13:25:08 2006 Subject: MS started crashing ... In-Reply-To: <455D416B.3070107@glendown.de> References: <455C9CD4.7030403@glendown.de> <455CB318.5080204@glendown.de> <455D416B.3070107@glendown.de> Message-ID: Garry Glendown wrote: >> Upgrade, then check. The stable version is 4.56.8.1. > > I did last night, same ... Have you tried setting the TNEF expander to internal? From Denis.Beauchemin at USherbrooke.ca Fri Nov 17 13:50:04 2006 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Nov 17 13:50:33 2006
Subject: HTML filtering (still)
In-Reply-To:
References:
Message-ID: <455DBE0C.1050105@USherbrooke.ca>

Howard Robinson wrote:
> Dear list
> I am still having problem getting MailScanner not to strip HTML
> (see previous email from me for details if you wish)
>
> However when looking through maillog I saw this (multiple entires different dates & times obviously):-
>
> Nov 17 11:25:39 blackhole2 MailScanner[29601]: Unrar command /usr/bin/unrar does not exist or is not executable, please either install it or remove the setting from MailScanner.conf
>
> However in MailScanner .conf I have the following as I don't have unrar install.
>
> # Where the "unrar" command is installed.
> # If you haven't got this command, look at www.rarlab.com.
> #
> # This is used for unpacking rar archives so that the contents can be
> # checked for banned filenames and filetypes, and also that the
> # archive can be tested to see if it is password-protected.
> # Virus scanning the contents of rar archives is still left to the virus
> # scanner, with one exception:
> # If using the clavavmodule virus scanner, this adds external RAR checking
> # to that scanner which is needed for archives which are RAR version 3.
> # Unrar Command = /usr/bin/unrar
>
> # The maximum length of time the "unrar" command is allowed to run for 1
> # RAR archive (in seconds)
> # Unrar Timeout = 50
>

If you don't want to use it you have to write:

Unrar Command = # /usr/bin/unrar

Denis

--
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061117/0e749011/smime.bin

From glenn.steen at gmail.com Fri Nov 17 14:09:41 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 17 14:09:44 2006
Subject: Debian users: anyone greylisting?
In-Reply-To:
References:
Message-ID: <223f97700611170609r72d747feqa6c6c57a5f7b530@mail.gmail.com>

On 17/11/06, Brett Charbeneau wrote:
> At Julian's and other's fine subscribers suggestions I've been trying to
> implement milter-gris on my Debian 3.1 box using sendmail as the MTA.
> I downloaded libsnert-1.62.tar.gz and milter-gris-0.19.tar.gz from
> snertsoft.com and ran into a bizarre version mis-match with makemap: milter-gris
> claims the hash version of /etc/mail/access.db is unsupported.
> I posted to the milter list, but the problem seems unique to the Debian
> distribution, so I can't expect them to offer much help there.
> I can't find makemap in the repository search at debian.org so I can't
> tell what package provided it nor will man makemap allow me to determine its
> version, so I'm stuck.

How about doing a
dpkg-query --search $(which makemap)
... Should yield the "owning" package (likely something like sendmail or sendmail-base).

> Is anyone out there using Debian and MS and sendmail *and* doing
> greylisting? If so, what's the drill?

Unfortunately no, not me at least:).

> Google offers up "relaydelay" and it gets good coverage here:
>
> http://www.thing.dyndns.org/debian/grey.htm
>
> but milter-gris comes so highly recommended on this list that I wanted
> to see if any other Debian user conquered the makemap goofiness.
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From steve.freegard at fsl.com Fri Nov 17 14:22:39 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Nov 17 14:22:54 2006
Subject: Sendmail reject trumps whitelist?
In-Reply-To:
References: <200611171200.kAHC0Lil009905@bkserver.blacknight.ie>
Message-ID: <455DC5AF.4080309@fsl.com>

Hi Brett,

Brett Charbeneau wrote:
>> Have sendmail "OK" aol.com and hotmail.com and let mailscanner deal
>> with what is spam or not for those two domains
>
> Ah, so!
> Good idea, Res - many thanks. Sendmail took my
>
> Spam:*aol.com FRIEND
>
> so I think I'm in business.
> Thanks to all who offered suggestions and ideas!
>

Nope - that entry is incorrect. Sendmail doesn't support wildcards, it does the following:

Example from address = abc@abc.def.com

Sendmail will do the following lookups (in order):

Spam:abc@abc.def.com
Spam:abc.def.com
Spam:def.com
Spam:com

So for your entry you would need:

Spam:aol.com FRIEND

Regards,
Steve.

From t.d.lee at durham.ac.uk Fri Nov 17 16:09:15 2006
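The lookup order listed in the "Sendmail reject trumps whitelist?" reply above, as an added Python example (not part of any list message and not sendmail's own code). It models only the four lookups that reply names; the function names and the sample access-map text are assumptions made for this example.

```python
def parse_access(text):
    """Parse access-map source text into {key: value}; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            table[parts[0]] = parts[1].strip()
    return table


def lookup_keys(tag, address):
    """Keys tried for `address`, in the order given in the message:
    the full address, then the domain with leading labels removed one by one."""
    labels = address.rsplit("@", 1)[-1].split(".")
    keys = ["%s:%s" % (tag, address)] if "@" in address else []
    keys += ["%s:%s" % (tag, ".".join(labels[i:])) for i in range(len(labels))]
    return keys


def lookup(table, tag, address):
    """Return (key, value) for the first key that exists, else None."""
    for key in lookup_keys(tag, address):
        if key in table:
            return key, table[key]
    return None


def never_matching(table):
    """Keys containing '*': literal lookups are the only kind performed,
    so such an entry is accepted into the map but can never be hit."""
    return sorted(k for k in table if "*" in k)


# Constructed access-map fragments: the entry from the thread and its fix.
ACCESS_WILDCARD = "# exempt AOL from the DNSBL check\nSpam:*aol.com\tFRIEND\n"
ACCESS_LITERAL = "# exempt AOL from the DNSBL check\nSpam:aol.com\tFRIEND\n"

if __name__ == "__main__":
    sender = "someone@mx.aol.com"  # constructed sample address
    print(lookup_keys("Spam", sender))
    for text in (ACCESS_WILDCARD, ACCESS_LITERAL):
        table = parse_access(text)
        print(lookup(table, "Spam", sender), never_matching(table))
```
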
From: t.d.lee at durham.ac.uk (David Lee)
Date: Fri Nov 17 16:09:33 2006
Subject: MailScanner bug [Was: Re: SA 3.1.7 returning no result to MS?]
In-Reply-To:
References: <4554A39C.1050404@evi-inc.com> <45589620.2010900@evi-inc.com>
Message-ID:

On Wed, 15 Nov 2006, David Lee wrote:

> [...]
> Looking a little deeper, it seems that in the "MailScanner/SA.pm" module
> at the "eval { ...}" near line 800 (MS 4.56.8) all the results from:
>
> $pipe->reader();
> local $SIG{ALRM} = sub { die "Command Timed Out" };
> alarm MailScanner::Config::Value('spamassassintimeout');
> $SAHits = <$pipe>;
> #print STDERR "Read SAHits = $SAHits " . scalar(localtime) . "\n";
> $AutoLearn = <$pipe>;
> $SAHitList = <$pipe>;
> $SAReport = <$pipe>;
> #print STDERR "Read SAHitList = $SAHitList " . scalar(localtime) . "\n";
> # Not sure if next 2 lines should be this way round...
> waitpid $pid, 0;
> $pipe->close();
> $PipeReturn = $?;
>
> are coming back empty. Hence the syslog entry:
> Message ... is not spam, SpamAssassin (cached, score=0, required 6, autolearn=)
>
> This suggests that SA's expected behaviour would be that a 'good' return
> would always be accompanied by real, non-empty, data. This, I presume, is
> what has always happened historically.
>
> But it now seems, after upgrade to SA 3.1.7, that SA occasionally provides
> empty data on a 'good' return: inconsistent.

I've probably slightly mis-read the detail there. But the same principle still applies. I think we have an MS bug.

The "MailScanner/SA.pm" code (my comments "##TDL##") does:

    my $pid = fork();
    [...]
    if ($pid == 0) {
      # In the child
      ##TDL## Child does the SpamAssassin call
      $pipe->writer();
      [...]
      $spamness = $Test->check($mail);
      [ ... print SA results into $pipe ...]
      $pipe->close();
      exit 0; # $SAResult;
    }
    ##TDL## Note: child has finished.

    ##TDL## In MailScanner parent only.
    eval {
      $pipe->reader();
      [... read SA results ...] ##TDL## from the SA call in child above.
      $pipe->close();
      $PipeReturn = $?;
      [...]
    }
    ##TDL## "$PipeReturn" never used

Now suppose that SA (from the fork's child) crashes. Ideally, this "shouldn't happen"(TM). But we all know reality to be non-ideal, don't we? And in my own environment, from a different context, I have seen such SA-3.1.7 crashes actually happen. (If anyone is curious, I can provide further info and core files.)

Then the parent (i.e. inside that "eval {}") will get empty data from SA, and the parent will continue to run. Worse, the existing code of MS fails to distinguish whether the SA/child terminated cleanly (with real data from SA/child/pipe) or crashed (no data from SA/child/pipe).

The parent stores a return code in "$PipeReturn". Would that particular code distinguish the crash from the normal termination? Even if it does potentially distinguish the various return types (success, fail, crash) of the SA/child, the subsequent code doesn't ever use it (except merely printing it as a low-priority debugging message 100 lines later).

I suggest therefore, that there is a MailScanner bug:

MS BUG: If MS's call to SA fails (e.g. crash/segfault), MS is unable to distinguish this from a successful return.

RESOLUTION: The code immediately following the "eval {}" ought to check the return (e.g "$PipeReturn") to detect SA/child failures. Such failures may reasonably be expected to be rare, but should nevertheless be handled, perhaps by leaving the email where it is, and doing a high-priority (e.g. "error") syslog message.

NOTE: Might the SA/child itself need an enclosing "eval {}"?

--

: David Lee                          I.T. Service      :
: Senior Systems Programmer          Computer Centre   :
:                                    Durham University :
: http://www.dur.ac.uk/t.d.lee/      South Road        :
:                                    Durham DH1 3LE    :
: Phone: +44 191 334 2752            U.K.              :

From ugob at camo-route.com Fri Nov 17 16:46:34 2006
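The failure mode described in the "MailScanner bug" message above, reproduced as an added Python example (not MailScanner's Perl and not code from the list): `run_unchecked` uses whatever the pipe delivered, while `run_checked` inspects the child's wait status before trusting it. The function names, the four-line result format and the sample values are assumptions made for this example.

```python
import os
import select
import signal
import time


class ScanFailed(Exception):
    """The scanning child did not deliver a trustworthy result."""


def _fork_and_read(work, timeout):
    """Run work() in a forked child; return (bytes read, wait status)."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: compute, write one value per line, exit
        os.close(rfd)
        try:
            os.write(wfd, ("\n".join(work()) + "\n").encode())
        except BaseException:
            os._exit(1)  # a Python exception becomes a non-zero exit
        os._exit(0)
    os.close(wfd)  # parent keeps only the read end
    data, deadline = b"", time.monotonic() + timeout
    try:
        while True:
            left = deadline - time.monotonic()
            if left <= 0 or not select.select([rfd], [], [], left)[0]:
                os.kill(pid, signal.SIGKILL)  # stop a hung child
                os.waitpid(pid, 0)
                raise ScanFailed("timed out after %ss" % timeout)
            chunk = os.read(rfd, 65536)
            if not chunk:  # EOF: the child closed the pipe or died
                break
            data += chunk
    finally:
        os.close(rfd)
    _, status = os.waitpid(pid, 0)  # reap the child and keep its status
    return data, status


def run_unchecked(work, timeout=10.0):
    """The pattern from the message: use what was read, ignore the status."""
    data, _status = _fork_and_read(work, timeout)
    lines = data.decode().splitlines()
    return (lines + [""] * 4)[:4]  # a dead child reads back as four empties


def run_checked(work, timeout=10.0):
    """Accept the result only if the child exited 0 and sent all 4 values."""
    data, status = _fork_and_read(work, timeout)
    if os.WIFSIGNALED(status):
        raise ScanFailed("child killed by signal %d" % os.WTERMSIG(status))
    if not os.WIFEXITED(status) or os.WEXITSTATUS(status) != 0:
        raise ScanFailed("child exit status %d" % os.WEXITSTATUS(status))
    lines = data.decode().splitlines()
    if len(lines) != 4:
        raise ScanFailed("expected 4 result lines, got %d" % len(lines))
    return lines


def good_scan():  # constructed sample values, not real SpamAssassin output
    return ["18.497", "no", "BAYES_80,OBSCURED_EMAIL", "constructed report"]


def crashing_scan():  # SIGKILL stands in for a segfault in the child
    os.kill(os.getpid(), signal.SIGKILL)


def raising_scan():
    raise RuntimeError("constructed failure")


def hanging_scan():
    time.sleep(30)
    return good_scan()


if __name__ == "__main__":
    print("checked, good child:     ", run_checked(good_scan))
    print("unchecked, crashed child:", run_unchecked(crashing_scan))
    for bad in (crashing_scan, raising_scan):
        try:
            run_checked(bad)
        except ScanFailed as exc:
            print("checked, rejected:       ", exc)
```

The four empty strings returned by `run_unchecked` for the crashed child are the same shape as the "score=0 ... autolearn=" log entry quoted in the message.
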
From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 17 16:49:31 2006 Subject: noticesizeinfected in language translation file In-Reply-To: References: Message-ID: Ugo Bellavance wrote: > Hi, > > I get this error on some of my servers (4.56.8). I looked in > /etc/MailScanner/reports/en and I can't find an rpmnew file or this > string in the current languages.conf file. > > Looked up unknown string noticesizeinfected in language translation file > /etc/MailScanner/reports/en/languages.conf > > Has it been ommited? > > Regards, > > Ugo > Can anyone check that on their system? Ugo From Howard at harper-adams.ac.uk Fri Nov 17 16:53:56 2006 
From: Howard at harper-adams.ac.uk (Howard Robinson)
Date: Fri Nov 17 16:56:05 2006
Subject: HTML filtering (still)
Message-ID:

Denis, you are correct it is now not reporting this in Maillog. Thanks.

Further to the question I posted earlier re syntax checking MailScanner.conf

Running MailScanner --lint still gives the following error

[root@blackhole2 sbin]# MailScanner --lint
Cannot open config file --lint, No such file or directory at /usr/lib/MailScanner/MailScanner/Config.pm line 592.
Compilation failed in require at /usr/sbin/MailScanner line 65.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 65.

Looking at the MailScanner lists I came across these two commands

[root@blackhole2 MailScanner]# grep MailScannerVersion /usr/sbin/MailScanner | head -1
$MailScanner::Config::MailScannerVersion = '4.48.4';
&
[root@blackhole2 MailScanner]#grep -A 20 GetOptions /usr/sbin/MailScanner
which produced nothing!

On the particular question on the list it was traced to CustomConfig.pm being the wrong file. Even though it mentions Config.pm! CustomConfig.rpmnew when renamed correcting the fault. This hasn't worked on my installation.

I intend to upgrade to the latest version of MailScanner on Monday afternoon but is there a fault in MailScanner.conf or is it that --lint does not work for the version I am using? If there is a fault will the update correct this or simply perpetuate it?

Thanks once again

.>>> Denis.Beauchemin@USherbrooke.ca 17/11/06 13:50:04 >>>
.Howard Robinson wrote:
.> Dear list
.> I am still having problem getting MailScanner not to strip HTML
.> (see previous email from me for details if you wish)
.>
.> However when looking through maillog I saw this (multiple entires different dates & times obviously):-
.>
.> Nov 17 11:25:39 blackhole2 MailScanner[29601]: Unrar command /usr/bin/unrar does not exist or is not executable, please either install it or remove the setting from
.MailScanner.conf
.>
.> However in MailScanner .conf I have the following as I don't have unrar install.
.>
.> # Where the "unrar" command is installed.
.> # If you haven't got this command, look at www.rarlab.com.
.> #
.> # This is used for unpacking rar archives so that the contents can be
.> # checked for banned filenames and filetypes, and also that the
.> # archive can be tested to see if it is password-protected.
.> # Virus scanning the contents of rar archives is still left to the virus
.> # scanner, with one exception:
.> # If using the clavavmodule virus scanner, this adds external RAR checking
.> # to that scanner which is needed for archives which are RAR version 3.
.> # Unrar Command = /usr/bin/unrar
.>
.> # The maximum length of time the "unrar" command is allowed to run for 1
.> # RAR archive (in seconds)
.> # Unrar Timeout = 50
.>
.>If you don't want to use it you have to write:
.Unrar Command = # /usr/bin/unrar
.Denis
.--   _
.   ?v?   Denis Beauchemin, analyste
.  /(_)\  Université de Sherbrooke, S.T.I.
.   ^ ^   T: 819.821.8000x62252 F: 819.821.8045

Regards

Howard Robinson,
(Senior Technical Development Officer),
Harper Adams University College,
Edgmond,
Newport,
Shropshire,
TF10 8NB.
Tel. Direct 01952 815253
Tel. Switch Board 01952 820280
Fax 01952 814783
Email hrobinson@harper-adams.ac.uk
Web www.harper-adams.ac.uk

From rabellino at di.unito.it Fri Nov 17 16:59:59 2006
From: rabellino at di.unito.it (Rabellino Sergio) Date: Fri Nov 17 17:00:08 2006 Subject: Information about latest release of Mailscanner Message-ID: <455DEA8F.7090606@di.unito.it> In the latest releases of MS the option Ignore Spam Whitelist If Recipients Exceed can be set to a ruleset ? In my actual installation (4.50.4) the log tells me " Value of whitelistmaxrecips cannot be a ruleset, only a simple value" . Thanks. -- Ing. Sergio Rabellino Head of ICT Services Department of Computer Science University of Torino (Italy) http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 From jase at sensis.com Fri Nov 17 17:00:38 2006 From: jase at sensis.com (Desai, Jason) Date: Fri Nov 17 17:02:17 2006 Subject: noticesizeinfected in language translation file Message-ID: <1951DC816E1A9F469307B05FA183F4385FF788@corpatsmail1.corp.sensis.com> > Ugo Bellavance wrote: > > Hi, > > > > I get this error on some of my servers (4.56.8). I looked in > > /etc/MailScanner/reports/en and I can't find an rpmnew file or this > > string in the current languages.conf file. > > > > Looked up unknown string noticesizeinfected in language > translation file > > /etc/MailScanner/reports/en/languages.conf > > > > Has it been ommited? > > > > Regards, > > > > Ugo > > > > Can anyone check that on their system? > > Ugo It is missing from my system. Running 4.56.8 from the tar distribution. Jase From mikea at mikea.ath.cx Fri Nov 17 17:09:14 2006 
From: mikea at mikea.ath.cx (mikea) Date: Fri Nov 17 17:09:19 2006 Subject: Debian users: anyone greylisting? In-Reply-To: ; from brett@wrl.org on Fri, Nov 17, 2006 at 08:07:22AM -0500 References: Message-ID: <20061117110914.H2424@mikea.ath.cx> On Fri, Nov 17, 2006 at 08:07:22AM -0500, Brett Charbeneau wrote: > At Julian's and other's fine subscribers suggestions I've been trying to > implement milter-gris on my Debian 3.1 box using sendmail as the MTA. > I downloaded libsnert-1.62.tar.gz and milter-gris-0.19.tar.gz from > snertsoft.com and ran into a bizarre version mis-match with makemap: milter-gris > claims the hash version of /etc/mail/access.db is unsupported. > I posted to the milter list, but the problem seems unique to the Debian > distribution, so I can't expect them to offer much help there. > I can't find makemap in the repository search at debian.org so I can't > tell what package provided it nor will man makemap allow me to determine its > version, so I'm stuck. > Is anyone out there using Debian and MS and sendmail *and* doing > greylisting? If so, what's the drill? > Google offers up "relaydelay" and it gets good coverage here: > > http://www.thing.dyndns.org/debian/grey.htm > > but milter-gris comes so highly recommended on this list that I wanted > to see if any other Debian user conquered the makemap goofiness. Makemap is a part of the sendmail package: /usr/src/contrib/sendmail/makemap I'm very interested in seeing the messages milter-gris generated, either privately or to the list. I'm quite certain that Anthony Howe (the author, yes?) will be interested, too. What level sendmail are you running? Run "`which sendmail` -d0.1 < /dev/null", without the exterior "", to see. Increasing the debug level n (-d0.n) will give you increasingly more information, as you probably know. Max useful is -d0.99. I use the graymilter code from acme.com, which isn't as flexible as milter-gris, but gets the job done. 
-- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From ugob at camo-route.com Fri Nov 17 18:24:04 2006 From: ugob at camo-route.com (Ugo Bellavance) Date: Fri Nov 17 18:24:39 2006 Subject: noticesizeinfected in language translation file In-Reply-To: <1951DC816E1A9F469307B05FA183F4385FF788@corpatsmail1.corp.sensis.com> References: <1951DC816E1A9F469307B05FA183F4385FF788@corpatsmail1.corp.sensis.com> Message-ID: Desai, Jason wrote: > >> Ugo Bellavance wrote: >>> Hi, >>> >>> I get this error on some of my servers (4.56.8). I looked in >>> /etc/MailScanner/reports/en and I can't find an rpmnew file or this >>> string in the current languages.conf file. >>> >>> Looked up unknown string noticesizeinfected in language >> translation file >>> /etc/MailScanner/reports/en/languages.conf >>> >>> Has it been ommited? >>> >>> Regards, >>> >>> Ugo >>> >> Can anyone check that on their system? >> >> Ugo > > It is missing from my system. Running 4.56.8 from the tar distribution. > > Jase Do you have errors in your logs about this string? From r.berber at computer.org Fri Nov 17 19:03:42 2006 
From: r.berber at computer.org (René Berber)
Date: Fri Nov 17 19:04:05 2006
Subject: Debian users: anyone greylisting?
In-Reply-To:
References:
Message-ID:

Brett Charbeneau wrote:

> At Julian's and other's fine subscribers suggestions I've been
> trying to implement milter-gris on my Debian 3.1 box using sendmail as
> the MTA.
> I downloaded libsnert-1.62.tar.gz and milter-gris-0.19.tar.gz from
> snertsoft.com and ran into a bizarre version mis-match with makemap:
> milter-gris claims the hash version of /etc/mail/access.db is unsupported.
> I posted to the milter list, but the problem seems unique to the
> Debian distribution, so I can't expect them to offer much help there.

The problem is simple: sendmail was compiled using a different version of Berkeley DB. You probably have more than one version of the library, that's why sendmail is using one and your compiled milter-gris is using another.

If you have sendmail's file devtools/Site/site.config.m4, just look at the section that defines confMAPDEF, it will include a couple of lines with the paths to the headers and library.

Another way is to do a `ldd sendmail` to see what library it is using (i.e. my output includes "libdb-4.2.so"). Then try the same with milter-gris and see what library it is using.

> I can't find makemap in the repository search at debian.org so I
> can't tell what package provided it nor will man makemap allow me to
> determine its version, so I'm stuck.
> Is anyone out there using Debian and MS and sendmail *and* doing
> greylisting? If so, what's the drill?
> Google offers up "relaydelay" and it gets good coverage here:
>
> http://www.thing.dyndns.org/debian/grey.htm
>
> but milter-gris comes so highly recommended on this list that I
> wanted to see if any other Debian user conquered the makemap goofiness.
>

--
René Berber

From res at ausics.net Fri Nov 17 20:04:08 2006
From: res at ausics.net (Res) Date: Fri Nov 17 20:04:16 2006 Subject: HTML filtering (still) In-Reply-To: References: Message-ID: Howard, On Fri, 17 Nov 2006, Howard Robinson wrote: > $MailScanner::Config::MailScannerVersion = '4.48.4'; This is so ancient, I suggest you spend the 3 minutes it takes to upgrade; we are now at version 4.56.8. Many things like --lint never existed that long ago. Also remember that you should never comment out an option if you are not using it; you need it to be there, but just blank, else it will default to a hard coded failsafe backup option (as you found out with rar) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Fri Nov 17 20:15:51 2006 
From: res at ausics.net (Res) Date: Fri Nov 17 20:16:02 2006 Subject: Sendmail reject trumps whitelist? In-Reply-To: References: <200611171200.kAHC0Lil009905@bkserver.blacknight.ie> Message-ID: On Fri, 17 Nov 2006, Brett Charbeneau wrote: >> > Greetings all, >> > >> > I've set up sendmail to reject incoming messages with a 554 error >> if >> > they are listed in dnsbl.sorbs.net by sticking this line in my >> sendmail.mc >> > file: >> > >> > FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} > " >> > BLACKLISTED found in dnsbl.sorbs.net"')dnl >> > >> > Now this list tends to get mad at AOL and Hotmail mail servers for >> > obvious reasons and therefore ALL mail from these domains, legit or not, >> >> Have sendmail "OK" aol.com and hotmail.com and let mailscanner deal >> with what is spam or not for those two domains > > Ah, so! > Good idea, Res - many thanks. Sendmail took my > > Spam:*aol.com FRIEND aol.com OK would also work if you did not include the friends in delay checks :) SORBS is very good, but it's also by nature a non forgiving RBL as we all know of the half a dozen MX's hotmail have, there are 4 or so ip's per MX, and one of the ip's associated with an MX is all it takes to upset people and it's hard to explain to non techies that that's why when you do an rbl test against mx1.hotmail.com mx2... and so on and it shows them nothing that there is a problem. whitelisting it at MTA was best solution and it's not been a problem since. I was asked to do same with yahoo, but all the yahoo stuff *is* spam that i've seen, so to hell with them :) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From dstraka at caspercollege.edu Fri Nov 17 20:19:46 2006 
From: dstraka at caspercollege.edu (Daniel Straka) Date: Fri Nov 17 20:20:34 2006 Subject: Anything similar to debora* out there? In-Reply-To: References: Message-ID: <455DB6F3.61A4.0000.0@caspercollege.edu> Just wondering...I'm sure the name will change to something else soon. Dan Straka Systems Coordinator Casper College -- This message has been scanned for viruses and dangerous content by MailScanner at caspercollege.edu and is believed to be clean. From alex at nkpanama.com Fri Nov 17 20:37:13 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Fri Nov 17 20:38:10 2006 Subject: Anything similar to debora* out there? In-Reply-To: <455DB6F3.61A4.0000.0@caspercollege.edu> References: <455DB6F3.61A4.0000.0@caspercollege.edu> Message-ID: <455E1D79.8020400@nkpanama.com> Daniel Straka wrote: > Just wondering...I'm sure the name will change to something else soon. > > > Dan Straka > Systems Coordinator > Casper College > > Still catching quite a bunch of these, some with greet_pause, some with rbls, some with sender-address-verification, some with spf, some with greylisting, some with spamassassin (razor|pyzor|dcc|imageinfo|fuzzyocr), and so on. I've been using it to (unscientifically, sort of like sticking your hand out the window to see how much it's raining) see how effective each method is. From ssilva at sgvwater.com Fri Nov 17 22:21:43 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Nov 17 22:22:09 2006 Subject: MailScanner miss several Regning.exe files In-Reply-To: <455D7CD4.4000606@solidstatelogic.com> References: <455BF990.2010603@taz-mania.com> <41EA997496BB5542BDA52CFA44FE78FC9A6C48@AHMAIL.ah.ahnet.local> <455D7CD4.4000606@solidstatelogic.com> Message-ID: Martin Hepworth spake the following on 11/17/2006 1:11 AM: > Scott Silva wrote: >> Jan Elmqvist Nielsen spake the following on 11/16/2006 1:48 AM: >>> The virus Trojan-Downloader.Win32.Nurech.h (kaspersky) comes as a exe >>> file. >>> >>> I have to my horror notice that serveral of these mails with the exe >>> file attached not have been stop!!! >>> >>> I using MailScanner ver. 4.54.6 with mailwatch >>> >>> Attached are 2 screen dumps >>> >>> /Jan Elmqvist Nielsen >>> >>> ------------------------------------------------------------------------ >>> >>> >>> ------------------------------------------------------------------------ >>> >> Another reason to not allow exe files. Users need to zip them, or not >> mail >> them on my servers. >> > > of course MS scans inside zip files as well - after a certain virus > started spreading itself in them.... > Nothing works as well as larting ... I mean educating users to the evils of the internet. Don't let your children go out after dark by themselves, and don't let your PC touch the internet without adequate protection! Maybe I need to change my tag line; MailScanner ... like a condom for your e-mail server! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From redhat at techspace.nl Fri Nov 17 22:22:22 2006 
From: redhat at techspace.nl (redhat@techspace.nl) Date: Fri Nov 17 22:22:45 2006 Subject: log is flotting with messages Message-ID: <20061117232222.he2i3uhkysw0k4cc@www.intranet> i have installed mailscanner and spamassassin with clamed with the script that i'v downloaded at the site. Running on fedora core 6 now my log is villing up with messages what is wrong???? if i use the opting use spamassassin = no it stopes log: Nov 17 23:18:47 localhost MailScanner[3342]: Read 719 hostnames from the phishing whitelist Nov 17 23:18:48 localhost MailScanner[3342]: Using SpamAssassin results cache Nov 17 23:18:48 localhost MailScanner[3342]: Connected to SpamAssassin cache database Nov 17 23:18:58 localhost MailScanner[3344]: MailScanner E-Mail Virus Scanner version 4.54.6 starting... Nov 17 23:18:58 localhost MailScanner[3344]: Read 719 hostnames from the phishing whitelist Nov 17 23:18:59 localhost MailScanner[3344]: Using SpamAssassin results cache Nov 17 23:18:59 localhost MailScanner[3344]: Connected to SpamAssassin cache database Nov 17 23:19:09 localhost MailScanner[3345]: MailScanner E-Mail Virus Scanner version 4.54.6 starting... Nov 17 23:19:09 localhost MailScanner[3345]: Read 719 hostnames from the phishing whitelist Nov 17 23:19:11 localhost MailScanner[3345]: Using SpamAssassin results cache Nov 17 23:19:11 localhost MailScanner[3345]: Connected to SpamAssassin cache database Nov 17 23:19:20 localhost MailScanner[3347]: MailScanner E-Mail Virus Scanner version 4.54.6 starting... Nov 17 23:19:20 localhost MailScanner[3347]: Read 719 hostnames from the phishing whitelist Nov 17 23:19:21 localhost MailScanner[3347]: Using SpamAssassin results cache Nov 17 23:19:21 localhost MailScanner[3347]: Connected to SpamAssassin cache database Nov 17 23:19:31 localhost MailScanner[3348]: MailScanner E-Mail Virus Scanner version 4.54.6 starting... 
Nov 17 23:19:31 localhost MailScanner[3348]: Read 719 hostnames from the phishing whitelist Nov 17 23:19:33 localhost MailScanner[3348]: Using SpamAssassin results cache Nov 17 23:19:33 localhost MailScanner[3348]: Connected to SpamAssassin cache database Nov 17 23:19:42 localhost MailScanner[3350]: MailScanner E-Mail Virus Scanner version 4.54.6 starting... Nov 17 23:19:42 localhost MailScanner[3350]: Read 719 hostnames from the phishing whitelist Nov 17 23:19:44 localhost MailScanner[3350]: Using SpamAssassin results cache Nov 17 23:19:44 localhost MailScanner[3350]: Connected to SpamAssassin cache database Nov 17 23:19:53 localhost MailScanner[3353]: MailScanner E-Mail Virus Scanner version 4.54.6 starting... Nov 17 23:19:53 localhost MailScanner[3353]: Read 719 hostnames from the phishing whitelist Nov 17 23:19:55 localhost MailScanner[3353]: Using SpamAssassin results cache Nov 17 23:19:55 localhost MailScanner[3353]: Connected to SpamAssassin cache database Nov 17 23:20:04 localhost MailScanner[3360]: MailScanner E-Mail Virus Scanner version 4.54.6 starting... Nov 17 23:20:04 localhost MailScanner[3360]: Read 719 hostnames from the phishing whitelist Nov 17 23:20:07 localhost MailScanner[3360]: Using SpamAssassin results cache Nov 17 23:20:07 localhost MailScanner[3360]: Connected to SpamAssassin cache database Nov 17 23:20:15 localhost MailScanner[3369]: MailScanner E-Mail Virus Scanner version 4.54.6 starting... Nov 17 23:20:16 localhost MailScanner[3369]: Read 719 hostnames from the phishing whitelist Nov 17 23:20:18 localhost MailScanner[3369]: Using SpamAssassin results cache Nov 17 23:20:18 localhost MailScanner[3369]: Connected to SpamAssassin cache database Nov 17 23:20:26 localhost MailScanner[3380]: MailScanner E-Mail Virus Scanner version 4.54.6 starting... 
Nov 17 23:20:27 localhost MailScanner[3380]: Read 719 hostnames from the phishing whitelist Nov 17 23:20:28 localhost MailScanner[3380]: Using SpamAssassin results cache Nov 17 23:20:28 localhost MailScanner[3380]: Connected to SpamAssassin cache database -- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door Dark Eagle mail scanner en lijkt schoon te zijn. From ssilva at sgvwater.com Fri Nov 17 22:23:40 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Nov 17 22:25:23 2006 Subject: Massive queue buildup In-Reply-To: References: <223f97700611150056l19654a16m3eb9b03f42dbfadc@mail.gmail.com> Message-ID: Chandler, Jay spake the following on 11/15/2006 12:58 PM: > *deadpan* A workout? If only I had a massive queue for it to process. :-D > > The new box was apparently specced somewhere in the third world (Like Maine), so right now I have two boxes running mail: > > An older box that keeps screaming under the load, and has the massive buildup > > or > > A new box that has an incompatible NIC that crashes the server every two hours (new one overnighted, will be in tomorrow), an issue where it hangs on reboot, and a paltry 1 gig of RAM. > > And to think, I could have been a plumber... > As a plumber you are only up to your KNEES in crap! As a sysop it usually gets much deeper. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From res at ausics.net Sat Nov 18 00:28:39 2006 
From: res at ausics.net (Res) Date: Sat Nov 18 00:28:48 2006 Subject: log is flotting with messages In-Reply-To: <20061117232222.he2i3uhkysw0k4cc@www.intranet> References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> Message-ID: On Fri, 17 Nov 2006, redhat@techspace.nl wrote: > i have installed mailscanner and spamassassin with clamed > with the script that i'v downloaded at the site. > Running on fedora core 6 > > now my log is villing up with messages what is wrong???? > if i use the opting use spamassassin = no it stopes > > log: > Nov 17 23:18:47 localhost MailScanner[3342]: Read 719 hostnames from the > phishing whitelist ps ax does it show on mailscanner? also run spamassassin --lint if it shows nothing, try MailScanner --lint I hope you meant clamav above, as mailscanner does not use clamav's clamd The log output if continuous shows something is not loading its cont. restarting -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From mikea at mikea.ath.cx Sat Nov 18 00:57:15 2006 
From: mikea at mikea.ath.cx (mikea) Date: Sat Nov 18 00:57:20 2006 Subject: Massive queue buildup In-Reply-To: ; from ssilva@sgvwater.com on Fri, Nov 17, 2006 at 02:23:40PM -0800 References: <223f97700611150056l19654a16m3eb9b03f42dbfadc@mail.gmail.com> Message-ID: <20061117185715.B5098@mikea.ath.cx> On Fri, Nov 17, 2006 at 02:23:40PM -0800, Scott Silva wrote: > Chandler, Jay spake the following on 11/15/2006 12:58 PM: > > *deadpan* A workout? If only I had a massive queue for it to process. :-D > > > > The new box was apparently specced somewhere in the third world (Like Maine), so right now I have two boxes running mail: > > > > An older box that keeps screaming under the load, and has the massive buildup > > > > or > > > > A new box that has an incompatible NIC that crashes the server every two hours (new one overnighted, will be in tomorrow), an issue where it hangs on reboot, and a paltry 1 gig of RAM. > > > > And to think, I could have been a plumber... > > > As a plumber you are only up to your KNEES in crap! > As a sysop it usually gets much deeper. More than once I've told my boss I wanted to transfer from the IT division to the Construction[1] division, so that I could point with pride to the ditch I dug. As things stand, all I've got is `tail -f` running on a lot of logfiles to show people what I do, and a bunch of dry reports and graphs. They mostly don't get to see the spam, and so aren't aware of it, but when they do see it, I catch H*** for it. As a matter of fact, my boss remarked today that he had forwarded a piece of false-negative spam to my spambucket today, and that it was the first he had seen in quite some time. Thanks to Julian and all the other folks whose work I'm using. [1] I work for a highway department. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From mikea at mikea.ath.cx Sat Nov 18 01:08:25 2006 
From: mikea at mikea.ath.cx (mikea) Date: Sat Nov 18 01:08:28 2006 Subject: Anything similar to debora* out there? In-Reply-To: <455E1D79.8020400@nkpanama.com>; from alex@nkpanama.com on Fri, Nov 17, 2006 at 03:37:13PM -0500 References: <455DB6F3.61A4.0000.0@caspercollege.edu> <455E1D79.8020400@nkpanama.com> Message-ID: <20061117190825.C5098@mikea.ath.cx> On Fri, Nov 17, 2006 at 03:37:13PM -0500, Alex Neuman van der Hans wrote: > Daniel Straka wrote: > > Just wondering...I'm sure the name will change to something else soon. > > > > > > Dan Straka > > Systems Coordinator > > Casper College > > > > > Still catching quite a bunch of these, some with greet_pause, some with > rbls, some with sender-address-verification, some with spf, some with > greylisting, some with spamassassin > (razor|pyzor|dcc|imageinfo|fuzzyocr), and so on. > > I've been using it to (unscientifically, sort of like sticking your hand > out the window to see how much it's raining) see how effective each > method is. Content-ID in my spambucket at home is _quite_ interesting, especially after a sort | uniq -c | sort -r:
A very great deal of the spam I get appears to have a Content-ID in the body that matches /^Content-ID: <.*aa0fa8c0@>/ ("alex" or "sanya" or /^Content-ID: <.*0403a8c0@>/ ("bdsm", "caca", "pego", "pivo", etc.) or /^Content-ID: <.*0100a8c0@>/ ("sanya") Suitable rules should be easy to code in SA. I'm _very_ close to blocking anything that contains a GIF, and let the chips fall where they may. Hope this helps. 
I need to do the same sort of analysis at work, but it's more difficult there. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From jase at sensis.com Sat Nov 18 04:28:03 2006 From: jase at sensis.com (Desai, Jason) Date: Sat Nov 18 04:30:45 2006 Subject: noticesizeinfected in language translation file Message-ID: <1951DC816E1A9F469307B05FA183F4385FF79D@corpatsmail1.corp.sensis.com> > >>> Hi, > >>> > >>> I get this error on some of my servers (4.56.8). I looked in > >>> /etc/MailScanner/reports/en and I can't find an rpmnew > file or this > >>> string in the current languages.conf file. > >>> > >>> Looked up unknown string noticesizeinfected in language > >> translation file > >>> /etc/MailScanner/reports/en/languages.conf > >>> > >>> Has it been ommited? > >>> > >>> Regards, > >>> > >>> Ugo > >>> > >> Can anyone check that on their system? > >> > >> Ugo > > > > It is missing from my system. Running 4.56.8 from the tar > distribution. > > > > Jase > > Do you have errors in your logs about this string? Yes. From garry at glendown.de Sat Nov 18 05:52:33 2006 
From: garry at glendown.de (Garry Glendown) Date: Sat Nov 18 05:52:36 2006 Subject: MS started crashing ... In-Reply-To: References: <455C9CD4.7030403@glendown.de> <455CB318.5080204@glendown.de> <455D416B.3070107@glendown.de> Message-ID: <455E9FA1.1050904@glendown.de> Ugo Bellavance wrote: > Garry Glendown wrote: >>> Upgrade, then check. The stable version is 4.56.8.1. >> >> I did last night, same ... > > Have you tried setting the TNEF expander to internal? > It IS set to internal ... has always been ... so should I try an external one? Also, judging from the behavior of MS, it seems as if the crash happens right after the file is copied to quarantine, and before it is removed from the mqueue.in directory ... I get the log entry of it being quarantined, which I use to manually (via cron) delete it from the queue now, which is not necessarily something I prefer doing at all ... -gg From jrudd at ucsc.edu Sat Nov 18 07:47:50 2006 From: jrudd at ucsc.edu (John Rudd) Date: Sat Nov 18 07:49:28 2006 Subject: Anything similar to debora* out there? In-Reply-To: <455DB6F3.61A4.0000.0@caspercollege.edu> References: <455DB6F3.61A4.0000.0@caspercollege.edu> Message-ID: <455EBAA6.4070001@ucsc.edu> Daniel Straka wrote: > Just wondering...I'm sure the name will change to something else soon. > > Have you tried RelayCatcher? It's a spamassassin plugin I wrote. Seems to be very good at catching spam from botnets, including the debora* messages. Check the users@spamassassin.sourceforge.net mailing list archives for the RelayCatcher 0.3 release announcement. From MailScanner at ecs.soton.ac.uk Sat Nov 18 19:10:37 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Nov 18 19:15:29 2006 Subject: Sorry for my absence! Message-ID: <455F5AAD.4080409@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sory for my absence from the list recently! I have been very busy, both with MailScanner work and with my day job. I have a huge ASP.Net programming job that has just started at work, and I just haven't had time for the mailing list of IRC channel as a result. Day-job work doesn't look like it is going to slacken off any time soon, so I am about to ask a couple of people, who read the list every day, to keep me up to date on the important stuff for me. I am still working on MailScanner, don't worry, it's just that life is really busy right now. I'm still here! Thanks for all your hard work helping each other, it is very much appreciated :-) Thanks folks! Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.1 (Build 1557) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFX1vDEfZZRxQVtlQRAkfTAJ4ufkhWEqbu8c33iPvvvsZ6ED2auQCeP7rw XDqJbvgW1qYFVTg4RYqRAu0= =xucY -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From root at doctor.nl2k.ab.ca Sat Nov 18 20:10:56 2006 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Sat Nov 18 20:11:09 2006 Subject: Sorry for my absence! In-Reply-To: <455F5AAD.4080409@ecs.soton.ac.uk> References: <455F5AAD.4080409@ecs.soton.ac.uk> Message-ID: <20061118201056.GC3198@doctor.nl2k.ab.ca> On Sat, Nov 18, 2006 at 07:10:37PM +0000, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Sory for my absence from the list recently! > > I have been very busy, both with MailScanner work and with my day job. I > have a huge ASP.Net programming job that has just started at work, and I > just haven't had time for the mailing list of IRC channel as a result. > ASP.NET?? Hopefully you are using mono. ASP - Asking for Security Problems. > Day-job work doesn't look like it is going to slacken off any time soon, > so I am about to ask a couple of people, who read the list every day, to > keep me up to date on the important stuff for me. > > I am still working on MailScanner, don't worry, it's just that life is > really busy right now. I'm still here! > > Thanks for all your hard work helping each other, it is very much > appreciated :-) Idea, why not have a base MailScanner and let CPAN determine the rest ofthe necessary upgrades? > > Thanks folks! > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.1 (Build 1557) > Comment: Fetch my public key foot-print from www.mailscanner.info > Charset: ISO-8859-1 > > wj8DBQFFX1vDEfZZRxQVtlQRAkfTAJ4ufkhWEqbu8c33iPvvvsZ6ED2auQCeP7rw > XDqJbvgW1qYFVTg4RYqRAu0= > =xucY > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > From uxbod at splatnix.net Sat Nov 18 20:25:11 2006 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Sat Nov 18 20:24:49 2006 Subject: Sorry for my absence! In-Reply-To: <455F5AAD.4080409@ecs.soton.ac.uk> References: <455F5AAD.4080409@ecs.soton.ac.uk> Message-ID: <20061118202511.400fe24b@localhost> Jules, ASP.Net compared to Open Source what has happened ;) I am sure MickySoft pays better but not so much fun. Enjoy Vista :) Come back to happy blightey soon :) :) You are the man. Cheers, UxBoD On Sat, 18 Nov 2006 19:10:37 +0000 Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Sory for my absence from the list recently! > > I have been very busy, both with MailScanner work and with my day > job. I have a huge ASP.Net programming job that has just started at > work, and I just haven't had time for the mailing list of IRC channel > as a result. > > Day-job work doesn't look like it is going to slacken off any time > soon, so I am about to ask a couple of people, who read the list > every day, to keep me up to date on the important stuff for me. > > I am still working on MailScanner, don't worry, it's just that life > is really busy right now. I'm still here! > > Thanks for all your hard work helping each other, it is very much > appreciated :-) > > Thanks folks! > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.1 (Build 1557) > Comment: Fetch my public key foot-print from www.mailscanner.info > Charset: ISO-8859-1 > > wj8DBQFFX1vDEfZZRxQVtlQRAkfTAJ4ufkhWEqbu8c33iPvvvsZ6ED2auQCeP7rw > XDqJbvgW1qYFVTg4RYqRAu0= > =xucY > -----END PGP SIGNATURE----- > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From res at ausics.net Sat Nov 18 22:43:25 2006 From: res at ausics.net (Res) Date: Sat Nov 18 22:43:36 2006 Subject: Sorry for my absence! In-Reply-To: <455F5AAD.4080409@ecs.soton.ac.uk> References: <455F5AAD.4080409@ecs.soton.ac.uk> Message-ID: On Sat, 18 Nov 2006, Julian Field wrote: > I am still working on MailScanner, don't worry, it's just that life is It does most things people could want and does it well. So I dont think anyone would mind if its 6 months between releases unless a serious bug is found. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From redhat at techspace.nl Sat Nov 18 22:53:49 2006 
From: redhat at techspace.nl (redhat@techspace.nl) Date: Sat Nov 18 22:54:12 2006 Subject: log is flotting with messages In-Reply-To: References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> Message-ID: <20061118235349.1dpw454bc4cgcg84@www.intranet> Quoting Res : > > On Fri, 17 Nov 2006, redhat@techspace.nl wrote: > >> i have installed mailscanner and spamassassin with clamed >> with the script that i'v downloaded at the site. >> Running on fedora core 6 >> >> now my log is villing up with messages what is wrong???? >> if i use the opting use spamassassin = no it stopes >> >> log: >> Nov 17 23:18:47 localhost MailScanner[3342]: Read 719 hostnames >> from the phishing whitelist > > > ps ax does it show on mailscanner? > > also run spamassassin --lint > if it shows nothing, try MailScanner --lint > I hope you meant clamav above, as mailscanner does not use clamav's clamd > > The log output if continuous shows somthing is not loading its cont. > restarting > > > -- > Cheers > Res This is my output, but I have no idea what it means except that there is a problem with spamassassin. [root@localhost ~]# spamassassin --lint [2982] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc [2982] warn: lint: 1 issues detected, please rerun with debug enabled for more information [root@localhost ~]# MailScanner --lint Read 719 hostnames from the phishing whitelist MailScanner setting GID to (89) MailScanner setting UID to (89) Checking for SpamAssassin errors (if you use it)... MailScanner.conf says "Virus Scanners = auto" Found these virus scanners installed: clamav [root@localhost ~]# If anyone can give me a hint, please do. greets jasper -- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door Dark Eagle mail scanner en lijkt schoon te zijn. From res at ausics.net Sat Nov 18 23:22:21 2006 
From: res at ausics.net (Res) Date: Sat Nov 18 23:22:29 2006 Subject: log is flotting with messages In-Reply-To: <20061118235349.1dpw454bc4cgcg84@www.intranet> References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061118235349.1dpw454bc4cgcg84@www.intranet> Message-ID: On Sat, 18 Nov 2006, redhat@techspace.nl wrote: > this is my output but i have no idea what it means exept that tere is a > problem with spamassassin. > > [root@localhost ~]# spamassassin --lint > [2982] warn: config: failed to parse line, skipping: dcc_path > /usr/local/bin/dccproc > [2982] warn: lint: 1 issues detected, please rerun with debug enabled for > more information That's an "OK" error if you did not install dcc, you can ignore it, I disabled it recently because it's laggy to here. > [root@localhost ~]# MailScanner --lint > Read 719 hostnames from the phishing whitelist > MailScanner setting GID to (89) > MailScanner setting UID to (89) What MTA are you using? 89 is usually the user/group BSD allocates for something like vpopmail, why are you setting run-as? If you use sendmail strip it out. If you are using postfix, I can't help you any further. There doesn't appear to be any problems with either, what value do you have for Max Children? Should be 5 per REAL cpu (not HT'd). -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From TGFurnish at herffjones.com Sun Nov 19 00:20:34 2006 
From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Sun Nov 19 00:20:48 2006 Subject: Block dictionary attackers? Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC419@inex3.herffjones.hj-int> Can anyone point me to an effective means of automatically blocking dictionary attackers in close-to-realtime? By "dictionary attackers" I mean a connecting server that attempts delivery to more than X invalid local recipients within a given timeframe, which is almost always evidence that the connecting server is attempting to guess valid email addresses. My MTA is sendmail 8.12. Is Snertsoft's milter-report the best approach? My goal isn't so much to stop them from guessing valid email addresses -- every spammer under the sun seems to already have the entire list -- it's to identify the sending server as a (slightly stupid) 'soldier of the enemy'. :-) -- Trever Furnish, tgfurnish@herffjones.com Herff Jones, Inc. Unix / Network Administrator Phone: 317.612.3519 Any sufficiently advanced technology is indistinguishable from Unix. From res at ausics.net Sun Nov 19 01:08:40 2006 From: res at ausics.net (Res) Date: Sun Nov 19 01:08:49 2006 Subject: Block dictionary attackers? In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC419@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D0302BAC419@inex3.herffjones.hj-int> Message-ID: On Sat, 18 Nov 2006, Furnish, Trever G wrote: > By "dictionary attackers" I mean a connecting server that attempts > delivery to more than X invalid local recipients within a given > timeframe, which is almost always evidence that the connecting server is define(`confBAD_RCPT_THROTTLE',`2')dnl I figure if they can't get it right in 2 attempts then they can go away -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From TGFurnish at herffjones.com Sun Nov 19 01:12:32 2006 
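The criterion stated in the "Block dictionary attackers?" question above (more than X invalid local recipients from one connecting server within a given timeframe) can be checked offline against MTA logs; this is an added example, not code from any poster or from sendmail. The log shape (a `check_rcpt` rejection carrying `arg1=`, `relay=` and "User unknown" on one line), the sample lines, the threshold and the window are all assumptions to adjust to your own logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape: one rejection line holding the recipient (arg1=), the
# connecting relay in [brackets] and the text "User unknown".
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssendmail\[\d+\]:"
    r".*?arg1=<(?P<rcpt>[^>]*)>"
    r".*?relay=[^\[]*\[(?P<ip>[^\]]+)\]"
    r".*User unknown"
)


def _reject(ts, ip, rcpt):
    """Build one constructed rejection line (sample data, not a real log)."""
    return (f"Nov 18 {ts} mx sendmail[4101]: kAIN9x004101: ruleset=check_rcpt, "
            f"arg1=<{rcpt}@example.org>, relay=host.example.net [{ip}], "
            f"reject=550 5.1.1 <{rcpt}@example.org>... User unknown")


# Constructed sample, in time order as a syslog file would be.
SAMPLE_LOG = [
    # Slow sender: four different bad recipients, one per hour.
    _reject("01:00:00", "203.0.113.5", "sales"),
    _reject("02:00:00", "203.0.113.5", "info"),
    _reject("03:00:00", "203.0.113.5", "jobs"),
    _reject("04:00:00", "203.0.113.5", "press"),
    # Retrying mailer: the same mistyped address five times in a minute.
    *[_reject(f"22:00:0{i}", "198.51.100.7", "jhon.smith") for i in range(5)],
    # An accepted message; it must not be counted.
    "Nov 18 22:30:00 mx sendmail[4100]: kAIN9x004100: from=<a@example.net>, "
    "size=1024, nrcpts=1, relay=host.example.net [198.51.100.7]",
    # Guessing run: four different bad recipients in four seconds.
    _reject("23:10:01", "192.0.2.10", "aaron"),
    _reject("23:10:02", "192.0.2.10", "abby"),
    _reject("23:10:03", "192.0.2.10", "adam"),
    _reject("23:10:04", "192.0.2.10", "alan"),
]


def find_dictionary_attackers(lines, max_bad_rcpts=3, window_seconds=600, year=2006):
    """Return {ip: time the threshold was first exceeded}.

    An IP is flagged when it has been refused for MORE than max_bad_rcpts
    distinct unknown recipients inside one sliding window. Syslog timestamps
    carry no year, so the caller supplies one. Lines must be in time order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> deque of (time, recipient)
    flagged = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ip = m.group("ip")
        seen = recent[ip]
        seen.append((when, m.group("rcpt").lower()))
        # Drop rejections that have aged out of the window.
        while when - seen[0][0] > window:
            seen.popleft()
        # Count distinct addresses so a mailer retrying one typo is not flagged.
        if len({rcpt for _, rcpt in seen}) > max_bad_rcpts and ip not in flagged:
            flagged[ip] = when
    return flagged


if __name__ == "__main__":
    for ip, when in find_dictionary_attackers(SAMPLE_LOG).items():
        print(f"{ip} exceeded the bad-recipient threshold at {when}")
```

Counting distinct recipients rather than raw rejections is what separates address guessing from a legitimate server retrying a single mistyped address.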
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Sun Nov 19 01:17:50 2006
Subject: thoughts? Would this defeat botnets?
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC41A@inex3.herffjones.hj-int>

Something like milter-error can block inbound connections based on past failures.

Julian's IPBlock function can block inbound connections based on past message transmission rate.

I'd like to solicit thoughts on an approach that takes those ideas a bit further. Is the approach valid (or would I be wasting my time by trying to implement it)?

The idea would be similar to that used in Ironport's Senderbase, albeit much simpler.

Problem: There are reportedly 75,000 Spamthru bots out there, and that's just one botnet. If I only let through one spam from each of those bots per week, I'll still be overwhelmed.

Supposition #1: Most bots run on unmanaged systems that should never be connecting to my mail server in the first place. If I ever receive a message from those systems, it'll be spam.

Idea: Keep a score for each sending IP address, forever. If that address sends me spam without sending me ham, it's blocked, permanently (or until manual intervention on my part). Reported false-negatives could be parsed to contribute to the scores.

For example, if we consider a score <0 to mean the connecting system should be blocked, then I would score each inbound message like so:
- Each sender IP address score defaults to 0.
- If the message is ham, add 1 to the score for the sender's IP address.
- If the message is spam, subtract 1 from the score of the sender's IP address.
- If the message is a reported false negative, subtract 2 from the score for the sender's IP address (to counteract the 1 we added originally).

Obviously this breaks some things:
- Forwarders: If the connecting server isn't the original sender, then he is either a forwarder, a secure relay or an open relay. If he's an open relay, I'm happy he's blocked. If he's a forwarder...I think I'm ok with blocking him by default. If he's a secure relay (someone who only relays for his customers), I'm still ok with blocking him by default, provided I can override that with exceptions later.

- Outbound mail from clients: I don't care -- my inbound relays only scan inbound mail, they don't deliver for clients or touch outbound mail.

- Outbound mail from my own users on their home machines: I'm already trying to prevent that by using SPF, and if this helps spot a bot, so much the better.

And also it obviously will fail for sender IP addresses that send both spam and ham without any acceptable choice in the matter, such as secure relays and mailing list servers. For those I do business with, I think I'd be ok putting in exceptions. Other rules can still be applied to identify the rest of the spam.

I anticipate someone will suggest using dynablock or other RBLs that target dynamic IP addresses. I'm already using dynablock within spamassassin, but I'm still getting a lot of image spam. I could use imageinfo and fuzzyocr, but I really just do not consider those sustainable long-term solutions. All of the techniques spammers have ever used in text can easily be applied to images, and I can't accept the idea of multiplying my anti-spam server count by 100 to cope with the additional overhead of applying ocr to everything first when we eventually escalate to that level.

--
Trever

From jrudd at ucsc.edu Sun Nov 19 01:45:08 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Sun Nov 19 01:48:14 2006
Subject: thoughts? Would this defeat botnets?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC41A@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC41A@inex3.herffjones.hj-int>
Message-ID: <455FB724.6010009@ucsc.edu>

For defeating botnets, I use a milter to block:

a) anything without reverse DNS

b) anything whose hostname from reverse DNS doesn't resolve

c) anything whose hostname from reverse DNS doesn't resolve to an IP address or list of IP addresses which includes the IP address I started with

d) any hostname which contains 2 or more octets of its own IP address (in decimal or hexadecimal), with or without leading zeroes, with or without separators.

e) any hostname which contains keywords like: dynamic, dls, dial-up, ppp, modem, etc.

Works VERY well. I do it in a way that lets the message through if it's going to postmaster and/or abuse (but no other addresses). That way people can ask for exceptions if I get a false positive.

I also took this code and made it into a spam assassin plugin (RelayChecker). One person gave me back stats from his site. He was getting 78% accuracy with RelayChecker, for overall spam. (78% of messages that were spam were getting tagged by RelayChecker) Though, he also had a 1% FP rate (1% of ham was getting tagged by RelayChecker, as well).

So, there you.

From ssilva at sgvwater.com Sun Nov 19 01:55:12 2006
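Checks (a) to (e) from the message above, sketched in Python as an added illustration; this is not John Rudd's milter or the RelayChecker plugin. The function names, the injectable resolver callbacks, the IPv4-only scope and the constructed PTR/A data are assumptions of this example.

```python
import ipaddress
import re
import socket
from collections import Counter

# Keywords named in the post; its "etc." means a production list is longer.
DYNAMIC_KEYWORDS = ("dynamic", "dls", "dial-up", "ppp", "modem")
EXEMPT_LOCALPARTS = {"postmaster", "abuse"}

def system_reverse(ip):
    """PTR lookup through the system resolver; None when there is no reverse DNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(hostname):
    """IPv4 addresses for hostname; empty list when it does not resolve."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except OSError:
        return []

def _overlap(octets, values):
    """How many octets (counting repeats) also appear in values."""
    return sum((Counter(octets) & Counter(values)).values())

def embedded_octets(hostname, ip):
    """Check (d): number of octets of ip (IPv4 only) spelled out in hostname."""
    octets = list(ipaddress.IPv4Address(ip).packed)
    name = hostname.lower().rstrip(".")
    # Drop the top-level label so a TLD such as "de" is not read as hex 0xde.
    host = name.rpartition(".")[0] or name
    # With separators: 1-3 digit runs read as decimal, 1-2 hex-digit tokens
    # read as hex. int() makes leading zeroes irrelevant.
    dec = [int(t) for t in re.findall(r"(?<![0-9])[0-9]{1,3}(?![0-9])", host)]
    hexa = [int(t, 16) for t in
            re.findall(r"(?<![0-9a-z])[0-9a-f]{1,2}(?![0-9a-z])", host)]
    best = max(_overlap(octets, dec), _overlap(octets, hexa))
    # Without separators: fixed-width runs (3 decimal or 2 hex digits per
    # octet), in network order or reversed. Unpadded, unseparated spellings
    # are ambiguous and are not attempted in this sketch.
    for seq in (octets, octets[::-1]):
        for n in (4, 3, 2):
            for start in range(4 - n + 1):
                part = seq[start:start + n]
                if ("".join("%03d" % o for o in part) in host
                        or "".join("%02x" % o for o in part) in host):
                    best = max(best, n)
    return best

def check_relay(ip, recipients, reverse=system_reverse, forward=system_forward):
    """Return (accept, reason) for a connecting relay, applying checks (a)-(e)."""
    # Mail addressed only to postmaster/abuse is let through, as in the post.
    local_parts = {r.rsplit("@", 1)[0].lower() for r in recipients}
    if local_parts and local_parts <= EXEMPT_LOCALPARTS:
        return True, "exempt: postmaster/abuse only"
    hostname = reverse(ip)
    if not hostname:
        return False, "a: no reverse DNS"
    addrs = forward(hostname)
    if not addrs:
        return False, "b: PTR name does not resolve"
    if ip not in addrs:
        return False, "c: PTR name does not resolve back to the client IP"
    if embedded_octets(hostname, ip) >= 2:
        return False, "d: hostname embeds its own IP address"
    hit = next((k for k in DYNAMIC_KEYWORDS if k in hostname.lower()), None)
    if hit:
        return False, "e: keyword '%s'" % hit
    return True, "ok"

# Constructed sample data (RFC 5737 documentation addresses, example.* names).
SAMPLE_PTR = {
    "192.0.2.10": "mx1.example.com",
    "203.0.113.45": "host-203-0-113-45.example.net",
    "198.51.100.7": "c6336407.example.net",      # 198.51.100.7 in hex
    "192.0.2.77": "ppp-pool7.example.org",
    "198.51.100.99": "mail.example.org",         # A record points elsewhere
    "203.0.113.200": "gone.example.net",         # no A record at all
}
SAMPLE_A = {
    "mx1.example.com": ["192.0.2.10"],
    "host-203-0-113-45.example.net": ["203.0.113.45"],
    "c6336407.example.net": ["198.51.100.7"],
    "ppp-pool7.example.org": ["192.0.2.77"],
    "mail.example.org": ["198.51.100.1"],
}

def demo():
    """Run every sample relay through the checks for one ordinary recipient."""
    rev, fwd = SAMPLE_PTR.get, (lambda h: SAMPLE_A.get(h, []))
    ips = list(SAMPLE_PTR) + ["192.0.2.250"]     # the last one has no PTR
    return {ip: check_relay(ip, ["bob@example.com"], rev, fwd) for ip in ips}
```

Calling `demo()` returns one `(accept, reason)` pair per sample address; with the default arguments `check_relay` uses the system resolver instead of the sample tables.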
From: ssilva at sgvwater.com (Scott Silva)
Date: Sun Nov 19 01:55:47 2006
Subject: Sorry for my absence!
In-Reply-To: <20061118201056.GC3198@doctor.nl2k.ab.ca>
References: <455F5AAD.4080409@ecs.soton.ac.uk> <20061118201056.GC3198@doctor.nl2k.ab.ca>
Message-ID:

Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem spake the following on 11/18/2006 12:10 PM:
> On Sat, Nov 18, 2006 at 07:10:37PM +0000, Julian Field wrote:
> Sorry for my absence from the list recently!
>
> I have been very busy, both with MailScanner work and with my day job. I
> have a huge ASP.Net programming job that has just started at work, and I
> just haven't had time for the mailing list or IRC channel as a result.
>
>
>> ASP.NET?? Hopefully you are using mono. ASP - Asking for
>> Security Problems.
>
> Day-job work doesn't look like it is going to slacken off any time soon,
> so I am about to ask a couple of people, who read the list every day, to
> keep me up to date on the important stuff for me.
>
> I am still working on MailScanner, don't worry, it's just that life is
> really busy right now. I'm still here!
>
> Thanks for all your hard work helping each other, it is very much
> appreciated :-)
>
>> Idea, why not have a base MailScanner and let CPAN determine
>> the rest of the necessary upgrades?

Because using CPAN updates on an RPM based distro can break things, maybe not horribly, but broken is broken. Especially the enterprise class distros like RHEL and CentOS.

> Thanks folks!
>
> Jules
>
>>

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Sun Nov 19 02:03:20 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Sun Nov 19 02:03:40 2006 Subject: thoughts? Would this defeat botnets? In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC41A@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D0302BAC41A@inex3.herffjones.hj-int> Message-ID: Furnish, Trever G spake the following on 11/18/2006 5:12 PM: > Something like milter-error can block inbound connections based on past > failures. > > Julian's IPBlock function can block inbound connections based on past > message transmission rate. > > I'd like to solicite thoughts on an approach that takes those ideas a > bit further. Is the approach valid (or would I be wasting my time by > trying to implement it)? > > The idea would be similar to that used in Ironport's Senderbase, albeit > much simpler. > > Problem: There are reportedly 75,000 Spamthru bots out there, and that's > just one botnet. If I only let through one spam from each of those bots > per week, I'll still be overwhelmed. > > Supposition #1: Most bots run on unmanaged systems that should never be > connecting to my mail server in the first place. If I ever receive a > message from those systems, it'll be spam. > > Idea: Keep a score for each sending IP address, forever. If that > address sends me spam without sending me ham, it's blocked, permanently > (or until manual intervention on my part). Reported false-negatives > could be parsed to contribute to the scores. > > For example, if we consider a score <0 to mean the connecting system > should be blocked, then I would score each inbound message like so: > - Each sender IP address score defaults to 0. > - If the message is ham, add 1 to the score for the sender's IP > address. > - If the message is spam, subtract 1 from the score of the > sender's IP address. > - If the message is a reported false negative, subtract 2 from > the score for the sender's IP address (to counteract the 1 we added > originally). 
>
> Obviously this breaks some things:
> - Forwarders: If the connecting server isn't the original
> sender, then he is either a forwarder, a secure relay or an open relay.
> If he's an open relay, I'm happy he's blocked. If he's a forwarder...I
> think I'm ok with blocking him by default. If he's a secure relay
> (someone who only relays for his customers), I'm still ok with blocking
> him by default, provided I can override that with exceptions later.
>
> - Outbound mail from clients: I don't care -- my inbound relays
> only scan inbound mail, they don't deliver for clients or touch outbound
> mail.
>
> - Outbound mail from my own users on their home machines: I'm
> already trying to prevent that by using SPF, and if this helps spot a
> bot, so much the better.
>
> And also it obviously will fail for sender IP addresses that send both
> spam and ham without any acceptable choice in the matter, such as secure
> relays and mailing list servers. For those I do business with, I think
> I'd be ok putting in exceptions. Other rules can still be applied to
> identify the rest of the spam.
>
> I anticipate someone will suggest using dynablock or other RBLs that
> target dynamic IP addresses. I'm already using dynablock within
> spamassassin, but I'm still getting a lot of image spam. I could use
> imageinfo and fuzzyocr, but I really just do not consider those
> sustainable long-term solutions. All of the techniques spammers have
> ever used in text can easily be applied to images, and I can't accept
> the idea of multiplying my anti-spam server count by 100 to cope with
> the additional overhead of applying ocr to everything first when we
> eventually escalate to that level.
>
> --
> Trever
>

As Julian might say, "When can you write it?"
It sounds like an ambitious project, but in the cases I have checked, after a short period of attempts, I might not see that address for a long time after.
Vispan does some of what you are looking for.
It adds addresses to your access file or to your firewall at configurable levels and durations.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From pete at enitech.com.au Sun Nov 19 04:27:41 2006
From: pete at enitech.com.au (Peter Russell)
Date: Sun Nov 19 04:28:25 2006
Subject: Sorry for my absence!
In-Reply-To:
References: <455F5AAD.4080409@ecs.soton.ac.uk>
Message-ID: <455FDD3D.9040404@enitech.com.au>

If there is anything i can do to help i am more than willing.

Res wrote:
> On Sat, 18 Nov 2006, Julian Field wrote:
>
>> I am still working on MailScanner, don't worry, it's just that life is
>
> It does most things people could want and does it well. So I dont think
> anyone would mind if its 6 months between releases unless a serious bug
> is found.
>
>

From chandler at chapman.edu Sun Nov 19 06:45:26 2006
From: chandler at chapman.edu (Chandler, Jay)
Date: Sun Nov 19 06:45:33 2006
Subject: Scripting white/black lists on a per user basis.
Message-ID:

Is there a way to write a ruleset so that Mailscanner takes the user portion of user@domain.com, and checks ~user/.spamasassin/user_prefs for white and black list information?

If not, I presume the solution is to write a script that scrapes the entire user tree for user_prefs files, and formats them into FROM addy TO addy whitelist information, and stick them in the site rulesets-- anyone have a script that does something like this?

- Jay Chandler
Network Administrator, Chapman University
714.628.7249 / chandler@chapman.edu
Today's Excuse: CD-ROM server needs recalibration

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061118/887f62d2/attachment.html

From r.berber at computer.org Sun Nov 19 07:06:16 2006
From: r.berber at computer.org (René Berber)
Date: Sun Nov 19 07:06:34 2006
Subject: Block dictionary attackers?
In-Reply-To:
References: <57573D714A832C43B9D80EAFBDA48D0302BAC419@inex3.herffjones.hj-int>
Message-ID:

Res wrote:

> On Sat, 18 Nov 2006, Furnish, Trever G wrote:
>
>> By "dictionary attackers" I mean a connecting server that attempts
>> delivery to more than X invalid local recipients within a given
>> timeframe, which is almost always evidence that the connecting server is
>
> define(`confBAD_RCPT_THROTTLE',`2')dnl
>
>
> I figure if they can't get it right in 2 attempts then they can go away

They won't go away with throttle, it just puts a 1 second delay between tries.

What I use is milter-error, after 3 strikes they are blocked... but it has to be 3 different messages and each usually has several recipients, so they really try about a dozen before getting blocked. And their program is so dumb that they keep trying, so your log now has "rejecting commands" over and over, at least they can't test their list of addresses.

--
René Berber

From res at ausics.net Sun Nov 19 07:32:48 2006
From: res at ausics.net (Res)
Date: Sun Nov 19 07:32:56 2006
Subject: Block dictionary attackers?
In-Reply-To:
References: <57573D714A832C43B9D80EAFBDA48D0302BAC419@inex3.herffjones.hj-int>
Message-ID:

On Sun, 19 Nov 2006, René Berber wrote:

> Res wrote:
>
>> On Sat, 18 Nov 2006, Furnish, Trever G wrote:
>>
>>> By "dictionary attackers" I mean a connecting server that attempts
>>> delivery to more than X invalid local recipients within a given
>>> timeframe, which is almost always evidence that the connecting server is
>>
>> define(`confBAD_RCPT_THROTTLE',`2')dnl
>>
>>
>> I figure if they can't get it right in 2 attempts then they can go away
>
> They won't go away with throttle, it just puts a 1 second delay between tries.

I know it doesn't stop them dead immediately, but it slows em to the point of stopping, or to the point that they are immaterial to the server if they are persistent.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From pete at enitech.com.au Sun Nov 19 08:53:59 2006
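The definition that opened this thread (one connecting server, more than X invalid local recipients, within a given timeframe) written as a sliding-window counter in Python. This is an added illustration, not code from milter-error, sendmail or any poster; the thresholds, the block duration and the constructed event tuples are assumptions.

```python
from collections import defaultdict, deque


class DictionaryAttackDetector:
    """Block a connecting IP once it has tried more than max_bad distinct
    invalid recipients within window seconds."""

    def __init__(self, max_bad=3, window=600, block_for=3600):
        self.max_bad = max_bad          # the "X" of the definition (assumed value)
        self.window = window            # the "given timeframe" in seconds (assumed)
        self.block_for = block_for      # how long a block lasts in seconds (assumed)
        self._bad = defaultdict(deque)  # ip -> deque of (timestamp, recipient)
        self._blocked_until = {}        # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        return self._blocked_until.get(ip, 0) > now

    def observe(self, ts, ip, rcpt, valid):
        """Record one RCPT TO outcome; return True if ip is blocked afterwards."""
        if self.is_blocked(ip, ts):
            return True
        if valid:
            return False
        seen = self._bad[ip]
        seen.append((ts, rcpt.lower()))
        # Expire failures that have fallen out of the window.
        while seen and seen[0][0] <= ts - self.window:
            seen.popleft()
        # Count distinct addresses, so a client retrying one mistyped
        # recipient is not mistaken for address guessing.
        if len({r for _, r in seen}) > self.max_bad:
            self._blocked_until[ip] = ts + self.block_for
            seen.clear()
            return True
        return False


# Constructed events: (seconds, connecting IP, recipient, recipient exists?).
EVENTS = [
    (0, "203.0.113.9", "aaron@example.com", False),
    (5, "203.0.113.9", "abby@example.com", False),
    (9, "192.0.2.25", "jsmith@example.com", True),
    (12, "203.0.113.9", "abe@example.com", False),
    (20, "203.0.113.9", "abel@example.com", False),    # fourth distinct miss
    (21, "203.0.113.9", "abigail@example.com", False),
    (30, "198.51.100.3", "jon.doe@example.com", False),  # same typo, retried
    (90, "198.51.100.3", "jon.doe@example.com", False),
    (150, "198.51.100.3", "jon.doe@example.com", False),
    (210, "198.51.100.3", "jon.doe@example.com", False),
    (270, "198.51.100.3", "john.doe@example.com", True),
]


def first_blocks(events, detector):
    """Replay events in time order; return {ip: time it was first blocked}."""
    blocked = {}
    for ts, ip, rcpt, valid in events:
        if detector.observe(ts, ip, rcpt, valid) and ip not in blocked:
            blocked[ip] = ts
    return blocked
```

`first_blocks(EVENTS, DictionaryAttackDetector())` reports only 203.0.113.9, blocked at the fourth distinct unknown recipient; the client that repeats one wrong address four times stays below the threshold.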
From: pete at enitech.com.au (Pete Russell)
Date: Sun Nov 19 08:54:14 2006
Subject: thoughts? Would this defeat botnets?
In-Reply-To: <455FB724.6010009@ucsc.edu>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC41A@inex3.herffjones.hj-int> <455FB724.6010009@ucsc.edu>
Message-ID: <45601BA7.2030702@enitech.com.au>

John Rudd wrote:
>
>
> For defeating botnets, I use a milter to block:
>
> a) anything without reverse DNS
>
> b) anything whose hostname from reverse DNS doesn't resolve
>
> c) anything whose hostname from reverse DNS doesn't resolve to an IP
> address or list of IP addresses which includes the IP address I started
> with
>
> d) any hostname which contains 2 or more octets of its own IP address
> (in decimal or hexadecimal), with or without leading zeroes, with or
> without separators.
>
> e) any hostname which contains keywords like: dynamic, dls, dial-up,
> ppp, modem, etc.
>
>
> Works VERY well. I do it in a way that lets the message through if it's
> going to postmaster and/or abuse (but no other addresses). That way
> people can ask for exceptions if I get a false positive.
>
>
> I also took this code and made it into a spam assassin plugin
> (RelayChecker). One person gave me back stats from his site. He was
> getting 78% accuracy with RelayChecker, for overall spam. (78% of
> messages that were spam were getting tagged by RelayChecker) Though, he
> also had a 1% FP rate (1% of ham was getting tagged by RelayChecker, as
> well).
>
>
> So, there you.

1%? That's a few. What were the causes of those? Legit senders who have misconfigured PTR etc?

From glenn.steen at gmail.com Sun Nov 19 10:39:46 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Nov 19 10:39:49 2006 Subject: log is flotting with messages In-Reply-To: References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061118235349.1dpw454bc4cgcg84@www.intranet> Message-ID: <223f97700611190239w7d1e50c9r29aff7f0e00a29e5@mail.gmail.com> On 19/11/06, Res wrote: > On Sat, 18 Nov 2006, redhat@techspace.nl wrote: > > > this is my output but i have no idea what it means exept that tere is a > > problem with spamassassin. > > > > [root@localhost ~]# spamassassin --lint > > [2982] warn: config: failed to parse line, skipping: dcc_path > > /usr/local/bin/dccproc > > [2982] warn: lint: 1 issues detected, please rerun with debug enabled for > > more information > > > Thats an "OK" error if you did not install dcc, you can ignore it, I > disabled it recently because its laggy to here. Right. If you don't use DCC, simply comment that line out (to avoid the error from the --lint). It's in your spam.assassin.prefs.conf file (also softlinked from /etc/mail/spamassassin/mailscanner.cf) > > > [root@localhost ~]# MailScanner --lint > > Read 719 hostnames from the phishing whitelist > > MailScanner setting GID to (89) > > MailScanner setting UID to (89) > > > What MTA are you using? 89 is usually the user/group BSD allocates for > something like vpopmail, why are you setting run-as? > If you use sendmail strip it out. if you are using postfix, I can't help > you any further. Giving up on postmix are you, eh Res?:-). Furtunate us postmixers are ready to step into the fray:-D > > There doesnt appear to be any problems with either, what value do you have > for Max Children? should be 5 per REAL cpu (not HT'd). > CC. What I'd like to see is the output of a debug run (for both MailScanner and SA)... Will just run through for one message. Have you implemented MailWatch too? 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sun Nov 19 10:45:23 2006 From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Nov 19 10:45:25 2006 Subject: Sorry for my absence! In-Reply-To: <455FDD3D.9040404@enitech.com.au> References: <455F5AAD.4080409@ecs.soton.ac.uk> <455FDD3D.9040404@enitech.com.au> Message-ID: <223f97700611190245l56ed2d78y9ad254ec3d0c5d58@mail.gmail.com> On 19/11/06, Peter Russell wrote: > If there is anything i can do to help i am more than willing. > > Res wrote: > > On Sat, 18 Nov 2006, Julian Field wrote: > > > >> I am still working on MailScanner, don't worry, it's just that life is > > > > It does most things people could want and does it well. So I dont think > > anyone would mind if its 6 months between releases unless a serious bug > > is found. > > Have to agree with both of you. I'm sure we'll all chip in to keep things "floating":-)... Real Life permitting...:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sun Nov 19 10:51:35 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 19 10:51:37 2006
Subject: Scripting white/black lists on a per user basis.
In-Reply-To:
References:
Message-ID: <223f97700611190251t6eab5ca2r468e55b20b4773d4@mail.gmail.com>

On 19/11/06, Chandler, Jay wrote:
>
>
> Is there a way to write a ruleset so that Mailscanner takes the user portion
> of user@domain.com, and checks ~user/.spamasassin/user_prefs for white and
> black list information?
>
> If not, I presume the solution is to write a script that scrapes the entire
> user tree for user_prefs files, and formats them into FROM addy TO addy
> whitelist information, and stick them in the site rulesets-- anyone have a
> script that does something like this?
> -

MailScanner as such is more "gateway centric" (than a "normal" SA+procmail setup), so it doesn't really do this, no. But having said that, there are solutions ... MailWatch provides SQL-based white/blacklists, that should be per recipient, provided you 1) split mails/recipient and 2) allow users access to MailWatch. I don't use this myself, so someone who does would have to fill in any details:-).

One should perhaps be able to do something with a Custom Function too, but why bother if there already is a working solution about;-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From redhat at techspace.nl Sun Nov 19 14:55:32 2006
From: redhat at techspace.nl (redhat@techspace.nl) Date: Sun Nov 19 14:55:58 2006 Subject: log is flotting with messages In-Reply-To: <223f97700611190239w7d1e50c9r29aff7f0e00a29e5@mail.gmail.com> References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061118235349.1dpw454bc4cgcg84@www.intranet> <223f97700611190239w7d1e50c9r29aff7f0e00a29e5@mail.gmail.com> Message-ID: <20061119155532.mgm4oiwzk044wk84@www.intranet> Quoting Glenn Steen : > On 19/11/06, Res wrote: >> On Sat, 18 Nov 2006, redhat@techspace.nl wrote: >> >>> this is my output but i have no idea what it means exept that tere is a >>> problem with spamassassin. >>> >>> [root@localhost ~]# spamassassin --lint >>> [2982] warn: config: failed to parse line, skipping: dcc_path >>> /usr/local/bin/dccproc >>> [2982] warn: lint: 1 issues detected, please rerun with debug enabled for >>> more information >> >> >> Thats an "OK" error if you did not install dcc, you can ignore it, I >> disabled it recently because its laggy to here. > > Right. If you don't use DCC, simply comment that line out (to avoid > the error from the --lint). It's in your spam.assassin.prefs.conf file > (also softlinked from /etc/mail/spamassassin/mailscanner.cf) > >> >>> [root@localhost ~]# MailScanner --lint >>> Read 719 hostnames from the phishing whitelist >>> MailScanner setting GID to (89) >>> MailScanner setting UID to (89) >> >> >> What MTA are you using? 89 is usually the user/group BSD allocates for >> something like vpopmail, why are you setting run-as? >> If you use sendmail strip it out. if you are using postfix, I can't help >> you any further. > > Giving up on postmix are you, eh Res?:-). Furtunate us postmixers are > ready to step into the fray:-D > >> >> There doesnt appear to be any problems with either, what value do you have >> for Max Children? should be 5 per REAL cpu (not HT'd). >> > CC. > What I'd like to see is the output of a debug run (for both > MailScanner and SA)... Will just run through for one message. 
> Have you implemented MailWatch too?
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website! -- Dit

How do I run a debug and no I have not implemented mailwatch
things so far no mail is transferred as long as I set the option
Use SpamAssassin = yes if I disable this option mailscanner works.
I can start SpamAssassin with /etc/init.d/SpamAssassin start and there are no problems in the log.
My setup mta=postfix on fedora core 6
last lines of the log these repeat over and over.

Nov 19 15:26:48 localhost MailScanner[10323]: MailScanner E-Mail Virus Scanner version 4.55.1 starting...
Nov 19 15:26:49 localhost MailScanner[10323]: Read 747 hostnames from the phishing whitelist
Nov 19 15:26:50 localhost MailScanner[10323]: Using SpamAssassin results cache
Nov 19 15:26:50 localhost MailScanner[10323]: Connected to SpamAssassin cache database
Nov 19 15:26:50 localhost MailScanner[10323]: Enabling SpamAssassin auto-whitelist functionality...

Is there a problem with the white list.
I'm running the same setup on fedora core4 no problem.

any advice thanks jasper

--
This message has been scanned for viruses and other dangerous content by Dark Eagle mail scanner and appears to be clean.

From glenn.steen at gmail.com Sun Nov 19 21:12:26 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Nov 19 21:12:32 2006 Subject: log is flotting with messages In-Reply-To: <20061119155532.mgm4oiwzk044wk84@www.intranet> References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061118235349.1dpw454bc4cgcg84@www.intranet> <223f97700611190239w7d1e50c9r29aff7f0e00a29e5@mail.gmail.com> <20061119155532.mgm4oiwzk044wk84@www.intranet> Message-ID: <223f97700611191312g1058bc0crd5b1d725d6597965@mail.gmail.com> On 19/11/06, redhat@techspace.nl wrote: > Quoting Glenn Steen : > > > On 19/11/06, Res wrote: > >> On Sat, 18 Nov 2006, redhat@techspace.nl wrote: > >> > >>> this is my output but i have no idea what it means exept that tere is a > >>> problem with spamassassin. > >>> > >>> [root@localhost ~]# spamassassin --lint > >>> [2982] warn: config: failed to parse line, skipping: dcc_path > >>> /usr/local/bin/dccproc > >>> [2982] warn: lint: 1 issues detected, please rerun with debug enabled for > >>> more information > >> > >> > >> Thats an "OK" error if you did not install dcc, you can ignore it, I > >> disabled it recently because its laggy to here. > > > > Right. If you don't use DCC, simply comment that line out (to avoid > > the error from the --lint). It's in your spam.assassin.prefs.conf file > > (also softlinked from /etc/mail/spamassassin/mailscanner.cf) > > > >> > >>> [root@localhost ~]# MailScanner --lint > >>> Read 719 hostnames from the phishing whitelist > >>> MailScanner setting GID to (89) > >>> MailScanner setting UID to (89) > >> > >> > >> What MTA are you using? 89 is usually the user/group BSD allocates for > >> something like vpopmail, why are you setting run-as? > >> If you use sendmail strip it out. if you are using postfix, I can't help > >> you any further. > > > > Giving up on postmix are you, eh Res?:-). Furtunate us postmixers are > > ready to step into the fray:-D > > > >> > >> There doesnt appear to be any problems with either, what value do you have > >> for Max Children? 
should be 5 per REAL cpu (not HT'd). > >> > > CC. > > What I'd like to see is the output of a debug run (for both > > MailScanner and SA)... Will just run through for one message. > > Have you implemented MailWatch too? > > > > -- > > -- Glenn > > email: glenn < dot > steen < at > gmail < dot > com > > work: glenn < dot > steen < at > ap1 < dot > se > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! -- Dit > > How do i run a debug and no i have not implemented mailwatch Being slightly tipsy (yes, I *know* it's a Sunday, but we had the final (well...:-) performance with the choir today... And the usual post mortem/beer, snaps and sausages afterwards (Some Mendelssohn, Bainton and Vaughn Williams, for those interested in such:-), can't say my precision is the best... Double-check everything with a MailScanner --help;-). IIRC (which is doubtful, considering my state:) you should run a "MailScanner --debug --debug-spamassassin" and send one message through. It'll output the debug info to the terminal you run it from, and then exit. > things so far no mail is transfered as long as i set the option > Use SpamAssassin = yes if i disable this option mailscanner works. > I can start SpamAssassin with /etc/init.d/SpamAssassin start and there > are no problems in the log. > My setup mta=postfix on fedora core 6 Hm, Drew should chip in here:-). > lasts lines of the log these repaeats over and over. > Nov 19 15:26:48 localhost MailScanner[10323]: MailScanner E-Mail Virus > Scanner version 4.55.1 starting... 
> Nov 19 15:26:49 localhost MailScanner[10323]: Read 747 hostnames from
> the phishing whitelist
> Nov 19 15:26:50 localhost MailScanner[10323]: Using SpamAssassin results cache
> Nov 19 15:26:50 localhost MailScanner[10323]: Connected to
> SpamAssassin cache database
> Nov 19 15:26:50 localhost MailScanner[10323]: Enabling SpamAssassin
> auto-whitelist functionality...
>
> Is there a problem with the white list.
> I'm running the same setup on fedora core4 no problem.
>
> any advise thanks jasper

Gut feeling is that this is a permissions related problem. Did you set a User State Dir (in MailScanner.conf) for SA? If you become your postfix user and run spamassassin --lint, does that work? Does it work when running a message through (spamassassin -t < /path/to/message/file)? Usually the postfix user needs you to specify a shell, as in su - postfix -s /bin/bash ... or similar.
Check that the user can find and read things like bayes db files, AWL etc etc.

Cheers!
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From res at ausics.net Mon Nov 20 03:50:36 2006
From: res at ausics.net (Res)
Date: Mon Nov 20 03:50:45 2006
Subject: log is flotting with messages
In-Reply-To: <223f97700611190239w7d1e50c9r29aff7f0e00a29e5@mail.gmail.com>
References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061118235349.1dpw454bc4cgcg84@www.intranet> <223f97700611190239w7d1e50c9r29aff7f0e00a29e5@mail.gmail.com>
Message-ID:

On Sun, 19 Nov 2006, Glenn Steen wrote:

>> What MTA are you using? 89 is usually the user/group BSD allocates for
>> something like vpopmail, why are you setting run-as?
>> If you use sendmail strip it out. if you are using postfix, I can't help
>> you any further.
>
> Giving up on postmix are you, eh Res?:-). Fortunate us postmixers are
> ready to step into the fray:-D

hehehe I've had too many postmix's lately, or maybe too many of what goes with it :P

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From vinay_poojary2000 at yahoo.co.in Mon Nov 20 07:01:00 2006
From: vinay_poojary2000 at yahoo.co.in (vinay poojary)
Date: Mon Nov 20 07:01:04 2006
Subject: mailscanner is a lovely tool
Message-ID: <341804.46924.qm@web8326.mail.in.yahoo.com>

Dear Sir,

Mailscanner is a lovely tool and i am using it with no problem at all.

Presently my company wants to send the outgoing mails with the signature containing the company logo. Is there any facility via which i can add the logo in the signature of every out going mails.

I am presently using the html signature.

It would be very kind of you if u tell me the procedure of howto add the company logo which is in .png/.jpg format.

Thks in advance.

Regards,
vinay poojary

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061120/3d404a8e/attachment.html

From steve.freegard at fsl.com Mon Nov 20 07:33:00 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Nov 20 07:33:06 2006
Subject: mailscanner is a lovely tool
In-Reply-To: <341804.46924.qm@web8326.mail.in.yahoo.com>
References: <341804.46924.qm@web8326.mail.in.yahoo.com>
Message-ID: <45615A2C.1020708@fsl.com>

Hi Vinjay,

vinay poojary wrote:
> Mailscanner is a lovely tool and i am using it with no problem at all .

No arguments with that statement here... ;-)

> Presently my company wants to send the outgoing mails with the signature
> containg the company logo .Is there any facility via which i can add the
> logo in the signature of every out going mails .
>
> I am presently using the html signature.
>
> It would be very kind of you if u tell me the procedure of howto add the
> company logo which is in .png/.jpg format .

Attaching a .png or .jpg to every message you send out would be an extremely bad idea (increase in bandwidth, annoyance of recipient etc.) so MailScanner makes no provision for this.

What you could do is to place the company logo (in the correct format and in a sufficiently small size) on your web server, then put an IMG tag in the HTML signature linking to the logo on your web server.

I don't advocate this - but it is a much nicer option than auto attaching an image to every mail (and you can do it without modification to MailScanner).

Cheers,
Steve.

From fabien.garziano at caliseo.com Mon Nov 20 09:15:15 2006
From: fabien.garziano at caliseo.com (Fabien GARZIANO)
Date: Mon Nov 20 09:16:49 2006
Subject: Clamav Update
Message-ID:

Hi folks,

Like many others, I got a problem with clamav this weekend. In my maillog file, I got something like the clamd is not responding. I also got a LOT and unusual load. And when I tried to do a freshclam:

ClamAV update process started at Mon Nov 20 10:13:09 2006
main.cvd is up to date (version: 41, sigs: 73809, f-level: 10, builder: tkojm)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 8, recommended = 10
DON'T PANIC! Read http://www.clamav.net/faq.html

As I read the mails here, I can see the way to solve this is to update clamav. So I got a question: Should I build it from source, or is there a mailscanner specific binary? Is there any doc about this on the mailscanner web site?

Thanks

From raymond at prolocation.net Mon Nov 20 09:25:44 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Nov 20 09:25:50 2006
Subject: Clamav Update
In-Reply-To:
References:
Message-ID:

Hi!

> ClamAV update process started at Mon Nov 20 10:13:09 2006
> main.cvd is up to date (version: 41, sigs: 73809, f-level: 10, builder: tkojm)
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Current functionality level = 8, recommended = 10
> DON'T PANIC! Read http://www.clamav.net/faq.html
>
> As I read the mails here, I can see the way to solve this is to update
> clamav. So I got a question : Should I build it from source, or is there
> a mailscanner specific binary ? Is there any doc about this on the
> mailscanner web site ?

It would help if you told what version you are running...

Bye,
Raymond.

From fabien.garziano at caliseo.com Mon Nov 20 09:40:53 2006
From: fabien.garziano at caliseo.com (Fabien GARZIANO)
Date: Mon Nov 20 09:40:56 2006
Subject: Clamav Update
Message-ID:

Ooops, sorry, I forgot this:
Clamav-config --version returns : 0.88.2

In the maillog file I got these strange entries:
Nov 20 10:39:52 califw3 MailScanner[3685]: I have found scanners installed, and will use them all by default.
Nov 20 10:39:52 califw3 MailScanner[3685]: You appear to have no virus scanners installed at all! This is not good. If you have installed any, then check your virus.scanners.conf file to make sure the locations of your scanners are correct

> part de Raymond Dijkxhoorn
> It would help if you told what version you are running...

From fabien.garziano at caliseo.com Mon Nov 20 10:44:59 2006
From: fabien.garziano at caliseo.com (Fabien GARZIANO)
Date: Mon Nov 20 10:45:05 2006
Subject: Clamav Update
Message-ID:

Well ... After a reboot (not for the same reason btw), the problem seems to be solved. No more nasty entries in the maillog file. I still got my old clamav (0.88.2), and a freshclam still warns me, but everything looks fine now.

But I still need to know: If I want to update clamav, is there some MailScanner specific way to update, or could I just refer to the usual clamav update?

Thanks

From prandal at herefordshire.gov.uk Mon Nov 20 11:21:43 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Mon Nov 20 11:35:52 2006
Subject: Clamav Update
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581086E42D@isabella.herefordshire.gov.uk>

It depends on which platform you are running.

I many of us use Julian's install-Clam-SA package:

http://www.mailscanner.info/files/4/install-Clam-0.88.6-SA-3.1.7.tar.gz

It is listed in the "Stable" category on the MailScanner downloads page:

http://www.mailscanner.info/downloads.html

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From stef at aoc-uk.com Mon Nov 20 11:52:03 2006
From: stef at aoc-uk.com (Stef Morrell)
Date: Mon Nov 20 11:52:04 2006
Subject: Spambuckets, Bayes and MailScanner signatures
Message-ID: <120103F0F5EC264097BC0A06EC9D026A010C0572@pardessus.aoc-uk.com>

Hi all,

Having recently gotten my head around extracting RFC822 email from exchange servers using IMAP, I'm considering setting up a spambucket, so my users can dump false negatives - then using some kind of suitable script to feed them into sa-learn.

Now, Bayes has already been told to ignore the X-MailScanner-Blah headers, in the spamassassin prefs, but I'm wondering about how it will react to being fed things like the inline anti-phishing stuff and also the "This has been scanned by MailScanner" etc signature.

Obviously what I don't want is for Bayes to get wrong ideas from dodgy data. GIGO :)

Do I need to somehow process those bits out in an effort to restore the original email, or does the order in which things are done mean that it's not terribly relevant?

Regards
Stef

Stefan Morrell  | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

From vinay_poojary2000 at yahoo.co.in Mon Nov 20 13:33:20 2006
From: vinay_poojary2000 at yahoo.co.in (vinay poojary)
Date: Mon Nov 20 13:33:31 2006
Subject: mailscanner is a lovely tool
In-Reply-To: <45615A2C.1020708@fsl.com>
Message-ID: <131337.24174.qm@web8324.mail.in.yahoo.com>

Dear Sir,

Thanks a lot for your fast reply.

I had tried the below solution. The only problem I faced here is that there are a lot of people in the organisation who are not given internet access for browsing etc. Most of the people use Outlook to download their mails.

If I am linking the html signature with my web server, the persons who are denied internet access are not able to view the company logo.

It would be very kind of you if you could provide me an alternate solution.

Thks Once again

Regards,
Vinay Poojary

From rob at dido.ca Mon Nov 20 14:16:01 2006
From: rob at dido.ca (Rob Morin)
Date: Mon Nov 20 14:16:10 2006
Subject: Due to incresing spam and deleations issues....
Message-ID: <4561B8A1.6060503@dido.ca>

... I would like to implement a PER user/mailbox ruleset....

On the weekend I had a buddy mention that there is a way to incorporate squirrelmail and MS with SA that uses MySQL to allow users to alter their own spam filters, rather than US (sys admins) doing special whitelists for each user. As more and more spam comes in, more regular mail gets marked as spam and/or gets deleted.... it's becoming too much to manage now... if the clients can manage some stuff on their own, it would help with out regular duties rather than spend hours each day adjusting the rules and scores..... Especially those damm gif messages...

So my 2 questions are....

1) Has anyone actually done this per user rule set via mysql?
2) How is the success ratio with the gif plugin for MS to help with those darn gif messages?

Thanks to all, and to all a good day! :)

--
Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

From brett at wrl.org Mon Nov 20 14:25:27 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Mon Nov 20 14:26:18 2006
Subject: Sendmail reject trumps whitelist?
In-Reply-To:
References: <200611171200.kAHC0Lil009905@bkserver.blacknight.ie>
Message-ID:

On Fri, 17 Nov 2006, Brett Charbeneau wrote:

BC> > > Greetings all,
BC> > >
BC> > > I've set up sendmail to reject incoming messages with a 554 error if
BC> > > they are listed in dnsbl.sorbs.net by sticking this line in my sendmail.mc
BC> > > file:
BC> > >
BC> > > FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " BLACKLISTED found in dnsbl.sorbs.net"')dnl
BC> > >
BC> > > Now this list tends to get mad a AOL and Hotmail mail servers for
BC> > > obvious reasons and therefore ALL mail from these domains, legit or not,
BC> >
BC> > Have sendmail "OK" aol.com and hotmail.com and let mailscanner deal
BC> > with what is spam or not for those two domains
BC>
BC> Ah, so!
BC> Good idea, Res - many thanks. Sendmail took my
BC>
BC> Spam:*aol.com FRIEND
BC>
BC> so I think I'm in business.
BC> Thanks to all who offered suggestions and ideas!

For posterity: turns out the sendmail access database does NOT support wildcards. So the entry above

Spam:*aol.com FRIEND

should *really* be

Spam:@aol.com FRIEND

to allow aol.com mail to get past the sendmail 554 rejection.

--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
********************************************************************

From prandal at herefordshire.gov.uk Mon Nov 20 14:15:39 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Mon Nov 20 14:39:19 2006
Subject: mailscanner is a lovely tool
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581086E4D4@isabella.herefordshire.gov.uk>

The alternative is to not do it.

Images in sigs are, in my opinion, just another form of image spamming.

You will so alienate your customers that the loss of business resulting from doing so should be high in your bosses' minds.

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From john at katy.com Mon Nov 20 14:57:53 2006
From: john at katy.com (John Schmerold)
Date: Mon Nov 20 14:58:00 2006
Subject: mailscanner is a lovely tool
In-Reply-To: <341804.46924.qm@web8326.mail.in.yahoo.com>
References: <341804.46924.qm@web8326.mail.in.yahoo.com>
Message-ID: <4561C271.10303@katy.com>

My little brother includes a digital image of his signature with every email. I hate opening them because it takes a 1KB message & turns it into a 30KB message, not a huge deal, but one more delay in an already busy day.

I'm with everyone else: Don't do it man!

Within our firm we take it a step further & disable sending of HTML messages for the same reason. 95% of the time, there is no reason to color code, use larger fonts or do many of the silly things people do with email.

John Schmerold
Katy Computer & Wireless
347 Clarkson Rd
Ellisville MO 63011
636-861-6900 v
775-227-6947 f

From daniel.maher at ubisoft.com Mon Nov 20 15:25:20 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Mon Nov 20 15:25:25 2006
Subject: MailScanner totally missing SA rules...
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D20226D479@UBIMAIL1.ubisoft.org>
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203B97481@UBIMAIL1.ubisoft.org>

Hi everybody,

I was wondering if anybody had any further insight into why upgrading to MailScanner 4.57.3 from 4.51.6 would cause SpamAssassin to totally ignore the non-default rules.

Mr. Campbell was kind enough to suggest the following:
SpamAssassin Local Rules Dir = /etc/mail/spamassassin

Unfortunately, this did not solve the issue. Downgrading back to 4.51.6 "solved" the problem, in that the non-default rules are being used again. That said, I'd rather like to use the new version...

Any further insight would be greatly appreciated. Thanks!

--
 _
?v?   Daniel Maher
/(_)\ Administrateur Système Unix
^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

> -----Original Message-----
> From: Daniel Maher
> Sent: November 14, 2006 4:46 PM
> To: 'MailScanner discussion'
> Subject: RE: MailScanner totally missing SA rules...
>
> Hi Steve,
>
> Thanks for the tip - unfortunately, this did not help the issue. It is
> worth noting that /downgrading/ to the previous version I was running
> (4.51), in fact, totally solves the problem.
>
> There would appear to be a bug afoot...
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Campbell
> > Sent: November 14, 2006 4:31 PM
> > To: MailScanner discussion
> > Subject: Re: MailScanner totally missing SA rules...
> >
> > Daniel,
> >
> > Setting the MailScanner.conf set as below resolved all of my problems:
> >
> > SpamAssassin Local Rules Dir = /etc/mail/spamassassin
> >
> > I am running an old 4.52.2 version that is completely functioning
> > properly.
> >
> > Steve
> >
> > ----- Original Message -----
> > From: "Daniel Maher"
> > To: "MailScanner discussion"
> > Sent: Tuesday, November 14, 2006 3:27 PM
> > Subject: MailScanner totally missing SA rules...
> >
> > Hello all,
> >
> > I, too, am experiencing a similar problem to another member of the list;
> > specifically, MailScanner seems to be totally missing (or, at best, randomly
> > using) SpamAssassin rules. This is a fairly serious issue, since the amount
> > of un-tagged spam now getting through the filters is becoming problematic.
> >
> > For example, consider the following email message:
> >
> > Subject: test
> > From: wahtever
> > To: daniel.maher@ubisoft.com
> > Content-Type: text/plain
> > Message-Id: <1154034241.23136.34.camel@localhost.localdomain>
> > Mime-Version: 1.0
> > X-Mailer: Evolution 2.6.1
> > Date: Fri, 15 Sep 2006 14:54:44 -0400
> > X-Evolution-Format: text/plain
> > Content-Transfer-Encoding: 8bit
> >
> > PHxxARMACY V1xxAGRA C1xxALIS lose weight now, melt the extra pounds.
> >
> > The exact message, passed through MailScanner via SMTP (Postfix):
> >
> > Nov 14 15:16:15 ad-postfix MailScanner[14220]: Message 2EAFC1A65DB.C9579 from 127.0.0.1 (hihi@gmail.com) to ubisoft.com is not spam, SpamAssassin (score=1.572, required 6, DATE_IN_PAST_96_XX 1.57)
> >
> > Now passed through SpamAssassin via the commandline, as the MTA user:
> >
> > Content analysis details: (12.1 points, 5.0 required)
> >
> >  pts rule name              description
> > ---- ---------------------- --------------------------------------------------
> > -0.0 NO_RELAYS              Informational: message was not relayed via SMTP
> >  6.0 UBI_PHARMSTRNG01       BODY: Pharmacy string (01)
> >  0.1 UBI_FINDME             BODY: test string
> >  3.0 UBI_LOSEFAT10          BODY: Weightloss hits (string) (10)
> >  2.0 UBI_PHARMPILL02        Pharmacy hits (02)
> >  1.0 UBI_LOSEFAT01          Weightloss hits (01)
> > -0.0 NO_RECEIVED            Informational: message has no Received headers
> >
> > As you can see, the triggered rules are completely different, which is
> > worrisome. I have tested numerous examples where MS would trigger some SA
> > rules, but not others (very bizarre). I recently upgraded to MailScanner
> > 4.57.3 and SpamAssassin 3.1.7 . Before the upgrade, everything worked
> > perfectly. I didn't change any config files, with the exception of the
> > following line in mailscanner.conf :
> >
> > Max SpamAssassin Size = 80000 trackback
> >
> > Does anybody have any ideas or insight? Thanks!

From marcin.rozek at ios.edu.pl Mon Nov 20 15:41:35 2006
From: marcin.rozek at ios.edu.pl (Marcin Roz.ek)
Date: Mon Nov 20 15:41:58 2006
Subject: MailScanner totally missing SA rules...
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D203B97481@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D203B97481@UBIMAIL1.ubisoft.org>
Message-ID: <4561CCAF.80500@ios.edu.pl>

Daniel Maher wrote:
> Hi everybody,
>
> I was wondering if anybody had any further insight into why upgrading to MailScanner 4.57.3 from 4.51.6 would cause SpamAssassin to totally ignore the non-default rules.
>
> Mr. Campbell was kind enough to suggest the following:
> SpamAssassin Local Rules Dir = /etc/mail/spamassassin
>
> Unfortunately, this did not solve the issue. Downgrading back to 4.51.6 "solved" the problem, in that the non-default rules are being used again. That said, I'd rather like to use the new version...
>
> Any further insight would be greatly appreciated. Thanks!

Stop MailScanner.
Set "Debug" and "Debug SpamAssassin" to "yes" in MailScanner.conf.
Start MailScanner and paste output to us.

--
Best regards,
Marcin Roz.ek

From sandrews at andrewscompanies.com Mon Nov 20 15:57:35 2006
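Added example (not part of any message in this thread): a small Python check for the symptom Daniel Maher reports above, where MailScanner logs different SpamAssassin hits than the spamassassin command line reports for the same message. The sample log line and report are reconstructed from the values quoted in the thread, and the function names are assumptions of this example.

```python
import re

# Sample input reconstructed from the values quoted in the thread.
MAILSCANNER_LOG = (
    "Nov 14 15:16:15 ad-postfix MailScanner[14220]: Message 2EAFC1A65DB.C9579 "
    "from 127.0.0.1 (hihi@gmail.com) to ubisoft.com is not spam, SpamAssassin "
    "(score=1.572, required 6, DATE_IN_PAST_96_XX 1.57)"
)

SA_REPORT = """\
Content analysis details:   (12.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 6.0 UBI_PHARMSTRNG01       BODY: Pharmacy string (01)
 0.1 UBI_FINDME             BODY: test string
 3.0 UBI_LOSEFAT10          BODY: Weightloss hits (string) (10)
 2.0 UBI_PHARMPILL02        Pharmacy hits (02)
 1.0 UBI_LOSEFAT01          Weightloss hits (01)
-0.0 NO_RECEIVED            Informational: message has no Received headers
"""

NUM = r"-?\d+(?:\.\d+)?"
RULE_ITEM = re.compile(rf"^([A-Z][A-Z0-9_]*) ({NUM})$")
REPORT_ROW = re.compile(rf"^[ \t]*({NUM})[ \t]+([A-Z][A-Z0-9_]*)[ \t]+\S", re.M)


def parse_mailscanner_log(line):
    """Extract verdict, score, threshold and rule hits from a MailScanner log line."""
    m = re.search(r"\bis (not )?spam\b.*?SpamAssassin \((.*)\)\s*$", line)
    if not m:
        raise ValueError("not a MailScanner SpamAssassin result line")
    result = {"is_spam": m.group(1) is None, "score": None,
              "required": None, "rules": {}}
    for item in (part.strip() for part in m.group(2).split(",")):
        if item.startswith("score="):
            result["score"] = float(item[len("score="):])
        elif item.startswith("required "):
            result["required"] = float(item.split()[1])
        else:
            hit = RULE_ITEM.match(item)
            if hit:  # any other item in the list is ignored
                result["rules"][hit.group(1)] = float(hit.group(2))
    return result


def parse_sa_report(text):
    """Extract total score, threshold and rule hits from a command-line SA report."""
    head = re.search(rf"\(({NUM}) points, ({NUM}) required\)", text)
    if not head:
        raise ValueError("no 'Content analysis details' header found")
    rules = {name: float(pts) for pts, name in REPORT_ROW.findall(text)}
    return {"score": float(head.group(1)),
            "required": float(head.group(2)), "rules": rules}


def compare(ms, cli, min_points=0.05):
    """List rules that fired in one path only, ignoring near-zero informational hits."""
    def significant(rules):
        return {n: p for n, p in rules.items() if abs(p) >= min_points}

    ms_rules, cli_rules = significant(ms["rules"]), significant(cli["rules"])
    missing = sorted((n for n in cli_rules if n not in ms_rules),
                     key=lambda n: -cli_rules[n])
    return {
        "missing_in_mailscanner": missing,
        "missing_points": round(sum(cli_rules[n] for n in missing), 3),
        "only_in_mailscanner": sorted(n for n in ms_rules if n not in cli_rules),
        # Would the command-line score have crossed MailScanner's own threshold?
        "verdict_flips": (not ms["is_spam"]) and cli["score"] >= ms["required"],
    }


if __name__ == "__main__":
    diff = compare(parse_mailscanner_log(MAILSCANNER_LOG), parse_sa_report(SA_REPORT))
    for key, value in diff.items():
        print(f"{key}: {value}")
```
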
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com)
Date: Mon Nov 20 15:57:40 2006
Subject: mailscanner is a lovely tool
Message-ID: <1964AAFBC212F742958F9275BF63DBB0429971@winchester.andrewscompanies.com>

Ok, we've all had our opinions here on it, but he's not asking that. Maybe his boss will fire him unless we point him the right direction here; so now that we've all had our say, let's see if we can give him some help.

I'm using my mailscanner as a smarthost for outbound email so I can sign the messages with a boilerplate of legal junk...wasn't my idea, but I had to do it anyway. Why can't the sign clean functionality be used to add this logo in? It appears you'd just have to adjust inline.sig.html to have the logo in there, no?

Julian sent out this recently to make it happen:

Sign Clean Messages = %rules-dir%/sign.clean.rules

In /etc/MailScanner/rules/sign.clean.rules, put something like this:

From: hisdomain.com yes
FromOrTo: default no

And then if you want to vary the signature per-domain for example, use this

Inline HTML Signature = %rules-dir%/html.sig.rules
Inline Text Signature = %rules-dir%/text.sig.rules

and then in ..../rules/html.sig.rules

From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.html
FromOrTo: default /etc/MailScanner/reports/en/inline.sig.html

and in ..../rules/text.sig.rules

From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.txt
FromOrTo: default /etc/MailScanner/reports/en/inline.sig.txt

That should be enough to get you started.

From ssilva at sgvwater.com Mon Nov 20 16:25:41 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Nov 20 16:26:19 2006
Subject: mailscanner is a lovely tool
In-Reply-To: <131337.24174.qm@web8324.mail.in.yahoo.com>
References: <45615A2C.1020708@fsl.com> <131337.24174.qm@web8324.mail.in.yahoo.com>
Message-ID:

vinay poojary spake the following on 11/20/2006 5:33 AM:
> Dear Sir,
>
> Thanks a lot for your fast reply .
>
> I had tried the below solution .The only problem i faced here is that
> there are lot of people in the organistion who are not given the
> internet acces for browsing etc .Most of the people use outlook to
> download their mails .
>
> If i am linking the html signature with my web server, the persons who
> are denied with internet access are not able to view the company logo .
>
> It would be very kind of you if you could provide me an alternate solution.
>
> Thks Once again
>
> Regards,
> Vinay Poojary

This is a bad idea! With all the image spam floating around, your company's e-mails will stand a better chance of being caught as spam on your clients' servers. Ask the management if it is worth it to alienate your customers, or have messages get dropped completely because of this "vanity".

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From steve.freegard at fsl.com Mon Nov 20 16:33:59 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Nov 20 16:34:10 2006
Subject: OT: Wiki - Postfix SMTP recipient verification
Message-ID: <4561D8F7.3010009@fsl.com>

Hi Postfixers,

I've just added a how-to to the MailScanner Wiki to do the Sendmail 'milter-ahead' SMTP recipient verification equivalent in native Postfix which is far easier than building recipient maps for mail systems that can reject unknown users at the SMTP stage.

See http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users#using_smtp_recipient_verification for the info.

I'm surprised you Postfixers didn't beat me to it - so now you've got a Sendmailer editing your Wiki entries ;-)

Cheers,
Steve.

From gmatt at nerc.ac.uk Mon Nov 20 16:51:50 2006
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Mon Nov 20 16:52:05 2006
Subject: mailscanner is a lovely tool
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0429971@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0429971@winchester.andrewscompanies.com>
Message-ID: <4561DD26.7000508@nerc.ac.uk>

sandrews@andrewscompanies.com wrote:
> I'm using my mailscanner as a smarthost for outbound email so I can sign
> the messages with a boilerplate of legal junk...wasn't my idea, but I
> had to do it anyway. Why can't the sign clean functionality be used to
> add this logo in?

I also had to implement a corporate signature (text only tho). Remember that "sign clean messages" will break gpg signatures because it frigs with line terminations. As far as I know this has never been fixed.

GREG

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

--
This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system.

From drew at technologytiger.net Mon Nov 20 16:56:41 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Mon Nov 20 16:56:56 2006
Subject: OT: Wiki - Postfix SMTP recipient verification
In-Reply-To: <4561D8F7.3010009@fsl.com>
References: <4561D8F7.3010009@fsl.com>
Message-ID: <48244.194.70.180.170.1164041801.squirrel@www.technologytiger.net>

On Mon, November 20, 2006 16:33, Steve Freegard wrote:
> Hi Postfixers,
>
> I've just added a how-to to the MailScanner Wiki to do the Sendmail
> 'milter-ahead' SMTP recipient verification equivalent in native Postfix
> which is far easier than building recipient maps for mail systems that
> can reject unknown users at the SMTP stage.
>
> See
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users#using_smtp_recipient_verification
> for the info.

Thanks. When I get a moment, I'll see if I can also enhance that with a
few extra tricks like per domain verification (i.e. If you relay for more
than one domain, enable recipient verification based on the recipient
domain. Like rulesets) and also sender verification, which works exactly
the same but the other way round (Verify the sender exists rather than
the recipient).

> I'm surprised you Postfixers didn't beat me to it - so now you've got a
> Sendmailer editing your Wiki entries ;-)

Is now the time to claim that we just wanted to show the Sendmailers how
easy it was?? :-)

Drew

From listacct at tulsaconnect.com Mon Nov 20 17:05:14 2006
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Mon Nov 20 17:07:16 2006
Subject: OT: Wiki - Postfix SMTP recipient verification
In-Reply-To: <4561D8F7.3010009@fsl.com>
References: <4561D8F7.3010009@fsl.com>
Message-ID: <4561E04A.4070206@tulsaconnect.com>

Steve Freegard wrote:
> Hi Postfixers,
>
> I've just added a how-to to the MailScanner Wiki to do the Sendmail
> 'milter-ahead' SMTP recipient verification equivalent in native Postfix
> which is far easier than building recipient maps for mail systems that
> can reject unknown users at the SMTP stage.
>
> See
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users#using_smtp_recipient_verification
> for the info.
>
> I'm surprised you Postfixers didn't beat me to it - so now you've got a
> Sendmailer editing your Wiki entries ;-)
>
> Cheers,
> Steve.

FWIW, we are doing this with exim now via ACLs, in the acl_check_rcpt
(near the bottom):

    deny message = user unknown
         domains = +route_to_domains
         !verify = recipient/callout=10s,defer_ok

(+route_to_domains is a SQL lookup that checks to see if the domain is
one that we route mail to a "hidden" mailhub for, and one that we don't
do other type of RCPT checks for, such as LDAP)

We then have a router set up that pulls the IP of the mailhub, and the
callout uses that to do the verify against..

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From glenn.steen at gmail.com Mon Nov 20 17:24:29 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Nov 20 17:24:46 2006
Subject: OT: Wiki - Postfix SMTP recipient verification
In-Reply-To: <4561D8F7.3010009@fsl.com>
References: <4561D8F7.3010009@fsl.com>
Message-ID: <223f97700611200924l73352acdnbf230c6e1056351a@mail.gmail.com>

On 20/11/06, Steve Freegard wrote:
> Hi Postfixers,
>
> I've just added a how-to to the MailScanner Wiki to do the Sendmail
> 'milter-ahead' SMTP recipient verification equivalent in native Postfix
> which is far easier than building recipient maps for mail systems that
> can reject unknown users at the SMTP stage.
>
> See
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users#using_smtp_recipient_verification
> for the info.
>
> I'm surprised you Postfixers didn't beat me to it - so now you've got a
> Sendmailer editing your Wiki entries ;-)

Perhaps because it doesn't provide me with the flexibility I need? I do
a bit more than just snarf the LDAP list(s) straight up... Scripting it
all (or using a nicely convoluted LDAP search statement:-) I can make
addresses that really should never be visible anywhere but our
organization... be so:-).
Sure, I could probably do this by beating the windoze guys over the head
a couple of times or three... But that way I'd have to start looking
over my shoulder going down staircases etc...:-D
The "old" way is far better for me;-). Not to mention that laziness is a
virtue...:-D.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From prandal at herefordshire.gov.uk Mon Nov 20 17:38:45 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Mon Nov 20 17:40:17 2006
Subject: Sendmail reject trumps whitelist?
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B581086E588@isabella.herefordshire.gov.uk>

I've had another look at all this.

To bypass RBL checking from AOL you'd do

Connect:aol.com OK

The friend stuff is for recipient email addresses, not sender ones.

So, to ensure that your abuse address gets emails from boxes otherwise
blocked by RBLs, you'd use:

Spam:abuse.my.domain FRIEND

See also:

http://blue-labs.org/howto/access_hints.php

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Brett Charbeneau
> Sent: 20 November 2006 14:25
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Sendmail reject trumps whitelist?
>
> On Fri, 17 Nov 2006, Brett Charbeneau wrote:
>
> BC> > > Greetings all,
> BC> > >
> BC> > > I've set up sendmail to reject incoming messages with a 554 error if
> BC> > > they are listed in dnsbl.sorbs.net by sticking this line in my sendmail.mc
> BC> > > file:
> BC> > >
> BC> > > FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " BLACKLISTED found in dnsbl.sorbs.net"')dnl
> BC> > >
> BC> > > Now this list tends to get mad at AOL and Hotmail mail servers for
> BC> > > obvious reasons and therefore ALL mail from these domains, legit or not,
> BC> >
> BC> > Have sendmail "OK" aol.com and hotmail.com and let mailscanner deal
> BC> > with what is spam or not for those two domains
> BC>
> BC> Ah, so!
> BC> Good idea, Res - many thanks. Sendmail took my
> BC>
> BC> Spam:*aol.com FRIEND
> BC>
> BC> so I think I'm in business.
> BC> Thanks to all who offered suggestions and ideas!
>
> For posterity: turns out the sendmail access database does NOT support
> wildcards. So the entry above
>
> Spam:*aol.com FRIEND
>
> should *really* be
>
> Spam:@aol.com FRIEND
>
> to allow aol.com mail to get past the sendmail 554 rejection.
>
> --
> ********************************************************************
> Brett Charbeneau
> Network Administrator
> Williamsburg Regional Library
> 7770 Croaker Road
> Williamsburg, VA 23188-7064
> (757)259-4044 www.wrl.org
> (757)259-4079 (fax) brett@wrl.org
> ********************************************************************

From martinh at solidstatelogic.com Mon Nov 20 17:47:43 2006
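The two points made in the thread above (the sendmail access database does not expand wildcards, and FRIEND entries are recipient-side) can be checked before the map is rebuilt. This is an added example, not code from any poster or from sendmail; the function names and the sample file are constructed here, and only `*` and `?` are treated as wildcard characters.

```python
"""Lint sendmail access-map source text for entries that cannot work as written."""
from dataclasses import dataclass

# The access map is a plain key/value lookup, so shell-style wildcards in a
# key are never expanded (the point recorded in the thread).
WILDCARD_CHARS = "*?"
# Right-hand sides that the thread describes as applying to recipients.
RECIPIENT_VALUES = {"FRIEND", "HATER"}


@dataclass(frozen=True)
class Finding:
    lineno: int
    level: str     # "error" or "note"
    entry: str     # left-hand side as written, e.g. "Spam:*aol.com"
    message: str


def parse_access(text):
    """Yield (lineno, tag, key, value) for every non-comment entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)          # LHS and RHS are whitespace-separated
        lhs = fields[0]
        value = fields[1].strip() if len(fields) == 2 else ""
        tag, sep, key = lhs.partition(":")
        if not sep:                           # untagged entry, e.g. "example.com REJECT"
            tag, key = "", lhs
        yield lineno, tag, key, value


def lint_access(text):
    """Return a list of Finding objects for the given access-map source."""
    findings = []
    for lineno, tag, key, value in parse_access(text):
        entry = f"{tag}:{key}" if tag else key
        if not value:
            findings.append(Finding(lineno, "error", entry,
                                    "entry has no right-hand side"))
            continue
        bad = sorted(set(key) & set(WILDCARD_CHARS))
        if bad:
            findings.append(Finding(
                lineno, "error", entry,
                "key contains %s; wildcards are not expanded, so this is "
                "looked up as a literal string" % " ".join(bad)))
        if tag.lower() == "spam" and value.split()[0].upper() in RECIPIENT_VALUES:
            findings.append(Finding(
                lineno, "note", entry,
                "FRIEND/HATER keys are matched against the recipient "
                "address, not the sender"))
    return findings


def has_errors(findings):
    """True when at least one finding should block rebuilding the map."""
    return any(f.level == "error" for f in findings)


# Constructed sample: the entries quoted in the thread plus one line with a
# missing right-hand side.
SAMPLE = """\
# constructed sample access file
Connect:aol.com        OK
Spam:*aol.com          FRIEND
Spam:abuse.my.domain   FRIEND
Spam:@aol.com          FRIEND
Connect:hotmail.com
"""

if __name__ == "__main__":
    for f in lint_access(SAMPLE):
        print(f"line {f.lineno}: {f.level}: {f.entry}: {f.message}")
    raise SystemExit(1 if has_errors(lint_access(SAMPLE)) else 0)
```

Run it over the access source file and rebuild the map only when it exits 0.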
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Mon Nov 20 17:48:16 2006
Subject: Due to incresing spam and deleations issues....
In-Reply-To: <4561B8A1.6060503@dido.ca>
References: <4561B8A1.6060503@dido.ca>
Message-ID: <4561EA3F.9040209@solidstatelogic.com>

Rob Morin wrote:
> ... i would like to implement a PER user/mailbox ruleset....
>
> on the weekend i had a buddy mention that there is a way to incorporate
> squirrelmail and MS with SA that uses MySQL to allow users to alter
> their own spam filters, rather than US (sys admins) doing special
> whitelists for each user, as more and more spam comes in more regular
> mail gets marked as spam and or gets deleted.... it's becoming too much
> to manage now... if the clients can manage some stuff on their own, it
> would help with out regular duties rather than spend hours each day
> adjusting the rules and scores.....
>
> Especially those damm gif messages... so my 2 questions are....
>
> 1) Has anyone actually done this per user rule set via mysql?
> 2) How is the success ratio with the gif plugin for MS to help with
> those darn gif messages?
>
> Thanks to all , and to all a good day!
> :)
>

There's sqlqhitelist that you can use, but you'll have to split the mail
up into individual recipients first..(see the wiki on this)

I'd ask why you are getting problems with false positives here. What
rules are firing when they shouldn't.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From martinh at solidstatelogic.com Mon Nov 20 17:49:51 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Mon Nov 20 17:50:11 2006
Subject: Due to incresing spam and deleations issues....
In-Reply-To: <4561B8A1.6060503@dido.ca>
References: <4561B8A1.6060503@dido.ca>
Message-ID: <4561EABF.4000104@solidstatelogic.com>

Rob Morin wrote:
> ... i would like to implement a PER user/mailbox ruleset....
>
> on the weekend i had a buddy mention that there is a way to incorporate
> squirrelmail and MS with SA that uses MySQL to allow users to alter
> their own spam filters, rather than US (sys admins) doing special
> whitelists for each user, as more and more spam comes in more regular
> mail gets marked as spam and or gets deleted.... it's becoming too much
> to manage now... if the clients can manage some stuff on their own, it
> would help with out regular duties rather than spend hours each day
> adjusting the rules and scores.....
>
> Especially those damm gif messages... so my 2 questions are....
>
> 1) Has anyone actually done this per user rule set via mysql?
> 2) How is the success ratio with the gif plugin for MS to help with
> those darn gif messages?
>
> Thanks to all , and to all a good day!
> :)
>

Rob

sorry on the 2nd question, I'd look at the SARE_Stocks ruleset from
www.rulesemporium.com/rules.html and freds' rules from
www.rulesemporium.com/other-rules.htm.

Also make sure you are running SA 3.1.7 as this catches some of the
gif/image spam quite well on its own (will give a score above 5 anyway).

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From jimc at laridian.com Mon Nov 20 18:01:41 2006
From: jimc at laridian.com (Jim Coates)
Date: Mon Nov 20 18:03:54 2006
Subject: MailScanner/SA Rules
In-Reply-To: <455CB318.5080204@glendown.de>
Message-ID: <03c801c70ccd$ef40d160$6401a8c0@zorak>

Ok - I'm a little confused here.

I was changing some scoring around for the RBL rules and searched through
the list here to discover something:

I have been using a local.cf to set up custom rules. They seem to work just
fine. Then I went to edit the RBL scores and noticed that changing them in
local.cf didn't seem to do anything (yes - I restarted). I started checking
through the list and came across some postings that state that you shouldn't
have a local.cf if you are using MailScanner, but you should instead be
using the spam.assassin.prefs.conf

The messages said that it states this in the prefs file, but for some reason
mine didn't - which is why I didn't change how I was doing it.

So I have a few questions...

1) Should I add everything I currently have in my local.cf to my
spam.assassin.prefs.conf and rename/remove the local.cf?
2) Why were custom rules working, but not RBL score changes from the
local.cf?
3) My rules from Rules Du Jour still get dropped into
/usr/local/etc/mail/spamassassin, where the local.cf currently exists...
will they function properly from there and can therefore be left alone, or
should they be moved elsewhere, too?

I thought I had a pretty good grasp on where things should be and where to
edit them, but now I'm confused.

Thanks!
Jim Coates

From martinh at solidstatelogic.com Mon Nov 20 18:17:11 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Mon Nov 20 18:17:22 2006 Subject: MailScanner/SA Rules In-Reply-To: <03c801c70ccd$ef40d160$6401a8c0@zorak> References: <03c801c70ccd$ef40d160$6401a8c0@zorak> Message-ID: <4561F127.2060402@solidstatelogic.com> Jim Coates wrote: > Ok - I'm a little confused here. > > I was changing some scoring around for the RBL rules and searched through > the list here to discover something: > > I have been using a local.cf to set up custom rules. They seem to work just > fine. Then I went to edit the RBL scores and noticed that changing them in > local.cf didn't seem to do anything (yes - I restarted). I started checking > through the list and came across some postings that state that you shouldn't > have a local.cf if you are using MailScanner, but you should instead be > using the spam.assassin.prefs.conf > > The messages said that it states this in the prefs file, but for some reason > mine didn't - which is why I didn't change how I was doing it. > > So I have a few questions... > > 1) Should I add everything I currently have in my local.cf to my > spam.assassin.prefs.conf and rename/remove the local.cf? > 2) Why were custom rules working, but not RBL score changes from the > local.cf? > 3) My rules from Rules Du Jour still get dropped into > /usr/local/etc/mail/spamassassin, where the local.cf currently exists... > will they function properly from there and can therefore be left alone, or > should they be moved elsewhere, too? > > I thought I had a pretty good grasp on where things should be and where to > edit them, but now I'm confused. > > Thanks! > Jim Coates > Jim changing stuff in local.cf is fine..make sure there's nothing after the local.cf that's changing the scores back (like mailscanner.cf which is a sym-link to spam.assassin.prefs.conf). 

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From taz at taz-mania.com Mon Nov 20 18:25:14 2006
From: taz at taz-mania.com (Dennis Willson)
Date: Mon Nov 20 18:25:17 2006
Subject: Due to incresing spam and deleations issues....
In-Reply-To: <4561B8A1.6060503@dido.ca>
Message-ID:

Have you looked at mailwatch? It's specifically for MailScanner and
allows users to maintain their own black and white lists. This is done
via an SQL database

On Mon, 20 Nov 2006 09:16:01 -0500 Rob Morin wrote:
>... i would like to implement a PER user/mailbox ruleset....
>
>on the weekend i had a buddy mention that there is a way to
>incorporate squirrelmail and MS with SA that uses MySQL to allow
>users to alter their own spam filters, rather than US (sys admins)
>doing special whitelists for each user, as more and more spam comes
>in more regular mail gets marked as spam and or gets deleted.... it's
>becoming too much to manage now... if the clients can manage some
>stuff on their own, it would help with out regular duties rather than
>spend hours each day adjusting the rules and scores.....
>
>Especially those damm gif messages... so my 2 questions are....
>
>1) Has anyone actually done this per user rule set via mysql?
>2) How is the success ratio with the gif plugin for MS to help with
>those darn gif messages?
>
>Thanks to all , and to all a good day!
>:)
>
>--
>
>Rob Morin
>Dido InterNet Inc.
>Montreal, Canada
>Http://www.dido.ca
>514-990-4444

--------------------------------------------------
Dennis Willson
taz@taz-mania.com
http://www.taz-mania.com
Ham (Extra Class): ka6lsw
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender
Owner: Kepnet Internet Services

Life should not be a journey to the grave with the intention of arriving
safely in a nice looking and well preserved body, but rather to skid in
broadside, thoroughly used up, totally worn out, and loudly proclaiming,
"WOW! WHAT A RIDE!"

From Denis.Beauchemin at USherbrooke.ca Mon Nov 20 18:51:18 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Nov 20 18:53:48 2006
Subject: mailscanner is a lovely tool
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0429971@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB0429971@winchester.andrewscompanies.com>
Message-ID: <4561F926.4030507@USherbrooke.ca>

sandrews@andrewscompanies.com wrote:
> Ok, we've all had our opinions here on it, but he's not asking that.
> Maybe his boss will fire him unless we point him the right direction
> here; so now that we've all had our say, let's see if we can give him
> some help.
>
> I'm using my mailscanner as a smarthost for outbound email so I can
> sign the messages with a boilerplate of legal junk...wasn't my idea,
> but I had to do it anyway. Why can't the sign clean functionality be
> used to add this logo in?
>
> It appears you'd just have to adjust inline.sig.html to have the logo
> in there, no?
>
> Julian sent out this recently to make it happen:
>
> Sign Clean Messages = %rules-dir%/sign.clean.rules
>
> In /etc/MailScanner/rules/sign.clean.rules, put something like this:
>
> From: hisdomain.com yes
>
> FromOrTo: default no
>
> And then if you want to vary the signature per-domain for example, use
> this
>
> Inline HTML Signature = %rules-dir%/html.sig.rules
> Inline Text Signature = %rules-dir%/text.sig.rules
>
> and then in ..../rules/html.sig.rules
>
> From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.html
>
> FromOrTo: default /etc/MailScanner/reports/en/inline.sig.html
>
> and in ..../rules/text.sig.rules
>
> From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.txt
>
> FromOrTo: default /etc/MailScanner/reports/en/inline.sig.txt
>
> That should be enough to get you started.
>

I don't think that can work... how is he supposed to save his company
logo in the HTML sig file? UUencode it?

Denis
--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From mkettler at evi-inc.com Mon Nov 20 19:00:39 2006
From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Nov 20 19:00:59 2006 Subject: MailScanner/SA Rules In-Reply-To: <03c801c70ccd$ef40d160$6401a8c0@zorak> References: <03c801c70ccd$ef40d160$6401a8c0@zorak> Message-ID: <4561FB57.7010107@evi-inc.com> Jim Coates wrote: > Ok - I'm a little confused here. > > I was changing some scoring around for the RBL rules and searched through > the list here to discover something: > > I have been using a local.cf to set up custom rules. They seem to work just > fine. Then I went to edit the RBL scores and noticed that changing them in > local.cf didn't seem to do anything (yes - I restarted). I started checking > through the list and came across some postings that state that you shouldn't > have a local.cf if you are using MailScanner, but you should instead be > using the spam.assassin.prefs.conf That's bad advice. In fact, from a SA perspective, you can't have rules in this file, only rescore and other non-administrative options. That said, in modern versions of mailscanner, spam.assassin.prefs.conf is symlinked to mailscanner.cf, so it gets parsed the same as local.cf. I'd check around and set your site rules directory in MailScanner.conf instead. > > The messages said that it states this in the prefs file, but for some reason > mine didn't - which is why I didn't change how I was doing it. > > So I have a few questions... > > 1) Should I add everything I currently have in my local.cf to my > spam.assassin.prefs.conf and rename/remove the local.cf? No. Technically, this file should be a replacement for user_prefs, although as said above, it's now equivalent to local.cf due to symlinks. > 2) Why were custom rules working, but not RBL score changes from the > local.cf? That seems very odd, I'd expect all or nothing. Unless a parse error is causing half the file to be ignored. Try running spamassassin --lint. It should run and exit quietly. 
> 3) My rules from Rules Du Jour still get dropped into > /usr/local/etc/mail/spamassassin, where the local.cf currently exists... > will they function properly from there and can therefore be left alone, or > should they be moved elsewhere, too? Note: check to make sure /etc/mail/spamassassin doesn't exist. If it does, the /usr/local one will be ignored unless SA is explicitly told to use it. (SA by default does a search for reasonable equivalents to /etc/mail/spamassassin, and it uses the first one it finds) From redhat at techspace.nl Mon Nov 20 19:00:43 2006 
From: redhat at techspace.nl (redhat@techspace.nl)
Date: Mon Nov 20 19:01:08 2006
Subject: log is flotting with messages
In-Reply-To: <223f97700611191312g1058bc0crd5b1d725d6597965@mail.gmail.com>
References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061118235349.1dpw454bc4cgcg84@www.intranet> <223f97700611190239w7d1e50c9r29aff7f0e00a29e5@mail.gmail.com> <20061119155532.mgm4oiwzk044wk84@www.intranet> <223f97700611191312g1058bc0crd5b1d725d6597965@mail.gmail.com>
Message-ID: <20061120200043.u8ltl9ed4wg4swko@www.intranet>

Quoting Glenn Steen :

> On 19/11/06, redhat@techspace.nl wrote:
>> Quoting Glenn Steen :
>>
>>> On 19/11/06, Res wrote:
>>>> On Sat, 18 Nov 2006, redhat@techspace.nl wrote:
>>>>
>>>>> this is my output but i have no idea what it means except that there is a
>>>>> problem with spamassassin.
>>>>>
>>>>> [root@localhost ~]# spamassassin --lint
>>>>> [2982] warn: config: failed to parse line, skipping: dcc_path
>>>>> /usr/local/bin/dccproc
>>>>> [2982] warn: lint: 1 issues detected, please rerun with debug enabled for
>>>>> more information
>>>>
>>>>
>>>> That's an "OK" error if you did not install dcc, you can ignore it, I
>>>> disabled it recently because its laggy to here.
>>>
>>> Right. If you don't use DCC, simply comment that line out (to avoid
>>> the error from the --lint). It's in your spam.assassin.prefs.conf file
>>> (also softlinked from /etc/mail/spamassassin/mailscanner.cf)
>>>
>>>>
>>>>> [root@localhost ~]# MailScanner --lint
>>>>> Read 719 hostnames from the phishing whitelist
>>>>> MailScanner setting GID to (89)
>>>>> MailScanner setting UID to (89)
>>>>
>>>>
>>>> What MTA are you using? 89 is usually the user/group BSD allocates for
>>>> something like vpopmail, why are you setting run-as?
>>>> If you use sendmail strip it out. if you are using postfix, I can't help
>>>> you any further.
>>>
>>> Giving up on postmix are you, eh Res?:-). Fortunate us postmixers are
>>> ready to step into the fray:-D
>>>
>>>>
>>>> There doesn't appear to be any problems with either, what value do you have
>>>> for Max Children? should be 5 per REAL cpu (not HT'd).
>>>>
>>> CC.
>>> What I'd like to see is the output of a debug run (for both
>>> MailScanner and SA)... Will just run through for one message.
>>> Have you implemented MailWatch too?
>>>
>>> --
>>> -- Glenn
>>> email: glenn < dot > steen < at > gmail < dot > com
>>> work: glenn < dot > steen < at > ap1 < dot > se
>>
>> How do i run a debug and no i have not implemented mailwatch
>
> Being slightly tipsy (yes, I *know* it's a Sunday, but we had the
> final (well...:-) performance with the choir today... And the usual
> post mortem/beer, snaps and sausages afterwards (Some Mendelssohn,
> Bainton and Vaughn Williams, for those interested in such:-), can't
> say my precision is the best... Double-check everything with a
> MailScanner --help;-).
> IIRC (which is doubtful, considering my state:) you should run a
> "MailScanner --debug --debug-spamassassin" and send one message
> through. It'll output the debug info to the terminal you run it from,
> and then exit.
>
>> things so far no mail is transferred as long as i set the option
>> Use SpamAssassin = yes if i disable this option mailscanner works.
>> I can start SpamAssassin with /etc/init.d/SpamAssassin start and there
>> are no problems in the log.
>> My setup mta=postfix on fedora core 6
>
> Hm, Drew should chip in here:-).
>
>> lasts lines of the log these repeats over and over.
>> Nov 19 15:26:48 localhost MailScanner[10323]: MailScanner E-Mail Virus
>> Scanner version 4.55.1 starting...
>> Nov 19 15:26:49 localhost MailScanner[10323]: Read 747 hostnames from
>> the phishing whitelist
>> Nov 19 15:26:50 localhost MailScanner[10323]: Using SpamAssassin
>> results cache
>> Nov 19 15:26:50 localhost MailScanner[10323]: Connected to
>> SpamAssassin cache database
>> Nov 19 15:26:50 localhost MailScanner[10323]: Enabling SpamAssassin
>> auto-whitelist functionality...
>>
>> Is there a problem with the white list.
>> I'm running the same setup on fedora core4 no problem.
>>
>> any advice thanks jasper
>
> Gut feeling is that this is a permissions related problem. Did you set
> a User State Dir (in MailScanner.conf) for SA? If you become your
> postfix user and run spamassassin --lint, does that work? Does it work
> when running a message through (spamassassin -t <
> /path/to/message/file)? Usually the postfix user need you to specify a
> shell, as in
> su - postfix -s /bin/bash
> ... or similar. Check that the user can find and read things like
> bayes db files, AWL etc etc.
>
>

i ran the lint commands

spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
output no problems

MailScanner --lint
output:
Read 747 hostnames from the phishing whitelist
MailScanner setting GID to (89)
MailScanner setting UID to (89)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
perl: ldap-nss.c:1312: do_init: Bewering `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' mislukt.
Geannuleerd

sorry output is dutch but vales at the last line's
What does this mean.
and yes i can run a message through spamassassin and i made the spool
dir read and write to anyone.

thanks jasper

From clacroix at cegep-ste-foy.qc.ca Mon Nov 20 19:01:16 2006
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix)
Date: Mon Nov 20 19:01:21 2006
Subject: mailscanner is a lovely tool
In-Reply-To: <4561F926.4030507@USherbrooke.ca>
References: <1964AAFBC212F742958F9275BF63DBB0429971@winchester.andrewscompanies.com> <4561F926.4030507@USherbrooke.ca>
Message-ID: <200611201401.17104.clacroix@cegep-ste-foy.qc.ca>

On Monday 20 November 2006 13:51, Denis Beauchemin wrote:
> sandrews@andrewscompanies.com wrote:
> > Ok, we've all had our opinions here on it, but he's not asking that.
> > Maybe his boss will fire him unless we point him the right direction
> > here; so now that we've all had our say, let's see if we can give him
> > some help.
> >
> > I'm using my mailscanner as a smarthost for outbound email so I can
> > sign the messages with a boilerplate of legal junk...wasn't my idea,
> > but I had to do it anyway. Why can't the sign clean functionality be
> > used to add this logo in?
> >
> > It appears you'd just have to adjust inline.sig.html to have the logo
> > in there, no?
> >
> > Julian sent out this recently to make it happen:
> >
> > Sign Clean Messages = %rules-dir%/sign.clean.rules
> >
> > In /etc/MailScanner/rules/sign.clean.rules, put something like this:
> >
> > From: hisdomain.com yes
> >
> > FromOrTo: default no
> >
> > And then if you want to vary the signature per-domain for example, use
> > this
> >
> > Inline HTML Signature = %rules-dir%/html.sig.rules
> > Inline Text Signature = %rules-dir%/text.sig.rules
> >
> > and then in ..../rules/html.sig.rules
> >
> > From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.html
> >
> > FromOrTo: default /etc/MailScanner/reports/en/inline.sig.html
> >
> > and in ..../rules/text.sig.rules
> >
> > From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.txt
> >
> > FromOrTo: default /etc/MailScanner/reports/en/inline.sig.txt
> >
> > That should be enough to get you started.
>
> I don't think that can work... how is he supposed to save his company
> logo in the HTML sig file? UUencode it?
>
> Denis

With something ugly/very ugly ... external image hosted somewhere.

--
Charles Lacroix, Administrateur UNIX.
Service des télécommunications et des technologies
Cégep de Sainte-Foy (418) 659-6600 # 4266

From brett at wrl.org Mon Nov 20 19:22:13 2006
From: brett at wrl.org (Brett Charbeneau)
Date: Mon Nov 20 19:23:54 2006
Subject: Sendmail reject trumps whitelist?
In-Reply-To: <200611201856.kAKIufMZ014857@bkserver.blacknight.ie>
References: <200611201856.kAKIufMZ014857@bkserver.blacknight.ie>
Message-ID:

> I've had another look at all this.
>
> To bypass RBL checking from AOL you'd do
>
> Connect:aol.com OK
>
> The friend stuff is for recipient email addresses, not sender ones.
>
> So, to ensure that your abuse address gets emails from boxes otherwise
> blocked by RBLs, you'd use:
>
> Spam:abuse.my.domain FRIEND
>
> See also:
>
> http://blue-labs.org/howto/access_hints.php

Thanks for the response and clarification, Phil! Good web page to study
too. I appreciate it!

--
********************************************************************
Brett Charbeneau
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett@wrl.org
********************************************************************

From jimc at laridian.com Mon Nov 20 20:46:05 2006
From: jimc at laridian.com (Jim Coates) Date: Mon Nov 20 20:48:19 2006 Subject: MailScanner/SA Rules In-Reply-To: <4561FB57.7010107@evi-inc.com> Message-ID: <03f401c70ce4$e64e33b0$6401a8c0@zorak> > > Ok - I'm a little confused here. > > > > I was changing some scoring around for the RBL rules and searched > > through the list here to discover something: > > > > I have been using a local.cf to set up custom rules. They seem to > > work just fine. Then I went to edit the RBL scores and > noticed that > > changing them in local.cf didn't seem to do anything (yes - I > > restarted). I started checking through the list and came > across some > > postings that state that you shouldn't have a local.cf if you are > > using MailScanner, but you should instead be using the > > spam.assassin.prefs.conf > > That's bad advice. In fact, from a SA perspective, you can't > have rules in this file, only rescore and other > non-administrative options. > > That said, in modern versions of mailscanner, > spam.assassin.prefs.conf is symlinked to mailscanner.cf, so > it gets parsed the same as local.cf. > > > I'd check around and set your site rules directory in > MailScanner.conf instead. Matt - thanks. So are you suggesting that local.cf is still the appropriate place to put custom SA rules (rather than spam.assassin.prefs.conf? > > > > The messages said that it states this in the prefs file, > but for some > > reason mine didn't - which is why I didn't change how I was > doing it. > > > > So I have a few questions... > > > > 1) Should I add everything I currently have in my local.cf to my > > spam.assassin.prefs.conf and rename/remove the local.cf? > > No. Technically, this file should be a replacement for > user_prefs, although as said above, it's now equivalent to > local.cf due to symlinks. > > > 2) Why were custom rules working, but not RBL score changes > from the > > local.cf? > > That seems very odd, I'd expect all or nothing. 
Unless a > parse error is causing half the file to be ignored. > > Try running spamassassin --lint. It should run and exit quietly. Oops... I did indeed find a single parse error. "descrive" instead of "describe" - and it did occur before the score changes in the order of the local.cf file. I've made the appropriate changes and am waiting to see if it has helped. > > 3) My rules from Rules Du Jour still get dropped into > > /usr/local/etc/mail/spamassassin, where the local.cf currently > > exists... will they function properly from there and can > therefore be > > left alone, or should they be moved elsewhere, too? > > Note: check to make sure /etc/mail/spamassassin doesn't > exist. If it does, the /usr/local one will be ignored unless > SA is explicitly told to use it. > > (SA by default does a search for reasonable equivalents to > /etc/mail/spamassassin, and it uses the first one it finds) Thanks, Jim From ssilva at sgvwater.com Mon Nov 20 20:54:26 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 20 20:55:07 2006 Subject: MailScanner/SA Rules In-Reply-To: <03f401c70ce4$e64e33b0$6401a8c0@zorak> References: <4561FB57.7010107@evi-inc.com> <03f401c70ce4$e64e33b0$6401a8c0@zorak> Message-ID: Jim Coates spake the following on 11/20/2006 12:46 PM: >>> Ok - I'm a little confused here. >>> >>> I was changing some scoring around for the RBL rules and searched >>> through the list here to discover something: >>> >>> I have been using a local.cf to set up custom rules. They seem to >>> work just fine. Then I went to edit the RBL scores and >> noticed that >>> changing them in local.cf didn't seem to do anything (yes - I >>> restarted). I started checking through the list and came >> across some >>> postings that state that you shouldn't have a local.cf if you are >>> using MailScanner, but you should instead be using the >>> spam.assassin.prefs.conf >> That's bad advice. In fact, from a SA perspective, you can't >> have rules in this file, only rescore and other >> non-administrative options. >> >> That said, in modern versions of mailscanner, >> spam.assassin.prefs.conf is symlinked to mailscanner.cf, so >> it gets parsed the same as local.cf. >> >> >> I'd check around and set your site rules directory in >> MailScanner.conf instead. > > Matt - thanks. So are you suggesting that local.cf is still the appropriate > place to put custom SA rules (rather than spam.assassin.prefs.conf? No. He stated that you should not put them there. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From res at ausics.net Mon Nov 20 22:08:47 2006 
From: res at ausics.net (Res) Date: Mon Nov 20 22:08:58 2006 Subject: Sendmail reject trumps whitelist? In-Reply-To: References: <200611171200.kAHC0Lil009905@bkserver.blacknight.ie> Message-ID: On Mon, 20 Nov 2006, Brett Charbeneau wrote: > should *really* be > > Spam:@aol.com FRIEND > > to allow aol.com mail to get past the sendmail 554 rejection. or simply. Spam:aol.com FRIEND -or- aol.com OK works the same. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From sandrews at andrewscompanies.com Mon Nov 20 22:14:27 2006 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Mon Nov 20 22:14:29 2006 Subject: mailscanner is a lovely tool Message-ID: <1964AAFBC212F742958F9275BF63DBB042998A@winchester.andrewscompanies.com> Sure...why not? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin Sent: Monday, November 20, 2006 1:51 PM To: MailScanner discussion Subject: Re: mailscanner is a lovely tool sandrews@andrewscompanies.com wrote: > Ok, we've all had our opinions here on it, but he's not asking that. > Maybe his boss will fire him unless we point him the right direction > here; so now that we've all had our say, let's see if we can give him > some help. > > I'm using my mailscanner as a smarthost for outbound email so I can > sign the messages with a boilerplate of legal junk...wasn't my idea, > but I had to do it anyway. Why can't the sign clean functionality be > used to add this logo in? > > It appears you'd just have to adjust inline.sig.html to have the logo > in there, no? > > Julian sent out this recently to make it happen: > > Sign Clean Messages = %rules-dir%/sign.clean.rules > > In /etc/MailScanner/rules/sign.clean.rules, put something like this:
> > From: hisdomain.com yes > > FromOrTo: default no > > And then if you want to vary the signature per-domain for example, use > this > > Inline HTML Signature = %rules-dir%/html.sig.rules Inline Text > Signature = %rules-dir%/text.sig.rules > > and then in ..../rules/html.sig.rules > > From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.html > > FromOrTo: default /etc/MailScanner/reports/en/inline.sig.html > > and in ..../rules/text.sig.rules > > From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.txt > > FromOrTo: default /etc/MailScanner/reports/en/inline.sig.txt > > That should be enough to get you started. > I don't think can work... how is he supposed to save his company logo in the HTML sig file? UUencode it? Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From pete at enitech.com.au Tue Nov 21 01:04:50 2006
From: pete at enitech.com.au (Peter Russell) Date: Tue Nov 21 01:05:01 2006 Subject: Spambuckets, Bayes and MailScanner signatures In-Reply-To: <120103F0F5EC264097BC0A06EC9D026A010C0572@pardessus.aoc-uk.com> References: <120103F0F5EC264097BC0A06EC9D026A010C0572@pardessus.aoc-uk.com> Message-ID: <456250B2.7000509@enitech.com.au> It is even easier to create a public folder and make the default access contributor, not read, then everyone can drag and drop onto the public folder, then there is a python script here that will read the public folder and delete its contents and write a little log of events for you. This is easier to set up and avoids the issues of Exchange erasing the headers when you forward email to another email account. The script was posted (by me) about 2 weeks ago, I can resend if you need it. Stef Morrell wrote: > Hi all, > > Having recently gotten my head around extracting RFC822 email from > exchange servers using IMAP, I'm considering setting up a spambucket, so > my users can dump false negatives - then using some kind of suitable > script to feed them into sa-learn. > > Now, Bayes has already been told to ignore the X-MailScanner-Blah > headers, in the spamassassin prefs, but I'm wondering about how it will > react to being fed things like the inline anti-phishing stuff and also > the "This has been scanned by MailScanner" etc signature. > > Obviously what I don't want is for Bayes to get wrong ideas from dodgy > data. GIGO :) > > Do I need to somehow process those bits out in an effort to restore the > original email, or does the order in which things are done mean that > it's not terribly relevant? > > Regards > > Stef > Stefan Morrell | Operations Director > Tel: 0845 3452820 | Alpha Omega Computers Ltd > Fax: 0845 3452830 | Incorporating Level 5 Internet > stef@aoc-uk.com | stef@l5net.net From vinay_poojary2000 at yahoo.co.in Tue Nov 21 03:51:05 2006
From: vinay_poojary2000 at yahoo.co.in (vinay poojary) Date: Tue Nov 21 03:51:12 2006 Subject: mailscanner is a lovely tool In-Reply-To: <1964AAFBC212F742958F9275BF63DBB042998A@winchester.andrewscompanies.com> Message-ID: <601295.14854.qm@web8323.mail.in.yahoo.com> Dear Sir, Thanks a lot for your quick reply. I would surely place all your opinions in front of the management and would speak to them regarding the same. What I think is that my statement for not including images in the signature would have been more appreciated if I had some solution to add the logo in the signature, and would have told them it's not good to add the images in the signature. Presently I have no solution to add the images, so they might feel that I am making the excuses for the same. I think mailscanner should have the feature to embed the images as a signature. The people who would like to use it would use it while those who are not interested would use the normal html signatures. Thanks once again for your quick response. Regards, Vinay Poojary sandrews@andrewscompanies.com wrote: Sure...why not? -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin Sent: Monday, November 20, 2006 1:51 PM To: MailScanner discussion Subject: Re: mailscanner is a lovely tool sandrews@andrewscompanies.com wrote: > Ok, we've all had our opinions here on it, but he's not asking that. > Maybe his boss will fire him unless we point him the right direction > here; so now that we've all had our say, let's see if we can give him > some help. > > I'm using my mailscanner as a smarthost for outbound email so I can > sign the messages with a boilerplate of legal junk...wasn't my idea, > but I had to do it anyway. Why can't the sign clean functionality be > used to add this logo in? > > It appears you'd just have to adjust inline.sig.html to have the logo > in there, no? > > Julian sent out this recently to make it happen: > > Sign Clean Messages = %rules-dir%/sign.clean.rules > > In /etc/MailScanner/rules/sign.clean.rules, put something like this: > > From: hisdomain.com yes > > FromOrTo: default no > > And then if you want to vary the signature per-domain for example, use > this > > Inline HTML Signature = %rules-dir%/html.sig.rules Inline Text > Signature = %rules-dir%/text.sig.rules > > and then in ..../rules/html.sig.rules > > From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.html > > FromOrTo: default /etc/MailScanner/reports/en/inline.sig.html > > and in ..../rules/text.sig.rules
> > From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.txt > > FromOrTo: default /etc/MailScanner/reports/en/inline.sig.txt > > That should be enough to get you started. > I don't think can work... how is he supposed to save his company logo in the HTML sig file? UUencode it? Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ylacan at teicam.com Tue Nov 21 08:15:10 2006
From: ylacan at teicam.com (Youri LACAN-BARTLEY) Date: Tue Nov 21 08:15:29 2006 Subject: mailscanner is a lovely tool In-Reply-To: <601295.14854.qm@web8323.mail.in.yahoo.com> References: <601295.14854.qm@web8323.mail.in.yahoo.com> Message-ID: <4562B58E.9000700@teicam.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Talking about alternatives, why not just add within the signature your company logo in ASCII ! That should get everyone happy :p vinay poojary wrote: > Dear Sir, > > Thanks a lot for your quick reply. > > I would surely place all your opinions in front of the management and > would speak to them regarding the same. > > What I think is that my statement for not including images in the > signature would have been more appreciated if I had some solution to add > the logo in the signature, and would have told them it's not good to > add the images in the signature. > > Presently I have no solution to add the images, so they might feel that > I am making the excuses for the same. > > I think mailscanner should have the feature to embed the images as a > signature. The people who would like to use it would use it while those > who are not interested would use the normal html signatures. > > Thanks once again for your quick response. > > > Regards, > Vinay Poojary > > */sandrews@andrewscompanies.com/* wrote: > > Sure...why not? > > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Denis Beauchemin > Sent: Monday, November 20, 2006 1:51 PM > To: MailScanner discussion > Subject: Re: mailscanner is a lovely tool > > sandrews@andrewscompanies.com wrote: > > Ok, we've all had our opinions here on it, but he's not asking that. > > Maybe his boss will fire him unless we point him the right direction > > here; so now that we've all had our say, let's see if we can give him > > some help. > > > > I'm using my mailscanner as a smarthost for outbound email so I can > > sign the messages with a boilerplate of legal junk...wasn't my idea, > > but I had to do it anyway. Why can't the sign clean functionality be > > used to add this logo in? > > > > It appears you'd just have to adjust inline.sig.html to have the logo > > in there, no? > > > > Julian sent out this recently to make it happen: > > > > Sign Clean Messages = %rules-dir%/sign.clean.rules > > > > In /etc/MailScanner/rules/sign.clean.rules, put something like this: > > > > From: hisdomain.com yes > > > > FromOrTo: default no > > > > And then if you want to vary the signature per-domain for example, > use > > this > > > > Inline HTML Signature = %rules-dir%/html.sig.rules Inline Text > > Signature = %rules-dir%/text.sig.rules > > > > and then in ..../rules/html.sig.rules > > > > From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.html > > > > FromOrTo: default /etc/MailScanner/reports/en/inline.sig.html > > > > and in ..../rules/text.sig.rules
> > > > From: hisdomain.com /etc/MailScanner/reports/hisdomain/inline.sig.txt > > > > FromOrTo: default /etc/MailScanner/reports/en/inline.sig.txt > > > > That should be enough to get you started. > > > > I don't think can work... how is he supposed to save his company > logo in the HTML sig file? UUencode it? > > Denis > > -- > _ > ?v? Denis Beauchemin, analyste > /(_)\ Université de Sherbrooke, S.T.I. > ^ ^ T: 819.821.8000x62252 F: 819.821.8045 > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > ------------------------------------------------------------------------ > Find out what India is talking about on - Yahoo! Answers India > > Send FREE SMS to your friend's mobile from Yahoo! Messenger Version 8. > Get it NOW > > > - -- Cordialement, Youri LACAN-BARTLEY PCAM Espace HERVANN 641 Chemin des terriers 06600 ANTIBES Tel: 04.93.33.26.25 Fax: 04.93.33.73.45 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iD8DBQFFYrWOWC9/YPePNU4RAvyMAJ9YrbKO2FbGrx4xY+wlzGKcSPiICwCbBb1Q PWe9ijY4jdzElfG0Z2BpSl8= =V6Of -----END PGP SIGNATURE----- From admin at thenamegame.com Tue Nov 21 08:38:00 2006 From: admin at thenamegame.com (Michael S.) Date: Tue Nov 21 08:30:39 2006 Subject: Anything similar to debora* out there? In-Reply-To: <455DB6F3.61A4.0000.0@caspercollege.edu> Message-ID: <200611210830.kAL8UbT9023346@bkserver.blacknight.ie> That's fine and when they do we will also change our filter. It's not too hard to spot these people. I'd say they are using a pretty outdated mailer as they can't be any more original in their use of an email address other than debora?????@. -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Straka Sent: Friday, November 17, 2006 3:20 PM To: mailscanner@lists.mailscanner.info Subject: Anything similar to debora* out there? Just wondering...I'm sure the name will change to something else soon. Dan Straka Systems Coordinator Casper College -- This message has been scanned for viruses and dangerous content by MailScanner at caspercollege.edu and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mailscanner at barendse.to Tue Nov 21 08:35:52 2006 
From: mailscanner at barendse.to (Remco Barendse) Date: Tue Nov 21 08:35:57 2006 Subject: pingscript to deal with flakey connections Message-ID:

Hi list!

I have several MailScanner boxes sending/receiving e-mail and forwarding it to my M$ Exchange box. The boxes are connected to different DSL connections whose connections tend to be flakey. I want to prevent that Exchange thinks a MS box is still up and running and sending outgoing mail to it when the connection is down and MS is only queuing up the mail, not sending it.

I am trying to modify a ping script I found somewhere, basically I want it to stop MS to accept connections when the DSL line is down.

The script doesn't seem to be giving me expected results though (probably because I do not have any programming skills at all), maybe somebody already has a similar ping script? If yes, could it be posted, or maybe someone can help me on what I've got so far? I think such a script could be useful for others on this list too.

This is my feeble attempt to modify another script I found : http://www.ecem-it.nl/pingscript/pingscript.txt the contents are also below:

#!/bin/sh

# Initialisation
date=`date +'%b %d %k:%M:%S'`
logfile="/var/log/connection.log"

# Hosts to probe: 2 packets each, 2 seconds apart
ping1="ping -c 2 -i 2 www.xs4all.nl"
ping2="ping -c 2 -i 2 www.planet.nl"
ping3="ping -c 2 -i 2 www.redhat.com"
ping4="ping -c 2 -i 2 www.ti.com"
ping5="ping -c 2 -i 2 www.oracle.com"

echo "" >> $logfile
echo $date "Checking if connection is still up ..." >> $logfile

# The link counts as down only when every ping fails, so the tests are
# chained with && (a single & runs each ping in the background and the
# if then sees only the exit status of the last one).
if ! $ping1 > /dev/null && ! $ping2 > /dev/null && ! $ping3 > /dev/null && ! $ping4 > /dev/null && ! $ping5 > /dev/null; then
    if [ -f /tmp/conndown ] ; then
        # Marker file already exists: MailScanner was stopped on an earlier run
        echo $date "No ping packets received, connection is still down" | tee -a $logfile
    else
        # First failure: create the marker file and stop MailScanner
        /sbin/clock >> /tmp/conndown
        echo $date "No ping packets received" | tee -a $logfile
        echo $date "Connection is down! ===> stopping MailScanner ..." | tee -a $logfile
        service MailScanner stop
        exit 1
    fi
else
    # All output of the lines below is discarded to /dev/null
    echo -n "-----------------------------------------------------------------------------------------" > /dev/null
    echo -n "PINGRESULTS:" > /dev/null
    echo -n "-----------------------------------------------------------------------------------------" > /dev/null
    ping -c 1 www.xs4all.nl > /dev/null
    echo -n "-----------------------------------------------------------------------------------------" > /dev/null
    ping -c 1 www.planet.nl > /dev/null
    echo -n "-----------------------------------------------------------------------------------------" > /dev/null
    ping -c 1 www.redhat.nl > /dev/null
    echo -n "-----------------------------------------------------------------------------------------" > /dev/null
    ping -c 1 www.ti.com > /dev/null
    echo -n "-----------------------------------------------------------------------------------------" > /dev/null
    ping -c 1 www.oracle.com > /dev/null
    echo -n "-----------------------------------------------------------------------------------------" > /dev/null
    if [ -f /tmp/conndown ] ; then
        # Link is back after an outage: remove the marker and start MailScanner
        echo $date "Connection is up! Restarting MailScanner ..." | tee -a $logfile
        rm -f /tmp/conndown
        service MailScanner start
    else
        echo $date "Connection is still up!" >> $logfile
        exit 1
    fi
fi

From vinay_poojary2000 at yahoo.co.in Tue Nov 21 09:09:39 2006
From: vinay_poojary2000 at yahoo.co.in (vinay poojary) Date: Tue Nov 21 09:09:44 2006 Subject: blocking mp3 files Message-ID: <20061121090939.90713.qmail@web8324.mail.in.yahoo.com> Dear Sir, I want to block mp3 files. I have added the same in the filename.rules.conf and the files are getting blocked but people started to rename the extension and sending it. Is there any way I could add the extension in the filetype.rules.conf file? Thanks in advance. Regards, Vinay Poojary From glenn.steen at gmail.com Tue Nov 21 09:12:34 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Nov 21 09:12:37 2006 Subject: log is flotting with messages In-Reply-To: <20061120200043.u8ltl9ed4wg4swko@www.intranet> References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061118235349.1dpw454bc4cgcg84@www.intranet> <223f97700611190239w7d1e50c9r29aff7f0e00a29e5@mail.gmail.com> <20061119155532.mgm4oiwzk044wk84@www.intranet> <223f97700611191312g1058bc0crd5b1d725d6597965@mail.gmail.com> <20061120200043.u8ltl9ed4wg4swko@www.intranet> Message-ID: <223f97700611210112s316b0b3oef52e6efdd0fe5e9@mail.gmail.com> On 20/11/06, redhat@techspace.nl wrote: > Quoting Glenn Steen : (snip) > > Being slightly tipsy (yes, I *know* it's a Sunday, but we had the > > final (well...:-) performance with the choir today... And the usual > > post mortem/beer, snaps and sausages afterwards (Some Mendelssohn, > > Bainton and Vaughn Williams, for those interested in such:-), can't > > say my precision is the best... Double-check everything with a > > MailScanner --help;-). > > IIRC (which is doubtful, considering my state:) you should run a > > "MailScanner --debug --debug-spamassassin" and send one message > > through. It'll output the debug info to the terminal you run it from, > > and then exit. Less tipsy today (more's the pity:-), and the command would be something like (after stopping MailScanner, of course) MailScanner --debug --debug-sa or look around for the more manual method (editing MailScanner.conf etc). > >> things so far no mail is transfered as long as i set the option > >> Use SpamAssassin = yes if i disable this option mailscanner works. > >> I can start SpamAssassin with /etc/init.d/SpamAssassin start and there > >> are no problems in the log. > >> My setup mta=postfix on fedora core 6 > > > > Hm, Drew should chip in here:-). Or some of you other postfixing freebsders:-). > >> lasts lines of the log these repaeats over and over. 
> >> Nov 19 15:26:48 localhost MailScanner[10323]: MailScanner E-Mail Virus > >> Scanner version 4.55.1 starting... > >> Nov 19 15:26:49 localhost MailScanner[10323]: Read 747 hostnames from > >> the phishing whitelist > >> Nov 19 15:26:50 localhost MailScanner[10323]: Using SpamAssassin > >> results cache > >> Nov 19 15:26:50 localhost MailScanner[10323]: Connected to > >> SpamAssassin cache database > >> Nov 19 15:26:50 localhost MailScanner[10323]: Enabling SpamAssassin > >> auto-whitelist functionality... > >> > >> Is there a problem with the white list. > >> I'm running the same setup on fedora core4 no problem. > >> > >> any advise thanks jasper > > > > Gut feeling is that this is a permissions related problem. Did you set > > a User State Dir (in MailScanner.conf) for SA? If you become your > > postfix user and run spamassassin --lint, does that work? Does it work > > when running a message through (spamassassin -t < > > /path/to/message/file)? Usually the postfix user need you to specify a > > shell, as in > > su - postfix -s /bin/bash > > ... or similar. Check that the user can find and read things like > > bayes db files, AWL etc etc. > > > > > > i ran the lint commants > spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint > output no problems > MailScanner --lint > output: > Read 747 hostnames from the phishing whitelist > MailScanner setting GID to (89) > MailScanner setting UID to (89) > Checking for SpamAssassin errors (if you use it)... > Using SpamAssassin results cache > Connected to SpamAssassin cache database > perl: ldap-nss.c:1312: do_init: Bewering > `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' mislukt. > Geannuleerd > > sorry output is dutch but vales at the last line's I think I'll manage:-)... Something seems to be up with that ldap-nss thing, and a quick google on "perl: ldap-nss.c" gives a few results (mainly troubled FreeBSD users:), although perhaps no resolution. 
Anyway, that error could well be the root of your troubles. As to resolutions (here is where you FreeBSD experts should start chipping in:-)... One could suspect that that failed call is either to do with the Phishing net, or perhaps (just by it following on the heels of the "Connected to..." line) the SpamAssassin cache database. Try first disabling the result cache, then (if that didn't help) the phishing net. If either helps, you at least know where it borks out, and have a somewhat workable workaround (namely "don't do that then";-). Have you checked the cache DB, for readability by your postfix user? Sometimes the devil is in the small details, when it comes to postfix:-):-) > What does this mean. That that call didn't work:-). Hopefully someone with a) a better knowledge of FreeBSD, and b) more coffee in that persons system (I'm trying to cut back... 7 mug-sized esspressos/day isn't good for me:-). > and yes i can run a message trou spamassasin and i made the spool dir > read and write to anyone. > > thanks jasper > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From carinus.carelse at mrc.ac.za Tue Nov 21 09:27:51 2006 
From: carinus.carelse at mrc.ac.za (carinus.carelse@mrc.ac.za) Date: Tue Nov 21 09:28:48 2006 Subject: Just Upgraded to 4.56.8 am getting one error message. In-Reply-To: <223f97700611210112s316b0b3oef52e6efdd0fe5e9@mail.gmail.com> Message-ID: When I run the MailScanner in debug mode I get one error message from the server Can't locate object method "RejectMessages" via package "MailScanner::MessageBatch" at /opt/MailScanner-Ext/bin/MailScanner line 763 Any help is appreciated. I am running on Solaris 9. Carinus -- This e-mail and its contents are subject to the South African Medical Research Council e-mail legal notice available at http://www.mrc.ac.za/about/EmailLegalNotice.htm -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061121/a1063e25/attachment.html From carinus.carelse at mrc.ac.za Tue Nov 21 09:43:10 2006 From: carinus.carelse at mrc.ac.za (carinus.carelse@mrc.ac.za) Date: Tue Nov 21 09:43:45 2006 Subject: Another Error Message Message-ID: Can't locate object method "AddVirusInfoToCache" via package "MailScanner::MessageBatch" at /opt/MailScanner-Ext/bin/MailScanner line 838. To append to the other error message I was getting. Carinus -- This e-mail and its contents are subject to the South African Medical Research Council e-mail legal notice available at http://www.mrc.ac.za/about/EmailLegalNotice.htm -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061121/a7dc760a/attachment.html From glenn.steen at gmail.com Tue Nov 21 09:47:24 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Nov 21 09:47:28 2006 Subject: mailscanner is a lovely tool In-Reply-To: <4562B58E.9000700@teicam.com> References: <601295.14854.qm@web8323.mail.in.yahoo.com> <4562B58E.9000700@teicam.com> Message-ID: <223f97700611210147y4ae9bb4agd4970fb298411909@mail.gmail.com> On 21/11/06, Youri LACAN-BARTLEY wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Talking about alternatives, why not just add within the signature your > company logo in ASCII ! That should get everyone happy :p > You mean like: # pamscale -xscale=0.5 -yscale=0.5 mslogo.ppm | ppmtopgm | pgmtop d+oodoovb.vo, .ov. ,..v, vv\, _,.\....,.\ ..\.. ,.. ....J6:<:\:?:&L &T JT. ,,. /. || 1: :| ,\. ,v_ .?:\\: ,_:?. .\\ \_\. `?$?:T`\. ,/T:|| &`|.|T. || 9 || |! `\=o: d' M || H |T `L H' H ,T ?L ||.H '?:$ `: |:H' & &?:T. +""M, |i i| ] 9 H ,.+""M, || -} F & |P"'_ |i " ""#[?::&#' -#~|?-d= ?~~*?\??.?? +\\~' `b-/ `~~*?-?? ~b|:b|.#~`\~?'.??. `"""" . --- --- - - --- -- --- - - -- --` ------- - -- - . -- -- ... Absolutely horrid with proportional spacing:-):-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Nov 21 09:49:09 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Nov 21 09:49:13 2006 Subject: mailscanner is a lovely tool In-Reply-To: <223f97700611210147y4ae9bb4agd4970fb298411909@mail.gmail.com> References: <601295.14854.qm@web8323.mail.in.yahoo.com> <4562B58E.9000700@teicam.com> <223f97700611210147y4ae9bb4agd4970fb298411909@mail.gmail.com> Message-ID: <223f97700611210149l27af6c50u3f47ae4ffe2fab1c@mail.gmail.com> On 21/11/06, Glenn Steen wrote: > On 21/11/06, Youri LACAN-BARTLEY wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Talking about alternatives, why not just add within the signature your > > company logo in ASCII ! That should get everyone happy :p > > > You mean like: > # pamscale -xscale=0.5 -yscale=0.5 mslogo.ppm | ppmtopgm | pgmtop > d+oodoovb.vo, .ov. ,..v, vv\, _,.\....,.\ ..\.. ,.. > ....J6:<:\:?:&L &T JT. ,,. /. || 1: :| ,\. ,v_ .?:\\: ,_:?. .\\ \_\. > `?$?:T`\. ,/T:|| &`|.|T. || 9 || |! `\=o: d' M || H |T `L H' H ,T ?L ||.H > '?:$ `: |:H' & &?:T. +""M, |i i| ] 9 H ,.+""M, || -} F & |P"'_ |i > " ""#[?::&#' -#~|?-d= ?~~*?\??.?? +\\~' `b-/ `~~*?-?? ~b|:b|.#~`\~?'.??. > `"""" . --- --- - - --- -- --- - - -- --` ------- - -- - . -- -- > > ... Absolutely horrid with proportional spacing:-):-) > The commandline got cut off... Should read # pamscale -xscale=0.5 -yscale=0.5 mslogo.ppm | ppmtopgm | pgmtopbm | pbmtoascii -2x4 ... There, much better:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From uxbod at splatnix.net Tue Nov 21 13:00:31 2006
From: uxbod at splatnix.net (uxbod) Date: Tue Nov 21 13:00:43 2006 Subject: OT: MailScanner & Zimbra Message-ID: <4b17fcc45df9877a51d939b7602b414e@10.0.0.10> Hi, Is anybody on the list using MailScanner with Zimbra ? If so was it easy to integrate ? Best Regards, --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From drew at technologytiger.net Tue Nov 21 14:05:03 2006 
From: drew at technologytiger.net (Drew Marshall)
Date: Tue Nov 21 14:05:19 2006
Subject: log is flotting with messages
In-Reply-To: <223f97700611210112s316b0b3oef52e6efdd0fe5e9@mail.gmail.com>
References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061118235349.1dpw454bc4cgcg84@www.intranet> <223f97700611190239w7d1e50c9r29aff7f0e00a29e5@mail.gmail.com> <20061119155532.mgm4oiwzk044wk84@www.intranet> <223f97700611191312g1058bc0crd5b1d725d6597965@mail.gmail.com> <20061120200043.u8ltl9ed4wg4swko@www.intranet> <223f97700611210112s316b0b3oef52e6efdd0fe5e9@mail.gmail.com>
Message-ID: <50873.194.70.180.170.1164117903.squirrel@www.technologytiger.net>

On Tue, November 21, 2006 09:12, Glenn Steen wrote:
> (snip)
>> > Being slightly tipsy (yes, I *know* it's a Sunday, but we had the
>> > final (well...:-) performance with the choir today... And the usual
>> > post mortem/beer, snaps and sausages afterwards (Some Mendelssohn,
>> > Bainton and Vaughn Williams, for those interested in such:-), can't
>> > say my precision is the best... Double-check everything with a
>> > MailScanner --help;-).
>> > IIRC (which is doubtful, considering my state:) you should run a
>> > "MailScanner --debug --debug-spamassassin" and send one message
>> > through. It'll output the debug info to the terminal you run it from,
>> > and then exit.
>
> Less tipsy today (more's the pity:-), and the command would be
> something like (after stopping MailScanner, of course)
> MailScanner --debug --debug-sa
> or look around for the more manual method (editing MailScanner.conf etc).

This I think has to be the next course of action (Debug not tipsy, that
comes afterwards :-) )

>
>> >> things so far no mail is transferred as long as i set the option
>> >> Use SpamAssassin = yes if i disable this option mailscanner works.
>> >> I can start SpamAssassin with /etc/init.d/SpamAssassin start and
>> there
>> >> are no problems in the log.
>> >> My setup mta=postfix on fedora core 6
>> >
>> > Hm, Drew should chip in here:-).

Ooops, missed that one :-(

>
> Or some of you other postfixing freebsders:-).

But the OP is running Fedora Core6 not FBSD? However, never fear I am here
to try to add my typos and dodgy whit to the game :-)

Good grief this thread is hard to follow with posts after sigs
and all sorts ;-)

>> i ran the lint commands
>> spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
>> output no problems

Good, but as which user?

>> MailScanner --lint
>> output:
>> Read 747 hostnames from the phishing whitelist
>> MailScanner setting GID to (89)
>> MailScanner setting UID to (89)

Has it been confirmed that this is the Postfix UID/ GID?

>> Checking for SpamAssassin errors (if you use it)...
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> perl: ldap-nss.c:1312: do_init: Bewering
>> `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' mislukt.
>> Geannuleerd
>>
>> sorry output is dutch but vales at the last line's
>
>> What does this mean.
>
> That that call didn't work:-).
> Hopefully someone with
> a) a better knowledge of FreeBSD, and
> b) more coffee in that person's system (I'm trying to cut back... 7
> mug-sized espressos/day isn't good for me:-).

Perhaps a better question is; What is it trying to do? I am a little
bemused why MS is making this call...

Having read the port description here
http://www.freebsd.org/cgi/url.cgi?ports/net/nss_ldap/pkg-descr I guess
this is being for passwd/ group look ups, which fits with the Postfix user
issue that there seems to be. Not being a RH/ rpm user I don't know where
to look for this module but is it installed? I don't remember anything
like this is part of the MailScanner port in FBSD.

Drew

From glenn.steen at gmail.com Tue Nov 21 14:40:34 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 21 14:40:41 2006
Subject: log is flotting with messages
In-Reply-To: <50873.194.70.180.170.1164117903.squirrel@www.technologytiger.net>
References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061118235349.1dpw454bc4cgcg84@www.intranet> <223f97700611190239w7d1e50c9r29aff7f0e00a29e5@mail.gmail.com> <20061119155532.mgm4oiwzk044wk84@www.intranet> <223f97700611191312g1058bc0crd5b1d725d6597965@mail.gmail.com> <20061120200043.u8ltl9ed4wg4swko@www.intranet> <223f97700611210112s316b0b3oef52e6efdd0fe5e9@mail.gmail.com> <50873.194.70.180.170.1164117903.squirrel@www.technologytiger.net>
Message-ID: <223f97700611210640h7913ed78sfe14df85b83a4e5d@mail.gmail.com>

On 21/11/06, Drew Marshall wrote:
> On Tue, November 21, 2006 09:12, Glenn Steen wrote:
> > (snip)
> >> > Being slightly tipsy (yes, I *know* it's a Sunday, but we had the
> >> > final (well...:-) performance with the choir today... And the usual
> >> > post mortem/beer, snaps and sausages afterwards (Some Mendelssohn,
> >> > Bainton and Vaughn Williams, for those interested in such:-), can't
> >> > say my precision is the best... Double-check everything with a
> >> > MailScanner --help;-).
> >> > IIRC (which is doubtful, considering my state:) you should run a
> >> > "MailScanner --debug --debug-spamassassin" and send one message
> >> > through. It'll output the debug info to the terminal you run it from,
> >> > and then exit.
> >
> > Less tipsy today (more's the pity:-), and the command would be
> > something like (after stopping MailScanner, of course)
> > MailScanner --debug --debug-sa
> > or look around for the more manual method (editing MailScanner.conf etc).
>
> This I think has to be the next course of action (Debug not tipsy, that
> comes afterwards :-) )

One can wonder if I've been mixing the two...

> >> >> things so far no mail is transferred as long as i set the option
> >> >> Use SpamAssassin = yes if i disable this option mailscanner works.
> >> >> I can start SpamAssassin with /etc/init.d/SpamAssassin start and
> >> there
> >> >> are no problems in the log.
> >> >> My setup mta=postfix on fedora core 6
> >> >
> >> > Hm, Drew should chip in here:-).
>
> Ooops, missed that one :-(
>
> >
> > Or some of you other postfixing freebsders:-).
>
> But the OP is running Fedora Core6 not FBSD? However, never fear I am here
> to try to add my typos and dodgy whit to the game :-)

... since I definitely mixed this up... Probably because of associating
Res with FreeBSD...:-). The wonders of a slightly dysfunctional
memory/mind:-D... Oh well.

> Good grief this thread is hard to follow with posts after sigs
> and all sorts ;-)

And we're helping?:-)

> >> i ran the lint commands
> >> spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
> >> output no problems
>
> Good, but as which user?
>
> >> MailScanner --lint
> >> output:
> >> Read 747 hostnames from the phishing whitelist
> >> MailScanner setting GID to (89)
> >> MailScanner setting UID to (89)
>
> Has it been confirmed that this is the Postfix UID/ GID?

Nope. Ah, now I remember why I thought this to be FreeBSD... Stray
comment by Res, indeed...

> >> Checking for SpamAssassin errors (if you use it)...
> >> Using SpamAssassin results cache
> >> Connected to SpamAssassin cache database
> >> perl: ldap-nss.c:1312: do_init: Bewering
> >> `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' mislukt.
> >> Geannuleerd
> >>
> >> sorry output is dutch but vales at the last line's
> >
> >

Thanks for removing the only really worthwhile advice there (namely
checking the ownership of the actual cache SQLite db file;-).

> >> What does this mean.
> >
> > That that call didn't work:-).
> > Hopefully someone with
> > a) a better knowledge of FreeBSD, and
> > b) more coffee in that person's system (I'm trying to cut back... 7
> > mug-sized espressos/day isn't good for me:-).
>
> Perhaps a better question is; What is it trying to do? I am a little
> bemused why MS is making this call...
>
> Having read the port description here
> http://www.freebsd.org/cgi/url.cgi?ports/net/nss_ldap/pkg-descr I guess
> this is being for passwd/ group look ups, which fits with the Postfix user
> issue that there seems to be. Not being a RH/ rpm user I don't know where
> to look for this module but is it installed? I don't remember anything
> like this is part of the MailScanner port in FBSD.
>
> Drew

rpm -qil nss_ldap is very likely it.
Unless one needs that module (ie is using ldap for
authentication), I'm pretty certain one can live without it.
It might be a wrong config in /etc/ldap.conf, for all I know:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From gmourani at privalodc.com Tue Nov 21 14:58:36 2006
From: gmourani at privalodc.com (Gerhard Mourani)
Date: Tue Nov 21 14:58:49 2006
Subject: Spam inside images
Message-ID: <4572.70.82.58.187.1164121116.squirrel@webmail.privalodc.com>

Hello list,

I would like to know if someone knows how to make MailScanner scan inside
images for spam. I receive a lot of this kind of new spam now. They are
inside the image and cannot be detected by spamassassin which checks for
texts only.

Gerhard,

From evanderleun at hal9000.nl Tue Nov 21 15:11:42 2006
From: evanderleun at hal9000.nl (Erik van der Leun)
Date: Tue Nov 21 15:11:44 2006
Subject: ClamAV || Oversized.zip
Message-ID: <4563172E.4090904@hal9000.nl>

Hi,

A ClamAV feature to protect against DoS alike attacks checking filesizes
and such
in zipfiles, creates this message, causing attachments to end up in the
quarantine,
although all other scanners claim the attachment is harmless...

# clamscan test.zip
test.zip: Oversized.Zip FOUND

I've googled bits and pieces together and am pretty sure it's a flaw in
ClamAV.
Some dubious solutions are presented, by hacking sourcecode of
libclamav, but
I've decided to disable clamav for a while (on certain servers that is).

If anybody's got better advice, I'd be grateful :)

Kind regards,
Erik van der Leun

From evanderleun at hal9000.nl Tue Nov 21 15:12:23 2006
From: evanderleun at hal9000.nl (Erik van der Leun)
Date: Tue Nov 21 15:12:25 2006
Subject: Spam inside images
In-Reply-To: <4572.70.82.58.187.1164121116.squirrel@webmail.privalodc.com>
References: <4572.70.82.58.187.1164121116.squirrel@webmail.privalodc.com>
Message-ID: <45631757.8070609@hal9000.nl>

Gerhard Mourani wrote:
> Hello list,
>
> I would like to know if someone knows how to make MailScanner scan inside
> images for spam. I receive a lot of this kind of new spam now. They are
> inside the image and cannot be detected by spamassassin which checks for
> texts only.
>
> Gerhard,
>
>

1. cd to /etc/mail/spamassassin
2. download the patch file from:
   http://antispam.imp.ch/patches/patch-ocrtext
3. type 'patch < patch-ocrtext'
   This will create two files in your current directory called
   ocrtext.cf and ocrtext.pm
4. Edit v310.pre and add the following lines:

   # OCR - performs Optical Character Recognition on spam images
   #
   loadplugin ocrtext /etc/mail/spamassassin/ocrtext.pm
   loadplugin Mail::SpamAssassin::Timeout

5. Edit the ocrtext.cr file and change the following settings:

   ## This points to your gocr binary not just the path. Try 'which gocr'.
   gocr_path /usr/local/bin/gocr
   ## This is JUST the path to your pnm binarys ( i.e. pngtopnm, giftopnm, jpegtopnm )
   pnmtools_path /usr/bin

6. Run spamassassin -D --lint and check for errors.

If all went well restart spamassassin or force it to reread its config
however you would on your system.

Then try typing something like 'tail -f /var/log/mail.log | grep
SPAMPIC_ALPHA', on a high volume server you should see some rules
matching after a few minutes. If so then you are OCR'ing the images!

From rob at robhq.com Tue Nov 21 15:16:50 2006
From: rob at robhq.com (Rob Freeman)
Date: Tue Nov 21 15:17:06 2006
Subject: stock spam
Message-ID: <000601c70d80$13936430$3aba2c90$@com>

We are getting some spam that seems to be skipped by MailScanner and
spamassassin. Mainly stock junk email. I am now having to write custom
rules in the spam.assassin.prefs.conf file, but this is after they have
been delivered to some people. I tried custom rules that I have seen on
the list to block out image spams:

uri IE_VULN /%([01][0-9a-f]|7f).*@/i
score IE_VULN 100.0
describe IE_VULN Internet Explorer vulnerability

full CRF_GIF_ATTACH /name=\"?[0-9a-z._\-]{3,18}\.gif\"?/i
describe CRF_GIF_ATTACH Email has a inline gif
score CRF_GIF_ATTACH 3.25

full CRF_PNG_ATTACH /name=\"?[0-9a-z._\-]{3,18}\.png\"?/i
describe CRF_PNG_ATTACH Email has a inline png
score CRF_PNG_ATTACH 3.25

This catches most of the image spam, but getting a lot of stock spam. I
am running bayes, with DCC, pyzor, and razor. Some of them still get
through though. It is almost like spamassassin rules are not run against
some emails.

This is MailScanner version 4.56.8
Module versions are:
1.00 AnyDBM_File
1.16 Archive::Zip
1.03 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.73 File::Basename
2.08 File::Copy
2.01 FileHandle
1.06 File::Path
0.14 File::Temp
0.78 Filesys::Df
1.35 HTML::Entities
3.54 HTML::Parser
2.37 HTML::TokeParser
1.21 IO
1.10 IO::File
1.123 IO::Pipe
1.74 Mail::Header
3.05 MIME::Base64
5.420 MIME::Decoder
5.420 MIME::Decoder::UU
5.420 MIME::Head
5.420 MIME::Parser
3.03 MIME::QuotedPrint
5.420 MIME::Tools
0.11 Net::CIDR
1.08 POSIX
1.77 Socket
1.4 Sys::Hostname::Long
0.18 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime

Optional module versions are:
0.17 Convert::TNEF
1.814 DB_File
1.13 DBD::SQLite
1.50 DBI
1.15 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.10 Digest::SHA1
0.44 Inline
0.17 Mail::ClamAV
3.001007 Mail::SpamAssassin
1.999001 Mail::SPF::Query
0.20 Net::CIDR::Lite
1.24 Net::IP
0.57 Net::DNS
0.32 Net::LDAP
1.94 Parse::RecDescent
missing SAVI
2.56 Test::Harness
0.47 Test::Simple
1.95 Text::Balanced
1.35 URI

SpamAssassin rules:

70_sare_adult.cf
70_sare_bayes_poison_nxm.cf
70_sare_evilnum0.cf
70_sare_genlsubj0.cf
70_sare_genlsubj1.cf
70_sare_header0.cf
70_sare_header1.cf
70_sare_html0.cf
70_sare_html1.cf
70_sare_html.cf
70_sare_obfu.cf
70_sare_oem.cf
70_sare_random.cf
70_sare_specific.cf
70_sare_spoof.cf
70_sare_stocks.cf
70_sare_unsub.cf
70_sare_uri0.cf
72_sare_bml_post25x.cf
72_sare_redirect_post3.0.0.cf
88_FVGT_body.cf
88_FVGT_headers.cf
88_FVGT_rawbody.cf
88_FVGT_subject.cf
88_FVGT_uri.cf
99_FVGT_meta.cf
99_FVGT_Tripwire.cf
99_sare_fraud_post25x.cf

Example email:

Stocks Quotes in attachement
Impose rational academic reputation rid societies. Kicked Programand camps incentive defections. Paragraph replaces lesser evilsin? Build maintain places publish literature Recognises. Partner in Taizhou Evening wu Xianghu beating in yearold stormed in offices! Singapore Germany or Austria buys about things.

How can I slap these stock emails upside the head?

Thanks
Rob

From drew at technologytiger.net Tue Nov 21 15:18:03 2006
From: drew at technologytiger.net (Drew Marshall)
Date: Tue Nov 21 15:18:12 2006
Subject: log is flotting with messages
In-Reply-To: <223f97700611210640h7913ed78sfe14df85b83a4e5d@mail.gmail.com>
References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061118235349.1dpw454bc4cgcg84@www.intranet> <223f97700611190239w7d1e50c9r29aff7f0e00a29e5@mail.gmail.com> <20061119155532.mgm4oiwzk044wk84@www.intranet> <223f97700611191312g1058bc0crd5b1d725d6597965@mail.gmail.com> <20061120200043.u8ltl9ed4wg4swko@www.intranet> <223f97700611210112s316b0b3oef52e6efdd0fe5e9@mail.gmail.com> <50873.194.70.180.170.1164117903.squirrel@www.technologytiger.net> <223f97700611210640h7913ed78sfe14df85b83a4e5d@mail.gmail.com>
Message-ID: <51192.194.70.180.170.1164122283.squirrel@www.technologytiger.net>

On Tue, November 21, 2006 14:40, Glenn Steen wrote:
>> Good grief this thread is hard to follow with posts after sigs
>> and all sorts ;-)
>
> And we're helping?:-)

No, but it adds to the fun :-)

>> >
> Thanks for removing the only really worthwhile advice there (namely
> checking the ownership of the actual cache SQLite db file;-).

Oops, far too excited with the delete button. Sorry :-(

>> rpm -qil nss_ldap is very likely it.

Nice!

> Unless one needs that module (ie is using ldap for
> authentication), I'm pretty certain one can live without it.
> It might be a wrong config in /etc/ldap.conf, for all I know:-).

Quite. I really am not sure why it's there or being called but then I am
still a long way off any form of writer of perl leave alone taking apart
MS or SA.

Drew

From mailscanner at yeticomputers.com Tue Nov 21 15:27:08 2006
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Tue Nov 21 15:27:21 2006
Subject: blocking mp3 files
In-Reply-To: <20061121090939.90713.qmail@web8324.mail.in.yahoo.com>
References: <20061121090939.90713.qmail@web8324.mail.in.yahoo.com>
Message-ID: <45631ACC.6050708@yeticomputers.com>

vinay poojary wrote:
> i want to block mp3 files .
> I have added the same in the filename.rules.conf and the files are
> getting blocked but people started to rename the extension and sending
> it .Is there any way i could add the extension in the
> filetype.rules.conf file .

As long as you have the correct information on the "File Command =" line
in your mailscanner configuration, it should be as simple as adding a
line like:

deny	MP3	No mp3s	No MP3 files allowed

into your filetype.rules.conf file. The file command is usually
"/usr/bin/file", but it might be different on your distribution. Try
"which file" to find it on your system.

Rick

From clacroix at cegep-ste-foy.qc.ca Tue Nov 21 15:32:50 2006
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix)
Date: Tue Nov 21 15:32:54 2006
Subject: ClamAV || Oversized.zip
In-Reply-To: <4563172E.4090904@hal9000.nl>
References: <4563172E.4090904@hal9000.nl>
Message-ID: <200611211032.50978.clacroix@cegep-ste-foy.qc.ca>

On Tuesday 21 November 2006 10:11, Erik van der Leun wrote:
> Hi,
>
> A ClamAV feature to protect against DoS alike attacks checking filesizes
> and such
> in zipfiles, creates this message, causing attachments to end up in the
> quarantine,
> although all other scanners claim the attachment is harmless...
>
> # clamscan test.zip
> test.zip: Oversized.Zip FOUND
>
> I've googled bits and pieces together and am pretty sure it's a flaw in
> ClamAV.
> Some dubious solutions are presented, by hacking sourcecode of
> libclamav, but
> I've decided to disable clamav for a while (on certain servers that is).
>
> If anybody's got better advice, I'd be grateful :)
>
> Kind regards,
> Erik van der Leun

Hi,

i would check this in clamd.conf

# If a file in an archive is compressed more than ArchiveMaxCompressionRatio
# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)
# Value of 0 disables the limit.
# Default: 250
#ArchiveMaxCompressionRatio 300

Just bump it up enough to get your file to scan correctly or disable it.

--
Charles Lacroix, Administrateur UNIX.
Service des télécommunications et des technologies
Cégep de Sainte-Foy (418) 659-6600 # 4266

From evanderleun at hal9000.nl Tue Nov 21 15:44:04 2006
From: evanderleun at hal9000.nl (Erik van der Leun)
Date: Tue Nov 21 15:45:05 2006
Subject: ClamAV || Oversized.zip
In-Reply-To: <200611211032.50978.clacroix@cegep-ste-foy.qc.ca>
References: <4563172E.4090904@hal9000.nl> <200611211032.50978.clacroix@cegep-ste-foy.qc.ca>
Message-ID: <45631EC4.7080604@hal9000.nl>

Charles Lacroix wrote:
> On Tuesday 21 November 2006 10:11, Erik van der Leun wrote:
>
>> Hi,
>>
>> A ClamAV feature to protect against DoS alike attacks checking filesizes
>> and such
>> in zipfiles, creates this message, causing attachments to end up in the
>> quarantine,
>> although all other scanners claim the attachment is harmless...
>>
>> # clamscan test.zip
>> test.zip: Oversized.Zip FOUND
>>
>> I've googled bits and pieces together and am pretty sure it's a flaw in
>> ClamAV.
>> Some dubious solutions are presented, by hacking sourcecode of
>> libclamav, but
>> I've decided to disable clamav for a while (on certain servers that is).
>>
>> If anybody's got better advice, I'd be grateful :)
>>
>> Kind regards,
>> Erik van der Leun
>>
>
> Hi,
>
> i would check this in clamd.conf
>
>
> # If a file in an archive is compressed more than ArchiveMaxCompressionRatio
> # times it will be marked as a virus (Oversized.ArchiveType, e.g.
> Oversized.Zip)
> # Value of 0 disables the limit.
> # Default: 250
> #ArchiveMaxCompressionRatio 300
>
> Just bump it up enough to get your file to scan correctly or disable it.
>
>

Oops, sorry, should have told that... I disabled the setting by setting
it to 0 and it didn't make any difference..

From mike at vesol.com Tue Nov 21 15:52:33 2006
From: mike at vesol.com (Mike Kercher)
Date: Tue Nov 21 15:54:10 2006
Subject: Spam inside images
In-Reply-To: <45631757.8070609@hal9000.nl>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Erik van der Leun
> Sent: Tuesday, November 21, 2006 9:12 AM
> To: MailScanner discussion
> Subject: Re: Spam inside images
>
> Gerhard Mourani wrote:
> > Hello list,
> >
> > I would like to know if someone knows how to make MailScanner scan
> > inside images for spam. I receive a lot of this kind of new spam now.
> > They are inside the image and cannot be detected by
> spamassassin which
> > checks for texts only.
> >
> > Gerhard,
> >
> >
> 1. cd to /etc/mail/spamassassin
> 2. download the patch file from:
> http://antispam.imp.ch/patches/patch-ocrtext
> 3. type 'patch < patch-ocrtext'
> This will create two files in your current directory called
> ocrtext.cf and ocrtext.pm
> 4. Edit v310.pre and add the following lines:
>
> # OCR - performs Optical Character Recognition on spam images
> #
> loadplugin ocrtext /etc/mail/spamassassin/ocrtext.pm
> loadplugin Mail::SpamAssassin::Timeout
>
> 5. Edit the ocrtext.cr file and change the following settings:
>
> ## This points to your gocr binary not just the path. Try
> 'which gocr'.
> gocr_path /usr/local/bin/gocr
> ## This is JUST the path to your pnm binarys ( i.e.
> pngtopnm, giftopnm,
> jpegtopnm )
> pnmtools_path /usr/bin
>
> 6. Run spamassassin -D --lint and check for errors.
>
> If all went well restart spamassassin or force it to
> reread its config
> however you would on your system.
>
> Then try typing something like 'tail -f /var/log/mail.log | grep
> SPAMPIC_ALPHA', on a high volume server you should see some rules
> matching after a few minutes. If so then you are OCR'ing
> the images!
>
> --

I followed these instructions and can't get around:

(Can't locate object method "ocrtext_eval" via package
"Mail::SpamAssassin::PerMsgStatus" at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2638.

Thoughts?

Mike

From prandal at herefordshire.gov.uk Tue Nov 21 15:46:12 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Nov 21 15:56:27 2006
Subject: Spam inside images
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B5810BA677D@isabella.herefordshire.gov.uk>

First, get yourself up to date and running an sa-update'd spamassassin 3.1.7

Add the sare rules (especially sare stocks) from www.rulesemporium.com

Fred's header rules help too.

Add the ImageInfo plugin from http://www.rulesemporium.com/plugins.htm too.

These will all help push up Spamassassin scores to obviate the need for
FuzzyOcr.

Then install FuzzyOcr 3.4.2 from http://fuzzyocr.own-hero.net/ with all
its dependencies. You'll need ocrad as well.

You will need to set focr_autodisable_score in FuzzyOcr.cf to a suitable
value so that FuzzyOcr doesn't attempt to scan emails already scored as
spam.

To catch the latest "artistic" stock spams you'll need to add the scanset

    $ocrad -s5 -i $pfile

in FuzzyOcr.cf

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Gerhard Mourani
> Sent: 21 November 2006 14:59
> To: mailscanner@lists.mailscanner.info
> Subject: Spam inside images
>
> Hello list,
>
> I would like to know if someone knows how to make MailScanner
> scan inside
> images for spam. I receive a lot of this kind of new spam now. They are
> inside the image and cannot be detected by spamassassin which checks for
> texts only.
>
> Gerhard,
>

From evanderleun at hal9000.nl Tue Nov 21 15:56:36 2006
From: evanderleun at hal9000.nl (Erik van der Leun)
Date: Tue Nov 21 15:56:38 2006
Subject: ClamAV || Oversized.zip
In-Reply-To: <200611211032.50978.clacroix@cegep-ste-foy.qc.ca>
References: <4563172E.4090904@hal9000.nl> <200611211032.50978.clacroix@cegep-ste-foy.qc.ca>
Message-ID: <456321B4.1020304@hal9000.nl>

Charles Lacroix wrote:
> On Tuesday 21 November 2006 10:11, Erik van der Leun wrote:
>
>> Hi,
>>
>> A ClamAV feature to protect against DoS alike attacks checking filesizes
>> and such
>> in zipfiles, creates this message, causing attachments to end up in the
>> quarantine,
>> although all other scanners claim the attachment is harmless...
>>
>> # clamscan test.zip
>> test.zip: Oversized.Zip FOUND
>>
>> I've googled bits and pieces together and am pretty sure it's a flaw in
>> ClamAV.
>> Some dubious solutions are presented, by hacking sourcecode of
>> libclamav, but
>> I've decided to disable clamav for a while (on certain servers that is).
>>
>> If anybody's got better advice, I'd be grateful :)
>>
>> Kind regards,
>> Erik van der Leun
>>
>
> Hi,
>
> i would check this in clamd.conf
>
>
> # If a file in an archive is compressed more than ArchiveMaxCompressionRatio
> # times it will be marked as a virus (Oversized.ArchiveType, e.g.
> Oversized.Zip)
> # Value of 0 disables the limit.
> # Default: 250
> #ArchiveMaxCompressionRatio 300
>
> Just bump it up enough to get your file to scan correctly or disable it.
>
>

Sorry for bothering y'all :) using --max-ratio within MailScanner does
what I hoped for :)

Thanks for thinking along though

From andy at tireswing.net Tue Nov 21 16:32:32 2006
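Added example for the Oversized.Zip thread above (not code from any poster or from ClamAV): a Python check that lists each archive member's compression ratio from the ZIP central directory, so you can see which member trips the limit and how far a ratio limit would have to be raised. Treating uncompressed size divided by compressed size as the measured ratio is an assumption about how the scanner computes it; the sample archive is constructed.

```python
import io
import math
import zipfile

# Default limit quoted from clamd.conf in the thread (ArchiveMaxCompressionRatio).
DEFAULT_MAX_RATIO = 250


def member_ratios(zip_bytes):
    """Return (name, uncompressed_size, compressed_size, ratio) per member.

    Sizes are read from the central directory, so nothing is decompressed.
    """
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.compress_size == 0:
                # An empty member cannot expand. A non-empty member claiming
                # zero compressed bytes is malformed: rank it above any limit.
                ratio = 0.0 if info.file_size == 0 else float("inf")
            else:
                ratio = info.file_size / info.compress_size
            rows.append((info.filename, info.file_size, info.compress_size, ratio))
    return rows


def oversized_members(zip_bytes, max_ratio=DEFAULT_MAX_RATIO):
    """Names of members whose ratio exceeds max_ratio (0 disables the check)."""
    if max_ratio == 0:
        return []
    return [name for name, _, _, ratio in member_ratios(zip_bytes) if ratio > max_ratio]


def smallest_passing_limit(zip_bytes):
    """Smallest integer limit that flags nothing, or None if no limit can."""
    worst = max((ratio for *_, ratio in member_ratios(zip_bytes)), default=0.0)
    return None if math.isinf(worst) else math.ceil(worst)


def build_sample_zip():
    """Constructed sample: an ordinary text file plus a zero-filled log."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Quarterly report, see attached figures.\n" * 20)
        zf.writestr("padding.log", b"\0" * 5_000_000)
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample_zip()
    for name, size, csize, ratio in member_ratios(data):
        flag = "OVER" if ratio > DEFAULT_MAX_RATIO else "ok"
        print(f"{name:12} {size:>9} -> {csize:>6} bytes  ratio {ratio:8.1f}  {flag}")
    print("smallest limit that passes:", smallest_passing_limit(data))
```

A legitimate archive that holds sparse or zero-padded files fails a limit of 250 easily, which is why the choice is between raising the limit for the scanner invocation that is actually in use and accepting the quarantine.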
From: andy at tireswing.net (Andy Norris)
Date: Tue Nov 21 16:32:53 2006
Subject: whitelisted? But where???
Message-ID: <6.2.3.4.2.20061121102625.02f44728@mail.finedaycoming.com>

Hi Gang,

Once in a while a spam gets in with a high score ... because it's
whitelisted:

X-TireSwing-Spam: not spam (whitelisted), SpamAssassin (not cached,
 score=29.493, required 5, autolearn=spam, BAYES_50 0.00,
 FROM_LOCAL_NOVOWEL 2.86, HELO_DYNAMIC_HCC 4.10,
 HELO_DYNAMIC_IPADDR2 3.82, HELO_DYNAMIC_SPLIT_IP 2.19,
 HTML_50_60 0.13, HTML_MESSAGE 0.00, RAZOR2_CF_RANGE_51_100 0.50,
 RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
 RAZOR2_CHECK 0.50, RCVD_FORGED_WROTE 2.80, RCVD_NUMERIC_HELO 1.50,
 SPAMMY_XMAILER 1.00, URIBL_BLACK 3.00, URIBL_JP_SURBL 4.09)
X-TireSwing-From: akstcaxtelmnsdgs@axtel.net

I hate to ask, but does anyone else seem to have this particular
problem? I've checked the usual suspects, as far as files go, but don't
know where it's pulling this from.

I will search my disk for "axtel.net"... But *I* wouldn't have put it
there!

Thanks,
Andy

From mike at vesol.com Tue Nov 21 16:35:31 2006
From: mike at vesol.com (Mike Kercher)
Date: Tue Nov 21 16:36:44 2006
Subject: Spam inside images
In-Reply-To:
Message-ID:

> >
> > --
>
> I followed these instructions and can't get around:
>
> (Can't locate object method "ocrtext_eval" via package
> "Mail::SpamAssassin::PerMsgStatus" at
> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.
> pm line 2638.
>
> Thoughts?
>
> Mike
>

Nevermind...I was missing a couple of perl modules.

Mike

From mkettler at evi-inc.com Tue Nov 21 17:07:52 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Nov 21 17:08:19 2006
Subject: whitelisted? But where???
In-Reply-To: <6.2.3.4.2.20061121102625.02f44728@mail.finedaycoming.com>
References: <6.2.3.4.2.20061121102625.02f44728@mail.finedaycoming.com>
Message-ID: <45633268.3070204@evi-inc.com>

Andy Norris wrote:
>
> Hi Gang,
>
> Once in a while a spam gets in with a high score ... because it's
> whitelisted:
>
> X-TireSwing-Spam: not spam (whitelisted), SpamAssassin (not cached,
> score=29.493, required 5, autolearn=spam, BAYES_50 0.00,
> X-TireSwing-From: akstcaxtelmnsdgs@axtel.net
>
>
> I hate to ask, but does anyone else seem to have this particular
> problem? I've checked the usual suspects, as far as files go, but don't
> know where it's pulling this from.
>
> I will search my disk for "axtel.net"... But *I* wouldn't have put it
> there!

Interesting.. It's definitely whitelisted at the MailScanner level.

Check the file pointed to the "Is Definitely Not Spam" setting in your
mailscanner.conf.. Perhaps one of the recipients is whitelisted?

From leah at frauerpower.com Tue Nov 21 17:08:27 2006
From: leah at frauerpower.com (Leah Kubik)
Date: Tue Nov 21 17:08:29 2006
Subject: Use MailScanner and Spamassassin spamd
Message-ID: <200611211208.27907.leah@frauerpower.com>

I am wondering if it might be possible to run spamd on a server that is
running MailScanner and not have major issues? Has anyone done this
before?

The goal is for people who have mail clients with plugins that can talk
directly to spamd to be able to do so so that they can easily add their
own marked SPAM and HAM messages. I am under the impression that
MailScanner does not fully run the spamd, so there is nothing to talk
to...

Any ideas on this one?

Thanks,
Leah

--
Leah Kubik : d416-585-9971x692 : d416-703-5977 : m416-559-6511
Frauerpower! Co. : www.frauerpower.com : Toronto, ON Canada

From redhat at techspace.nl Tue Nov 21 17:12:55 2006
From: redhat at techspace.nl (redhat@techspace.nl)
Date: Tue Nov 21 17:13:23 2006
Subject: log is flotting with messages
In-Reply-To:
References: <20061117232222.he2i3uhkysw0k4cc@www.intranet>
Message-ID: <20061121181255.4tkj4b7i8484osgg@www.intranet>

Ok now it's getting messy

system fedora core 6 with ldap samba postfix dovecot pureftpd etc.

on the command as user postfix
MailScanner --debug --debug-sa
last few lines:
[3037] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[3037] dbg: config: read file /etc/mail/spamassassin/local.cf
[3037] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
perl: ldap-nss.c:1312: do_init: Bewering `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' mislukt.
Geannuleerd

command as user postfix
spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
last few lines:
[3037] dbg: config: read file /etc/mail/spamassassin/local.cf
[3037] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
perl: ldap-nss.c:1312: do_init: Bewering `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' mislukt.
Geannuleerd

it's the same.

user 89 = postfix
owner and group of the file /var/spool/MailScanner/incoming/SpamAssassin.cache.db =postfix

cache SQLite db file are there more than this one??

nss_ldap is needed because i'm using ldap for user information user passw
and more except users as postfix clam local daemons.

do i need to configure mailscanner to search in ldap for users??

the system is already running using ldap what could mailscanner want to
look for in ldap?.

anyone mayday need to get more coffee!!!!.

jasper

From mkettler at evi-inc.com Tue Nov 21 17:17:04 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Nov 21 17:17:28 2006
Subject: Use MailScanner and Spamassassin spamd
In-Reply-To: <200611211208.27907.leah@frauerpower.com>
References: <200611211208.27907.leah@frauerpower.com>
Message-ID: <45633490.7090109@evi-inc.com>

Leah Kubik wrote:
> I am wondering if it might be possible to run spamd on a server that is
> running MailScanner and not have major issues?

Why? It would be considerably slower.

MailScanner uses SA at the API level (ie: Mail::SpamAssassin), and does
so on a persistent basis, therefore it acts as its own spamd. Calling an
external process would be considerably slower.

The usual 'use spamd instead of spamassassin' applies only to folks
using the spamassassin commandline script. MailScanner uses neither and
directly loads a Mail::SpamAssassin instance into its own process space.

From andy at tireswing.net Tue Nov 21 17:28:53 2006
From: andy at tireswing.net (Andy Norris)
Date: Tue Nov 21 17:29:15 2006
Subject: whitelisted? But where???
In-Reply-To: <45633268.3070204@evi-inc.com>
References: <6.2.3.4.2.20061121102625.02f44728@mail.finedaycoming.com> <45633268.3070204@evi-inc.com>
Message-ID: <6.2.3.4.2.20061121112341.02e76910@mail.tireswing.net>

At 11:07 am 2006-11-21, you wrote:
>Interesting.. It's definitely whitelisted at the MailScanner level.
>
>Check the file pointed to the "Is Definitely Not Spam" setting in your
>mailscanner.conf.. Perhaps one of the recipients is whitelisted?
>
>--

Thanks Matt,

Unless they BCC'd some others (and had a pretty good idea who was on my
whitelist), I'm the only recipient.

Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules

And in there is just stuff I've put in there for pesky, whiny, pampered
users.

Still flustered,
Andy

From martinh at solidstatelogic.com Tue Nov 21 17:31:45 2006
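Added example for the "whitelisted? But where???" thread above (not code from any poster or from MailScanner): a Python audit that parses spam-check headers in the format Andy posted, reports messages marked "(whitelisted)" whose score still reached the required threshold, and counts the sender domains and recipients they share, which are the strings worth searching for in the whitelist rules file. The header names are the ones in Andy's post and differ per site; the sample messages are constructed, with only the first reusing values quoted in the thread (rule list shortened).

```python
import re
from collections import Counter
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?),\s*required\s+(-?\d+(?:\.\d+)?)")
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]+)\s+(-?\d+\.\d+)")

# Constructed sample messages.
SAMPLE_MESSAGES = [
    "X-TireSwing-Spam: not spam (whitelisted), SpamAssassin (not cached,\n"
    " score=29.493, required 5, autolearn=spam, BAYES_50 0.00,\n"
    " HELO_DYNAMIC_HCC 4.10, URIBL_BLACK 3.00, URIBL_JP_SURBL 4.09)\n"
    "X-TireSwing-From: akstcaxtelmnsdgs@axtel.net\n"
    "To: andy@example.org\nSubject: sample 1\n\nbody\n",
    "X-TireSwing-Spam: not spam (whitelisted), SpamAssassin (not cached,\n"
    " score=0.5, required 5, HTML_MESSAGE 0.00)\n"
    "X-TireSwing-From: newsletter@example.com\n"
    "To: user@example.org\nSubject: sample 2\n\nbody\n",
    "X-TireSwing-Spam: spam, SpamAssassin (not cached, score=12.1,\n"
    " required 5, URIBL_BLACK 3.00)\n"
    "X-TireSwing-From: junk@example.net\n"
    "To: user@example.org\nSubject: sample 3\n\nbody\n",
    "X-TireSwing-Spam: not spam (whitelisted), SpamAssassin (not cached,\n"
    " score=8.2, required 5, RCVD_NUMERIC_HELO 1.50, URIBL_BLACK 3.00)\n"
    "X-TireSwing-From: offers@example.net\n"
    "To: andy@example.org\nSubject: sample 4\n\nbody\n",
]


def parse_spam_header(value):
    """Parse one spam-check header value; None if it carries no score."""
    flat = " ".join(value.split())  # undo header folding
    match = SCORE_RE.search(flat)
    if match is None:
        return None
    return {
        "whitelisted": "(whitelisted)" in flat,
        "score": float(match.group(1)),
        "required": float(match.group(2)),
        "rules": {name: float(points) for name, points in RULE_RE.findall(flat)},
    }


def whitelist_overrides(raw_messages, spam_header="X-TireSwing-Spam",
                        from_header="X-TireSwing-From"):
    """Messages delivered as whitelisted although score >= required."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=default)
        value = msg.get(spam_header)
        parsed = parse_spam_header(str(value)) if value is not None else None
        if not parsed or not parsed["whitelisted"]:
            continue
        if parsed["score"] < parsed["required"]:
            continue
        to_values = [str(v) for v in msg.get_all("To", [])]
        ranked = sorted(parsed["rules"].items(), key=lambda kv: kv[1], reverse=True)
        findings.append({
            "sender": str(msg.get(from_header, "")).strip().lower(),
            "recipients": sorted(a.lower() for _, a in getaddresses(to_values) if a),
            "score": parsed["score"],
            "required": parsed["required"],
            "top_rules": ranked[:3],
        })
    return findings


def grep_candidates(findings):
    """Sender domains and recipients shared by the findings, most common first."""
    counts = Counter()
    for item in findings:
        counts[item["sender"].rpartition("@")[2]] += 1
        counts.update(item["recipients"])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = whitelist_overrides(SAMPLE_MESSAGES)
    for hit in hits:
        print(hit["sender"], hit["recipients"], hit["score"], hit["top_rules"])
    print(grep_candidates(hits))
```

In the constructed data the recipient address is the only value common to both overrides, the pattern that would point at a recipient-side whitelist entry rather than a sender entry.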
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Nov 21 17:32:08 2006
Subject: stock spam
In-Reply-To: <000601c70d80$13936430$3aba2c90$@com>
References: <000601c70d80$13936430$3aba2c90$@com>
Message-ID: <45633801.40901@solidstatelogic.com>

Rob Freeman wrote:
> We are getting some spam that seems to be skipped by MailScanner and
> SpamAssassin. Mainly stock junk email. I am now having to write custom
> rules in the spam.assassin.prefs.conf file, but this is after they have
> been delivered to some people. I tried custom rules that I have seen on
> the list to block out image spams:
>
> uri IE_VULN /%([01][0-9a-f]|7f).*@/i
> score IE_VULN 100.0
> describe IE_VULN Internet Explorer vulnerability
>
> full CRF_GIF_ATTACH /name=\"?[0-9a-z._\-]{3,18}\.gif\"?/i
> describe CRF_GIF_ATTACH Email has a inline gif
> score CRF_GIF_ATTACH 3.25
>
> full CRF_PNG_ATTACH /name=\"?[0-9a-z._\-]{3,18}\.png\"?/i
> describe CRF_PNG_ATTACH Email has a inline png
> score CRF_PNG_ATTACH 3.25
>
> This catches most of the image spam, but getting a lot of stock spam. I
> am running bayes, with DCC, pyzor, and razor. Some of them still get
> through though. It is almost like SpamAssassin rules are not run against
> some emails.
>
> This is MailScanner version 4.56.8
> Module versions are:
> 1.00 AnyDBM_File
> 1.16 Archive::Zip
> 1.03 Carp
> 1.119 Convert::BinHex
> 1.00 DirHandle
> 1.05 Fcntl
> 2.73 File::Basename
> 2.08 File::Copy
> 2.01 FileHandle
> 1.06 File::Path
> 0.14 File::Temp
> 0.78 Filesys::Df
> 1.35 HTML::Entities
> 3.54 HTML::Parser
> 2.37 HTML::TokeParser
> 1.21 IO
> 1.10 IO::File
> 1.123 IO::Pipe
> 1.74 Mail::Header
> 3.05 MIME::Base64
> 5.420 MIME::Decoder
> 5.420 MIME::Decoder::UU
> 5.420 MIME::Head
> 5.420 MIME::Parser
> 3.03 MIME::QuotedPrint
> 5.420 MIME::Tools
> 0.11 Net::CIDR
> 1.08 POSIX
> 1.77 Socket
> 1.4 Sys::Hostname::Long
> 0.18 Sys::Syslog
> 1.86 Time::HiRes
> 1.02 Time::localtime
>
> Optional module versions are:
> 0.17 Convert::TNEF
> 1.814 DB_File
> 1.13 DBD::SQLite
> 1.50 DBI
> 1.15 Digest
> 1.01 Digest::HMAC
> 2.36 Digest::MD5
> 2.10 Digest::SHA1
> 0.44 Inline
> 0.17 Mail::ClamAV
> 3.001007 Mail::SpamAssassin
> 1.999001 Mail::SPF::Query
> 0.20 Net::CIDR::Lite
> 1.24 Net::IP
> 0.57 Net::DNS
> 0.32 Net::LDAP
> 1.94 Parse::RecDescent
> missing SAVI
> 2.56 Test::Harness
> 0.47 Test::Simple
> 1.95 Text::Balanced
> 1.35 URI
>
> SpamAssassin rules:
>
> 70_sare_adult.cf
> 70_sare_bayes_poison_nxm.cf
> 70_sare_evilnum0.cf
> 70_sare_genlsubj0.cf
> 70_sare_genlsubj1.cf
> 70_sare_header0.cf
> 70_sare_header1.cf
> 70_sare_html0.cf
> 70_sare_html1.cf
> 70_sare_html.cf
> 70_sare_obfu.cf
> 70_sare_oem.cf
> 70_sare_random.cf
> 70_sare_specific.cf
> 70_sare_spoof.cf
> 70_sare_stocks.cf
> 70_sare_unsub.cf
> 70_sare_uri0.cf
> 72_sare_bml_post25x.cf
> 72_sare_redirect_post3.0.0.cf
> 88_FVGT_body.cf
> 88_FVGT_headers.cf
> 88_FVGT_rawbody.cf
> 88_FVGT_subject.cf
> 88_FVGT_uri.cf
> 99_FVGT_meta.cf
> 99_FVGT_Tripwire.cf
> 99_sare_fraud_post25x.cf
>
> Example email:
>
> Stocks Quotes in attachement
>
> Impose rational academic reputation rid societies.
> Kicked Programand camps incentive defections.
> Paragraph replaces lesser evilsin?
> Build maintain places publish literature Recognises.
> Partner in Taizhou Evening wu Xianghu beating in yearold stormed in offices!
> Singapore Germany or Austria buys about things.
>
> How can I slap these stock emails upside the head?
>
> Thanks
>
> Rob
>

check you've got the latest SA (3.1.7) AND the SARE_Stock and Fred's rules from www.rulesemporium.com

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.

This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.

**********************************************************************

From martinh at solidstatelogic.com Tue Nov 21 17:33:01 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Tue Nov 21 17:33:35 2006
Subject: Spam inside images
In-Reply-To: <4572.70.82.58.187.1164121116.squirrel@webmail.privalodc.com>
References: <4572.70.82.58.187.1164121116.squirrel@webmail.privalodc.com>
Message-ID: <4563384D.6010004@solidstatelogic.com>

Gerhard Mourani wrote:
> Hello list,
>
> I would like to know if someone knows how to make MailScanner scan inside
> images for spam. I receive a lot of this kind of new spam now. They are
> inside the image and cannot be detected by SpamAssassin, which checks for
> text only.
>
> Gerhard,
>

Hi

check you've got the latest SA version (3.1.7) and the SARE_stock along with freds' rules from www.rulesemporium.com.

this should drive these above a score of 5 at least...

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From luisj_ramos at yahoo.com Tue Nov 21 17:41:35 2006
From: luisj_ramos at yahoo.com (Luis Ramos)
Date: Tue Nov 21 17:41:39 2006
Subject: Spam inside images
Message-ID: <20061121174135.27891.qmail@web38803.mail.mud.yahoo.com>

How did you fix it? I got the same error. Which modules are missing?

----- Original Message ----
From: Mike Kercher
To: MailScanner discussion
Sent: Tuesday, November 21, 2006 11:35:31 AM
Subject: RE: Spam inside images

> >
> > --
> > I followed these instructions and can't get around:
> >
> > (Can't locate object method "ocrtext_eval" via package
> "Mail::SpamAssassin::PerMsgStatus" at
> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.
> pm line 2638.
> >
> > Thoughts?
> >
> > Mike
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Nevermind...I was missing a couple of perl modules.

Mike

From dave.list at pixelhammer.com Tue Nov 21 17:43:58 2006
From: dave.list at pixelhammer.com (DAve)
Date: Tue Nov 21 17:44:08 2006
Subject: whitelisted? But where???
In-Reply-To: <6.2.3.4.2.20061121112341.02e76910@mail.tireswing.net>
References: <6.2.3.4.2.20061121102625.02f44728@mail.finedaycoming.com> <45633268.3070204@evi-inc.com> <6.2.3.4.2.20061121112341.02e76910@mail.tireswing.net>
Message-ID: <45633ADE.6000905@pixelhammer.com>

Andy Norris wrote:
>
> At 11:07 am 2006-11-21, you wrote:
>> Interesting.. It's definitely whitelisted at the MailScanner level.
>>
>> Check the file pointed to the "Is Definitely Not Spam" setting in your
>> mailscanner.conf.. Perhaps one of the recipients is whitelisted?
>>
>> \
>> --
>
> Thanks Matt,
>
> Unless they BCC'd some others (and had a pretty good idea who was on my
> whitelist), I'm the only recipient.
>
> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
>
> And in there is just stuff I've put in there for pesky, whiny, pampered
> users.
>
> Still flustered,
>
> Andy

If you run the message through SpamAssassin alone does it still get whitelisted?

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.

From leah at frauerpower.com Tue Nov 21 18:09:27 2006
From: leah at frauerpower.com (Leah Kubik)
Date: Tue Nov 21 18:09:31 2006
Subject: Use MailScanner and Spamassassin spamd
In-Reply-To: <45633490.7090109@evi-inc.com>
References: <200611211208.27907.leah@frauerpower.com> <45633490.7090109@evi-inc.com>
Message-ID: <200611211309.27372.leah@frauerpower.com>

On Tuesday 21 November 2006 12:17, Matt Kettler wrote:
> Leah Kubik wrote:
> > I am wondering if it might be possible to run spamd on a server that is
> > running MailScanner and not have major issues?
>
> Why? it would be considerably slower.

The reason being so that people could use applications to talk to spamd over TCP from their mail clients to further manage their Bayesian filters...

> MailScanner uses SA at the API level (ie: Mail::SpamAssassin), and does so
> on a persistent basis, therefore it acts as its own spamd. Calling an
> external process would be considerably slower.

I do understand that, but I don't believe that it's listening for outside requests the way that spamd does, therefore, the question of if it would be possible to both run MailScanner and to have a listening spamd.

One of my clients is asking if it would be possible to use some of the Outlook plugins for talking to spamd on the server, which is why I am trying to find out if it is just impossible, or maybe possible.

--
Leah Kubik : d416-585-9971x692 : d416-703-5977 : m416-559-6511
Frauerpower! Co. : www.frauerpower.com : Toronto, ON Canada

From joshua.hirsh at partnersolutions.ca Tue Nov 21 18:11:13 2006
From: joshua.hirsh at partnersolutions.ca (Joshua Hirsh)
Date: Tue Nov 21 18:10:59 2006
Subject: OT: RE: pingscript to deal with flakey connections
In-Reply-To:
Message-ID: <0768EC5DB0115C43BF4E84FC8AC17D77534E83@psims002.pshosting.intranet>

Hi Remco,

I don't have a script like this in production, but it isn't very hard to write :-P

Attached is one I just wrote in perl (about 20 minutes). It requires the fping binary to be installed (http://www.fping.com/). This particular version can be set with a threshold level, so you can take your server offline if 4 out of 5 sites are offline.

You'll want to verify that you've removed your hourly cron job to check the status of MailScanner, otherwise it will start itself back up (/etc/cron.hourly/check_MailScanner on my system).

I've only tested this on my workstation, but it seems to run as expected. The standard disclaimer applies.. I wrote it, but take no responsibility for its use or any damage you may incur on your systems from using it. If you like it, great. If you don't, edit it to your liking or just delete it ;-)

Cheers,

-Joshua

-------------- next part --------------
A non-text attachment was scrubbed...
Name: FlakeyDSL.pl
Type: application/octet-stream
Size: 3184 bytes
Desc: FlakeyDSL.pl
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061121/e9c6b315/FlakeyDSL.obj

From mike at vesol.com Tue Nov 21 18:19:23 2006
From: mike at vesol.com (Mike Kercher)
Date: Tue Nov 21 18:20:39 2006
Subject: Spam inside images
In-Reply-To: <20061121174135.27891.qmail@web38803.mail.mud.yahoo.com>
Message-ID:

I had to install String::Approx, Image::ExifTool and Imager via CPAN

Mike

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Luis Ramos
Sent: Tuesday, November 21, 2006 11:42 AM
To: MailScanner discussion
Subject: Re: Spam inside images

How did you fix it? I got the same error. Which modules are missing?

----- Original Message ----
From: Mike Kercher
To: MailScanner discussion
Sent: Tuesday, November 21, 2006 11:35:31 AM
Subject: RE: Spam inside images

> >
> > --
> > I followed these instructions and can't get around:
> >
> > (Can't locate object method "ocrtext_eval" via package
> "Mail::SpamAssassin::PerMsgStatus" at
> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.
> pm line 2638.
> >
> > Thoughts?
> >
> > Mike
>

Nevermind...I was missing a couple of perl modules.

Mike

From mkettler at evi-inc.com Tue Nov 21 18:23:34 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Nov 21 18:24:43 2006
Subject: Use MailScanner and Spamassassin spamd
In-Reply-To: <200611211309.27372.leah@frauerpower.com>
References: <200611211208.27907.leah@frauerpower.com> <45633490.7090109@evi-inc.com> <200611211309.27372.leah@frauerpower.com>
Message-ID: <45634426.3090602@evi-inc.com>

Leah Kubik wrote:
> On Tuesday 21 November 2006 12:17, Matt Kettler wrote:
>> Leah Kubik wrote:
>>> I am wondering if it might be possible to run spamd on a server that is
>>> running MailScanner and not have major issues?
>> Why? it would be considerably slower.
>
> The reason being so that people could use applications to talk to spamd over
> TCP from their mail clients to further manage their Bayesian filters...

Ahh, that should be perfectly fine. SA does have reasonable locks on the bayes DB, so spamd's activities should not interfere with MailScanner..

You'll just have to make sure your bayes_path and bayes_file_mode are set appropriately. (and read the docs carefully, bayes path is NOT a path, and bayes_file_mode is not a mode, it's a positive-logic mask and should include the 'x' bit)

The biggest thing to beware of is that on rare occasion some versions of spamd have been known to wind up chowing the bayes db to nobody, even if started with -u. Therefore it's usually best to use 0777 for bayes_file_mode.

From mkettler at evi-inc.com Tue Nov 21 18:24:40 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Nov 21 18:24:59 2006
Subject: whitelisted? But where???
In-Reply-To: <6.2.3.4.2.20061121112341.02e76910@mail.tireswing.net>
References: <6.2.3.4.2.20061121102625.02f44728@mail.finedaycoming.com> <45633268.3070204@evi-inc.com> <6.2.3.4.2.20061121112341.02e76910@mail.tireswing.net>
Message-ID: <45634468.3060203@evi-inc.com>

Andy Norris wrote:
>
> At 11:07 am 2006-11-21, you wrote:
>> Interesting.. It's definitely whitelisted at the MailScanner level.
>>
>> Check the file pointed to the "Is Definitely Not Spam" setting in your
>> mailscanner.conf.. Perhaps one of the recipients is whitelisted?
>>
>> \
>> --
>
> Thanks Matt,
>
> Unless they BCC'd some others (and had a pretty good idea who was on my
> whitelist), I'm the only recipient.

Check your maillogs. Spam is FREQUENTLY bcc'ed to many recipients.

From mkettler at evi-inc.com Tue Nov 21 18:27:29 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Nov 21 18:27:42 2006
Subject: whitelisted? But where???
In-Reply-To: <45633ADE.6000905@pixelhammer.com>
References: <6.2.3.4.2.20061121102625.02f44728@mail.finedaycoming.com> <45633268.3070204@evi-inc.com> <6.2.3.4.2.20061121112341.02e76910@mail.tireswing.net> <45633ADE.6000905@pixelhammer.com>
Message-ID: <45634511.4090203@evi-inc.com>

DAve wrote:
>
> If you run the message through SpamAssassin alone does it still get
> whitelisted?
>

No, you can tell that just by looking at the header. This was DEFINITELY whitelisted by MailScanner, not SA.

SA's whitelists will all show up as a rule hit (ie: USER_IN_WHITELIST or USER_IN_WHITELIST_TO). It would also cause a score adjustment, resulting in the score being low.

X-TireSwing-Spam: not spam (whitelisted), SpamAssassin (not cached,
	score=29.493, required 5, autolearn=spam, BAYES_50 0.00,
	FROM_LOCAL_NOVOWEL 2.86, HELO_DYNAMIC_HCC 4.10,
	HELO_DYNAMIC_IPADDR2 3.82, HELO_DYNAMIC_SPLIT_IP 2.19,
	HTML_50_60 0.13, HTML_MESSAGE 0.00, RAZOR2_CF_RANGE_51_100 0.50,
	RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
	RAZOR2_CHECK 0.50, RCVD_FORGED_WROTE 2.80, RCVD_NUMERIC_HELO 1.50,
	SPAMMY_XMAILER 1.00, URIBL_BLACK 3.00, URIBL_JP_SURBL 4.09)

There's no SA whitelist in that list of rule hits, and the score is high.

This is purely a MailScanner.conf level issue.

From mrm at medicine.wisc.edu Tue Nov 21 18:28:50 2006
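
[Added example, not part of the original message or of MailScanner: a Python sketch of the header reading Matt Kettler describes above. It parses the spam report header, checks whether a SpamAssassin whitelist rule is among the hits, and flags mail that a MailScanner-level whitelist delivered despite a score above the threshold. The second header is constructed for contrast and its exact wording is an assumption.]

```python
import re

# Header value quoted in the message above (X-TireSwing-Spam), folded as in mail.
PAGE_HEADER = """not spam (whitelisted), SpamAssassin (not cached,
    score=29.493, required 5, autolearn=spam, BAYES_50 0.00,
    FROM_LOCAL_NOVOWEL 2.86, HELO_DYNAMIC_HCC 4.10,
    HELO_DYNAMIC_IPADDR2 3.82, HELO_DYNAMIC_SPLIT_IP 2.19,
    HTML_50_60 0.13, HTML_MESSAGE 0.00, RAZOR2_CF_RANGE_51_100 0.50,
    RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
    RAZOR2_CHECK 0.50, RCVD_FORGED_WROTE 2.80, RCVD_NUMERIC_HELO 1.50,
    SPAMMY_XMAILER 1.00, URIBL_BLACK 3.00, URIBL_JP_SURBL 4.09)"""

# Constructed for contrast: an SA-level whitelist hit shows up as a rule
# with a large negative score. The header wording here is an assumption.
CONSTRUCTED_SA_WHITELIST = (
    "not spam, SpamAssassin (not cached, score=-97.00, required 5, "
    "URIBL_BLACK 3.00, USER_IN_WHITELIST -100.00)"
)

# The two SpamAssassin whitelist rule names mentioned in the message.
SA_WHITELIST_RULES = {"USER_IN_WHITELIST", "USER_IN_WHITELIST_TO"}

NUM = r"-?\d+(?:\.\d+)?"
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]*) (" + NUM + r")(?=[,)])")


def parse_spam_header(value):
    """Split a MailScanner spam report into verdict, score and rule hits."""
    text = " ".join(value.split())  # unfold continuation lines
    verdict, _, detail = text.partition(", SpamAssassin (")
    score = re.search(r"score=(" + NUM + r")", detail)
    required = re.search(r"required (" + NUM + r")", detail)
    return {
        "verdict": verdict,
        "ms_whitelisted": "whitelisted" in verdict.lower(),
        "score": float(score.group(1)) if score else None,
        "required": float(required.group(1)) if required else None,
        "rules": {name: float(pts) for name, pts in RULE_RE.findall(detail)},
    }


def whitelist_source(report):
    """Say which layer whitelisted the message, going by the header alone."""
    sa_hit = SA_WHITELIST_RULES.intersection(report["rules"])
    if report["ms_whitelisted"] and sa_hit:
        return "both"
    if report["ms_whitelisted"]:
        return "mailscanner"   # look at the "Is Definitely Not Spam" ruleset
    if sa_hit:
        return "spamassassin"  # look at whitelist_from / whitelist_to
    return "none"


def overridden(report):
    """True when a MailScanner whitelist delivered mail SA scored as spam."""
    return bool(
        report["ms_whitelisted"]
        and report["score"] is not None
        and report["required"] is not None
        and report["score"] >= report["required"]
    )


def rule_sum_matches(report, tol=0.05):
    """True when the listed rule scores add up to the reported score,
    i.e. no unlisted whitelist adjustment pulled the score down."""
    return abs(sum(report["rules"].values()) - report["score"]) <= tol


if __name__ == "__main__":
    for label, hdr in (("page", PAGE_HEADER), ("constructed", CONSTRUCTED_SA_WHITELIST)):
        r = parse_spam_header(hdr)
        print(label, whitelist_source(r), r["score"], "overridden:", overridden(r))
```
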
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Tue Nov 21 18:29:22 2006
Subject: Use MailScanner and Spamassassin spamd
In-Reply-To: <200611211309.27372.leah@frauerpower.com>
References: <200611211208.27907.leah@frauerpower.com> <45633490.7090109@evi-inc.com> <200611211309.27372.leah@frauerpower.com>
Message-ID: <4562F115.7FBE.00FC.3@medicine.wisc.edu>

>>> On 11/21/2006 at 12:09 PM, in message <200611211309.27372.leah@frauerpower.com>, Leah Kubik
>
> I do understand that, but I don't believe that it's listening for outside
> requests the way that spamd does, therefore, the question of if it would be
> possible to both run MailScanner and to have a listening spamd.
>
> One of my clients is asking if it would be possible to use some of the
> Outlook plugins for talking to spamd on the server, which is why I am
> trying to find out if it is just impossible, or maybe possible.

It is possible. I used to run a MS system that way. All you have to do is tell MailScanner not to use SpamAssassin, and then run spamd separately. There is a HUGE performance hit by running it this way though. The same server used to be pegged close to 100 % utilization until I switched to having MS call SA directly, and it now runs around 10-20% utilization, and that's even while increasing the number of emails/spam/whatever every day.

I'm not familiar with the Outlook plugins you're talking about, but it might be worthwhile to look at the end result of what the plugins do. For example, can a user modify his/her own .spamassassin/user_prefs while with the plugin? If so, allow that, and then write a simple cron type script to convert everyone's user_prefs file into SA rules files. This way you can get the best of both worlds.

Mike

From mailscanner at barendse.to Tue Nov 21 18:30:35 2006
From: mailscanner at barendse.to (Remco Barendse)
Date: Tue Nov 21 18:30:39 2006
Subject: OT: RE: pingscript to deal with flakey connections
In-Reply-To: <0768EC5DB0115C43BF4E84FC8AC17D77534E83@psims002.pshosting.intranet>
References: <0768EC5DB0115C43BF4E84FC8AC17D77534E83@psims002.pshosting.intranet>
Message-ID:

On Tue, 21 Nov 2006, Joshua Hirsh wrote:

> Hi Remco,
>
> I don't have a script like this in production, but it isn't very hard
> to write :-P
>
> Attached is one I just wrote in perl (about 20 minutes). It requires
> the fping binary to be installed (http://www.fping.com/). This
> particular version can be set with a threshold level, so you can take
> your server offline if 4 out of 5 sites are offline.
>
> You'll want to verify that you've removed your hourly cron job to check
> the status of MailScanner, otherwise it will start itself back up
> (/etc/cron.hourly/check_MailScanner on my system).
>
>
> I've only tested this on my workstation, but it seems to run as
> expected. The standard disclaimer applies.. I wrote it, but take no
> responsibility for its use or any damage you may incur on your systems
> from using it. If you like it, great. If you don't, edit it to your
> liking or just delete it ;-)
>
> Cheers,
>
> -Joshua

Great!! I will have a look at it and I am sure my provider will put it to test ;)

Thanks!!!

From ugob at camo-route.com Tue Nov 21 18:39:20 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Tue Nov 21 18:39:57 2006
Subject: OT sendmail access config
Message-ID:

Hi,

I have 3 domains on a MailScanner gateway machine. domain1.com, domain2.com, domain3.com. Domain1 has 10 users, domain 2 has 1000 and domain 3 2000. Each domain is delivered to a separate back-end server, no local users.

Since domain1 has only 10 users, I'd like to put only the valid e-mail addresses in the access map so that it doesn't even have to use milter-ahead. Is this possible?

Regards,

Ugo

From mailscanner at barendse.to Tue Nov 21 18:47:41 2006
From: mailscanner at barendse.to (Remco Barendse)
Date: Tue Nov 21 18:47:48 2006
Subject: OT: RE: pingscript to deal with flakey connections
In-Reply-To: <0768EC5DB0115C43BF4E84FC8AC17D77534E83@psims002.pshosting.intranet>
References: <0768EC5DB0115C43BF4E84FC8AC17D77534E83@psims002.pshosting.intranet>
Message-ID:

On Tue, 21 Nov 2006, Joshua Hirsh wrote:

> Hi Remco,
>
> I don't have a script like this in production, but it isn't very hard
> to write :-P
>
> Attached is one I just wrote in perl (about 20 minutes). It requires
> the fping binary to be installed (http://www.fping.com/). This
> particular version can be set with a threshold level, so you can take
> your server offline if 4 out of 5 sites are offline.
>
> You'll want to verify that you've removed your hourly cron job to check
> the status of MailScanner, otherwise it will start itself back up
> (/etc/cron.hourly/check_MailScanner on my system).
>
>
> I've only tested this on my workstation, but it seems to run as
> expected. The standard disclaimer applies.. I wrote it, but take no
> responsibility for its use or any damage you may incur on your systems
> from using it. If you like it, great. If you don't, edit it to your
> liking or just delete it ;-)

Wow! You really wrote all that in just 20 minutes?? Looks complicated!

If I am not mistaken, the hourly cron job will not bite, some time ago it was made intelligent I believe and now checks if MailScanner was not stopped purposely, if it was, it will not restart MS.

Thanks again!!! This is a real life saver, especially I am on holiday and they call me and I have to explain how to stop MS on one box to get outgoing mail working again.

Cheers!
Remco

From ms-list at alexb.ch Tue Nov 21 19:03:37 2006
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Nov 21 19:03:48 2006
Subject: MS & PersistentPerl
Message-ID: <45634D89.4010105@alexb.ch>

Guys,

Was wondering if it would be of any benefit to run MailScanner or parts of it under "PersistentPerl" (http://www.daemoninc.com/PersistentPerl/)

I use a number of non daemonized scripts using PerPerl and it does increase performance quite a bit.

May the clued show me the light...

Alex

--
CustomFunction programmer sought - reply offlist.

From mike at vesol.com Tue Nov 21 19:39:48 2006
From: mike at vesol.com (Mike Kercher)
Date: Tue Nov 21 19:41:11 2006
Subject: OT sendmail access config
In-Reply-To:
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Ugo Bellavance
> Sent: Tuesday, November 21, 2006 12:39 PM
> To: mailscanner@lists.mailscanner.info
> Subject: OT sendmail access config
>
> Hi,
>
> I have 3 domains on a MailScanner gateway machine.
> domain1.com, domain2.com, domain3.com. Domain1 has 10 users,
> domain 2 has 1000 and domain 3 2000. Each domain is
> delivered to a separate back-end server, no local users.
>
> Since domain1 has only 10 users, I'd like to put only
> the valid e-mail addresses in the access map so that it
> doesn't even have to use milter-ahead. Is this possible?
>
> Regards,
>
> Ugo
>

In /etc/mail/access:

domain1.com REJECT Probable Account Forgery
user1@domain1.com OK
user2@domain1.com OK
user3@domain1.com OK

Mike

From glenn.steen at gmail.com Tue Nov 21 20:23:40 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 21 20:23:43 2006
Subject: log is flotting with messages
In-Reply-To: <20061121181255.4tkj4b7i8484osgg@www.intranet>
References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061121181255.4tkj4b7i8484osgg@www.intranet>
Message-ID: <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com>

On 21/11/06, redhat@techspace.nl wrote:
> Ok now it's getting messy
>
> system Fedora Core 6 with ldap samba postfix dovecot pureftpd etc.
>
>
> on the command as user postfix MailScanner --debug --debug-sa
> last few lines:
> [3037] dbg: config: using "/etc/mail/spamassassin" for site rules dir
> [3037] dbg: config: read file /etc/mail/spamassassin/local.cf
> [3037] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
> perl: ldap-nss.c:1312: do_init: Bewering
> `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' mislukt.
> Geannuleerd
>
> command as user postfix
> spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
> last few lines:
> [3037] dbg: config: read file /etc/mail/spamassassin/local.cf
> [3037] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
> perl: ldap-nss.c:1312: do_init: Bewering
> `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' mislukt.
> Geannuleerd

Good, then we can be pretty sure this is a problem with SA when run as user postfix.

> it's the same.
>
> user 89 = postfix
> owner and group of the file
> /var/spool/MailScanner/incoming/SpamAssassin.cache.db
> =postfix
> cache SQLite db file are there more than this one??

As said, that is a "red herring", so ... let's concentrate on SA instead.

> nss_ldap is needed because I'm using ldap for user information user
> passw and more
> except users as postfix clam local daemons.

Ok, so no real possibility of just removing it.

> do I need to configure mailscanner to search in ldap for users??
> the system is already running using ldap what could mailscanner want
> look for in ldap?.

I don't think it is anything as obvious as that:-).

Just thinking out loud... Postfix is in the usual jail, right? So in the jail there is one set of passwd files etc... And perhaps you have the usual "proxy:..." configuration in main.cf (for postfix to be able to read /etc/passwd, instead of the jails copy)... and I suppose you have it set to read recipients from LDAP too... This is all likely working OK, but... something seems to go bad for SA.

Could you check that /etc/mail/spamassassin/mailscanner.cf (which is a symbolic link ("soft") to /etc/MailScanner/spam.assassin.prefs.conf) is readable to the postfix user (and all directories intervening from the root (/)) and possibly the file directly following (compare with a --lint run as root)... Do you have a ~postfix/.spamassassin directory owned by postfix?

> anyone mayday need to get more coffee!!!!.
> jasper
>

Tomorrow...:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Nov 21 20:39:35 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 21 20:39:39 2006
Subject: whitelisted? But where???
In-Reply-To: <6.2.3.4.2.20061121112341.02e76910@mail.tireswing.net>
References: <6.2.3.4.2.20061121102625.02f44728@mail.finedaycoming.com> <45633268.3070204@evi-inc.com> <6.2.3.4.2.20061121112341.02e76910@mail.tireswing.net>
Message-ID: <223f97700611211239m41e57f2ex7333e19c5a5167f6@mail.gmail.com>

On 21/11/06, Andy Norris wrote:
>
> At 11:07 am 2006-11-21, you wrote:
> >Interesting.. It's definitely whitelisted at the MailScanner level.
> >
> >Check the file pointed to the "Is Definitely Not Spam" setting in your
> >mailscanner.conf.. Perhaps one of the recipients is whitelisted?
> >
> >\
> >--
>
> Thanks Matt,
>
> Unless they BCC'd some others (and had a pretty good idea who was on
> my whitelist), I'm the only recipient.
>
> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
>
> And in there is just stuff I've put in there for pesky, whiny, pampered users.
>
> Still flustered,
>
> Andy
>

Do you have an X-TireSwing-To: header too? Would show all the envelope recipients, no? Likely will reveal that you _do_ whitelist one of those addresses:-). Yet another example of why one shouldn't whitelist by email address alone, perhaps:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ugob at camo-route.com Tue Nov 21 20:52:35 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Tue Nov 21 20:53:02 2006
Subject: ClamAV || Oversized.zip
In-Reply-To: <456321B4.1020304@hal9000.nl>
References: <4563172E.4090904@hal9000.nl> <200611211032.50978.clacroix@cegep-ste-foy.qc.ca> <456321B4.1020304@hal9000.nl>
Message-ID:

Erik van der Leun wrote:
> Charles Lacroix wrote:
>> On Tuesday 21 November 2006 10:11, Erik van der Leun wrote:
>>
>>> Hi,
>>>
>>> A ClamAV feature to protect against DoS alike attacks checking filesizes
>>> and such in zipfiles, creates this message, causing attachments to end up
>>> in the quarantine, although all other scanners claim the attachment is
>>> harmless...
>>>
>>> # clamscan test.zip
>>> test.zip: Oversized.Zip FOUND
>>>
>>> I've googled bits and pieces together and am pretty sure it's a flaw in
>>> ClamAV.
>>> Some dubious solutions are presented, by hacking sourcecode of
>>> libclamav, but
>>> I've decided to disable clamav for a while (on certain servers that is).
>>>
>>> If anybody's got better advice, I'd be grateful :)
>>>
>>> Kind regards,
>>> Erik van der Leun
>>>
>>
>> Hi,
>>
>> i would check this in clamd.conf
>>
>>
>> # If a file in an archive is compressed more than ArchiveMaxCompressionRatio
>> # times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)
>> # Value of 0 disables the limit.
>> # Default: 250
>> #ArchiveMaxCompressionRatio 300
>>
>> Just bump it up enough to get your file to scan correctly or disable it.
>>
>>
> Sorry for bothering y'all :)
> using --max-ratio within MailScanner does what I hoped for :)
>
> Thanks for thinking along though
>

Could you explain in what file you made your change? clamav-wrapper?

How did you set the option exactly?

From ugob at camo-route.com Tue Nov 21 20:58:19 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Tue Nov 21 20:58:50 2006
Subject: ClamAV || Oversized.zip
In-Reply-To:
References: <4563172E.4090904@hal9000.nl> <200611211032.50978.clacroix@cegep-ste-foy.qc.ca> <456321B4.1020304@hal9000.nl>
Message-ID:

Ugo Bellavance wrote:
>>>
>> Sorry for bothering y'all :)
>> using --max-ratio within MailScanner does what I hoped for :)
>>
>> Thanks for thinking along though
>>
>
> Could you explain in what file you made your change? clamav-wrapper?
>
> How did you set the option exactly?
>

I guess I found it in clamav-wrapper:

# Now increase the allowed expansion size of zip files
ExtraScanOptions="$ExtraScanOptions --max-ratio=1000"

From mkettler at evi-inc.com Tue Nov 21 21:06:22 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Nov 21 21:06:44 2006
Subject: whitelisted? But where???
In-Reply-To: <223f97700611211239m41e57f2ex7333e19c5a5167f6@mail.gmail.com>
References: <6.2.3.4.2.20061121102625.02f44728@mail.finedaycoming.com> <45633268.3070204@evi-inc.com> <6.2.3.4.2.20061121112341.02e76910@mail.tireswing.net> <223f97700611211239m41e57f2ex7333e19c5a5167f6@mail.gmail.com>
Message-ID: <45636A4E.5020802@evi-inc.com>

Glenn Steen wrote:
>>
> Do you have an X-TireSwing-To: header too? Would show all the envelope
> recipients, no?

That would be a massive breach of privacy for the users of the system. Bcc's are intentionally NOT included in the message headers, and you should not make any features that try to do so. Otherwise Bcc becomes the same as Cc, which is not what users expect.

As said, check your mailserver logs for this kind of thing. It looks like Andy is using sendmail so he can just grep his logs for the E?SMTP ID of the message which you can get from the Received: headers.

For example, I have a spam that my server received:
----------
Received: from PNX2.u1yxrk.net (ALyon-257-1-17-64.w86-209.abo.wanadoo.fr [86.209.64.64])
	by xanadu.evi-inc.com (8.12.11.20060308/8.12.11) with ESMTP id kALJDTOe015612;
	Tue, 21 Nov 2006 14:13:30 -0500
----------

And I can see that this one went to multiple recipients here: (note: I've censored everyone else's usernames besides my own. Also note that my copy was delivered locally, but the others were relayed to an internal group server)
----------
#grep "kALJDTOe015612" /var/log/maillog
Nov 21 14:13:58 xanadu sendmail[878]: kALJDTOe015612: to=, delay=00:00:28, xdelay=00:00:00, mailer=local, pri=213758, dsn=2.0.0, stat=Sent
Nov 21 14:13:58 xanadu sendmail[878]: kALJDTOe015612: to=@.evi-inc.com,@.evi-inc.com ,@.evi-inc.com, delay=00:00:28, xdelay=00:00:00, mailer=esmtp, pri=213758, relay=.evi-inc.com. [], dsn=2.0.0, stat=Sent (Ok)
----------

This one was delivered to me, and 3 internal users.
> Likely will reveal that you _do_ whitelist one of
> those addresses:-). Yet another example of why one shouldn't whitelist
> by email address alone, perhaps:-)

Agreed.

From ugob at camo-route.com Tue Nov 21 21:11:20 2006
From: ugob at camo-route.com (Ugo Bellavance)
Date: Tue Nov 21 21:11:53 2006
Subject: OT sendmail access config
In-Reply-To:
References:
Message-ID:

Mike Kercher wrote:
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Ugo Bellavance
>> Sent: Tuesday, November 21, 2006 12:39 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: OT sendmail access config
>>
>> Hi,
>>
>> I have 3 domains on a MailScanner gateway machine.
>> domain1.com, domain2.com, domain3.com. Domain1 has 10 users,
>> domain 2 has 1000 and domain 3 2000. Each domain is
>> delivered to a separate back-end server, no local users.
>>
>> Since domain1 has only 10 users, I'd like to put only
>> the valid e-mail addresses in the access map so that it
>> doesn't even have to use milter-ahead. Is this possible?
>>
>> Regards,
>>
>> Ugo
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>
> In /etc/mail/access:
>
> domain1.com REJECT Probable Account Forgery
> user1@domain1.com OK
> user2@domain1.com OK
> user3@domain1.com OK
>
> Mike

It was that simple? Woah... thanks :)

Ugo

From matt at coders.co.uk Tue Nov 21 21:18:01 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Tue Nov 21 21:18:45 2006
Subject: OT sendmail access config
In-Reply-To:
References:
Message-ID: <45636D09.2010908@coders.co.uk>

>> In /etc/mail/access:
>>
>> domain1.com REJECT Probable Account Forgery
>> user1@domain1.com OK
>> user2@domain1.com OK
>> user3@domain1.com OK
>>
>> Mike
>
> It was that simple? Woah... thanks :)
>

I would make one minor modification:

To:domain1.com ....
To:user1@domain.com
etc

The "To:" ensures that it only applies to incoming mail

matt

From redhat at techspace.nl Tue Nov 21 21:20:42 2006
From: redhat at techspace.nl (redhadjasper)
Date: Tue Nov 21 21:21:16 2006
Subject: log is flotting with messages
In-Reply-To: <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com>
References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061121181255.4tkj4b7i8484osgg@www.intranet> <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com>
Message-ID: <45636DAA.30807@techspace.nl>

Glenn Steen wrote:
> On 21/11/06, redhat@techspace.nl wrote:
>> Ok now it's getting messy
>>
>> system Fedora Core 6 with ldap samba postfix dovecot pureftpd etc.
>>
>>
>> on the command as user postfix MailScanner --debug --debug-sa
>> last few lines:
>> [3037] dbg: config: using "/etc/mail/spamassassin" for site rules dir
>> [3037] dbg: config: read file /etc/mail/spamassassin/local.cf
>> [3037] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
>> perl: ldap-nss.c:1312: do_init: Bewering
>> `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' mislukt.
>> Geannuleerd
>>
>> command as user postfix
>> spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
>> last few lines:
>> [3037] dbg: config: read file /etc/mail/spamassassin/local.cf
>> [3037] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
>> perl: ldap-nss.c:1312: do_init: Bewering
>> `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' mislukt.
>> Geannuleerd
>
> Good, then we can be pretty sure this is a problem with SA when run as
> user postfix.
>
>> it's the same.
>>
>> user 89 = postfix
>> owner and group of the file
>> /var/spool/MailScanner/incoming/SpamAssassin.cache.db
>> =postfix
>> cache SQLite db file are there more than this one??
>
> As said, that is a "red herring", so ... let's concentrate on SA instead.
>
>> nss_ldap is needed because I'm using ldap for user information user
>> passw and more
>> except users as postfix clam local daemons.
>
> Ok, so no real possibility of just removing it.
>
>> do i need to configure mailscanner to search in ldap for users??
>> the system is already running using ldap what could mailscanner want
>> look for in ldap?.
>
> I don't think it is anything as obvious as that:-).
> Just thinking out loud... Postfix is in the usual jail, right? So in
> the jail there is one set of passwd files etc... And perhaps you have
> the usual "proxy:..." configuration in main.cf (for postfix to be able
> to read /etc/passwd, instead of the jails copy)... and I suppose you
> have it set to read recipients from LDAP too... This is all likely
> working OK, but... something seems to go bad for SA.
>
> Could you check that /etc/mail/spamassassin/mailscanner.cf (which is a
> symbolic link ("soft") to /etc/MailScanner/spam.assassin.prefs.conf)
> is readable to the postfix user (and all directories intervening from
> the root (/)) and possibly the file directly following (compare with a
> --lint run as root)... Do you have a ~postfix/.spamassassin directory
> owned by postfix?
>
>> anyone mayday need to get more coffee!!!!.
>> jasper
>>
> Tomorrow...:-)

yes done all that home/postfix/.spamassasin owner postfix
and the config files readable to everyone.

can't I run spamassassin as root in mailscanner?

greets jasper.

--
This message has been scanned for viruses and other dangerous content by Dark Eagle mail scanner and appears to be clean.

From prandal at herefordshire.gov.uk Tue Nov 21 21:32:27 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Nov 21 21:32:35 2006
Subject: OT sendmail access config
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681E2@isabella.herefordshire.gov.uk>

And don't forget to allow incoming emails for postmaster@... and abuse@...

Phil

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hampton
Sent: Tuesday, November 21, 2006 9:18 PM
To: MailScanner discussion
Subject: Re: OT sendmail access config

>> In /etc/mail/access:
>>
>> domain1.com REJECT Probable Account Forgery
>> user1@domain1.com OK
>> user2@domain1.com OK
>> user3@domain1.com OK
>>
>> Mike
>
> It was that simple? Woah... thanks :)
>

I would make one minor modification:

To:domain1.com ....
To:user1@domain.com
etc

The "To:" ensures that it only applies to incoming mail

matt

From jozef at uptime.at Tue Nov 21 21:38:07 2006
From: jozef at uptime.at (Jozef Harman)
Date: Tue Nov 21 21:35:08 2006
Subject: Filename rules - blocking whole message
In-Reply-To: <45634D89.4010105@alexb.ch>
References: <45634D89.4010105@alexb.ch>
Message-ID: <456371BF.7060602@uptime.at>

Dear all,

I would like to completely block/delete WHOLE email with a .gif attachment.
I have added this to filename.rules.conf:

deny+delete \.gif$ Maybe gif spam -

This is just removing .gif attachments. I would like to BLOCK/NOT DELIVER message with the .gif attachment.
Is this somehow possible ?

Many thanks

Jozef Harman

From mkettler at evi-inc.com Tue Nov 21 21:36:01 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Nov 21 21:36:11 2006
Subject: OT sendmail access config
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681E2@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681E2@isabella.herefordshire.gov.uk>
Message-ID: <45637141.6080605@evi-inc.com>

Aww, but it's so fun to get listed in RFCI...

Randal, Phil wrote:
> And don't forget to allow incoming emails for postmaster@... and
> abuse@...
>
> Phil

From prandal at herefordshire.gov.uk Tue Nov 21 23:59:27 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Nov 21 23:59:35 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches i t
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681E3@isabella.herefordshire.gov.uk>

Sometimes it pays to actually test it with debug on and see the results...

For my SA 3.1.7 installation,

SpamAssassin Local State Dir = /var/lib/spamassassin

is the correct setting, not

SpamAssassin Local State Dir = /var/lib

Tested with MailScanner --debug-sa and the debug flags set in MailScanner.conf.

Cheers,

Phil, who's amazed he didn't notice this earlier

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Friday, November 10, 2006 4:35 PM
To: MailScanner discussion
Subject: Re: Mailscanner not catching SPAM but manual run via SA catches it

Dan Carl wrote:
> Hi all,
>
> I'm perplexed,
> Today I took a spam email from my inbox that got through Mailscanner and
> saved it to my mail server.
> I then ran it though spamassassin(spamassassin -t test.eml) and it caught it
> as SPAM.
> What's up with that??
>
> Just yesterday I upgraded to the latest version of Mailscanner (thanks
> volunteers)
> because a lot of spam was getting through. After many hours of work I also
> installed the Fuzzy OCR plugin.
>
> Mailscanner appears to be working fine and using spamassassin.
> My maillog shows lines this:
> MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369
>
> Thanks in advance
>

Check the SA paths in MailScanner to make sure you're running the same rules - also check you've only got one perl and one SA installed.

IF you've run sa-update make sure MS knows about it by setting

SpamAssassin Local State Dir = /var/lib

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From res at ausics.net Wed Nov 22 00:47:28 2006
From: res at ausics.net (Res)
Date: Wed Nov 22 00:47:37 2006
Subject: Use MailScanner and Spamassassin spamd
In-Reply-To: <45633490.7090109@evi-inc.com>
References: <200611211208.27907.leah@frauerpower.com> <45633490.7090109@evi-inc.com>
Message-ID:

On Tue, 21 Nov 2006, Matt Kettler wrote:

> Leah Kubik wrote:
>> I am wondering if it might be possible to run spamd on a server that is
>> running MailScanner and not have major issues?
>

Yep.

> Why? it would be considerably slower.
>
> MailScanner uses SA at the API level (ie: Mail::SpamAssassin), and does so on a
> persistent basis, therefore it acts as its own spamd. Calling an external
> process would be considerably slower.

I think the issue is so individual users have preferences, rather than putting up with system wide tough luck settings.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From mkettler at evi-inc.com Wed Nov 22 01:02:08 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Nov 22 01:02:27 2006
Subject: Use MailScanner and Spamassassin spamd
In-Reply-To:
References: <200611211208.27907.leah@frauerpower.com> <45633490.7090109@evi-inc.com>
Message-ID: <4563A190.7050904@evi-inc.com>

Res wrote:
> On Tue, 21 Nov 2006, Matt Kettler wrote:
>
>> Leah Kubik wrote:
>>> I am wondering if it might be possible to run spamd on a server that is
>>> running MailScanner and not have major issues?
>>
>
> Yep.
>
>> Why? it would be considerably slower.
>>
>> MailScanner uses SA at the API level (ie: Mail::SpamAssassin), and
>> does so on a
>> persistent basis, therefore it acts as its own spamd. Calling an
>> external
>> process would be considerably slower.
>
> I think the issue is so individual users have preferences, rather than
> putting up with system wide tough luck settings.

True, but you won't get MailScanner to use that spamd.

However, you can run MailScanner at the MTA layer without SA enabled, and call SA at the MTA layer (ie: via procmail). At that point MS would only handle virus scanning.

You'd gain the advantage of per-user configs, but also lose the performance gain of one-scan per message. Now you'll be doing one SA scan per recipient, which shouldn't be that big a difference, but it does add load when a spam gets bcc'ed to 10 people at once.

It's all part of the standard trade-offs of MTA vs MDA layer scanning.

(And yes, there are tricks to make MS handle recipients one at a time, but you still don't get per-user configs)

That said, as it turns out none of this has anything to do with what the OP wanted. They wanted to remotely update a bayes DB using spamd as a target of bayes learning. (A new feature of spamc in 3.1x is the ability to to "spamc -L spam
References: <4b17fcc45df9877a51d939b7602b414e@10.0.0.10>
Message-ID: <4563AC3D.8090701@nkpanama.com>

uxbod wrote:
> Hi,
>
> Is anybody on the list using MailScanner with Zimbra ?
>
> If so was it easy to integrate ?
>
> Best Regards,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
>
>

Easy... if you have Zimbra on one box and MailScanner on the other.

If you want to try and get MailScanner running on Zimbra, let us know how it goes... but beware, I've heard MailScanner on a box running Postfix (IIRC Zimbra uses Postfix) *could cause swapping*! ;-)

From Denis.Beauchemin at USherbrooke.ca Wed Nov 22 02:06:34 2006
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Nov 22 02:06:43 2006
Subject: Filename rules - blocking whole message
In-Reply-To: <456371BF.7060602@uptime.at>
References: <45634D89.4010105@alexb.ch> <456371BF.7060602@uptime.at>
Message-ID: <4563B0AA.5030500@USherbrooke.ca>

Jozef Harman wrote:
> Dear all,
>
> I would like to completely block/delete WHOLE email with a .gif
> attachment.
> I have added this to filename.rules.conf:
>
> deny+delete \.gif$ Maybe gif spam -
>
> This is just removing .gif attachments. I would like to BLOCK/NOT
> DELIVER message with the .gif attachment.
> Is this somehow possible ?
>
> Many thanks
>
> Jozef Harman

I think you would have to go the SA way and write a rule that would match a gif attachment and assign it a large enough score to have the email deleted. There is a howto in the wiki.

Denis

From brent.addis at pronet.co.nz Wed Nov 22 02:13:07 2006
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Wed Nov 22 02:13:36 2006
Subject: Annoying!!!
In-Reply-To: <45585CA7.65ED.00A2.0@plattesheriff.org>
References: <45585CA7.65ED.00A2.0@plattesheriff.org>
Message-ID: <4563B233.7020404@pronet.co.nz>

Look into using SPF (everyone was supposed to be using it by 2004 though, right?)

I get joe-jobbed fairly often on some of my domains, since implementing spf, the bounces have dropped to about 40% of what they were.

Many companies drop email coming from hosts that aren't listed as an address in a valid spf record, so they don't bounce back to you. Of course they still accept mail without any spf record assigned to it, but I'm sure that'll stop one day.

http://www.openspf.org/wizard.html?mydomain=&x=0&y=0 has a wizard for it. It gets inserted into your dns records.

Be warned though, if you have remote users, they will have to use a server within your spf realm for sending mail.

I would recommend turning off the catchall too.

Rob Poe wrote:
> Someone is sending spam as one of my domains (poeweb.com, if you're getting it, it's NOT me!). I'm getting literally hundreds of bounce messages daily.
>
> I *DO* have a catchall for this domain, and that's getting a lot of the bounceback messages.
>
> Anyone have any great ideas for at least slowing the delivery failure, bounced for spam, etc messages?
>
> It's image based stock spam that they're sending. I'd really like them to stop, it's quite annoying.
>
>
>
>

From Richard.Frovarp at sendit.nodak.edu Wed Nov 22 03:36:43 2006
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Wed Nov 22 03:36:58 2006
Subject: Filename rules - blocking whole message
In-Reply-To: <456371BF.7060602@uptime.at>
References: <45634D89.4010105@alexb.ch> <456371BF.7060602@uptime.at>
Message-ID: <4563C5CB.8000903@sendit.nodak.edu>

Jozef Harman wrote:
> Dear all,
>
> I would like to completely block/delete WHOLE email with a .gif
> attachment.
> I have added this to filename.rules.conf:
>
> deny+delete \.gif$ Maybe gif spam -
>
> This is just removing .gif attachments. I would like to BLOCK/NOT
> DELIVER message with the .gif attachment.
> Is this somehow possible ?
>
> Many thanks
>
> Jozef Harman

First, you should start a new message when creating a new topic. This message is put in the same thread as a completely unrelated post, since you hit reply to that post.

What do you have for Deliver Cleaned Messages? I believe if that is set to yes, it will strip out offending attachments and send the message on. So you should have that set to no.

I would guess you are going to FP on HTML mail, but that is your choice.

Richard

From uxbod at splatnix.net Wed Nov 22 08:13:38 2006
From: uxbod at splatnix.net (uxbod)
Date: Wed Nov 22 08:13:51 2006
Subject: OT: MailScanner & Zimbra
In-Reply-To: <4563AC3D.8090701@nkpanama.com>
References: <4563AC3D.8090701@nkpanama.com>
Message-ID: <452fd0b0f573eaeffec2f34d21dace56@10.0.0.10>

Hmmm, interesting as I have been running both Postfix and MailScanner on the same box for a year and even on a single server where I work without any problems. The only difference to other installations is that I use two instances of Postfix, the first handles all the standard checks HELO etc and performs LDAP lookups; if this is passed then the emails are handed over to the second instance where MailScanner will perform its checks.

I would imagine that a Zimbra installation may need three instances of Postfix running FrontEnd->MailScanner->Zimbra. I will probably start on this at the weekend so will let you know how it goes. Have some interesting ideas to try out with the Ajax client especially for using information from MailScanner for White and Grey listing.

Regards,

On Tue, 21 Nov 2006 20:47:41 -0500, Alex Neuman van der Hans wrote:
> uxbod wrote:
>> Hi,
>>
>> Is anybody on the list using MailScanner with Zimbra ?
>>
>> If so was it easy to integrate ?
>>
>> Best Regards,
>>
>> --[ UxBoD ]--
>> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
>> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
>> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
>>
>>
> Easy... if you have Zimbra on one box and MailScanner on the other.
>
> If you want to try and get MailScanner running on Zimbra, let us know
> how it goes... but beware, I've heard MailScanner on a box running
> Postfix (IIRC Zimbra uses Postfix) *could cause swapping*!
;-)
>

--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From support-lists at petdoctors.co.uk Wed Nov 22 08:45:11 2006
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Nov 22 08:45:28 2006
Subject: Auto forwarding spam for pickup by sa-learn
Message-ID: <010301c70e12$859c9460$3c65a8c0@support01>

Hi Folks,

I have set a rule in MailScanner so that high scoring spam is automatically sent to 'spam@localhost' and there's a cron.hourly job that runs sa-learn on it.

All's fine so far, but I am wondering whether any extra headers put on the email due to the forwarding will adversely affect the sa-learn process?

Anyone?

Thanks

Nigel Kendrick

From stef at aoc-uk.com Wed Nov 22 09:14:42 2006
From: stef at aoc-uk.com (Stef Morrell)
Date: Wed Nov 22 09:14:45 2006
Subject: Spambuckets, Bayes and MailScanner signatures
Message-ID: <120103F0F5EC264097BC0A06EC9D026A010C0574@pardessus.aoc-uk.com>

Hi Peter,

pete@enitech.com.au wrote:
> It is even easier to create a public folder and make the
> default access contributor, not read, then everyone can drag
> and drop onto the public folder

Yes, that's my plan.

> , then there is a python
> script here that will read the public folder and delete its
> contents and write a little log of events for you.

*grin* Yes, I saw that, which is what put me down the path. Once I realised that exchange could be persuaded to give sensible data (including headers and such) I wanted to implement an auto-learning system.

> This is easier to setup and avoid the issues of exchanged
> erasing the headers when you forward email to another email account.

Yup!

> The script was posted (by me) about 2 weeks ago, i can resend
> if you need it.

No, I have it thanks.

My real question is how the MailScanner headers, inline anti-phishing and/or trailing signature might pollute the Bayes database - or am I worrying unnecessarily?

Thanks

Stef

Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

>
> Stef Morrell wrote:
>> Hi all,
>>
>> Having recently gotten my head around extracting RFC822 email from
>> exchange servers using IMAP, I'm considering setting up a
>> spambucket, so my users can dump false negatives - then using some
>> kind of suitable script to feed them into sa-learn.
>>
>> Now, Bayes has already been told to ignore the X-MailScanner-Blah
>> headers, in the spamassassin prefs, but I'm wondering about how it
>> will react to being fed things like the inline anti-phishing stuff
>> and also the "This has been scanned by MailScanner" etc signature.
>>
>> Obviously what I don't want is for Bayes to get wrong ideas from
>> dodgy data. GIGO :)
>>
>> Do I need to somehow process those bits out in an effort to restore
>> the original email, or does the order in which things are done mean
>> that it's not terribly relevant?
>>
>> Regards
>>
>> Stef
>> Stefan Morrell | Operations Director
>> Tel: 0845 3452820 | Alpha Omega Computers Ltd
>> Fax: 0845 3452830 | Incorporating Level 5 Internet
>> stef@aoc-uk.com | stef@l5net.net

From glenn.steen at gmail.com Wed Nov 22 09:22:50 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 22 09:22:53 2006
Subject: whitelisted? But where???
In-Reply-To: <45636A4E.5020802@evi-inc.com>
References: <6.2.3.4.2.20061121102625.02f44728@mail.finedaycoming.com> <45633268.3070204@evi-inc.com> <6.2.3.4.2.20061121112341.02e76910@mail.tireswing.net> <223f97700611211239m41e57f2ex7333e19c5a5167f6@mail.gmail.com> <45636A4E.5020802@evi-inc.com>
Message-ID: <223f97700611220122u1a715abbke80f6bb525ca5a9c@mail.gmail.com>

On 21/11/06, Matt Kettler wrote:
> Glenn Steen wrote:
> >
>> > Do you have an X-TireSwing-To: header too? Would show all the envelope
> > recipients, no?
>
> That would be a massive breach of privacy for the users of the system.

Yep.

> Bcc's are intentionally NOT included in the message headers, and you should not
> make any features that try to do so. Otherwise Bcc becomes the same as Cc, which
> is not what users expect.

I know this. I'm not suggesting he does anything like that, I'm asking if he already did.

> As said, check your mailserver logs for this kind of thing. It looks like Andy
> is using sendmail so he can just grep his logs for the E?SMTP ID of the message
> which you can get from the Received: headers.
>
> For example, I have a spam that my server received:
> ----------
> Received: from PNX2.u1yxrk.net (ALyon-257-1-17-64.w86-209.abo.wanadoo.fr
> [86.209.64.64])
> by xanadu.evi-inc.com (8.12.11.20060308/8.12.11) with ESMTP id kALJDTOe015612;
> Tue, 21 Nov 2006 14:13:30 -0500
> ----------
>
> And I can see that this one went to multiple recipients here: (note: I've
> censored everyone else's usernames besides my own.
Also note that my copy was
> delivered locally, but the others were relayed to an internal group server)
> ----------
> #grep "kALJDTOe015612" /var/log/maillog
>
> Nov 21 14:13:58 xanadu sendmail[878]: kALJDTOe015612: to=,
> delay=00:00:28, xdelay=00:00:00, mailer=local, pri=213758, dsn=2.0.0, stat=Sent
> Nov 21 14:13:58 xanadu sendmail[878]: kALJDTOe015612:
> to=@.evi-inc.com,@.evi-inc.com
> ,@.evi-inc.com, delay=00:00:28, xdelay=00:00:00,
> mailer=esmtp, pri=213758, relay=.evi-inc.com. [],
> dsn=2.0.0, stat=Sent (Ok)
> ----------
>
> This one was delivered to me, and 3 internal users.

Yes. There are situations where a simplistic grep might be harder to follow though (like with multiple Postfix instances... Used for splitting mails/recipient, not the deprecated dual PF/MS setup). And no, I'm still not advocating implementing the "Add Envelope To = yes" thing. Just mentioning that you might need multiple greps for some MTAs;).

> > Likely will reveal that you _do_ whitelist one of
> > those addresses:-). Yet another example of why one shouldn't whitelist
> > by email address alone, perhaps:-)
>
>
> Agreed.

Would've been very surprised otherwise;-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Nov 22 09:32:51 2006
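Added example (not part of any poster's message): the log lookup Matt Kettler describes and Glenn Steen quotes above, done in Python instead of a bare grep. It takes the queue ID from a Received: header and collects every to= entry sendmail logged for it; the header, log lines, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample data (not taken from the thread): one Received: header and
# the sendmail log lines written for that message and for an unrelated one.
RECEIVED = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby mx.example.com (8.12.11/8.12.11) with ESMTP id kALJDTOe015612;\n"
    "\tTue, 21 Nov 2006 14:13:30 -0500"
)
MAILLOG = """\
Nov 21 14:13:30 mx sendmail[870]: kALJDTOe015612: from=<sender@example.net>, size=3758, class=0, nrcpts=4, msgid=<1@example.net>, proto=ESMTP, relay=mail.example.net [192.0.2.10]
Nov 21 14:13:31 mx sendmail[871]: kALJDTOf015613: from=<other@example.org>, size=901, class=0, nrcpts=1, proto=ESMTP, relay=[198.51.100.7]
Nov 21 14:13:58 mx sendmail[878]: kALJDTOe015612: to=<alice@example.com>, delay=00:00:28, xdelay=00:00:00, mailer=local, pri=213758, dsn=2.0.0, stat=Sent
Nov 21 14:13:58 mx sendmail[878]: kALJDTOe015612: to=<bob@grp.example.com>,<carol@grp.example.com>,<dave@grp.example.com>, delay=00:00:28, xdelay=00:00:00, mailer=esmtp, pri=213758, relay=grp.example.com. [192.0.2.20], dsn=2.0.0, stat=Sent (Ok)
Nov 21 14:14:02 mx sendmail[880]: kALJDTOf015613: to=<erin@example.com>, delay=00:00:31, mailer=local, dsn=2.0.0, stat=Sent
"""

# "with ESMTP id <queue id>" as written into Received:; E?SMTP also covers plain SMTP.
QID_IN_RECEIVED = re.compile(r"\bwith\s+E?SMTP\S*\s+id\s+([A-Za-z0-9]+)")
LOG_LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssendmail\[\d+\]:\s(?P<qid>\w+):\s(?P<rest>.*)$"
)
# Fields are separated by ", " but the to= list itself contains commas, so only
# split where the comma is followed by the next "key=".
FIELD_SEP = re.compile(r",\s+(?=[a-z]+=)")


def queue_id_from_received(header):
    """Return the local queue ID named in a Received: header, or None."""
    m = QID_IN_RECEIVED.search(header)
    return m.group(1) if m else None


def parse_fields(rest):
    """Turn 'key=value, key=value' into a dict, keeping to= lists intact."""
    fields = {}
    for part in FIELD_SEP.split(rest):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def trace(log_text, qid):
    """Collect the envelope sender and every delivery logged for one queue ID."""
    result = {"qid": qid, "sender": None, "nrcpts": None, "deliveries": []}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("qid") != qid:
            continue
        f = parse_fields(m.group("rest"))
        if "from" in f:
            result["sender"] = f["from"].strip("<>")
            result["nrcpts"] = int(f.get("nrcpts", 0))
        elif "to" in f:
            rcpts = [a.strip(" <>") for a in f["to"].split(",") if a.strip()]
            result["deliveries"].append({
                "recipients": rcpts,
                "mailer": f.get("mailer"),
                "relay": f.get("relay"),
                "stat": f.get("stat"),
            })
    return result


def all_recipients(result):
    """Flatten the per-delivery recipient lists into one envelope list."""
    return [r for d in result["deliveries"] for r in d["recipients"]]


if __name__ == "__main__":
    info = trace(MAILLOG, queue_id_from_received(RECEIVED))
    print(info["sender"], "->", ", ".join(all_recipients(info)))
    # Fewer logged recipients than nrcpts means some copies are still queued.
    print("complete" if len(all_recipients(info)) == info["nrcpts"] else "pending")
```

The lookup only covers one queue ID on one host; as noted in the reply above, a message that passes through several MTA instances gets a new ID at each hop and needs one lookup per hop.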
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 22 09:33:29 2006
Subject: log is flotting with messages
In-Reply-To: <45636DAA.30807@techspace.nl>
References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061121181255.4tkj4b7i8484osgg@www.intranet> <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com> <45636DAA.30807@techspace.nl>
Message-ID: <223f97700611220132n7cc4d3f0p26739c55772348ee@mail.gmail.com>

On 21/11/06, redhadjasper wrote:
(snip)
> yes done al that home/postfix/.spamassasin owner postfix
> and the config files readable to everyone.
>
> cant i run spamassasin as root in mailscanner?
>

Nope. Since you run postfix, MailScanner needs run as that user... And MailScanner loads the spamassassin perl modules into itself, more or less, so spamassassin will be run as that user.

Something is slightly strange here, so ... I need to think... Could you tell a bit more about your SA setup? Is it via RPM or Jules install-Clam-SA package?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From steve.freegard at fsl.com Wed Nov 22 10:29:24 2006
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Nov 22 10:29:36 2006
Subject: OT: SPF was Re: Annoying!!!
In-Reply-To: <4563B233.7020404@pronet.co.nz>
References: <45585CA7.65ED.00A2.0@plattesheriff.org> <4563B233.7020404@pronet.co.nz>
Message-ID: <45642684.4010101@fsl.com>

Brent Addis wrote:
> Many companies drop email coming from hosts that aren't listed as an
> address in a valid spf record, so they don't bounce back to you. Of
> course they still accept mail without any spf record assigned to it, but
> I'm sure that'll stop one day.
>
> http://www.openspf.org/wizard.html?mydomain=&x=0&y=0 has a wizard for
> it. It gets inserted into your dns records.

Let me go on record saying that I *hate* that wizard... It defaults records to ~all (if SPF record doesn't match return SOFTFAIL) or ?all (if SPF record doesn't match return NEUTRAL), it does *not* give the option of -all (if SPF record doesn't match return FAIL) at all.

The only time you can *safely* reject mail at SMTP time is if the SPF result == Fail (-all), all other states e.g. softfail, neutral and pass are only useful for more expensive content checking such as SpamAssassin...

SPF Pass - can be useful when used with 'other' tests, although I've seen a lot of spam domains set-up SPF records with a '+all' (return Pass if the SPF record doesn't match) that try and take advantage of this. Because I think '+all' is both useless and evil, I downgrade this to 'Neutral' on my systems...

> Be warned though, if you have remote users, they will have to use a
> server within your spf realm for sending mail.

Yes - especially true if you set -all or ~all in your SPF record, if you use ?all then it really doesn't matter.

> I would recommend turning off the catchall too.

Yes - catch-alls are evil.

On my spam trap I set a SPF record of 'v=spf1 mx -all' and reject any SPF fail at SMTP time, currently I don't get brilliant results with this, but I do get some:

Out of 49,630 senders - 1,331 were rejected due to SPF fail, most of these I suspect were due to spammers trying to send in junk by forging my own domain. These numbers might be higher if I reduced some of the other pre-DATA rejections on this box.

Cheers,
Steve.

From Jan-Peter.Koopmann at seceidos.de Wed Nov 22 10:36:43 2006
From: Jan-Peter.Koopmann at seceidos.de (Koopmann, Jan-Peter)
Date: Wed Nov 22 10:36:36 2006
Subject: ClamAV || Oversized.zip
In-Reply-To: <200611211032.50978.clacroix@cegep-ste-foy.qc.ca>
Message-ID:

On Tuesday, November 21, 2006 4:33 PM Charles Lacroix wrote:

> i would check this in clamd.conf

Clamd.conf is not used by clamscan and clamav-module. Just by clamd which is not used by MailScanner. If you are using the module, make the change in MailScanner.conf. If you are using the wrapper, you need to change clamav-wrapper.

Kind regards,
JP

From jen at ah.dk Wed Nov 22 11:14:54 2006
From: jen at ah.dk (Jan Elmqvist Nielsen)
Date: Wed Nov 22 11:15:25 2006
Subject: SV: MailScanner miss several Regning.exe files
In-Reply-To: <223f97700611160334v3c3fcb3lde292a43ff849789@mail.gmail.com>
Message-ID: <41EA997496BB5542BDA52CFA44FE78FC9A6C6D@AHMAIL.ah.ahnet.local>

Several of these (virus) exe files are still coming through!!

I wonder if it's Fedora 4's file command which is to blame. I have some mail which the file command say it's MPEG but it's a plain html file!

Have any of you have the same experience with FC4 and MailScanner?

/Jan Elmqvist Nielsen

From mailing_lists+mailscanner at caleotech.com Wed Nov 22 11:18:59 2006
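Added example (not code from Steve Freegard or from the SPF project): the SMTP-time policy from the "OT: SPF" message above, as a small Python evaluator. It reads a record left to right, handles only the ip4, ip6, mx and all mechanisms, takes MX addresses from a table instead of DNS, rejects only on Fail and treats a Pass that comes from a bare +all as Neutral; the domains, addresses and function names are constructed for illustration.

```python
import ipaddress

# SPF qualifier -> result when the mechanism it prefixes matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS: domain -> addresses of its MX hosts.
MX = {"trap.example": ["192.0.2.25"]}


def check_spf(record, client_ip, domain, mx_hosts):
    """Evaluate an SPF record; return (result, name of the mechanism that matched)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:
            continue  # modifier (redirect=, exp=): not evaluated in this sketch
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term  # no prefix means "+"
        name, _, arg = mech.lower().partition(":")
        name = name.split("/")[0]
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # A v4 client never matches a v6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            target = arg.split("/")[0] or domain
            matched = any(ip == ipaddress.ip_address(h) for h in mx_hosts.get(target, []))
        else:
            raise NotImplementedError(f"mechanism {name!r} needs DNS lookups not modelled here")
        if matched:
            return QUALIFIERS[qualifier], name
    return "neutral", None  # nothing matched: same as an implicit "?all"


def smtp_decision(result, mechanism):
    """Reject at SMTP time only on Fail; everything else goes on to content scoring."""
    if result == "pass" and mechanism == "all":
        result = "neutral"  # "+all" authorises every host, so the pass proves nothing
    action = "reject" if result == "fail" else "score"
    return action, result


def classify(record, client_ip, domain, mx_hosts=MX):
    return smtp_decision(*check_spf(record, client_ip, domain, mx_hosts))


if __name__ == "__main__":
    cases = [
        ("v=spf1 mx -all", "203.0.113.9", "trap.example"),
        ("v=spf1 mx -all", "192.0.2.25", "trap.example"),
        ("v=spf1 ip4:198.51.100.0/24 ~all", "203.0.113.9", "soft.example"),
        ("v=spf1 ?all", "203.0.113.9", "open.example"),
        ("v=spf1 +all", "203.0.113.9", "spam.example"),
    ]
    for record, ip, domain in cases:
        print(f"{record!r:40} from {ip:12} -> {classify(record, ip, domain)}")
```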
From: mailing_lists+mailscanner at caleotech.com (Jens Ahlin)
Date: Wed Nov 22 11:19:07 2006
Subject: OT: Sendmail gateway using mailertable and access db
Message-ID: <1840.172.16.1.115.1164194339.squirrel@www.caleotech.com>

Hi All,

I have a MailScanner box (CentOS 4) with sendmail-8.13.1-3 acting gateway in front of an Exchange server (Not my decision). Now all mails for all domains handled are scanned and forwarded to the exchange server. Lately the amount of mail for unknown recipients has exploded over the roof and I need to implement a quick solution. The server is dying and I don't want to be "that guy" that send undeliverable reports for spam/virus.

I'm using access db for another installation and it works fine there but the MailScanner box is not a gateway. All mails are delivered locally. Now with a sendmail installation in gateway mode this doesn't work.

I have a script that pulls all valid email addresses from the exchange server and want to use access db to block all but my valid users. I have looked at milter-ahead but I could not figure out if this is the right thing for me.

My config using test.com as domain and xxx.xxx.xxx.xxx as the Exchange server IP address.

mailertable:
test.com smtp[xxx.xxx.xxx.xxx]

access db:
test.com RELAY
xxx.xxx.xxx.xxx RELAY
TO:user@test.com RELAY
TO:test.com ERROR:5.1.1:550 User unknown

I have no "relay" FEATURE in my sendmail.mc.

Using this config results in all mails sent to user@test.com are rejected with error 550 User unknown. I have read the sendmail documentation regarding access db and tried a lot of different settings (Only TO:, Only Connect:, TO: and Connect:)

Any idea of how to do this?

Jens

From jen at ah.dk Wed Nov 22 11:29:26 2006
From: jen at ah.dk (Jan Elmqvist Nielsen)
Date: Wed Nov 22 11:30:00 2006
Subject: SV: MailScanner miss several Regning.exe files - beware zip virus
In-Reply-To: <41EA997496BB5542BDA52CFA44FE78FC9A6C6D@AHMAIL.ah.ahnet.local>
Message-ID: <41EA997496BB5542BDA52CFA44FE78FC9A6C6E@AHMAIL.ah.ahnet.local>

Attached is a zip queue file.
None of my virus scanners detect the virus yet

/jan Elmqvist Nielsen

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jan Elmqvist Nielsen
Sent: 22 November 2006 12:15
To: MailScanner discussion
Subject: SV: MailScanner miss several Regning.exe files

Several of these (virus) exe files are still coming through!!

I wonder if it's Fedora 4's file command which is to blame.

I have some mail which the file command says is MPEG but it's a plain html file!

Have any of you had the same experience with FC4 and MailScanner?

/Jan Elmqvist Nielsen
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: example.zip
Type: application/x-zip-compressed
Size: 10133 bytes
Desc: example.zip
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061122/42407deb/example.bin

From amirse at gmail.com Wed Nov 22 11:32:05 2006
From: amirse at gmail.com (Amir Sela)
Date: Wed Nov 22 11:32:07 2006
Subject: Mail gets tagged as spam but passes through anyways.
Message-ID: <814064980611220332l3579ad24l7c1f43775db8dd5@mail.gmail.com>

Hi,

My MailScanner.conf file contains:

Required SpamAssassin Score = 6

I'm receiving mails that seem to have their spam score at 7:

X-myorg-MailScanner-SpamScore: sssssss

Back when I installed the server a while ago, I decided to filter the spam with a procmail rule as such:

:0:
* ^X-myorg-MailScanner-SpamCheck: spam
$MAILDIR/SPAM

I assumed that whenever MailScanner encounters a mail with a spam score of anything over the above mentioned value, it will add the SpamCheck: spam line. This mail that passed through didn't get that line added to its headers, and I'm at a loss as to why..

Of course, I could simply set the procmail rule to filter based on s's, but I'm still wondering why MailScanner lets this mail pass without appending the proper line into the header, which would make my procmail rule work.

I should mention that some mails DO get that line appended. The reason this baffles me is that I can't seem to see a pattern here. Sometimes it gets appended, other times it doesn't.

What am I missing here? I'm sort of a MailScanner newbie, so please bear with me ;)

Thanks a lot,
-Amir

From prandal at herefordshire.gov.uk Wed Nov 22 11:41:44 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Nov 22 11:42:02 2006
Subject: MailScanner miss several Regning.exe files - beware zip virus
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B5810BA68AF@isabella.herefordshire.gov.uk>

Submit the (unzipped) file to http://www.clamav.net/sendvirus.html

I've submitted it to http://virusscan.jotti.org and http://www.virustotal.com already.

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Jan Elmqvist Nielsen > Sent: 22 November 2006 11:29 > To: MailScanner discussion > Subject: SV: MailScanner miss several Regning.exe files - > beware zip virus > > Attached is a zip queue file. > None af my virus scanners detect the virus yet > > /jan Elmqvist Nielsen > > -----Oprindelig meddelelse----- > Fra: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] P? vegne > af Jan Elmqvist Nielsen > Sendt: 22. november 2006 12:15 > Til: MailScanner discussion > Emne: SV: MailScanner miss several Regning.exe files > > Several of thise (virus) exe files is still comming through!! > > I wonder if it's Fedora 4's file command which is to blam. > > I have some mail which the file command say it's MPEG but > it's a plain html file! > > Have any of you have the same experience with FC4 and MailScanner? > > /Jan Elmqvist Nielsen > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From glenn.steen at gmail.com Wed Nov 22 11:51:57 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 22 11:52:00 2006 Subject: MailScanner miss several Regning.exe files - beware zip virus In-Reply-To: <41EA997496BB5542BDA52CFA44FE78FC9A6C6E@AHMAIL.ah.ahnet.local> References: <41EA997496BB5542BDA52CFA44FE78FC9A6C6D@AHMAIL.ah.ahnet.local> <41EA997496BB5542BDA52CFA44FE78FC9A6C6E@AHMAIL.ah.ahnet.local> Message-ID: <223f97700611220351t79393c47t14320163a43246f2@mail.gmail.com> On 22/11/06, Jan Elmqvist Nielsen wrote: > Attached is a zip queue file. > None af my virus scanners detect the virus yet > > /jan Elmqvist Nielsen > > -----Oprindelig meddelelse----- > Fra: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] P? vegne af Jan Elmqvist Nielsen > Sendt: 22. november 2006 12:15 > Til: MailScanner discussion > Emne: SV: MailScanner miss several Regning.exe files > > Several of thise (virus) exe files is still comming through!! > > I wonder if it's Fedora 4's file command which is to blam. > > I have some mail which the file command say it's MPEG but it's a plain html file! > > Have any of you have the same experience with FC4 and MailScanner? > > /Jan Elmqvist Nielsen Jan, do you mean that you _have_ filename/filetype checking on? And this slipped through? Do you employ any rulesets for those settings in MailScanner.conf? Looking at the file, it looks like it'd fall afoul of the filename checks, so no matter if the filetype checks worked or not, it should've been caught... Unless you axplicitly allow it (perhaps by a ruleset.). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jen at ah.dk Wed Nov 22 12:08:48 2006 
From: jen at ah.dk (Jan Elmqvist Nielsen) Date: Wed Nov 22 12:09:18 2006 Subject: SV: MailScanner miss several Regning.exe files - beware zip virus In-Reply-To: <223f97700611220351t79393c47t14320163a43246f2@mail.gmail.com> Message-ID: <41EA997496BB5542BDA52CFA44FE78FC9A6C6F@AHMAIL.ah.ahnet.local> -----Oprindelig meddelelse----- Fra: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] P? vegne af Glenn Steen Sendt: 22. november 2006 12:52 Til: MailScanner discussion Emne: Re: MailScanner miss several Regning.exe files - beware zip virus On 22/11/06, Jan Elmqvist Nielsen wrote: > Attached is a zip queue file. > None af my virus scanners detect the virus yet > > /jan Elmqvist Nielsen > > -----Oprindelig meddelelse----- > Fra: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] P? vegne af Jan > Elmqvist Nielsen > Sendt: 22. november 2006 12:15 > Til: MailScanner discussion > Emne: SV: MailScanner miss several Regning.exe files > > Several of thise (virus) exe files is still comming through!! > > I wonder if it's Fedora 4's file command which is to blam. > > I have some mail which the file command say it's MPEG but it's a plain html file! > > Have any of you have the same experience with FC4 and MailScanner? > > /Jan Elmqvist Nielsen Jan, do you mean that you _have_ filename/filetype checking on? And this slipped through? Do you employ any rulesets for those settings in MailScanner.conf? Looking at the file, it looks like it'd fall afoul of the filename checks, so no matter if the filetype checks worked or not, it should've been caught... Unless you axplicitly allow it (perhaps by a ruleset.). Hi Glenn Yes - that's correct! I have received 49 today of which 17 wasn't stopped even though it contains af exe file! And I can see some of the 17 also have missed the virus check! Even though f-secure can detect it!! 
MS 4.54.6 on FC4 /Jan Elmqvist Nielsen From prandal at herefordshire.gov.uk Wed Nov 22 12:24:56 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Nov 22 12:25:53 2006 Subject: MailScanner miss several Regning.exe files - beware zip virus Message-ID: <86144ED6CE5B004DA23E1EAC0B569B5810BA6901@isabella.herefordshire.gov.uk> > MS 4.54.6 on FC4 Any compelling reason why you're not running MailScanner 4.56.8? Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK From jen at ah.dk Wed Nov 22 12:28:08 2006 
From: jen at ah.dk (Jan Elmqvist Nielsen)
Date: Wed Nov 22 12:28:43 2006
Subject: SV: MailScanner miss several Regning.exe files - beware zip virus
In-Reply-To: <41EA997496BB5542BDA52CFA44FE78FC9A6C6F@AHMAIL.ah.ahnet.local>
Message-ID: <41EA997496BB5542BDA52CFA44FE78FC9A6C70@AHMAIL.ah.ahnet.local>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jan Elmqvist Nielsen
Sent: 22 November 2006 13:09
To: MailScanner discussion
Subject: SV: MailScanner miss several Regning.exe files - beware zip virus

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: 22 November 2006 12:52
To: MailScanner discussion
Subject: Re: MailScanner miss several Regning.exe files - beware zip virus

On 22/11/06, Jan Elmqvist Nielsen wrote:
> Attached is a zip queue file.
> None of my virus scanners detect the virus yet
>
> /jan Elmqvist Nielsen
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jan
> Elmqvist Nielsen
> Sent: 22 November 2006 12:15
> To: MailScanner discussion
> Subject: SV: MailScanner miss several Regning.exe files
>
> Several of these (virus) exe files are still coming through!!
>
> I wonder if it's Fedora 4's file command which is to blame.
>
> I have some mail which the file command says is MPEG but it's a plain html file!
>
> Have any of you had the same experience with FC4 and MailScanner?
>
> /Jan Elmqvist Nielsen

Jan, do you mean that you _have_ filename/filetype checking on? And this slipped through? Do you employ any rulesets for those settings in MailScanner.conf?

Looking at the file, it looks like it'd fall afoul of the filename checks, so no matter if the filetype checks worked or not, it should've been caught... Unless you explicitly allow it (perhaps by a ruleset.).

Hi Glenn

I have found out why.... :-)

There is no file and virus check when High Spam is reached.
And I store high spam mails - no deliver!

/Jan Elmqvist Nielsen

From Johan.Hedlund at tietoenator.com Wed Nov 22 12:36:20 2006
From: Johan.Hedlund at tietoenator.com (Johan.Hedlund@tietoenator.com)
Date: Wed Nov 22 12:36:28 2006
Subject: SV: Sendmail gateway using mailertable and access db
In-Reply-To: <1840.172.16.1.115.1164194339.squirrel@www.caleotech.com>
Message-ID: <1D1C14F9CD24904987F2907D74C772B405D27CD3@mustang.eu.tieto.com>

Hi,

If you're using Exchange as a mailserver you sure have an Active Directory, why not use sendmail with LDAP to verify your mail addresses? There should be more material on the subject than using Access ;-)

/Johan

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jens Ahlin
Sent: 22 November 2006 12:19
To: mailscanner@lists.mailscanner.info
Subject: OT: Sendmail gateway using mailertable and access db

Hi All,

I have a MailScanner box (CentOS 4) with sendmail-8.13.1-3 acting as a gateway in front of an Exchange server (Not my decision). Now all mails for all domains handled are scanned and forwarded to the exchange server.

Lately the amount of mail for unknown recipients has exploded over the roof and I need to implement a quick solution. The server is dying and I don't want to be "that guy" that sends undeliverable reports for spam/virus.

I'm using access db for another installation and it works fine there but the MailScanner box is not a gateway. All mails are delivered locally. Now with a sendmail installation in gateway mode this doesn't work.

I have a script that pulls all valid email addresses from the exchange server and want to use access db to block all but my valid users. I have looked at milter-ahead but I could not figure out if this is the right thing for me.

My config using test.com as domain and xxx.xxx.xxx.xxx as the Exchange server IP address.

mailertable:

test.com smtp[xxx.xxx.xxx.xxx]

access db:
test.com RELAY
xxx.xxx.xxx.xxx RELAY

TO:user@test.com RELAY
TO:test.com ERROR:5.1.1:550 User unknown

I have no "relay" FEATURE in my sendmail.mc.

Using this config results in all mails sent to user@test.com being rejected with error 550 User unknown.

I have read the sendmail documentation regarding access db and tried a lot of different settings (Only TO:, Only Connect:, TO: and Connect:)

Any idea of how to do this?

Jens

From glenn.steen at gmail.com Wed Nov 22 13:30:39 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 22 13:30:42 2006
Subject: MailScanner miss several Regning.exe files - beware zip virus
In-Reply-To: <41EA997496BB5542BDA52CFA44FE78FC9A6C70@AHMAIL.ah.ahnet.local>
References: <41EA997496BB5542BDA52CFA44FE78FC9A6C6F@AHMAIL.ah.ahnet.local> <41EA997496BB5542BDA52CFA44FE78FC9A6C70@AHMAIL.ah.ahnet.local>
Message-ID: <223f97700611220530w4b8243den5a62ce9a31f9aea0@mail.gmail.com>

On 22/11/06, Jan Elmqvist Nielsen wrote:
> (snip)
>
> Hi Glenn
>
> I have found out why.... :-)
>
> There is no file and virus check when High Spam is reached.
> And I store high spam mails - no deliver!
>

# grep Keep /etc/MailScanner/MailScanner.conf
Keep Spam And MCP Archive Clean = yes

Consider setting that option;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From dyioulos at firstbhph.com Wed Nov 22 13:41:50 2006
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Wed Nov 22 13:42:12 2006
Subject: SA Updated - W/L mail scored
Message-ID: <200611220841.52002.dyioulos@firstbhph.com>

Hello to all.

Apologies, as I posted something along these lines a few days ago, with no response:

I recently updated spamassassin to version 3.1.7 from the last stock version (3.0.4) on a CentOS 3.8 box running sendmail-8.12.11-4.RHEL3.6 and the latest versions of MS and MailWatch. After the SA update, all of my whitelisted mail is being scored. Mail from my domain is also scanned, although supposedly whitelisted. Additionally, MCP is now being scored (it's enabled), even though my mcp .cf file has no real rules in it.

Some (I think) relevant file snippets:

From MailScanner.conf -

Is Definitely Not Spam = &SQLWhitelist
Is Definitely Not Spam = &SQLWhitelist
MCP Required SpamAssassin Score = 6 <-- I intentionally set this high so as not to trip MCP
MCP High SpamAssassin Score = 10
MCP Error Score = 1
MCP Header = X-%org-name%-MailScanner-MCPCheck:
Non MCP Actions = deliver store
MCP Actions = deliver store
High Scoring MCP Actions = deliver store
Bounce MCP As Attachment = no
MCP Modify Subject = yes
MCP Subject Text = {MCP?}
High Scoring MCP Modify Subject = yes
High Scoring MCP Subject Text = {MCP?}
Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = no
Detailed MCP Report = yes
Include Scores In MCP Report = yes
Log MCP = no
MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100000
MCP SpamAssassin Timeout = 10
MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
MCP SpamAssassin User State Dir =
MCP SpamAssassin Local Rules Dir = %mcp-dir%
MCP SpamAssassin Default Rules Dir = %mcp-dir%
MCP SpamAssassin Install Prefix = %mcp-dir%
Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
Sender MCP Report = %report-dir%/sender.mcp.report.txt

From spam.whitelist.rules (although I'm not sure what effect this has) -

From: 192.168. yes
From: 127.0.0.1 yes
FromOrTo: default no

I'm not sure where else to look. I would really appreciate some help sorting this out and getting to where I was prior to the SA update.

Many thanks. And to my American colleagues, happy Thanksgiving.

Dimitri

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From rob at dido.ca Wed Nov 22 13:44:52 2006
From: rob at dido.ca (Rob Morin)
Date: Wed Nov 22 13:45:01 2006
Subject: Due to incresing spam and deleations issues....
In-Reply-To: <4561EABF.4000104@solidstatelogic.com>
References: <4561B8A1.6060503@dido.ca> <4561EABF.4000104@solidstatelogic.com>
Message-ID: <45645454.3040000@dido.ca>

Thanks for all your replies.....

We are getting a lot of spam coming through now.... i am not sure why, most of it gets caught as spam but not deleted....even though it looks clearly like spam.....an example is below that was not marked as spam at all.

I am running MS 4.5.3 and SA 3.1.1 i installed via the tarball scripty thing.... should i upgrade to next version? If so is it as simple as running the install script again? I thought i remember someone saying if i used the install script it makes upgrading easier....

Thanks again for all your guys and gals help... this list is a great resource! And of course MS ROCKS!

Have a great day!

Return-Path:
X-Original-To: rob@stupidguytalk.org
Delivered-To: rob@stupidguytalk.org
Received: from peter.dido.ca (peter [64.86.63.158])
    by stewy.dido.ca (Postfix) with ESMTP id 1E88B2F403C
    for ; Wed, 22 Nov 2006 01:39:28 -0500 (EST)
Received: from brian.dido.ca (mx2.dido.ca [206.248.146.163])
    by peter.dido.ca (Postfix) with ESMTP id 34A7C690024
    for ; Wed, 22 Nov 2006 01:45:13 -0500 (EST)
Received: from datafast.net.au (unknown [220.205.4.250])
    by brian.dido.ca (Postfix) with SMTP id 842FA1002B5
    for ; Wed, 22 Nov 2006 01:38:56 -0500 (EST)
Message-ID: <001201c70e44$10e07920$078a8a9c@CPQ26783710725>
From: "Steve Potts" To: "rob" Subject: To capitulate to every Date: Wed, 22 Nov 2006 14:39:50 +0800 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_000F_01C70E44.10E07920" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2720.4682 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2720.2962 X-Peter-Dido-ca-MailScanner-Information: Please contact the ISP for more information X-Peter-Dido-ca-MailScanner: Found to be clean X-Peter-Dido-ca-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.135, required 4, autolearn=not spam, FORGED_RCVD_HELO 0.14) X-Peter-Dido-ca-MailScanner-From: vmdrivalry@datafast.net.au X-Spam-Status: No ------=_NextPart_000_000F_01C70E44.10E07920 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: quoted-printable This is often misstated as the proof is in the pudding. It's the empty can = that makes the most noise. From Isle of Beauty by Thomas Haynes Bayly Knock= and the door will be opened unto you. --Matthew 7:7 It's a blessing in dis= guise.=0A= That which does not kill you, makes you stronger. Handsome is as handsome d= oes. Be careful what you wish for, you might just get it.=0A= The whole is greater than the sum of its parts Don't have too many irons in= the fire. Talking a mile a minute. Don't trudge mud into the house of love= =0A= =0A= Rob Morin Dido InterNet Inc. Montreal, Canada Http://www.dido.ca 514-990-4444 Martin Hepworth wrote: > Rob Morin wrote: >> ... i would like to implement a PER user/mailbox rulset.... >> >> on the weekend i had a buddy mention that there is a way to >> incorporate squirrllmaill and MS with SA that uses MySQL to allow >> users to alter their own spam filters, rather than US (sys admins) >> doing special whitelists for each user, as more and more spam comes >> in more regular mail gets marked as spam and or gets deleted.... its >> becoming too much to manage now... 
if the clients can manage some >> stuff on their own, it would help with out regular duties rather than >> spend hours each day adjusting the rules and scores..... >> >> Especially those damm gif messages... so my 2 questions are.... >> >> 1) Has anyone actually done this per user rule set via mysql? >> 2) How is the success ratio with the gif plugin for MS to help with >> those darn gif messages? >> >> Thanks to all , and to all a good day! >> :) >> > Rob > > sorry on the 2nd question, I'd look at the SARE_Stocks ruleset from > www.rulesemporium.com/rules.html and freds' rules from > www.rulesemporium.com/other-rules.htm. > > Also make sure you are running SA 3.1.7 as this catches some of the > gif/image spam quite well on it's own (will give a score acore above 5 > anyway). > From jen at ah.dk Wed Nov 22 13:49:19 2006 From: jen at ah.dk (Jan Elmqvist Nielsen) Date: Wed Nov 22 13:49:55 2006 Subject: SV: MailScanner miss several Regning.exe files - beware zip virus In-Reply-To: <223f97700611220530w4b8243den5a62ce9a31f9aea0@mail.gmail.com> Message-ID: <41EA997496BB5542BDA52CFA44FE78FC9A6C72@AHMAIL.ah.ahnet.local> > > Hi Glenn > > I have found out why.... :-) > > There is no file and virus check when High Spam is reached. > And I store high spam mails - no deliver! > # grep Keep /etc/MailScanner/MailScanner.conf Keep Spam And MCP Archive Clean = yes Consider setting that option;-). Hi Glenn Yes - that looks like a good idea... It will make my virus statistics better :-) Thanks Jan Elmqvist Nielsen From gmourani at privalodc.com Wed Nov 22 14:07:57 2006 
From: gmourani at privalodc.com (Gerhard Mourani)
Date: Wed Nov 22 14:08:12 2006
Subject: Spam inside images
In-Reply-To: <45631757.8070609@hal9000.nl>
References: <4572.70.82.58.187.1164121116.squirrel@webmail.privalodc.com> <45631757.8070609@hal9000.nl>
Message-ID: <2658.70.82.58.187.1164204477.squirrel@webmail.privalodc.com>

Hello list,

Thanks for your nice and quick replies, this helps me a lot. Erik van der Leun recommended to go with the ocrtext patch approach (see further down in this message) where Randal Phil talks about implementing FuzzyOcr to do it. I would like to know what's the difference between both techniques and according to users' experiences with them, which one is recommended, preferable, etc?

Gerhard,

> Gerhard Mourani wrote:
>> Hello list,
>>
>> I would like to know if someone knows how to make MailScanner scan inside
>> images for spam. I receive a lot of this kind of new spam now. They are
>> inside the image and cannot be detected by SpamAssassin which checks for
>> text only.
>>
>> Gerhard,
>>
>>
> 1. cd to /etc/mail/spamassassin
> 2. download the patch file from:
>    http://antispam.imp.ch/patches/patch-ocrtext
> 3. type 'patch < patch-ocrtext'
>    This will create two files in your current directory called
>    ocrtext.cf and ocrtext.pm
> 4. Edit v310.pre and add the following lines:
>
> # OCR - performs Optical Character Recognition on spam images
> #
> loadplugin ocrtext /etc/mail/spamassassin/ocrtext.pm
> loadplugin Mail::SpamAssassin::Timeout
>
> 5. Edit the ocrtext.cr file and change the following settings:
>
> ## This points to your gocr binary not just the path. Try 'which gocr'.
> gocr_path /usr/local/bin/gocr
> ## This is JUST the path to your pnm binarys ( i.e. pngtopnm, giftopnm, jpegtopnm )
> pnmtools_path /usr/bin
>
> 6. Run spamassassin -D --lint and check for errors.
>
> If all went well restart spamassassin or force it to reread its config
> however you would on your system.
>
> Then try typing something like 'tail -f /var/log/mail.log | grep
> SPAMPIC_ALPHA', on a high volume server you should see some rules
> matching after a few minutes. If so then you are OCR'ing the images!

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From prandal at herefordshire.gov.uk Wed Nov 22 14:17:33 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Nov 22 14:18:40 2006
Subject: Spam inside images
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B5810BA69AB@isabella.herefordshire.gov.uk>

FuzzyOcr 3.4.2 is the way to go. It's under active development, is well supported, and has a growing community of users.

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Gerhard Mourani > Sent: 22 November 2006 14:08 > To: MailScanner discussion > Subject: Re: Spam inside images > > Hello list, > > Thanks for your nice and quick replies, this help me a lot. > Erik van der > Leun recommended to go with the ocrtext patch approch (see > further down in > this message) where Randal Phil talk about implementing > FuzzyOcr to do it. > I would like to know what's the difference between both technic and > according to users experiences with them, which one is recommended, > preferable, etc? > > Gerhard, > > > Gerhard Mourani wrote: > >> Hello list, > >> > >> I would like to know if someone know how to make > MailScanner scan inside > >> images for spam. I receive lot of this kind of new spam > now. There are > >> inside the image and cannot be detected by spamassasin > which check for > >> texts only. > >> > >> Gerhard, > >> > >> > > 1. cd to /etc/mail/spamassassin > > 2. download the patch file from: > > http://antispam.imp.ch/patches/patch-ocrtext > > 3. type 'patch < patch-ocrtext' > > This will create two files in your current directory called > > ocrtext.cf and ocrtext.pm > > 4. Edit v310.pre and add the following lines: > > > > # OCR - performs Optical Character Recognition on spam images > > # > > loadplugin ocrtext /etc/mail/spamassassin/ocrtext.pm > > loadplugin Mail::SpamAssassin::Timeout > > > > 5. Edit the ocrtext.cr file and change the following settings: > > > > ## This points to your gocr binary not just the path. Try 'which > > gocr'. > > gocr_path /usr/local/bin/gocr > > ## This is JUST the path to your pnm binarys ( i.e. > pngtopnm, giftopnm, > > jpegtopnm ) > > pnmtools_path /usr/bin > > > > 6. Run spamassassin -D --lint and check for errors. > > > > If all went well restart spamassassin or force it to > reread it's config > > however you would on your system. 
> > > > Then try typing something like 'tail -f /var/log/mail.log | grep > > SPAMPIC_ALPHA', on a high volume server you should see some rules > > matching after a few minutes. If so then you are > OCR'ing the images! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ccampbell at brueggers.com Wed Nov 22 14:14:19 2006 From: ccampbell at brueggers.com (Christian Campbell) Date: Wed Nov 22 14:19:10 2006 Subject: AWL? Message-ID: Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3090 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061122/3a34d9f6/smime.bin From prandal at herefordshire.gov.uk Wed Nov 22 14:36:58 2006 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Nov 22 14:38:01 2006 Subject: Patch to default MailScanner.conf for correct SpamAssassin Local State Dir Message-ID: <86144ED6CE5B004DA23E1EAC0B569B5810BA69BD@isabella.herefordshire.gov.uk> As Theo van Dinter notes in http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4952#c11 , the spamassassin local_state_dir includes /spamassassin, e.g. /var/lib/spamassassin, and not /var/lib. The attached patch fixes the default MailScanner.conf to document the correct location. It would be great if MailScanner --lint could do some sanity checks on the spamassassin directories specified by users. The Spamassassin Local State Dir should have a numeric subdirectory representing the SA version and under it we'd expect to find an updates_spamassassin_org directory containing a bunch of .cf files. Similar consistency checks could be used against the SpamAssassin Site Rules Dir entry, etc. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK -------------- next part -------------- A non-text attachment was scrubbed... Name: MailScanner.conf.patch Type: application/octet-stream Size: 1038 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061122/b78be97d/MailScanner.conf.obj From P.G.M.Peters at utwente.nl Wed Nov 22 14:49:22 2006 
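[Added example, not part of any message in this thread and not MailScanner's own code: one way to implement the sanity check Phil Randal proposes above for the SpamAssassin Local State Dir. The function names, the version-directory pattern and the sample tree are assumptions made for this illustration.]

```python
import os
import re
import tempfile

# Assumption: the version subdirectory is digits and dots, e.g. "3.001007".
VERSION_DIR_RE = re.compile(r"^\d+(\.\d+)+$")
# Directory name taken from the message above.
CHANNEL_DIR = "updates_spamassassin_org"


def _version_dirs(path):
    """Names of numeric version subdirectories directly under path."""
    return sorted(
        d for d in os.listdir(path)
        if VERSION_DIR_RE.match(d) and os.path.isdir(os.path.join(path, d))
    )


def check_local_state_dir(path):
    """Return a list of problems; an empty list means the layout looks sane."""
    if not os.path.isdir(path):
        return [f"{path}: not a directory"]
    versions = _version_dirs(path)
    if not versions:
        # The mistake the patch documents: pointing at /var/lib
        # instead of /var/lib/spamassassin.
        nested = os.path.join(path, "spamassassin")
        if os.path.isdir(nested) and _version_dirs(nested):
            return [f"{path}: no version subdirectory here; did you mean {nested}?"]
        return [f"{path}: no numeric SpamAssassin version subdirectory"]
    problems = []
    for version in versions:
        channel = os.path.join(path, version, CHANNEL_DIR)
        if not os.path.isdir(channel):
            problems.append(f"{channel}: missing")
        elif not any(name.endswith(".cf") for name in os.listdir(channel)):
            problems.append(f"{channel}: contains no .cf rule files")
    return problems


def build_sample_tree(root, with_rules=True):
    """Create a constructed state dir under root and return its path."""
    state_dir = os.path.join(root, "spamassassin")
    channel = os.path.join(state_dir, "3.001007", CHANNEL_DIR)
    os.makedirs(channel)
    if with_rules:
        with open(os.path.join(channel, "10_misc.cf"), "w") as fh:
            fh.write("# constructed placeholder rule file\n")
    return state_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        good = build_sample_tree(root)
        print("correct setting:", check_local_state_dir(good))
        print("parent directory:", check_local_state_dir(root))
```
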
From: P.G.M.Peters at utwente.nl (Peter Peters)
Date: Wed Nov 22 14:49:27 2006
Subject: ClamAV || Oversized.zip
In-Reply-To: <4563172E.4090904@hal9000.nl>
References: <4563172E.4090904@hal9000.nl>
Message-ID: <45646372.9040308@utwente.nl>

Erik van der Leun wrote on 21-11-2006 16:11:
> Hi,
>
> A ClamAV feature to protect against DoS alike attacks checking filesizes and such
> in zipfiles, creates this message, causing attachments to end up in the quarantine,
> although all other scanners claim the attachment is harmless...
>
> # clamscan test.zip
> test.zip: Oversized.Zip FOUND

I have seen this happen today too. Too bad it was because a customer got a message stating the file was quarantined. It turned out it wasn't.

As far as I can see it happens with these two configuration settings:

Quarantine Infections = yes
Quarantine Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar Oversized Phishing

--
Peter Peters, senior administrator (Security)
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
phone: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

From mike at vesol.com Wed Nov 22 14:56:39 2006
From: mike at vesol.com (Mike Kercher)
Date: Wed Nov 22 14:58:15 2006
Subject: Sendmail gateway using mailertable and access db
In-Reply-To: <1840.172.16.1.115.1164194339.squirrel@www.caleotech.com>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Jens Ahlin
> Sent: Wednesday, November 22, 2006 5:19 AM
> To: mailscanner@lists.mailscanner.info
> Subject: OT: Sendmail gateway using mailertable and access db
>
>
> My config using test.com as domain and xxx.xxx.xxx.xxx as the
> Exchange server IP address.
>
> mailertable:
>
> test.com smtp[xxx.xxx.xxx.xxx]
>
> access db:
> test.com RELAY
> xxx.xxx.xxx.xxx RELAY
>
> TO:user@test.com RELAY
> TO:test.com ERROR:5.1.1:550 User unknown
>
> I have no "relay" FEATURE in my sendmail.mc.
>
> Using this config results in all mails sent to user@test.com
> are rejected with error 550 User unknown.
>
> I have read the sendmail documentation regarding access db
> and tried a lot of different settings (Only TO:, Only
> Connect:, TO: and Connect:)
>
> Any idea of how to do this?
>
> Jens
>
> --

Using your example, test.com should be listed in /etc/mail/relay-domains and NOT in /etc/mail/local-host-names. I would highly recommend you implement milter-ahead and set your Exchange server(s) to reject unknown recipients.

In /etc/mail/access, remove:

test.com RELAY
TO:user@test.com RELAY
TO:test.com ERROR:5.1.1:550 User unknown

Mike

From ka at pacific.net Wed Nov 22 16:07:34 2006
From: ka at pacific.net (Ken A)
Date: Wed Nov 22 16:05:09 2006
Subject: OT: SPF was Re: Annoying!!! [ + dns lookups]
In-Reply-To: <45642684.4010101@fsl.com>
References: <45585CA7.65ED.00A2.0@plattesheriff.org> <4563B233.7020404@pronet.co.nz> <45642684.4010101@fsl.com>
Message-ID: <456475C6.8040804@pacific.net>

Steve Freegard wrote:
> Brent Addis wrote:
>> Many companies drop email coming from hosts that aren't listed as an
>> address in a valid spf record, so they don't bounce back to you. Of
>> course they still accept mail without any spf record assigned to it,
>> but I'm sure that'll stop one day.
>>
>> http://www.openspf.org/wizard.html?mydomain=&x=0&y=0 has a wizard for
>> it. It gets inserted into your dns records.
>
> Let me go on record saying that I *hate* that wizard...
>
> It defaults records to ~all (if SPF record doesn't match return
> SOFTFAIL) or ?all (if SPF record doesn't match return NEUTRAL), it does
> *not* give the option of -all (if SPF record doesn't match return FAIL)
> at all.
>
> The only time you can *safely* reject mail at SMTP time is if the SPF
> result == Fail (-all), all other states e.g. softfail, neutral and pass
> are only useful for more expensive content checking such as SpamAssassin...
>
> SPF Pass - can be useful when used with 'other' tests, although I've
> seen a lot of spam domains set-up SPF records with a '+all' (return Pass
> if the SPF record doesn't match) that try and take advantage of this.
> Because I think '+all' is both useless and evil, I downgrade this to
> 'Neutral' on my systems...
>
>> Be warned though, if you have remote users, they will have to use a
>> server within your spf realm for sending mail.
>
> Yes - especially true if you set -all or ~all in your SPF record, if you
> use ?all then it really doesn't matter.
>
>> I would recommend turning off the catchall too.
>
> Yes - catch-alls are evil.
>
> On my spam trap I set a SPF record of 'v=spf1 mx -all' and reject any
> SPF fail at SMTP time, currently I don't get brilliant results with
> this, but I do get some:
>
> Out of 49,630 senders - 1,331 were rejected due to SPF fail, most of
> these I suspect were due to spammers trying to send in junk by forging
> my own domain. These numbers might be higher if I reduced some of the
> other pre-DATA rejections on this box.
>
> Cheers,
> Steve.

Careful with spf. We do a lot of dns lookups for every piece of spam. Spammers control the lookups to some extent and the more lookups your systems do, and the kind of lookups they do, the more popular a reflector/amplifier you are for DNS based attacks.

Have a nice, safe, Happy Thanksgiving! :-)

Ken A
Pacific.Net

From alex at nkpanama.com Wed Nov 22 14:32:27 2006
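The handling described in the message above (reject at SMTP time only on Fail, treat a Pass that comes from a '+all' record as Neutral) together with Ken A's point that every record makes the receiver do DNS lookups, as an added example that is not code from either poster. The function names and the record using `_spf.example.net` are assumptions made for the illustration.

```python
"""SMTP-time SPF handling from the thread: reject on Fail only, distrust '+all'."""
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms, plus the redirect modifier, that make the receiver query DNS.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^(?P<q>[+\-~?]?)(?P<name>[a-z][a-z0-9]*)(?P<arg>[:=/].*)?$", re.I)


def parse_spf(record):
    """Return [(qualifier, name, argument)] for a 'v=spf1' TXT record.

    A missing qualifier means '+'. For modifiers such as redirect= the
    qualifier slot carries no meaning and is filled with '+' as well.
    """
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record: %r" % record)
    terms = []
    for word in words[1:]:
        m = TERM.match(word)
        if m is None:
            raise ValueError("unparseable SPF term: %r" % word)
        terms.append((m.group("q") or "+", m.group("name").lower(), m.group("arg") or ""))
    return terms


def catch_all_result(record):
    """Result for senders matched by nothing before 'all' (None if no 'all')."""
    for qualifier, name, _ in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
    return None


def dns_terms(record):
    """Terms that cost the receiving server at least one DNS query."""
    return [name + arg for _, name, arg in parse_spf(record) if name in DNS_TERMS]


def smtp_action(result, record):
    """Map the SPF result for one sender to the action described in the thread."""
    if result == "pass" and catch_all_result(record) == "pass":
        result = "neutral"       # '+all' passes every host, so the pass proves nothing
    if result == "fail":
        return "reject"          # the only result refused at SMTP time
    return "score:" + result     # everything else goes to the content filter


if __name__ == "__main__":
    samples = [
        ("v=spf1 mx -all", "fail"),                                # record from the thread
        ("v=spf1 +all", "pass"),                                   # the '+all' case
        ("v=spf1 a mx include:_spf.example.net ~all", "softfail"),  # constructed
    ]
    for record, result in samples:
        print("%-45s %-9s -> %-14s dns terms: %s"
              % (record, result, smtp_action(result, record), dns_terms(record)))
```
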
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Nov 22 16:25:39 2006
Subject: OT: MailScanner & Zimbra
In-Reply-To: <452fd0b0f573eaeffec2f34d21dace56@10.0.0.10>
References: <4563AC3D.8090701@nkpanama.com> <452fd0b0f573eaeffec2f34d21dace56@10.0.0.10>
Message-ID: <45645F7B.2030801@nkpanama.com>

The reference to "mailscanner causes swapping" is regarding an old thread where someone was blaming MailScanner saying "it causes swapping"; everybody took turns explaining that "MailScanner causes swapping" sounds like "exercise causes breathing".

It's been asserted many times on this list that MailScanner works perfectly with Postfix, regardless of what some people (like Postfix's own Wietsev Enema) might say ;)

uxbod wrote:
> Hmmm, interesting as I have been running both Postfix and MailScanner on the same box for a year and even on a single server where I work without any problems. The only difference to other installations is that I use two instances of Postfix, the first handles all the standard checks HELO etc and performs LDAP lookups; if this is passed then the emails are handed over to the second instance where MailScanner will perform its checks.
>
> I would imagine that a Zimbra installation may need three instances of Postfix running FrontEnd->MailScanner->Zimbra. I will probably start on this at the weekend so will let you know how it goes. Have some interesting ideas to try out with the Ajax client especially for using information from MailScanner for White and Grey listing.
>
> Regards,
>
> On Tue, 21 Nov 2006 20:47:41 -0500, Alex Neuman van der Hans wrote:
>> uxbod wrote:
>>> Hi,
>>>
>>> Is anybody on the list using MailScanner with Zimbra ?
>>>
>>> If so was it easy to integrate ?
>>>
>>> Best Regards,
>>>
>>> --[ UxBoD ]--
>>> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
>>> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
>>> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
>>>
>>>
>> Easy...
if you have Zimbra on one box and MailScanner on the other. >> >> If you want to try and get MailScanner running on Zimbra, let us know >> how it goes... but beware, I've heard MailScanner on a box running >> Postfix (IIRC Zimbra uses Postfix) *could cause swapping*! ;-) >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> -- >> This message has been scanned for viruses and dangerous content by >> MailScanner, and is >> believed to be clean. > --[ UxBoD ]-- > // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 > // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 > > From jase at sensis.com Wed Nov 22 16:48:02 2006 From: jase at sensis.com (Desai, Jason) Date: Wed Nov 22 16:48:40 2006 Subject: MCP and sa-update Message-ID: <1951DC816E1A9F469307B05FA183F4385FF825@corpatsmail1.corp.sensis.com> Julian, I have come across what I think is a bug in MCP. It appears to pick up rules from sa-update when doing MCP checks, causing a higher MCP score and possible false positives. I have not come across a way to disable the local state directory in SpamAssassin, but I have found that changing it to a bogus directory gives the desired result. I have made the following change to MCP.pm: --- MCP.pm.orig 2006-04-12 05:45:37.000000000 -0400 +++ MCP.pm 2006-11-22 11:00:00.000000000 -0500 
@@ -88,6 +88,8 @@ $settings{userstate_dir} = $val if $val ne ""; $val = MailScanner::Config::Value('mcpspamassassinlocalrulesdir'); $settings{LOCAL_RULES_DIR} = $val if $val ne ""; + # Set the local state directory to a bogus value so it is not used + $settings{LOCAL_STATE_DIR} = '/BogusSAStateDir'; $val = MailScanner::Config::Value('mcpspamassassindefaultrulesdir'); $settings{DEF_RULES_DIR} = $val if $val ne ""; $val = MailScanner::Config::Value('mcpspamassassininstallprefix'); Here is a portion of the debug output (MailScanner --debug --debug-sa) without the above patch: [snip] [21779] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules pre files [21779] dbg: config: using "/var/lib/spamassassin/3.001007" for sys rules pre files [21779] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre [21779] dbg: config: using "/var/lib/spamassassin/3.001007" for default rules dir [21779] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf [21779] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules dir [21779] dbg: config: read file /opt/MailScanner/etc/mcp/10_example.cf [21779] dbg: config: using "/opt/MailScanner/etc/mcp/mcp.spam.assassin.prefs.conf" for user prefs file [snip] As you can see, MCP is using the sa-update rules. 
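Review bot: the added assignment `$settings{LOCAL_STATE_DIR} = '/BogusSAStateDir';` is unconditional and hard-coded, while every neighbouring setting in this hunk is read with `MailScanner::Config::Value(...)` and applied only `if $val ne ""`. Suggest following the same pattern with a new configuration option (the message itself proposes "MCP SpamAssassin Local State Dir") and falling back to the bogus value only when that option is empty, so a site can still point MCP at a state directory of its own. As written the fix also relies on `/BogusSAStateDir` never existing on the host; if a fixed value is kept, a path under MailScanner's own tree would be safer than one directly under `/`, and the comment should say that the value is deliberately invalid to keep sa-update rules out of MCP.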
With the above changes in place, I get the desired effect:

[snip]
[21662] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules pre files
[21662] dbg: config: using "/opt/MailScanner/etc/mcp" for sys rules pre files
[21662] dbg: config: using "/opt/MailScanner/etc/mcp" for default rules dir
[21662] dbg: config: read file /opt/MailScanner/etc/mcp/10_example.cf
[21662] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules dir
[21662] dbg: config: read file /opt/MailScanner/etc/mcp/10_example.cf
[21662] dbg: config: using "/opt/MailScanner/etc/mcp/mcp.spam.assassin.prefs.conf" for user prefs file
[21662] dbg: config: read file /opt/MailScanner/etc/mcp/mcp.spam.assassin.prefs.conf
[snip]

I know you've been busy lately. When you get some time, can you please review the patch, and possibly include it in the next release? Or maybe make this a user configurable option (MCP SpamAssassin Local State Dir)? Or maybe you know of a better solution?

Thanks for looking into this, and thanks for MailScanner!

Jase

--
Jason Desai
Network Administrator
Sensis Corporation
jase@sensis.com
http://www.sensis.com
(315) 445-5811

From redhat at techspace.nl Wed Nov 22 17:24:23 2006
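The check Jason Desai does by eye in the message above, as an added example that is not part of his message or of MailScanner: it reads `MailScanner --debug --debug-sa` style output and lists every rule directory or file that lies outside an allowed tree. The function names and the choice of `/opt/MailScanner/etc/mcp` as the only allowed root are assumptions; the sample lines are copied from the two debug excerpts in the message.

```python
"""List SpamAssassin rule sources that fall outside an allowed directory tree."""
import posixpath
import re
from pathlib import PurePosixPath

# Every debug entry starts with "[pid] dbg: "; splitting on that marker also
# handles logs that an archive has flattened onto one line.
ENTRY_START = re.compile(r"(?=\[\d+\] dbg: )")
USING = re.compile(r'^\[\d+\] dbg: config: using "([^"]+)" for ([a-z][a-z ]*[a-z])')
READ = re.compile(r"^\[\d+\] dbg: config: read file (\S+)")

# Sample lines copied from the unpatched debug output in the message.
UNPATCHED = """\
[21779] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules pre files
[21779] dbg: config: using "/var/lib/spamassassin/3.001007" for sys rules pre files
[21779] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
[21779] dbg: config: using "/var/lib/spamassassin/3.001007" for default rules dir
[21779] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
[21779] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules dir
[21779] dbg: config: read file /opt/MailScanner/etc/mcp/10_example.cf
[21779] dbg: config: using "/opt/MailScanner/etc/mcp/mcp.spam.assassin.prefs.conf" for user prefs file
"""

# Sample lines copied from the debug output with the patch applied.
PATCHED = """\
[21662] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules pre files
[21662] dbg: config: using "/opt/MailScanner/etc/mcp" for sys rules pre files
[21662] dbg: config: using "/opt/MailScanner/etc/mcp" for default rules dir
[21662] dbg: config: read file /opt/MailScanner/etc/mcp/10_example.cf
[21662] dbg: config: using "/opt/MailScanner/etc/mcp" for site rules dir
[21662] dbg: config: read file /opt/MailScanner/etc/mcp/10_example.cf
[21662] dbg: config: using "/opt/MailScanner/etc/mcp/mcp.spam.assassin.prefs.conf" for user prefs file
[21662] dbg: config: read file /opt/MailScanner/etc/mcp/mcp.spam.assassin.prefs.conf
"""


def config_sources(text):
    """Yield (kind, path) for each directory chosen and each file read."""
    for entry in ENTRY_START.split(text):
        entry = " ".join(entry.split())  # collapse wrapped whitespace
        m = USING.match(entry)
        if m:
            yield m.group(2), m.group(1)
            continue
        m = READ.match(entry)
        if m:
            yield "read file", m.group(1)


def is_under(path, root):
    """True if path is root or lies below it, compared component by component."""
    p = PurePosixPath(posixpath.normpath(path)).parts
    r = PurePosixPath(posixpath.normpath(root)).parts
    return p[:len(r)] == r


def outside_sources(text, allowed_roots):
    """Return the (kind, path) pairs that are not under any allowed root."""
    return [(kind, path) for kind, path in config_sources(text)
            if not any(is_under(path, root) for root in allowed_roots)]


if __name__ == "__main__":
    for label, log in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        hits = outside_sources(log, ["/opt/MailScanner/etc/mcp"])
        print(label, "->", len(hits), "source(s) outside the MCP tree")
        for kind, path in hits:
            print("   ", kind, path)
```
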
From: redhat at techspace.nl (redhat@techspace.nl)
Date: Wed Nov 22 17:24:50 2006
Subject: log is flotting with messages
In-Reply-To: <223f97700611220132n7cc4d3f0p26739c55772348ee@mail.gmail.com>
References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061121181255.4tkj4b7i8484osgg@www.intranet> <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com> <45636DAA.30807@techspace.nl> <223f97700611220132n7cc4d3f0p26739c55772348ee@mail.gmail.com>
Message-ID: <20061122182423.d0l1plbegwg0kkw8@www.intranet>

Quoting Glenn Steen :
> On 21/11/06, redhadjasper wrote:
> (snip)
>> yes done all that home/postfix/.spamassasin owner postfix
>> and the config files readable to everyone.
>>
>> can't I run spamassassin as root in mailscanner?
>>
>
> Nope. Since you run postfix, MailScanner needs to run as that user... And
> MailScanner loads the spamassassin perl modules into itself, more or
> less, so spamassassin will be run as that user.
>
> Something is slightly strange here, so ... I need to think... Could
> you tell a bit more about your SA setup? Is it via RPM or Jules
> install-Clam-SA package?
>

I have tried both, no different in behaviour, same problems. The rest made not much changes, except to run with postfix. Tried to run mailscanner as user and group root, no difference.

waaaaaaaaaaaaaaaa!!! close to give up.

greets.

From martinh at solidstatelogic.com Wed Nov 22 17:31:17 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 22 17:31:42 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches it
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B58017681E3@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B58017681E3@isabella.herefordshire.gov.uk>
Message-ID: <45648965.3040400@solidstatelogic.com>

Randal, Phil wrote:
> Sometimes it pays to actually test it with debug on and see the
> results...
>
> For my SA 3.1.7 installation,
>
> SpamAssassin Local State Dir = /var/lib/spamassassin
>
> is the correct setting, not
>
> SpamAssassin Local State Dir = /var/lib
>
> Tested with MailScanner --debug-sa and the debug flags set in
> MailScanner.conf.
>
> Cheers,
>
> Phil, who's amazed he didn't notice this earlier
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin
> Hepworth
> Sent: Friday, November 10, 2006 4:35 PM
> To: MailScanner discussion
> Subject: Re: Mailscanner not catching SPAM but manual run via SA catches
> it
>
> Dan Carl wrote:
>> Hi all,
>>
>> I'm perplexed,
>> Today I took a spam email from my inbox that got through Mailscanner and
>> saved it to my mail server.
>> I then ran it through spamassassin(spamassassin -t test.eml) and it caught it
>> as SPAM.
>> What's up with that??
>>
>> Just yesterday I upgraded to the latest version of Mailscanner (thanks
>> volunteers)
>> because a lot of spam was getting through. After many hours of work I also
>> installed the Fuzzy OCR plugin.
>>
>> Mailscanner appears to be working fine and using spamassassin.
>> My maillog shows lines this:
>> MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369
>>
>> Thanks in advance
>>
> Check the SA paths in MailScanner to make sure you're running the same
> rules - also check you've only got one perl and one SA installed.
>
> IF you've run sa-update make sure MS knows about it by setting
>
> SpamAssassin Local State Dir = /var/lib
>
>

hmm that's interesting 'cos when we tested it we needed to put in /var/lib there.....

what's below the /var/lib/spamassassin directory?

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From martinh at solidstatelogic.com Wed Nov 22 17:36:29 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Wed Nov 22 17:37:11 2006
Subject: AWL?
In-Reply-To:
References:
Message-ID: <45648A9D.9080005@solidstatelogic.com>

Christian Campbell wrote:
> A SA rule - AWL - seems to be subtracting score, and effectively marking
> my spam as ham. I've found that it's a Auto-whitelist rule, but I'm
> unsure as to why it's being triggered. Here's an example header. It's
> the typical debora stock spam...
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from mydomain.com ([xxx.xxx.xxx.xxx]) by internal.mydomain.com
> with Microsoft SMTPSVC(6.0.3790.1830);
> Wed, 22 Nov 2006 09:00:01 -0500
> Received: from IBM-2CAA5E0CA42.rdsar.ro ([86.125.206.121])
> by mydomain.com (8.12.8/8.12.8) with ESMTP id kAME86XO013605
> for >; Wed, 22 Nov
> 2006 09:08:06 -0500
> Received: from 64.202.166.12 (HELO smtp.secureserver.net)
> by mydomain.com with esmtp (151H*6E+,16: @(/M7C)
> id FI,),4-*/*XFJ-2B
> for helpdesk@mydomain.com ; Wed, 22
> Nov 2006 13:58:28 -0120
> From: "Dean Slaughter" >
> To: >
> Subject: Dean wrote:
> Date: Wed, 22 Nov 2006 13:58:28 -0120
> Message-ID: <01c70e3e$495f6be0$6c822ecf@deborahweilert >
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
> Thread-Index: Aca6QO9*397L+'W25/33
> X-Brueggers-MailScanner-Information: Please contact Bruegger's IT
> Department for more information
> X-Brueggers-MailScanner: Found to be clean
> X-Brueggers-MailScanner-SpamCheck: not spam, SpamAssassin (score=4.853,
> required 5, AWL -4.85, BRU_STOCK1 5.00, RCVD_IN_BL_SPAMCOP_NET 1.33,
> RCVD_IN_NJABL_DUL 1.71, SARE_PROLOSTOCK_SYM1 1.66)
> X-Brueggers-MailScanner-SpamScore: ssss
> X-MailScanner-From: deborahweilert@bosh.com
> Return-Path: deborahweilert@bosh.com
> X-OriginalArrivalTime: 22 Nov 2006 14:00:01.0340 (UTC)
> FILETIME=[80B427C0:01C70E3E]
>
> What causes it to match the AWL rule? I certainly never added anything
> like this to a whitelist.
>
> Thanks,
> Christian
>
>
> Christian Campbell

Hi

I find AWL a PITA (ie doesn't work well for me). A lot of people find it works OK, a lot say any user population over 8 it's not good for.

Try commenting out the plugin in /etc/mail/spamassassin/init.pre (or what .pre file it's in), and restart Mailscanner to stop AWL running.

If you want to keep AWL, make sure trusted_networks and the associated SA parameters are set correctly in your spam.assassin.prefs.conf - this can help.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From ljosnet at gmail.com Wed Nov 22 17:44:27 2006
From: ljosnet at gmail.com (emm1)
Date: Wed Nov 22 17:44:30 2006
Subject: Gocr errors
Message-ID: <910ee2ac0611220944q7627949bj3ae1e3f3ec47379c@mail.gmail.com>

Hello,

I followed instructions on how to use gocr to catch image spam and I see lots of this in my maillog. Any idea?

Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_BROKEN test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_SUSPECT test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_ALPHA_1 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_UNKNOWN test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_WORDS_1 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run __SPAMPIC_COUNT_5 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_FORGED_CT test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_ALPHA_3 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run __SPAMPIC_COUNT_7 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_NONSTD test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_WORDS_4 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run __SPAMPIC_COUNT_2 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_WORDS_2 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run __SPAMPIC_COUNT_4 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run __SPAMPIC_COUNT_6 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run __SPAMPIC_COUNT_3 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_WORDS_5 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_ALPHA_2 test, skipping:
Nov 22 16:26:37 secure spamd[6435]: rules: failed to run SPAMPIC_WORDS_3 test, skipping:
Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_2 has undefined dependency 'IMPPYZOR_CHECK'
Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_1 has undefined dependency 'IMPPYZOR_CHECK'
Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_4 has undefined dependency 'IMPPYZOR_CHECK'
Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_6 has undefined dependency 'IMPPYZOR_CHECK'
Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_3 has undefined dependency 'IMPPYZOR_CHECK'
Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_5 has undefined dependency 'IMPPYZOR_CHECK'
Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_2 has undefined dependency 'IMPPYZOR_CHECK'
Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_1 has undefined dependency 'IMPPYZOR_CHECK'
Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_4 has undefined dependency 'IMPPYZOR_CHECK'
Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_6 has undefined dependency 'IMPPYZOR_CHECK'
Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_3 has undefined dependency 'IMPPYZOR_CHECK'
Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_5 has undefined dependency 'IMPPYZOR_CHECK'

From daniel.maher at ubisoft.com Wed Nov 22 17:52:09 2006
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Wed Nov 22 17:52:18 2006
Subject: MailScanner totally missing SA rules (need help!)...
In-Reply-To: <4561CCAF.80500@ios.edu.pl>
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203C0040F@UBIMAIL1.ubisoft.org>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Marcin Roz.ek
> Sent: November 20, 2006 10:42 AM
> To: MailScanner discussion
> Subject: Re: MailScanner totally missing SA rules...
>
> Daniel Maher wrote:
> > Hi everybody,
> >
> > I was wondering if anybody had any further insight into why upgrading to
> > MailScanner 4.57.3 from 4.51.6 would cause SpamAssassin to totally ignore
> > the non-default rules.
> >
> > Mr. Campbell was kind enough to suggest the following:
> > SpamAssassin Local Rules Dir = /etc/mail/spamassassin
> >
> > Unfortunately, this did not solve the issue. Downgrading back to 4.51.6
> > "solved" the problem, in that the non-default rules are being used again.
> > That said, I'd rather like to use the new version...
> >
> > Any further insight would be greatly appreciated. Thanks!
> Stop MailScanner
> Set "Debug" and "Debug SpamAssassin" to "yes" in MailScanner.conf
> Start MailScanner and paste output to us.
>

The output is quite long - I've attached it to this message.

Some interesting observations about that debug output:

"using "/var/lib/spamassassin/3.001007" for default rules dir"
EVEN THOUGH:
"SpamAssassin Default Rules Dir = /usr/share/spamassassin" is defined

The "test" ruleset is apparently being read: "config: read file /etc/mail/spamassassin/99_test.cf". The /entire contents/ of this ruleset are:

body UBI_CRUNK1 /CRUNKME/
score UBI_CRUNK1 0.1
describe UBI_CRUNK1 test rule

However, an email with the noted string will /not/ trigger the rule...

Seriously, any help would be greatly appreciated. This is driving me up the wall!

--
 _
?v?    Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

Sentio aliquos togatos contra me conspirare.

-------------- next part --------------
In Debugging mode, not forking...
[13863] dbg: logger: adding facilities: all [13863] dbg: logger: logging level is DBG [13863] dbg: generic: SpamAssassin version 3.1.7 [13863] dbg: config: score set 0 chosen. [13863] dbg: util: running in taint mode? no [13863] dbg: message: ---- MIME PARSER START ---- [13863] dbg: message: main message type: text/plain [13863] dbg: message: parsing normal part [13863] dbg: message: added part, type: text/plain [13863] dbg: message: ---- MIME PARSER END ---- [13863] dbg: dns: is Net::DNS::Resolver available? yes [13863] dbg: dns: Net::DNS version: 0.48 [13863] dbg: ignore: test message to precompile patterns and load modules [13863] dbg: config: using "/etc/mail/spamassassin" for site rules pre files [13863] dbg: config: read file /etc/mail/spamassassin/init.pre [13863] dbg: config: read file /etc/mail/spamassassin/v310.pre [13863] dbg: config: read file /etc/mail/spamassassin/v312.pre [13863] dbg: config: using "/var/lib/spamassassin/3.001007" for sys rules pre files [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre [13863] dbg: config: using "/var/lib/spamassassin/3.001007" for default rules dir [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf [13863] dbg: config: using "/etc/mail/spamassassin" for site rules dir [13863] dbg: config: read file /etc/mail/spamassassin/70_sare_adult.cf [13863] dbg: config: read file /etc/mail/spamassassin/70_sare_header0.cf [13863] dbg: config: read file /etc/mail/spamassassin/70_sare_obfu0.cf [13863] dbg: config: read file /etc/mail/spamassassin/70_sare_specific.cf [13863] dbg: config: read file /etc/mail/spamassassin/70_sare_spoof.cf [13863] dbg: config: read file /etc/mail/spamassassin/70_sare_stocks.cf [13863] dbg: config: read file /etc/mail/spamassassin/70_sare_uri0.cf [13863] dbg: config: read file /etc/mail/spamassassin/72_sare_bml_post25x.cf [13863] dbg: config: read file /etc/mail/spamassassin/99_sare_fraud_post25x.cf [13863] dbg: config: 
read file /etc/mail/spamassassin/99_test.cf [13863] dbg: config: read file /etc/mail/spamassassin/99_ubisoft_custom.cf [13863] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf [13863] dbg: config: read file /etc/mail/spamassassin/german.cf [13863] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf [13863] dbg: config: using "/var/spool/postfix/.spamassassin/user_prefs" for user prefs file [13863] dbg: config: read file /var/spool/postfix/.spamassassin/user_prefs [13863] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC [13863] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa4ebcd0) [13863] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC [13863] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa535f08) [13863] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC [13863] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0xa4f4460) [13863] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC [13863] dbg: pyzor: network tests on, attempting Pyzor [13863] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0xa4f4304) [13863] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC [13863] dbg: razor2: razor2 is available, version 2.67 [13863] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0xa58dca0) [13863] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC [13863] dbg: reporter: network tests on, attempting SpamCop [13863] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0xa5e27c8) [13863] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC [13863] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0xa5f536c) [13863] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC [13863] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0xa8f823c) [13863] dbg: plugin: loading Mail::SpamAssassin::Plugin::TextCat 
from @INC [13863] dbg: textcat: loading languages file... [13863] dbg: textcat: loaded 73 language models [13863] dbg: plugin: registered Mail::SpamAssassin::Plugin::TextCat=HASH(0xa9656f0) [13863] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC [13863] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa5f542c) [13863] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC [13863] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0xa5f54c8) [13863] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC [13863] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xa996a40) [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/empty.pre [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/empty.pre" for included file [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/10_misc.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/10_misc.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/10_misc.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_advance_fee.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_advance_fee.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_advance_fee.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_anti_ratware.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_anti_ratware.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_anti_ratware.cf [13863] dbg: plugin: fixed relative path: 
/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_body_tests.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_body_tests.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_body_tests.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_compensate.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_compensate.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_compensate.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_dnsbl_tests.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_dnsbl_tests.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_dnsbl_tests.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_drugs.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_drugs.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_drugs.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_fake_helo_tests.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_fake_helo_tests.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_fake_helo_tests.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_head_tests.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_head_tests.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_head_tests.cf 
[13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_html_tests.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_html_tests.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_html_tests.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_meta_tests.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_meta_tests.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_meta_tests.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_net_tests.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_net_tests.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_net_tests.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_phrases.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_phrases.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_phrases.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_porn.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_porn.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_porn.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_ratware.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_ratware.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_ratware.cf 
[13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_uri_tests.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/20_uri_tests.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/20_uri_tests.cf [13863] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i [13863] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i [13863] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i [13863] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i [13863] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i [13863] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&#])'i [13863] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i [13863] dbg: config: adding redirector regex: m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&#])'i [13863] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&#])'i [13863] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&#])'i [13863] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i [13863] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&#])'i [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/23_bayes.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/23_bayes.cf" for included file [13863] dbg: 
config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/23_bayes.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_accessdb.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_accessdb.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_accessdb.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_antivirus.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_antivirus.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_antivirus.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_body_tests_es.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_body_tests_es.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_body_tests_es.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_body_tests_pl.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_body_tests_pl.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_body_tests_pl.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_dcc.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_dcc.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_dcc.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_dkim.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_dkim.cf" for included file [13863] 
dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_dkim.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_domainkeys.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_domainkeys.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_domainkeys.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_hashcash.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_hashcash.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_hashcash.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_pyzor.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_razor2.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_replace.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_replace.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_replace.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_spf.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_spf.cf" for included file [13863] dbg: config: read file 
/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_spf.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_textcat.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_textcat.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_textcat.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_uribl.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/25_uribl.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_uribl.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_de.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_de.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_de.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_fr.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_fr.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_fr.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_it.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_it.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_it.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_nl.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_nl.cf" for included file [13863] dbg: config: read file 
/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_nl.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pl.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pl.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pl.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pt_br.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pt_br.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/30_text_pt_br.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/50_scores.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/50_scores.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/50_scores.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_awl.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_awl.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_awl.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_dk.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_dk.cf" for included file [13863] dbg: config: read file 
/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_dk.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_dkim.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_dkim.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_dkim.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_spf.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_spf.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_spf.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_subject.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_subject.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist_subject.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/70_iadb.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/70_iadb.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/70_iadb.cf [13863] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001007/updates_spamassassin_org/80_additional.cf [13863] dbg: config: using "/var/lib/spamassassin/3.001007/updates_spamassassin_org/80_additional.cf" for included file [13863] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org/80_additional.cf [13863] dbg: plugin: fixed relative path: /etc/mail/spamassassin/FuzzyOcr.pm [13863] dbg: plugin: loading FuzzyOcr from /etc/mail/spamassassin/FuzzyOcr.pm [13863] dbg: plugin: registered 
FuzzyOcr=HASH(0xabc5de0) [13863] dbg: plugin: FuzzyOcr=HASH(0xabc5de0) implements 'parse_config' [13863] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xa996a40) implements 'finish_parsing_end' [13863] dbg: replacetags: replacing tags [13863] dbg: replacetags: done replacing tags [13863] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/incoming/bayes/bayes_toks [13863] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/incoming/bayes/bayes_seen [13863] dbg: bayes: found bayes db version 3 [13863] dbg: bayes: DB journal sync: last sync: 1156345626 [13863] dbg: config: score set 3 chosen. [13863] dbg: message: ---- MIME PARSER START ---- [13863] dbg: message: main message type: text/plain [13863] dbg: message: parsing normal part [13863] dbg: message: added part, type: text/plain [13863] dbg: message: ---- MIME PARSER END ---- [13863] dbg: dns: name server: 216.98.52.5, family: 2, ipv6: 0 [13863] dbg: dns: testing resolver nameservers: 216.98.52.5, 216.98.52.6 [13863] dbg: dns: trying (3) msn.com... [13863] dbg: dns: looking up NS for 'msn.com' [13863] dbg: dns: NS lookup of msn.com using 216.98.52.5 succeeded => DNS available (set dns_available to override) [13863] dbg: dns: is DNS available? 
1 [13863] dbg: metadata: X-Spam-Relays-Trusted: [13863] dbg: metadata: X-Spam-Relays-Untrusted: [13863] dbg: metadata: X-Spam-Relays-Internal: [13863] dbg: metadata: X-Spam-Relays-External: [13863] dbg: plugin: Mail::SpamAssassin::Plugin::TextCat=HASH(0xa9656f0) implements 'extract_metadata' [13863] dbg: message: no encoding detected [13863] dbg: textcat: classifying, skipping: et yi rm sco cy fy eo lv is bs sl ga gd la lt eu sa [13863] dbg: textcat: language possibly: en [13863] dbg: textcat: X-Languages: "en", X-Languages-Length: 1340 [13863] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa4ebcd0) implements 'parsed_metadata' [13863] dbg: uridnsbl: domains to query: [13863] dbg: check: running tests for priority: 0 [13863] dbg: rules: running header regexp tests; score so far=0 [13863] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" [13863] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1164217422.46041@spamassassin_spamd_init> [13863] dbg: rules: " [13863] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@spamassassin_spamd_init>" [13863] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: "ignore@compiling.spamassassin.taint.org [13863] dbg: rules: " [13863] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1164217422" [13863] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check [13863] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [13863] dbg: eval: all '*To' addrs: [13863] dbg: spf: no suitable relay for spf use found, skipping SPF check [13863] dbg: rules: ran eval rule NO_RELAYS ======> got hit [13863] dbg: spf: cannot get Envelope-From, cannot use SPF [13863] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender [13863] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit [13863] dbg: spf: spf_whitelist_from: could not find useable envelope sender [13863] dbg: rules: running body-text per-line regexp tests; score so 
far=0.96 [13863] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [13863] dbg: uri: running uri tests; score so far=0.96 [13863] dbg: rules: running raw-body-text per-line regexp tests; score so far=0.96 [13863] dbg: rules: running full-text regexp tests; score so far=0.96 [13863] dbg: info: entering helper-app run mode [13863] dbg: info: leaving helper-app run mode [13863] dbg: razor2: part=0 engine=4 contested=0 confidence=0 [13863] dbg: razor2: results: spam? 0 [13863] dbg: razor2: results: engine 8, highest cf score: 0 [13863] dbg: razor2: results: engine 4, highest cf score: 0 [13863] dbg: util: current PATH is: /sbin:/bin:/usr/sbin:/usr/bin [13863] dbg: pyzor: pyzor is not available: no pyzor executable found [13863] dbg: pyzor: no pyzor found, disabling Pyzor [13863] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa4ebcd0) implements 'check_tick' [13863] dbg: check: running tests for priority: 500 [13863] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa4ebcd0) implements 'check_post_dnsbl' [13863] dbg: rules: running meta tests; score so far=0.96 [13863] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK' [13863] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero score [13863] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2' [13863] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN' [13863] dbg: rules: running header regexp tests; score so far=2.906 [13863] dbg: rules: running body-text per-line regexp tests; score so far=2.906 [13863] dbg: uri: running uri tests; score so far=2.906 [13863] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.906 [13863] dbg: rules: running full-text regexp tests; score so far=2.906 [13863] dbg: check: running tests for priority: 900 [13863] dbg: rules: running meta tests; score so far=2.906 [13863] dbg: rules: running header regexp 
tests; score so far=2.906 [13863] dbg: rules: running body-text per-line regexp tests; score so far=2.906 [13863] dbg: uri: running uri tests; score so far=2.906 [13863] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.906 [13863] dbg: rules: running full-text regexp tests; score so far=2.906 [13863] dbg: check: running tests for priority: 1000 [13863] dbg: rules: running meta tests; score so far=2.906 [13863] dbg: rules: running header regexp tests; score so far=2.906 [13863] dbg: rules: running body-text per-line regexp tests; score so far=2.906 [13863] dbg: uri: running uri tests; score so far=2.906 [13863] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.906 [13863] dbg: rules: running full-text regexp tests; score so far=2.906 [13863] dbg: check: is spam? score=2.906 required=5 [13863] dbg: check: tests=MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE [13863] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID [13863] dbg: bayes: untie-ing [13863] dbg: bayes: untie-ing db_toks [13863] dbg: bayes: untie-ing db_seen From rob at dido.ca Wed Nov 22 17:58:25 2006 
From: rob at dido.ca (Rob Morin)
Date: Wed Nov 22 17:58:49 2006
Subject: Gocr errors
In-Reply-To: <910ee2ac0611220944q7627949bj3ae1e3f3ec47379c@mail.gmail.com>
References: <910ee2ac0611220944q7627949bj3ae1e3f3ec47379c@mail.gmail.com>
Message-ID: <45648FC1.1090501@dido.ca>

Here is what I had to install to get it working on my Debian system... This was after reading an earlier post from Gerhard; the below MUST be installed in order for OCR to work with MS and/or SA.

Install these (note I use apt-get on Debian):

apt-get install gocr
apt-get install netpbm
apt-get install imagemagick
apt-get install giflib-bin

Via CPAN install the following (cpan -e at the prompt):

install Image::ExifTool
install Imager

Then, to make sure all is OK, lint SA.

Then all worked fine for me...

Hope this helps!

Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

emm1 wrote:
> Hello, I followed instructions on how to use gocr to catch image spam
> and I see lots of this in my maillog. Any idea?
>
>
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_BROKEN test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_SUSPECT test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_ALPHA_1 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_UNKNOWN test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_WORDS_1 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> __SPAMPIC_COUNT_5 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_FORGED_CT test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_ALPHA_3 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> __SPAMPIC_COUNT_7 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_NONSTD test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_WORDS_4 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> __SPAMPIC_COUNT_2 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_WORDS_2 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> __SPAMPIC_COUNT_4 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> __SPAMPIC_COUNT_6 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> __SPAMPIC_COUNT_3 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_WORDS_5 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_ALPHA_2 test, skipping:
> Nov 22 16:26:37 secure spamd[6435]: rules: failed to run
> SPAMPIC_WORDS_3 test, skipping:
> Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_2
> has undefined dependency 'IMPPYZOR_CHECK'
> Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_1
> has undefined dependency 'IMPPYZOR_CHECK'
> Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_4
> has undefined dependency 'IMPPYZOR_CHECK'
> Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_6
> has undefined dependency 'IMPPYZOR_CHECK'
> Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_3
> has undefined dependency 'IMPPYZOR_CHECK'
> Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_5
> has undefined dependency 'IMPPYZOR_CHECK'
> Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_2
> has undefined dependency 'IMPPYZOR_CHECK'
> Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_1
> has undefined dependency 'IMPPYZOR_CHECK'
> Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_4
> has undefined dependency 'IMPPYZOR_CHECK'
> Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_6
> has undefined dependency 'IMPPYZOR_CHECK'
> Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_3
> has undefined dependency 'IMPPYZOR_CHECK'
> Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_5
> has undefined dependency 'IMPPYZOR_CHECK'

From ljosnet at gmail.com Wed Nov 22 18:39:06 2006
From: ljosnet at gmail.com (emm1)
Date: Wed Nov 22 18:39:10 2006
Subject: Gocr errors
In-Reply-To: <45648FC1.1090501@dido.ca>
References: <910ee2ac0611220944q7627949bj3ae1e3f3ec47379c@mail.gmail.com> <45648FC1.1090501@dido.ca>
Message-ID: <910ee2ac0611221039p1e571601x94640705058970eb@mail.gmail.com>

I'm running FreeBSD and this is the output from spamassassin -D --lint

[root@secure ~]# spamassassin -D --lint [10212] dbg: logger: adding facilities: all [10212] dbg: logger: logging level is DBG [10212] dbg: generic: SpamAssassin version 3.1.7 [10212] dbg: config: score set 0 chosen. [10212] dbg: util: running in taint mode? yes [10212] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH [10212] dbg: util: PATH included '/sbin', keeping [10212] dbg: util: PATH included '/usr/sbin', keeping [10212] dbg: util: PATH included '/bin', keeping [10212] dbg: util: PATH included '/usr/bin', keeping [10212] dbg: util: PATH included '/usr/local/sbin', keeping [10212] dbg: util: PATH included '/usr/local/bin', keeping [10212] dbg: util: PATH included '/usr/X11R6/bin', keeping [10212] dbg: util: final PATH set to: /sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin [10212] dbg: message: ---- MIME PARSER START ---- [10212] dbg: message: main message type: text/plain [10212] dbg: message: parsing normal part [10212] dbg: message: added part, type: text/plain [10212] dbg: message: ---- MIME PARSER END ---- [10212] dbg: dns: is Net::DNS::Resolver available? 
yes [10212] dbg: dns: Net::DNS version: 0.59 [10212] dbg: diag: perl platform: 5.008008 freebsd [10212] dbg: diag: module installed: Digest::SHA1, version 2.11 [10212] dbg: diag: module installed: Net::Ident, version 1.20 [10212] dbg: diag: module installed: IO::Socket::INET6, version 2.51 [10212] dbg: diag: module installed: IO::Socket::SSL, version 1.01 [10212] dbg: diag: module installed: Time::HiRes, version 1.91 [10212] dbg: diag: module installed: DBI, version 1.52 [10212] dbg: diag: module installed: Getopt::Long, version 2.35 [10212] dbg: diag: module installed: LWP::UserAgent, version 2.033 [10212] dbg: diag: module installed: HTTP::Date, version 1.47 [10212] dbg: diag: module installed: Archive::Tar, version 1.30 [10212] dbg: diag: module installed: IO::Zlib, version 1.04 [10212] dbg: diag: module installed: MIME::Base64, version 3.07 [10212] dbg: diag: module installed: HTML::Parser, version 3.55 [10212] dbg: diag: module installed: DB_File, version 1.814 [10212] dbg: diag: module installed: Net::DNS, version 0.59 [10212] dbg: diag: module installed: Net::SMTP, version 2.29 [10212] dbg: diag: module not installed: Mail::SPF::Query ('require' failed) [10212] dbg: diag: module not installed: IP::Country::Fast ('require' failed) [10212] dbg: diag: module installed: Razor2::Client::Agent, version 2.82 [10212] dbg: ignore: using a test message to lint rules [10212] dbg: config: using "/usr/local/etc/mail/spamassassin" for site rules pre files [10212] dbg: config: read file /usr/local/etc/mail/spamassassin/init.pre [10212] dbg: config: read file /usr/local/etc/mail/spamassassin/v310.pre [10212] dbg: config: read file /usr/local/etc/mail/spamassassin/v312.pre [10212] dbg: config: using "/usr/local/share/spamassassin" for sys rules pre files [10212] dbg: config: using "/usr/local/share/spamassassin" for default rules dir [10212] dbg: config: read file /usr/local/share/spamassassin/10_misc.cf [10212] dbg: config: read file 
/usr/local/share/spamassassin/20_advance_fee.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_anti_ratware.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_body_tests.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_compensate.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_drugs.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_fake_helo_tests.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_head_tests.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_html_tests.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_meta_tests.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_net_tests.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_phrases.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_porn.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_ratware.cf [10212] dbg: config: read file /usr/local/share/spamassassin/20_uri_tests.cf [10212] dbg: config: read file /usr/local/share/spamassassin/23_bayes.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_accessdb.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_antivirus.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_es.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_pl.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_dcc.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_dkim.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_domainkeys.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_hashcash.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_pyzor.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_razor2.cf [10212] dbg: config: read file 
/usr/local/share/spamassassin/25_replace.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_spf.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_textcat.cf [10212] dbg: config: read file /usr/local/share/spamassassin/25_uribl.cf [10212] dbg: config: read file /usr/local/share/spamassassin/30_text_de.cf [10212] dbg: config: read file /usr/local/share/spamassassin/30_text_fr.cf [10212] dbg: config: read file /usr/local/share/spamassassin/30_text_it.cf [10212] dbg: config: read file /usr/local/share/spamassassin/30_text_nl.cf [10212] dbg: config: read file /usr/local/share/spamassassin/30_text_pl.cf [10212] dbg: config: read file /usr/local/share/spamassassin/30_text_pt_br.cf [10212] dbg: config: read file /usr/local/share/spamassassin/50_scores.cf [10212] dbg: config: read file /usr/local/share/spamassassin/60_awl.cf [10212] dbg: config: read file /usr/local/share/spamassassin/60_whitelist.cf [10212] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_dk.cf [10212] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_dkim.cf [10212] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_spf.cf [10212] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_subject.cf [10212] dbg: config: using "/usr/local/etc/mail/spamassassin" for site rules dir [10212] dbg: config: read file /usr/local/etc/mail/spamassassin/imageinfo.cf [10212] dbg: config: read file /usr/local/etc/mail/spamassassin/local.cf [10212] dbg: config: read file /usr/local/etc/mail/spamassassin/mailscanner.cf [10212] dbg: config: read file /usr/local/etc/mail/spamassassin/ocrtext.cf [10212] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9086e7c) [10212] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x910c3c4) [10212] dbg: plugin: 
loading Mail::SpamAssassin::Plugin::SPF from @INC [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x909dd80) [10212] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from @INC [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::ImageInfo=HASH(0x90ceeb0) [10212] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC [10212] dbg: dcc: local tests only, disabling DCC [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::DCC=HASH(0x929865c) [10212] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC [10212] dbg: pyzor: local tests only, disabling Pyzor [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x92bd070) [10212] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC [10212] dbg: razor2: local tests only, skipping Razor [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x92d80a0) [10212] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC [10212] dbg: reporter: local tests only, disabling SpamCop [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0x92ec9c4) [10212] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0x90c54cc) [10212] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x9474020) [10212] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x947aa68) [10212] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x947b6f8) [10212] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC [10212] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x9484758) [10212] dbg: plugin: 
loading ocrtext from /usr/local/etc/mail/spamassassin/ocrtext.pm [10212] dbg: plugin: registered ocrtext=HASH(0x96c791c) [10212] dbg: plugin: loading Mail::SpamAssassin::Timeout from @INC [10212] dbg: plugin: registered Mail::SpamAssassin::Timeout=HASH(0x910c8d4) [10212] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i [10212] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i [10212] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i [10212] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i [10212] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i [10212] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&#])'i [10212] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i [10212] dbg: config: adding redirector regex: m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&#])'i [10212] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&#])'i [10212] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&#])'i [10212] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i [10212] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&#])'i [10212] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x9484758) implements 'finish_parsing_end' [10212] dbg: replacetags: replacing tags [10212] dbg: replacetags: done replacing tags [10212] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks [10212] dbg: bayes: tie-ing to DB file R/O 
/root/.spamassassin/bayes_seen [10212] dbg: bayes: found bayes db version 3 [10212] dbg: bayes: DB journal sync: last sync: 1164206502 [10212] dbg: config: score set 2 chosen. [10212] dbg: message: ---- MIME PARSER START ---- [10212] dbg: message: main message type: text/plain [10212] dbg: message: parsing normal part [10212] dbg: message: added part, type: text/plain [10212] dbg: message: ---- MIME PARSER END ---- [10212] dbg: dns: is DNS available? 0 [10212] dbg: metadata: X-Spam-Relays-Trusted: [10212] dbg: metadata: X-Spam-Relays-Untrusted: [10212] dbg: metadata: X-Spam-Relays-Internal: [10212] dbg: metadata: X-Spam-Relays-External: [10212] dbg: message: no encoding detected [10212] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9086e7c) implements 'parsed_metadata' [10212] dbg: rules: local tests only, ignoring RBL eval [10212] dbg: check: running tests for priority: 0 [10212] dbg: rules: running header regexp tests; score so far=0 [10212] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" [10212] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1164220611" [10212] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1164220611@lint_rules> [10212] dbg: rules: " [10212] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@lint_rules>" [10212] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [10212] dbg: eval: all '*To' addrs: [10212] dbg: rules: ran eval rule NO_RELAYS ======> got hit [10212] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit [10212] dbg: rules: running body-text per-line regexp tests; score so far=-0.001 [10212] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [10212] dbg: uri: running uri tests; score so far=-0.001 [10212] dbg: bayes: DB journal sync: last sync: 1164206502 [10212] dbg: bayes: corpus size: nspam = 770, nham = 1717 [10212] dbg: bayes: score = 0.470482399386908 [10212] dbg: bayes: DB expiry: tokens in DB: 146417, Expiry max size: 
150000, Oldest atime: 1148508897, Newest atime: 1164220564, Last expire: 0, Current time: 1164220611 [10212] dbg: bayes: DB journal sync: last sync: 1164206502 [10212] dbg: bayes: untie-ing [10212] dbg: bayes: untie-ing db_toks [10212] dbg: bayes: untie-ing db_seen [10212] dbg: rules: ran eval rule BAYES_50 ======> got hit [10212] dbg: rules: running raw-body-text per-line regexp tests; score so far=0 [10212] dbg: rules: running full-text regexp tests; score so far=0 [10212] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9086e7c) implements 'check_tick' [10212] dbg: check: running tests for priority: 500 [10212] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9086e7c) implements 'check_post_dnsbl' [10212] dbg: rules: running meta tests; score so far=0 [10212] info: rules: meta test SPAMPIC_MULTI_2 has undefined dependency 'IMPPYZOR_CHECK' [10212] info: rules: meta test SPAMPIC_MULTI_1 has undefined dependency 'IMPPYZOR_CHECK' [10212] info: rules: meta test SPAMPIC_MULTI_4 has undefined dependency 'IMPPYZOR_CHECK' [10212] info: rules: meta test SPAMPIC_MULTI_6 has undefined dependency 'IMPPYZOR_CHECK' [10212] info: rules: meta test SPAMPIC_MULTI_3 has undefined dependency 'IMPPYZOR_CHECK' [10212] info: rules: meta test SPAMPIC_MULTI_5 has undefined dependency 'IMPPYZOR_CHECK' [10212] dbg: rules: running header regexp tests; score so far=2.157 [10212] dbg: rules: running body-text per-line regexp tests; score so far=2.157 [10212] dbg: uri: running uri tests; score so far=2.157 [10212] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.157 [10212] dbg: rules: running full-text regexp tests; score so far=2.157 [10212] dbg: check: running tests for priority: 900 [10212] dbg: rules: running meta tests; score so far=2.157 [10212] dbg: rules: running header regexp tests; score so far=2.157 [10212] dbg: rules: running body-text per-line regexp tests; score so far=2.157 [10212] dbg: uri: running uri tests; score so far=2.157 [10212] 
dbg: ocrtext: score is 2.157 [10212] dbg: ocrtext: Imagecount is 0 [10212] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.157 [10212] dbg: rules: running full-text regexp tests; score so far=2.157 [10212] dbg: check: running tests for priority: 1000 [10212] dbg: rules: running meta tests; score so far=2.157 [10212] dbg: rules: running header regexp tests; score so far=2.157 [10212] dbg: rules: running body-text per-line regexp tests; score so far=2.157 [10212] dbg: uri: running uri tests; score so far=2.157 [10212] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.157 [10212] dbg: rules: running full-text regexp tests; score so far=2.157 [10212] dbg: check: is spam? score=2.157 required=5 [10212] dbg: check: tests=BAYES_50,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE [10212] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID On 11/22/06, Rob Morin wrote: > Here is what i had to install to get it working on my debian system.... > This was after reading an earlier post from Gerhard, the below MUST be > installed in order for OCR to work with MS and or SA > > Install these , note i use apt-get on Debian > > apt-get install gocr > apt-get install netpbm > apt-get install imagemagick > apt-get install giflib-bin > > Via CPAN install the following (cpan -e at the prompt) > > install Image::ExifTool > install Imager > > The to make sure all is ok lint SA > > Then all worked fine for me... > > Hope this helps! > > Rob Morin > Dido InterNet Inc. > Montreal, Canada > Http://www.dido.ca > 514-990-4444 > > > > emm1 wrote: > > Hello, I followed instructuion on howto use gocr to catch image spam > > and I see lots of this in my maillog. Any idea? 
> > > > > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_BROKEN test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_SUSPECT test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_ALPHA_1 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_UNKNOWN test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_WORDS_1 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > __SPAMPIC_COUNT_5 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_FORGED_CT test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_ALPHA_3 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > __SPAMPIC_COUNT_7 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_NONSTD test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_WORDS_4 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > __SPAMPIC_COUNT_2 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_WORDS_2 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > __SPAMPIC_COUNT_4 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > __SPAMPIC_COUNT_6 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > __SPAMPIC_COUNT_3 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_WORDS_5 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_ALPHA_2 test, skipping: > > Nov 22 16:26:37 secure spamd[6435]: rules: failed to run > > SPAMPIC_WORDS_3 test, skipping: > > Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_2 > > has undefined dependency 'IMPPYZOR_CHECK' > > Nov 22 
16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_1 > > has undefined dependency 'IMPPYZOR_CHECK' > > Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_4 > > has undefined dependency 'IMPPYZOR_CHECK' > > Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_6 > > has undefined dependency 'IMPPYZOR_CHECK' > > Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_3 > > has undefined dependency 'IMPPYZOR_CHECK' > > Nov 22 16:26:48 secure spamd[6435]: rules: meta test SPAMPIC_MULTI_5 > > has undefined dependency 'IMPPYZOR_CHECK' > > Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_2 > > has undefined dependency 'IMPPYZOR_CHECK' > > Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_1 > > has undefined dependency 'IMPPYZOR_CHECK' > > Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_4 > > has undefined dependency 'IMPPYZOR_CHECK' > > Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_6 > > has undefined dependency 'IMPPYZOR_CHECK' > > Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_3 > > has undefined dependency 'IMPPYZOR_CHECK' > > Nov 22 16:29:54 secure spamd[6529]: rules: meta test SPAMPIC_MULTI_5 > > has undefined dependency 'IMPPYZOR_CHECK' > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From mkettler at evi-inc.com Wed Nov 22 18:41:55 2006 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Nov 22 18:42:12 2006
Subject: AWL?
In-Reply-To:
References:
Message-ID: <456499F3.7060708@evi-inc.com>

Christian Campbell wrote:
> A SA rule - AWL - seems to be subtracting score, and effectively marking
> my spam as ham. I've found that it's an Auto-whitelist rule, but I'm
> unsure as to why it's being triggered. Here's an example header. It's
> the typical debora stock spam...

The AWL is a history-tracking score averager. In this case, SA had seen mail from this sender before that was very low scoring. When a high-scoring message came in, it used the AWL to reduce the score to be halfway between the current score and the past average.

See http://wiki.apache.org/spamassassin/AutoWhitelist

Also, I personally suggest disabling the AWL on production systems. The AWL does not currently support expiry, so the database will grow without bound. While it's a neat feature, it's really not yet ready for prime-time on servers of more than modest mail volume.

Disabling it depends a bit on version, but assuming SA 3.1.x it should be a plugin you can disable in v310.pre. Simply comment out the following line:

loadplugin Mail::SpamAssassin::Plugin::AWL

From mkettler at evi-inc.com Wed Nov 22 18:44:52 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Nov 22 18:45:09 2006
Subject: SA Updated - W/L mail scored
In-Reply-To: <200611220841.52002.dyioulos@firstbhph.com>
References: <200611220841.52002.dyioulos@firstbhph.com>
Message-ID: <45649AA4.4040704@evi-inc.com>

Dimitri Yioulos wrote:
> Hello to all.
>
> Apologies, as I posted something along these lines a few days ago, with no
> response:
>
> I recently updated spamassassin to version 3.1.7 from the last stock version
> (3.0.4) on a CentOS 3.8 box running sendmail-8.12.11-4.RHEL3.6 and the latest
> versions of MS and MailWatch. After the SA update, all of my whitelisted
> mail is being scored. Mail from my domain is also scanned, although
> supposedly whitelisted. Additionally, MCP is now being scored (it's
> enabled), even though my mcp .cf file has no real rules in it.
>
> Some (I think) relevant file snippets:

There's one that's relevant that's missing. Do you have:

Always Include SpamAssassin Report = yes

If so, there's your answer. AFAIK MS takes that seriously. It will *ALWAYS* include the SA report, even for whitelisted mail.

From stemi15 at poczta.onet.pl Wed Nov 22 09:33:53 2006
From: stemi15 at poczta.onet.pl (pawel)
Date: Wed Nov 22 18:45:30 2006
Subject: Debora is a huge spammers!!!!
References: <20061115093217.I48256@mikea.ath.cx> <200611160346.kAG3kmX6020205@bkserver.blacknight.ie>
Message-ID:

IN RCPT SECTION:

deny senders = ^debora.*@.*

From gregg at gbcomputers.com Wed Nov 22 19:20:37 2006
From: gregg at gbcomputers.com (Gregg Berkholtz)
Date: Wed Nov 22 19:20:50 2006
Subject: Skipping SpamAssassin w/ high number of RBL hits
Message-ID: <4564A305.9080800@gbcomputers.com>

I'm using a ruleset to skip SpamAssassin when the From address matches whitelisted domains that use SPF - this alone greatly reduces my server's load.

Though I need to further cut the load, and considering a good chunk of inbound spam is already being caught through MailScanner's RBL checks, is there any way to skip SpamAssassin when a message has, say...3 or more positive "Spam List" and/or "Spam Domain List" hits in MailScanner?

I was thinking a ruleset directive like "From:" or "To:", but instead they'd be something like "spam:" or "rbl:". I can't find any indication these options exist.

Thanks for any help!

Gregg Berkholtz

From dyioulos at firstbhph.com Wed Nov 22 19:43:37 2006
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Wed Nov 22 19:43:46 2006
Subject: SA Updated - W/L mail scored
In-Reply-To: <45649AA4.4040704@evi-inc.com>
References: <200611220841.52002.dyioulos@firstbhph.com> <45649AA4.4040704@evi-inc.com>
Message-ID: <200611221443.38093.dyioulos@firstbhph.com>

On Wednesday 22 November 2006 1:44 pm, Matt Kettler wrote:
> Dimitri Yioulos wrote:
> > Hello to all.
> >
> > Apologies, as I posted something along these lines a few days ago, with
> > no response:
> >
> > I recently updated spamassassin to version 3.1.7 from the last stock
> > version (3.0.4) on a CentOS 3.8 box running sendmail-8.12.11-4.RHEL3.6
> > and the latest versions of MS and MailWatch. After the SA update, all of
> > my whitelisted mail is being scored. Mail from my domain is also
> > scanned, although supposedly whitelisted. Additionally, MCP is now being
> > scored (it's enabled), even though my mcp .cf file has no real rules in
> > it.
> >
> > Some (I think) relevant file snippets:
>
> There's one that's relevant that's missing. Do you have:
> Always Include SpamAssassin Report = yes
>
> If so, there's your answer. AFAIK MS takes that seriously. It will *ALWAYS*
> include the SA report, even for whitelisted mail.
> --

Matt,

It appears you're right about that. My humble thanks. I had that directive set to yes as per MailWatch installation instructions; it's been like that for quite a while.

OK, that takes care of whitelisted addresses being scored. But, it's curious to me why mcp is still scored with spamassassin-type rules, as in:

MCP Report:
Score   Matching Rule   Description
2.71    RCVD_IN_SBL

As I described in my original post, the mcp directives in MailScanner.conf are stock, except for bumping up the scores so as not to get an fp. Shouldn't mcp be looking only in its .cf files?

Dimitri

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From leah at frauerpower.com Wed Nov 22 22:24:05 2006
From: leah at frauerpower.com (Leah Kubik) Date: Wed Nov 22 22:24:04 2006 Subject: Managing per user SPAM settings w/MailScanner (but w/o MailWatch) -- simple CGI anyone? Message-ID: <200611221724.06519.leah@frauerpower.com> We realize that it is not possible to use the per user settings for SA when running w/MailScanner, but most of the types of things we want users to be able to adjust in terms of their own spam settings can be done through various MailScanner rulesets. We used to have some CGI scripts that we used to let users tweak their own SA preferences before we used MailScanner. Stuff like individual whitelists, blacklists, spam score to be spam, etc. So we are wondering if anyone has come up with a simple solution to work w/MailScanner rulesets to do something similar, that is simpler than the MailWatch tool. We have MailWatch running, but it is a bit overkill for what we want, which is just an easy web script that will let users manage their own spam settings. Has anyone worked on anything like this or have any suggestions? Leah -- Leah Kubik : d416-585-9971x692 : d416-703-5977 : m416-559-6511 Frauerpower! Co. : www.frauerpower.com : Toronto, ON Canada From mgt at stellarcore.net Wed Nov 22 22:40:42 2006 
From: mgt at stellarcore.net (Mike Tremaine) Date: Wed Nov 22 22:41:00 2006 Subject: OT: Sendmail gateway using mailertable and access db In-Reply-To: <200611221754.kAMHsQnF027590@bkserver.blacknight.ie> References: <200611221754.kAMHsQnF027590@bkserver.blacknight.ie> Message-ID: <4564D1EA.9070806@stellarcore.net> > OT: Sendmail gateway using mailertable and access db > > Hi All, > > I have a MailScanner box (CentOS 4) with sendmail-8.13.1-3 acting gateway in front of an Exchange server (Not my decision). Now all mails for all domains handled are scanned and forwarded to the exchange server. Lately the amount of mail for unknown recipients has exploded over the roof and I need to implement a quick solution. The server is dying and I don't want to be "that guy" that send undeliverable reports for spam/virus. > > I'm using access db for another installation and it works fine there but the MailScanner box is not a gateway. All mails are delivered locally. Now with a sendmail installation in gateway mode this doesn't work. I have a script that pulls all valid email addresses from the exchange server and want to use access db to block all but my valid users. I have looked at milter-ahead but I could not figure out if this is the right thing for me. > > My config using test.com as domain and xxx.xxx.xxx.xxx as the Exchange server IP address. > > mailertable: > > test.com smtp[xxx.xxx.xxx.xxx] > > access db: > test.com RELAY > xxx.xxx.xxx.xxx RELAY > > TO:user@test.com RELAY > TO:test.com ERROR:5.1.1:550 User unknown > > I have no "relay" FEATURE in my sendmail.mc. > > Using this config results in all mails sent to user@test.com are rejected with error 550 User unknown. > > I have read the sendmail documentation regarding access db and tried a lot of different settings (Only TO:, Only Connect:, TO: and Connect:) > > Any idea of how to do this? 
>
> Jens

Having just gone down this route I can verify it works when you also put the domain in /etc/mail/relay-domains, without that it will reject.

As far as the LDAP, milter-ahead etc... arguments it seems to me that if your AD does not change very often then the Net::LDAP dump to /etc/mail/access with a makemap afterwards is the great low resource solution.

I did this on a domain that was getting 170,000+ emails per day [thanks to this recent spam spike] it is now dropping 115,000 at the gateway. No extra ldap lookups, no fuss.

Good Luck.

-Mike

From prandal at herefordshire.gov.uk Wed Nov 22 23:00:29 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Nov 22 23:00:47 2006
Subject: Mailscanner not catching SPAM but manual run via SA catches i t
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B58017681E6@isabella.herefordshire.gov.uk>

/var/lib/spamassassin/
3.001007/updates_spamassassin_org

Believe me, test it for yourself and see. I did, several times, just to make sure I wasn't being dumb.

Cheers,

Phil

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Wednesday, November 22, 2006 5:31 PM
To: MailScanner discussion
Subject: Re: Mailscanner not catching SPAM but manual run via SA catches i t

Randal, Phil wrote:
> Sometimes it pays to actually test it with debug on and see the
> results...
>
> For my SA 3.1.7 installation,
>
> SpamAssassin Local State Dir = /var/lib/spamassassin
>
> is the correct setting, not
>
> SpamAssassin Local State Dir = /var/lib
>
> Tested with MailScanner --debug-sa and the debug flags set in
> MailScanner.conf.
>
> Cheers,
>
> Phil, who's amazed he didn't notice this earlier
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin > Hepworth > Sent: Friday, November 10, 2006 4:35 PM > To: MailScanner discussion > Subject: Re: Mailscanner not catching SPAM but manual run via SA catches > it > > Dan Carl wrote: >> Hi all, >> >> I'm perplexed, >> Today I took a spam email from my inbox that got through Mailscanner > and >> saved it to my mail server. >> I then ran it though spamassassin(spamassassin -t test.eml) and it > caught it >> as SPAM. >> What's up with that?? >> >> Just yesterday I upgraded to the latest version of Mailscanner (thanks >> volunteers) >> because a lot of spam was getting through. After many hours of work I > also >> installed the Fuzzy OCR plugin. >> >> Mailscanner appears to be working fine and using spamassassin. >> My maillog shows lines this: >> MailScanner[7707]: SpamAssassin cache hit for message kAAFfqxU010369 >> >> Thanks in advance >> > Check the SA paths in MailScanner to make sure you're running the same > rules - also check you've only got one perl and one SA installed. > > IF you've run sa-update make sure MS knows about it by setting > > SpamAssassin Local State Dir = /var/lib > > > hmm thats interesting 'cos when we tested it we needed to put in /var/lib there..... what's below the /var/lib/spamassassin directory? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. 
**********************************************************************

From ssilva at sgvwater.com Thu Nov 23 04:43:12 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 23 04:43:21 2006
Subject: SV: MailScanner miss several Regning.exe files - beware zip virus
In-Reply-To: <41EA997496BB5542BDA52CFA44FE78FC9A6C6F@AHMAIL.ah.ahnet.local>
References: <223f97700611220351t79393c47t14320163a43246f2@mail.gmail.com> <41EA997496BB5542BDA52CFA44FE78FC9A6C6F@AHMAIL.ah.ahnet.local>
Message-ID:

Jan Elmqvist Nielsen spake the following on 11/22/2006 4:08 AM:
> -----Original message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Glenn Steen
> Sent: 22 November 2006 12:52
> To: MailScanner discussion
> Subject: Re: MailScanner miss several Regning.exe files - beware zip virus
>
> On 22/11/06, Jan Elmqvist Nielsen wrote:
>> Attached is a zip queue file.
>> None of my virus scanners detect the virus yet
>>
>> /jan Elmqvist Nielsen
>>
>> -----Original message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Jan
>> Elmqvist Nielsen
>> Sent: 22 November 2006 12:15
>> To: MailScanner discussion
>> Subject: SV: MailScanner miss several Regning.exe files
>>
>> Several of these (virus) exe files are still coming through!!
>>
>> I wonder if it's Fedora 4's file command which is to blame.
>>
>> I have some mail which the file command says is MPEG but it's a plain html file!
>>
>> Have any of you had the same experience with FC4 and MailScanner?
>>
>> /Jan Elmqvist Nielsen
>
> Jan, do you mean that you _have_ filename/filetype checking on? And this slipped through?
> Do you employ any rulesets for those settings in MailScanner.conf?
>
> Looking at the file, it looks like it'd fall afoul of the filename checks, so no matter if the filetype checks worked or not, it should've been caught... Unless you explicitly allow it (perhaps by a ruleset.).
>
> Hi Glenn
>
> Yes - that's correct!
>
> I have received 49 today of which 17 weren't stopped even though they contain an exe file!
> And I can see some of the 17 also have missed the virus check! Even though f-secure can detect it!!
>
> MS 4.54.6 on FC4
>
> /Jan Elmqvist Nielsen
>

Is your virus scanning timeout or your file command timeout too short?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Thu Nov 23 04:50:17 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 23 04:50:37 2006 Subject: OT: MailScanner & Zimbra In-Reply-To: <45645F7B.2030801@nkpanama.com> References: <4563AC3D.8090701@nkpanama.com> <452fd0b0f573eaeffec2f34d21dace56@10.0.0.10> <45645F7B.2030801@nkpanama.com> Message-ID: "mailscanner causes swapping" is the joke that won't die!!! > The reference to "mailscanner causes swapping" is regarding an old > thread where someone was blaming MailScanner saying "it causes > swapping"; everybody took turns explaining that "MailScanner causes > swapping" sounds like "exercise causes breathing". > > It's been asserted many times on this list that MailScanner works > perfectly with Postfix, regardless of what some people (like Postfix's > own Wietsev Enema) might say ;) > > uxbod wrote: >> Hmmm, interesting as I have been running both Postfix and MailScanner >> on the same box for a year and even on a single server where I work >> without any problems. The only difference to other installations is >> that I use two instances of Postfix, the first handles all the >> standard checks HELO etc and performs LDAP lookups; if this is passed >> then the emails are handed over the to the second instance where >> MailScanner will perform its checks. >> >> I would imagine that a Zimbra installation may need three instances of >> Postfix running FrontEnd->MailScanner->Zimbra. I will probably start >> on this at the weekend so will let you know how it goes. Have some >> interesting ideas to try out with the Ajax client especially for using >> information from MailScanner for White and Grey listing. >> >> Regards, >> >> On Tue, 21 Nov 2006 20:47:41 -0500, Alex Neuman van der Hans >> wrote: >>> uxbod wrote: >>>> Hi, >>>> >>>> Is anybody on the list using MailScanner with Zimbra ? >>>> >>>> If so was it easy to integrate ? 
>>>> >>>> Best Regards, >>>> >>>> --[ UxBoD ]-- >>>> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" >>>> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 >>>> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 >>>> >>>> >>> Easy... if you have Zimbra on one box and MailScanner on the other. >>> >>> If you want to try and get MailScanner running on Zimbra, let us know >>> how it goes... but beware, I've heard MailScanner on a box running >>> Postfix (IIRC Zimbra uses Postfix) *could cause swapping*! ;-) >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> -- >>> This message has been scanned for viruses and dangerous content by >>> MailScanner, and is >>> believed to be clean. >> --[ UxBoD ]-- >> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" >> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 >> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 >> >> > -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From vinay_poojary2000 at yahoo.co.in Thu Nov 23 05:03:37 2006 
From: vinay_poojary2000 at yahoo.co.in (vinay poojary)
Date: Thu Nov 23 05:03:42 2006
Subject: blocking files
Message-ID: <905960.92795.qm@web8317.mail.in.yahoo.com>

Dear Sir,

I have blocked the video files by using filetype.rules.conf by using the below entry.

deny ASF No Windows media No Windows media files allowed

So it is blocking all the video files. But people have become smart and are now sending mails via zipping the media files. Is there any way I could block these zipped media files? Also I want to allow other zipped documents.

Regards,
Vinay Poojary

From mailing_lists+mailscanner at caleotech.com Thu Nov 23 07:51:51 2006
From: mailing_lists+mailscanner at caleotech.com (Jens Ahlin) Date: Thu Nov 23 07:52:05 2006 Subject: OT: Sendmail gateway using mailertable and access db In-Reply-To: <4564D1EA.9070806@stellarcore.net> References: <200611221754.kAMHsQnF027590@bkserver.blacknight.ie> <4564D1EA.9070806@stellarcore.net> Message-ID: <4625.172.16.1.115.1164268311.squirrel@www.caleotech.com> >> OT: Sendmail gateway using mailertable and access db >> >> Hi All, >> >> I have a MailScanner box (CentOS 4) with sendmail-8.13.1-3 acting >> gateway in front of an Exchange server (Not my decision). Now all mails >> for all domains handled are scanned and forwarded to the exchange >> server. Lately the amount of mail for unknown recipients has exploded >> over the roof and I need to implement a quick solution. The server is >> dying and I don't want to be "that guy" that send undeliverable reports >> for spam/virus. >> >> I'm using access db for another installation and it works fine there but >> the MailScanner box is not a gateway. All mails are delivered locally. >> Now with a sendmail installation in gateway mode this doesn't work. I >> have a script that pulls all valid email addresses from the exchange >> server and want to use access db to block all but my valid users. I have >> looked at milter-ahead but I could not figure out if this is the right >> thing for me. >> >> My config using test.com as domain and xxx.xxx.xxx.xxx as the Exchange >> server IP address. >> >> mailertable: >> >> test.com smtp[xxx.xxx.xxx.xxx] >> >> access db: >> test.com RELAY >> xxx.xxx.xxx.xxx RELAY >> >> TO:user@test.com RELAY >> TO:test.com ERROR:5.1.1:550 User unknown >> >> I have no "relay" FEATURE in my sendmail.mc. >> >> Using this config results in all mails sent to user@test.com are >> rejected with error 550 User unknown. >> >> I have read the sendmail documentation regarding access db and tried a >> lot of different settings (Only TO:, Only Connect:, TO: and Connect:) >> >> Any idea of how to do this? 
>>
>> Jens
>
>
> Having just gone down this route I can verify it works when you also put the
> domain in /etc/mail/relay-domains, without that it will reject.
>
> As far as the LDAP, milter-ahead etc... arguments it seems to me that if
> your AD does not change very often then the Net::LDAP dump to /etc/mail/access
> with a makemap afterwards is the great low resource solution.
>
> I did this on a domain that was getting 170,000+ emails per day [thanks to
> this recent spam spike] it is now dropping 115,000 at the gateway. No extra
> ldap lookups, no fuss.
>
> Good Luck.
>
> -Mike
>

Hi,

Thanks for your suggestions.

You are right Mike. As soon as I put my relay domains in relay-domains it works great with the access db. I figured this out eventually and just before you sent the email.

I will look at other solutions when I have more time (If it ever will happen). For now this is a good enough solution since the system is quite static.

Thanks all for suggestions.

Jens

From jen at ah.dk Thu Nov 23 08:10:01 2006
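Mike's approach from the thread above (dump the valid recipients, write them to /etc/mail/access, then run makemap) sketched as an added example, not code posted by anyone in the thread. It takes a plain list of exported addresses instead of querying LDAP; the name `build_access_map` and the sample export are assumptions, and only the `TO:` entries from Jens's configuration are generated.

```python
import re

# Constructed sample of a directory export (not real data); the thread only
# says that a script pulls the valid addresses from the Exchange server.
SAMPLE_EXPORT = [
    "User@Test.com",
    "user@test.com ",              # duplicate once normalised
    "sales@test.com",
    "someone@other.example",       # domain this gateway does not relay
    "bad address@test.com",        # whitespace separates key from value in the map
    "ops@test.com\nsecond line",   # a line break would become a second map entry
    "",                            # blank line in the export
]

# Conservative address syntax: printable atoms only, no whitespace, no colon.
_ATOM = r"[a-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_ADDRESS = re.compile(
    "(" + _ATOM + r"(?:\." + _ATOM + ")*)@(" + _LABEL + r"(?:\." + _LABEL + ")+)"
)

REJECT_ACTION = "ERROR:5.1.1:550 User unknown"   # value used in the thread


def build_access_map(export, relay_domains):
    """Return (map_lines, rejected) for the domains this gateway relays.

    map_lines holds one 'TO:address<TAB>RELAY' line per valid recipient,
    followed by the per-domain reject line. rejected lists (raw_value, reason)
    for every export entry that was not written to the map.
    """
    domains = {d.strip().lower() for d in relay_domains}
    valid = {d: set() for d in domains}
    rejected = []

    for raw in export:
        candidate = raw.strip().lower()
        if not candidate:
            continue                      # skip blank export lines silently
        # fullmatch, not match: nothing may follow the address, so a value
        # carrying a line break or a space never reaches the map file.
        m = _ADDRESS.fullmatch(candidate)
        if m is None:
            rejected.append((raw, "invalid syntax"))
        elif m.group(2) not in domains:
            rejected.append((raw, "domain not relayed"))
        else:
            valid[m.group(2)].add(candidate)

    # An empty or failed export must not be installed: the per-domain reject
    # line would then refuse mail for every recipient in that domain.
    empty = sorted(d for d, users in valid.items() if not users)
    if empty:
        raise ValueError("no valid recipients for: " + ", ".join(empty))

    lines = []
    for domain in sorted(valid):
        lines += ["TO:%s\tRELAY" % addr for addr in sorted(valid[domain])]
        lines.append("TO:%s\t%s" % (domain, REJECT_ACTION))
    return lines, rejected


if __name__ == "__main__":
    map_lines, skipped = build_access_map(SAMPLE_EXPORT, ["test.com"])
    print("\n".join(map_lines))
    for value, reason in skipped:
        print("# skipped %r: %s" % (value, reason))
```

The returned lines are what would be written to /etc/mail/access ahead of the makemap step. The ValueError guard keeps an empty or failed export from turning the per-domain reject line into a rejection of every recipient.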
From: jen at ah.dk (Jan Elmqvist Nielsen) Date: Thu Nov 23 08:10:50 2006 Subject: SV: SV: MailScanner miss several Regning.exe files - beware zipvirus In-Reply-To: Message-ID: <41EA997496BB5542BDA52CFA44FE78FC9A6C76@AHMAIL.ah.ahnet.local> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi folks, I've been wanting to upgrade my version of SpamAssassin from stable/Sarge to testing/Etch for a while now. I've already upgraded MailScanner from 4.41.3-2 (stable) to 4.51.5-1.1 (testing) without any issues. However, looking through the archives I've stumbled on many posts mentioning problems with MailScanner after updating from SA 3.0.x to 3.1.x. So my question is pretty straightforward, will I run into problems when upgrading SpamAssassin from 3.0.3-2sarge1 (stable) to 3.1.7-1 (testing)? Ie. different config file formats, different defaults, buggy behaviors, etc? (I've just have a nice surprise when upgrading Dovecot which grounded me all morning yesterday ... ) Basically, should I plan this when I have loads of time on my hands or can I trust the upgrade to be smooth? Thanks for the tips -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iD8DBQFFZV+oWC9/YPePNU4RArJtAJ9WvrcR1cirU2tJHFDonrH9Mkj9GQCghiiA jMEg+70xKpFmc0hJ+QpcmuI= =85QQ -----END PGP SIGNATURE----- From glenn.steen at gmail.com Thu Nov 23 09:26:49 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 23 09:26:54 2006 Subject: log is flotting with messages In-Reply-To: <20061122182423.d0l1plbegwg0kkw8@www.intranet> References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061121181255.4tkj4b7i8484osgg@www.intranet> <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com> <45636DAA.30807@techspace.nl> <223f97700611220132n7cc4d3f0p26739c55772348ee@mail.gmail.com> <20061122182423.d0l1plbegwg0kkw8@www.intranet> Message-ID: <223f97700611230126k7c5b30c8r84fbeeca07e96f@mail.gmail.com> On 22/11/06, redhat@techspace.nl wrote: > Quoting Glenn Steen : > > > On 21/11/06, redhadjasper wrote: > > (snip) > >> yes done al that home/postfix/.spamassasin owner postfix > >> and the config files readable to everyone. > >> > >> cant i run spamassasin as root in mailscanner? > >> > > > > Nope. Since you run postfix, MailScanner needs run as that user... And > > MailScanner loads the spamassassin perl modules into itself, more or > > less, so spamassassin will be run as that user. > > > > Something is slightly strange here, so ... I need to think... Could > > you tell a bit more about your SA setup? Is it via RPM or Jules > > install-Clam-SA package? > > > > I have tried both no difrent in behavoure same problems the rest made > not mutch changes. > exept to run with postfix. > > tried to run mailscanner as user and group root no diverance. > > waaaaaaaaaaaaaaaa!!! > close to give up. > greets. > I totally understand your frustration... And I might have some good news to you... I found these on gmande (for debian, but they seem to apply to this problem)... Try the workaround Andre suggests, hopefully you'll be back in business:-). http://article.gmane.org/gmane.linux.debian.devel.bugs.general/99162/match=bug+309983 http://article.gmane.org/gmane.linux.debian.devel.bugs.general/119087/match=bug+309983 If this is something you can live with, then ... 
great:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From stef at aoc-uk.com Thu Nov 23 10:02:35 2006 From: stef at aoc-uk.com (Stef Morrell) Date: Thu Nov 23 10:02:37 2006 Subject: Patch to default MailScanner.conf for correct SpamAssassin Local State Dir Message-ID: <120103F0F5EC264097BC0A06EC9D026A0111BF09@pardessus.aoc-uk.com> Hello, Randal, Phil [prandal@herefordshire.gov.uk] wrote: > As Theo van Dinter notes in > http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4952#c11 > , the spamassassin local_state_dir includes /spamassassin, e.g. > /var/lib/spamassassin, and not /var/lib. Might want to be a bit careful with this. My spamassassin installs, which are from Julian's most recent bundle have the following code: # note that the CWD takes priority. This is required in case a user # is testing a new version of SpamAssassin on a machine with an older # version installed. Unless you can come up with a fix for this that # allows "make test" to work, don't change this. @default_rules_path = ( '__local_state_dir__/__version__', '__def_rules_dir__', '__prefix__/share/spamassassin', '/usr/local/share/spamassassin', '/usr/share/spamassassin', ); As you can see, /spamassassin is NOT included in the _local_state_dir_ line. Accordingly, MailScanner.conf should not be changed at this time. It will need to be checked again after the next release of SA, I would guess. Regards Stef Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net From alex at nkpanama.com Thu Nov 23 09:03:42 2006 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Nov 23 10:09:12 2006 Subject: blocking files In-Reply-To: <905960.92795.qm@web8317.mail.in.yahoo.com> References: <905960.92795.qm@web8317.mail.in.yahoo.com> Message-ID: <456563EE.2070004@nkpanama.com> Check the "archive depth" settings. vinay poojary wrote: > Dear Sir, > > I have blocked the video files by using filetype.rules.conf > by using the below entry. > > deny ASF No Windows media No Windows media files > allowed > > So it is blocking all the video files . > > But people have become smart and are now sending mails via zipping the > media files. > > Is there any way i could block these zipped media files. > > Also i want to allow other zipped documents . > > > Regards, > Vinay Poojary > > ------------------------------------------------------------------------ > Find out what India is talking about on - Yahoo! Answers India > > Send FREE SMS to your friend's mobile from Yahoo! Messenger Version 8. > Get it NOW > > > From alex at nkpanama.com Thu Nov 23 09:03:12 2006 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Nov 23 10:09:20 2006 Subject: OT: MailScanner & Zimbra In-Reply-To: References: <4563AC3D.8090701@nkpanama.com> <452fd0b0f573eaeffec2f34d21dace56@10.0.0.10> <45645F7B.2030801@nkpanama.com> Message-ID: <456563D0.9020102@nkpanama.com> I *love* keeping it alive myself... ;) Scott Silva wrote: > "mailscanner causes swapping" is the joke that won't die!!! > >> The reference to "mailscanner causes swapping" is regarding an old >> thread where someone was blaming MailScanner saying "it causes >> swapping"; everybody took turns explaining that "MailScanner causes >> swapping" sounds like "exercise causes breathing". >> >> It's been asserted many times on this list that MailScanner works >> perfectly with Postfix, regardless of what some people (like Postfix's >> own Wietsev Enema) might say ;) >> >> uxbod wrote: >>> Hmmm, interesting as I have been running both Postfix and MailScanner >>> on the same box for a year and even on a single server where I work >>> without any problems. The only difference to other installations is >>> that I use two instances of Postfix, the first handles all the >>> standard checks HELO etc and performs LDAP lookups; if this is passed >>> then the emails are handed over the to the second instance where >>> MailScanner will perform its checks. >>> >>> I would imagine that a Zimbra installation may need three instances of >>> Postfix running FrontEnd->MailScanner->Zimbra. I will probably start >>> on this at the weekend so will let you know how it goes. Have some >>> interesting ideas to try out with the Ajax client especially for using >>> information from MailScanner for White and Grey listing. >>> >>> Regards, >>> >>> On Tue, 21 Nov 2006 20:47:41 -0500, Alex Neuman van der Hans >>> wrote: >>>> uxbod wrote: >>>>> Hi, >>>>> >>>>> Is anybody on the list using MailScanner with Zimbra ? >>>>> >>>>> If so was it easy to integrate ? 
>>>>> >>>>> Best Regards, >>>>> >>>>> --[ UxBoD ]-- >>>>> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" >>>>> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 >>>>> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 >>>>> >>>>> >>>> Easy... if you have Zimbra on one box and MailScanner on the other. >>>> >>>> If you want to try and get MailScanner running on Zimbra, let us know >>>> how it goes... but beware, I've heard MailScanner on a box running >>>> Postfix (IIRC Zimbra uses Postfix) *could cause swapping*! ;-) >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >>>> -- >>>> This message has been scanned for viruses and dangerous content by >>>> MailScanner, and is >>>> believed to be clean. >>> --[ UxBoD ]-- >>> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" >>> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 >>> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 >>> >>> > > From prandal at herefordshire.gov.uk Thu Nov 23 10:38:22 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Nov 23 10:38:39 2006 Subject: Patch to default MailScanner.conf for correct SpamAssassin Lo cal State Dir Message-ID: <86144ED6CE5B004DA23E1EAC0B569B5810BA6AFB@isabella.herefordshire.gov.uk> Oh yes it is: See the SA bug I referenced earlier: '__local_state_dir__/__version__' where __local_state_dir__ is (on my system at least) /var/lib/spamassassin. Look through the archives, see what I did to test it and replicate it if you don't believe me. *sighs* Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Stef Morrell > Sent: 23 November 2006 10:03 > To: MailScanner discussion > Subject: RE: Patch to default MailScanner.conf for correct > SpamAssassin Local State Dir > > Hello, > > Randal, Phil [prandal@herefordshire.gov.uk] wrote: > > As Theo van Dinter notes in > > http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4952#c11 > > , the spamassassin local_state_dir includes /spamassassin, e.g. > > /var/lib/spamassassin, and not /var/lib. > > Might want to be a bit careful with this. My spamassassin installs, > which are from Julian's most recent bundle have the following code: > > # note that the CWD takes priority. This is required in case a user > # is testing a new version of SpamAssassin on a machine with an older > # version installed. Unless you can come up with a fix for this that > # allows "make test" to work, don't change this. > @default_rules_path = ( > '__local_state_dir__/__version__', > '__def_rules_dir__', > '__prefix__/share/spamassassin', > '/usr/local/share/spamassassin', > '/usr/share/spamassassin', > ); > > As you can see, /spamassassin is NOT included in the _local_state_dir_ > line. Accordingly, MailScanner.conf should not be changed at > this time. > > It will need to be checked again after the next release of SA, I would > guess. > > Regards > > Stef > Stefan Morrell | Operations Director > Tel: 0845 3452820 | Alpha Omega Computers Ltd > Fax: 0845 3452830 | Incorporating Level 5 Internet > stef@aoc-uk.com | stef@l5net.net > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From jrudd at ucsc.edu Thu Nov 23 10:58:06 2006 
From: jrudd at ucsc.edu (John Rudd)
Date: Thu Nov 23 10:59:10 2006
Subject: Botnet 0.4 Spam Assassin plugin
Message-ID: <45657EBE.9030508@ucsc.edu>

(since I've recently mentioned this plugin on the mailscanner and communigate pro mailing lists, as an effective means of catching spam from botnets, I'm cross-posting this message)

I've changed RelayChecker's name to Botnet (since that's its real purpose: identify potential botnet submitted messages). Here's the 0.4 release.

Botnet is a spam assassin plugin which attempts to identify whether or not a message was submitted via a botnet host. It does this by looking at its DNS characteristics.

http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar

Install instructions are in the Botnet.txt file and in the INSTALL text file.

Changes:

1) Changed all of the rules from RELAY_CHECKER_* to BOTNET_*

2) Changed all of the config items from relaychecker_* to botnet_*

3) While the config items were stored in the global Spam Assassin Config hash, they were stored with names like "skip_ip" instead of relaychecker_skip_ip. Now they're stored with botnet_skip_ip, so that they don't conflict with any other plugin's potential "skip_ip" configuration parameter.

4) I've removed the '*_reduced_dns' option. Instead, Botnet automatically uses the rdns= part of the Untrusted Relay pseudo-header for the hostname. This reduces the number of DNS checks by up to 5 checks. It still does a DNS check in the BOTNET_BADDNS rule. You can avoid that one DNS check if you set that rule's score to 0.

5) BOTNET_BADDNS has a 4 part score now (0.01 0.01 0.00 0.01) so that it will properly be disabled if you're not doing network checks.

6) the *_IPHOSTNAME rule changed to BOTNET_IPINHOSTNAME. Similarly, the corresponding function is botnet_ipinhostname.

7) There are now two keyword checks. BOTNET_CLIENTWORDS is the same as the old keyword rule: it looks for words that look like client hostnames. Now there is also a BOTNET_SERVERWORDS for words that look like mail server hostnames. It acts as a counter to BOTNET_CLIENTWORDS and BOTNET_IPINHOSTNAME. (I honestly wasn't sure what to think of what became the SERVERWORDS feature when it was suggested ... but it hasn't been causing any problems with its default word list ("mail" and "smtp"))

8) The botnet_serverwords config option works like the old relaychecker_keywords config option (space delimited regular expressions for words to use in the BOTNET_SERVERWORDS rule). The relaychecker_keywords config has been changed to botnet_clientwords.

9) The BOTNET meta rule has 3 things it looks at: BOTNET_NORDNS, BOTNET_BADDNS and a new meta rule BOTNET_CLIENT. BOTNET_CLIENT is as follows:

(BOTNET_IPINHOSTNAME || BOTNET_CLIENTWORDS) && !BOTNET_SERVERWORDS

10) There's now an INSTALL file with very general installation instructions, and some install instructions in Botnet.txt (less general than the INSTALL file).

11) Oh, and, the included cf file had one of my own local address exceptions in it (my mail server subnet at work). I have taken that out of the released cf file. (I was surprised no one had mentioned it)

12) The BOTNET rule is now worth 5 points, instead of 6. It would be interesting to know what people have found as useful scores for the plugin.

So, let me know what you think. Let me know if you find any bugs, what your hit/miss/fp stats are (one person said 78% accuracy with 1% fp's), things like that. I hope no one has any new feature suggestions... it seems like it's pretty close to addressing the complete picture. I'm hoping my next release is going to be 1.0.

Also, I'm trying to decide on two things:

a) Does anyone think I _should_ switch to Net::DNS for the botnet_baddns function? Or is the gethostbyname() call good enough?

b) It seems kind of cluttered to have all of the various BOTNET_* rules show up in the test list and detailed report. But I have kept it that way, instead of changing their names to have __ in front, so that I can see what sub-rules were specifically triggered. What are people's opinions on that, for the 1.0 release:
   i) do you want me to leave it as it is, or
   ii) put in the __ so that the sub-rules stop showing up in the final report?

From vinay_poojary2000 at yahoo.co.in Thu Nov 23 11:05:44 2006
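The rule logic in change 9 of the Botnet 0.4 announcement, worked through on constructed relay data. This is an added example, not code from the plugin or from the list archive. Assumptions: the client word list, the IP-in-hostname matcher, the reading of BOTNET_BADDNS as "rdns name does not resolve back to the relay IP", and OR as the way the BOTNET meta rule combines its three inputs.

```python
import ipaddress
import re

# Defaults named in the announcement.
SERVER_WORDS = ("mail", "smtp")
BOTNET_SCORE = 5.0  # "The BOTNET rule is now worth 5 points"

# ASSUMED sample list: the announcement does not give the client words.
CLIENT_WORDS = ("adsl", "dsl", "dhcp", "dialup", "cable", "ppp",
                "dynamic", "pool")


def _word_re(words):
    """Match any word when it is not embedded in a longer run of letters."""
    alternation = "|".join(re.escape(w) for w in words)
    return re.compile(r"(?<![a-z])(?:" + alternation + r")(?![a-z])")


_SERVER_RE = _word_re(SERVER_WORDS)
_CLIENT_RE = _word_re(CLIENT_WORDS)


def ip_in_hostname(ip, hostname):
    """Simplified stand-in for BOTNET_IPINHOSTNAME (assumed matcher).

    True when the four octets appear in the hostname in forward or
    reverse order, either as separate numbers (203-0-113-45) or as one
    zero-padded 12-digit run (203000113045).
    """
    octets = list(ipaddress.IPv4Address(ip).packed)
    tokens = [int(t) for t in re.findall(r"\d+", hostname)]
    for run in (octets, octets[::-1]):
        n = len(run)
        if any(tokens[i:i + n] == run for i in range(len(tokens) - n + 1)):
            return True
        if "".join("%03d" % o for o in run) in hostname:
            return True
    return False


def evaluate(ip, rdns, forward_ok=True):
    """Return the sub-rule hits for one untrusted relay.

    ip         -- relay IP address
    rdns       -- hostname from the relay's rdns= field, '' when absent
    forward_ok -- caller-supplied result of the one remaining DNS check
                  (assumed meaning: rdns resolves back to ip)
    """
    host = (rdns or "").lower()
    hits = {
        "BOTNET_NORDNS": not host,
        "BOTNET_BADDNS": bool(host) and not forward_ok,
        "BOTNET_IPINHOSTNAME": bool(host) and ip_in_hostname(ip, host),
        "BOTNET_CLIENTWORDS": bool(_CLIENT_RE.search(host)),
        "BOTNET_SERVERWORDS": bool(_SERVER_RE.search(host)),
    }
    # Change 9, verbatim from the announcement:
    # (BOTNET_IPINHOSTNAME || BOTNET_CLIENTWORDS) && !BOTNET_SERVERWORDS
    hits["BOTNET_CLIENT"] = (
        (hits["BOTNET_IPINHOSTNAME"] or hits["BOTNET_CLIENTWORDS"])
        and not hits["BOTNET_SERVERWORDS"]
    )
    # ASSUMED: the meta rule fires when any of its three inputs fires.
    hits["BOTNET"] = (hits["BOTNET_NORDNS"] or hits["BOTNET_BADDNS"]
                      or hits["BOTNET_CLIENT"])
    return hits


def score(hits):
    """Points contributed by the BOTNET meta rule alone."""
    return BOTNET_SCORE if hits["BOTNET"] else 0.0


if __name__ == "__main__":
    # Constructed relays using documentation address ranges.
    samples = [
        ("203.0.113.45", "45-113-0-203.dsl.example.net", True),
        ("203.0.113.45", "mail-203-0-113-45.example.net", True),
        ("203.0.113.45", "", True),
        ("198.51.100.7", "smtp.example.org", True),
    ]
    for ip, rdns, ok in samples:
        h = evaluate(ip, rdns, ok)
        fired = sorted(k for k, v in h.items() if v)
        print(ip, rdns or "(no rdns)", score(h), fired)
```

The second sample shows why BOTNET_SERVERWORDS exists: a legitimate mail host whose name embeds its own address would otherwise be scored as a client.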
From: vinay_poojary2000 at yahoo.co.in (vinay poojary) Date: Thu Nov 23 11:05:48 2006 Subject: blocking files In-Reply-To: <456563EE.2070004@nkpanama.com> Message-ID: <241829.47968.qm@web8318.mail.in.yahoo.com> Dear Sir, Thks a lot ,Its working . Mailscanner is a gr8 tool and i love using it Regards, vinay Poojary Alex Neuman van der Hans wrote: Check the "archive depth" settings. vinay poojary wrote: > Dear Sir, > > I have blocked the video files by using filetype.rules.conf > by using the below entry. > > deny ASF No Windows media No Windows media files > allowed > > So it is blocking all the video files . > > But people have become smart and are now sending mails via zipping the > media files. > > Is there any way i could block these zipped media files. > > Also i want to allow other zipped documents . > > > Regards, > Vinay Poojary > > ------------------------------------------------------------------------ > Find out what India is talking about on - Yahoo! Answers India > > Send FREE SMS to your friend's mobile from Yahoo! Messenger Version 8. > Get it NOW > > > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! --------------------------------- Find out what India is talking about on - Yahoo! Answers India Send FREE SMS to your friend's mobile from Yahoo! Messenger Version 8. Get it NOW -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061123/6c1ce53e/attachment.html From stef at aoc-uk.com Thu Nov 23 11:29:03 2006 
From: stef at aoc-uk.com (Stef Morrell)
Date: Thu Nov 23 11:29:06 2006
Subject: Patch to default MailScanner.conf for correct SpamAssassin Local State Dir
Message-ID: <120103F0F5EC264097BC0A06EC9D026A010C0579@pardessus.aoc-uk.com>

Randal, Phil [prandal@herefordshire.gov.uk] wrote on :
> Look through the archives, see what I did to test it and
> replicate it if you don't believe me.
>
> *sighs*

*sighs also*

Very well...

Right... ok... that's interesting.

I find that on my test rig I hadn't uncommented the "Spamassassin Local State Dir" value, so it's set to null, which makes me look suitably stupid... except...

This is the output when Local State is commented (ie null) in MailScanner.conf:

[16278] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[16278] dbg: config: read file /etc/mail/spamassassin/init.pre
[16278] dbg: config: read file /etc/mail/spamassassin/v310.pre
[16278] dbg: config: read file /etc/mail/spamassassin/v312.pre
[16278] dbg: config: using "/var/lib/spamassassin/3.001007" for sys rules pre files
[16278] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
[16278] dbg: config: using "/var/lib/spamassassin/3.001007" for default rules dir
[16278] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
...

Seems to have found the updates fine.

Here is the output when Local State is configured to /var/lib/spamassassin

[16125] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[16125] dbg: config: read file /etc/mail/spamassassin/init.pre
[16125] dbg: config: read file /etc/mail/spamassassin/v310.pre
[16125] dbg: config: read file /etc/mail/spamassassin/v312.pre
[16125] dbg: config: using "/var/lib/spamassassin/3.001007" for sys rules pre files
[16125] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
[16125] dbg: config: using "/var/lib/spamassassin/3.001007" for default rules dir
[16125] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
...

Identical!!

And for completeness, here with Local State set to /var/lib

[16672] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[16672] dbg: config: read file /etc/mail/spamassassin/init.pre
[16672] dbg: config: read file /etc/mail/spamassassin/v310.pre
[16672] dbg: config: read file /etc/mail/spamassassin/v312.pre
[16672] dbg: config: using "/usr/share/spamassassin" for sys rules pre files
[16672] dbg: config: using "/usr/share/spamassassin" for default rules dir
...

Didn't find it.

So.. my hat is off, Phil - you were correct - there is a mistake and /var/lib is clearly wrong.

I pose a new question: Given it behaved correctly with a null value in Spamassassin Local State, is the setting required at all?

Stef
Stefan Morrell | Operations Director
Tel: 0845 3452820 | Alpha Omega Computers Ltd
Fax: 0845 3452830 | Incorporating Level 5 Internet
stef@aoc-uk.com | stef@l5net.net

>
> Phil
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> Stef Morrell Sent: 23 November 2006 10:03 >> To: MailScanner discussion >> Subject: RE: Patch to default MailScanner.conf for correct >> SpamAssassin Local State Dir >> >> Hello, >> >> Randal, Phil [prandal@herefordshire.gov.uk] wrote: >>> As Theo van Dinter notes in >>> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4952#c11 >>> , the spamassassin local_state_dir includes /spamassassin, e.g. >>> /var/lib/spamassassin, and not /var/lib. >> >> Might want to be a bit careful with this. My spamassassin installs, >> which are from Julian's most recent bundle have the following code: >> >> # note that the CWD takes priority. This is required in case a user >> # is testing a new version of SpamAssassin on a machine with an >> older # version installed. Unless you can come up with a fix for >> this that # allows "make test" to work, don't change this. >> @default_rules_path = ( >> '__local_state_dir__/__version__', >> '__def_rules_dir__', >> '__prefix__/share/spamassassin', >> '/usr/local/share/spamassassin', >> '/usr/share/spamassassin', >> ); >> >> As you can see, /spamassassin is NOT included in the >> _local_state_dir_ line. Accordingly, MailScanner.conf should not be >> changed at this time. >> >> It will need to be checked again after the next release of SA, I >> would guess. >> >> Regards >> >> Stef >> Stefan Morrell | Operations Director >> Tel: 0845 3452820 | Alpha Omega Computers Ltd >> Fax: 0845 3452830 | Incorporating Level 5 Internet >> stef@aoc-uk.com | stef@l5net.net >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From garry at glendown.de Thu Nov 23 11:38:06 2006 From: garry at glendown.de (Garry Glendown) Date: Thu Nov 23 11:40:04 2006 Subject: MS started crashing ... In-Reply-To: <455E9FA1.1050904@glendown.de> References: <455C9CD4.7030403@glendown.de> <455CB318.5080204@glendown.de> <455D416B.3070107@glendown.de> <455E9FA1.1050904@glendown.de> Message-ID: <4565881E.6040409@glendown.de> Hm ... we just did a fresh install on a new machine to cluster our MS servers, and seem to be running into the same problem on the new box, too ... so it has to be some current issue in either a Perl library, or MS itself ... !? Not good ... Anybody have an idea??? tnx, -gg From prandal at herefordshire.gov.uk Thu Nov 23 11:43:07 2006 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Nov 23 11:43:50 2006 Subject: Patch to default MailScanner.conf for correct SpamAssassin Lo cal State Dir Message-ID: <86144ED6CE5B004DA23E1EAC0B569B5810BA6B51@isabella.herefordshire.gov.uk> It was required with an earlier 3.1.x release, maybe it isn't now, as your research suggests. Theo's patch was committed on August 20th, so that would seem to relate to SA version 3.1.5 and later. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Stef Morrell > Sent: 23 November 2006 11:29 > To: MailScanner discussion > Subject: RE: Patch to default MailScanner.conf for correct > SpamAssassin Local State Dir > > Randal, Phil [prandal@herefordshire.gov.uk] wrote on : > > Look through the archives, see what I did to test it and > > replicate it if you don't believe me. > > > > *sighs* > > *sighs also* > > Very well... > > Right... ok... that's interesting. > > I find that on my test rig I hadn't uncommented the > "Spamassassin Local > State Dir" value, so it's set to null, which makes me look suitably > stupid... except... > > This is the output when Local State is commented (ie null) in > MailScanner.conf: > > [16278] dbg: config: using "/etc/mail/spamassassin" for site rules pre > files > [16278] dbg: config: read file /etc/mail/spamassassin/init.pre > [16278] dbg: config: read file /etc/mail/spamassassin/v310.pre > [16278] dbg: config: read file /etc/mail/spamassassin/v312.pre > [16278] dbg: config: using "/var/lib/spamassassin/3.001007" for sys > rules pre fi > les > [16278] dbg: config: read file > /var/lib/spamassassin/3.001007/updates_spamassass > in_org.pre > [16278] dbg: config: using "/var/lib/spamassassin/3.001007" > for default > rules di > r > [16278] dbg: config: read file > /var/lib/spamassassin/3.001007/updates_spamassass > in_org.cf > ... > > Seems to have found the updates fine. 
> > Here is the output when Local State is configured to > /var/lib/spamassassin > > [16125] dbg: config: using "/etc/mail/spamassassin" for site rules pre > files > [16125] dbg: config: read file /etc/mail/spamassassin/init.pre > [16125] dbg: config: read file /etc/mail/spamassassin/v310.pre > [16125] dbg: config: read file /etc/mail/spamassassin/v312.pre > [16125] dbg: config: using "/var/lib/spamassassin/3.001007" for sys > rules pre fi > les > [16125] dbg: config: read file > /var/lib/spamassassin/3.001007/updates_spamassass > in_org.pre > [16125] dbg: config: using "/var/lib/spamassassin/3.001007" > for default > rules di > r > [16125] dbg: config: read file > /var/lib/spamassassin/3.001007/updates_spamassass > in_org.cf > ... > > Identical!! > > And for completeness, here with Local State set to /var/lib > > [16672] dbg: config: using "/etc/mail/spamassassin" for site rules pre > files > [16672] dbg: config: read file /etc/mail/spamassassin/init.pre > [16672] dbg: config: read file /etc/mail/spamassassin/v310.pre > [16672] dbg: config: read file /etc/mail/spamassassin/v312.pre > [16672] dbg: config: using "/usr/share/spamassassin" for sys rules pre > files > [16672] dbg: config: using "/usr/share/spamassassin" for default rules > dir > ... > > Didn't find it. > > So.. my hat is off, Phil - you were correct - there is a mistake and > /var/lib is clearly wrong. > > I pose a new question: Given it behaved correctly with a null value in > Spamassassin Local State, is the setting required at all? > > Stef > Stefan Morrell | Operations Director > Tel: 0845 3452820 | Alpha Omega Computers Ltd > Fax: 0845 3452830 | Incorporating Level 5 Internet > stef@aoc-uk.com | stef@l5net.net > > > > > Phil > > -- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK > > > >> -----Original Message----- 
> >> From: mailscanner-bounces@lists.mailscanner.info > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > >> Stef Morrell Sent: 23 November 2006 10:03 > >> To: MailScanner discussion > >> Subject: RE: Patch to default MailScanner.conf for correct > >> SpamAssassin Local State Dir > >> > >> Hello, > >> > >> Randal, Phil [prandal@herefordshire.gov.uk] wrote: > >>> As Theo van Dinter notes in > >>> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4952#c11 > >>> , the spamassassin local_state_dir includes /spamassassin, e.g. > >>> /var/lib/spamassassin, and not /var/lib. > >> > >> Might want to be a bit careful with this. My spamassassin installs, > >> which are from Julian's most recent bundle have the following code: > >> > >> # note that the CWD takes priority. This is required in > case a user > >> # is testing a new version of SpamAssassin on a machine with an > >> older # version installed. Unless you can come up with a fix for > >> this that # allows "make test" to work, don't change this. > >> @default_rules_path = ( > >> '__local_state_dir__/__version__', > >> '__def_rules_dir__', > >> '__prefix__/share/spamassassin', > >> '/usr/local/share/spamassassin', > >> '/usr/share/spamassassin', > >> ); > >> > >> As you can see, /spamassassin is NOT included in the > >> _local_state_dir_ line. Accordingly, MailScanner.conf should not be > >> changed at this time. > >> > >> It will need to be checked again after the next release of SA, I > >> would guess. 
> >> > >> Regards > >> > >> Stef > >> Stefan Morrell | Operations Director > >> Tel: 0845 3452820 | Alpha Omega Computers Ltd > >> Fax: 0845 3452830 | Incorporating Level 5 Internet > >> stef@aoc-uk.com | stef@l5net.net > >> -- > >> MailScanner mailing list > >> mailscanner@lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > >> > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From vinay_poojary2000 at yahoo.co.in Thu Nov 23 12:31:13 2006 From: vinay_poojary2000 at yahoo.co.in (vinay poojary) Date: Thu Nov 23 12:31:19 2006 Subject: quarantine management Message-ID: <616991.29448.qm@web8320.mail.in.yahoo.com> Dear Sir, I am using mailscanner and i have also installed the mailwatch to view the mails graphically . Is there any tool by which user can log in the web based tool and check their own quarantine and release their own mail . Regards, Vinay Poojary --------------------------------- Find out what India is talking about on - Yahoo! Answers India Send FREE SMS to your friend's mobile from Yahoo! Messenger Version 8. Get it NOW -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061123/6985dec2/attachment.html From markee at bandwidthco.com Thu Nov 23 14:31:28 2006 
From: markee at bandwidthco.com (markee)
Date: Thu Nov 23 14:26:59 2006
Subject: Sendmail gateway using mailertable and access db
In-Reply-To: <1840.172.16.1.115.1164194339.squirrel@www.caleotech.com>
Message-ID: <002401c70f0c$0fbf54d0$0300a8c0@bandwidthco.com>

Jens - this is the same setup I have (sendmail gateway before exchange). I started getting bombarded with unknown recipients on exchange myself about three weeks ago. I also tried to stop them at the SMTP "Connection" on sendmail with access.db. Wasn't working and it was killing my entire mail system.

Yesterday I found this: http://www.technoids.org/procmailfilter.html

Don't let the procmail part confuse you. Skip that part. Check the last few pages of this. It tells you (and explains why) how to set up the access.db. It really works and cleaned things up immediately for me. The key is to use "OK" and not "RELAY" with your "To:" entries in access.db.

I am one happy camper now. And I know what you are going through exactly. If you can't get it to work correctly, let me know and I will send you the applicable sections of my access file.

##########################################
This is coming from the home and office of:
Mark E. Donaldson
Bandwidthco Computer Security
markee@bandwidthco.com
http://www.bandwidthco.com/
Copyright C 1999 Bandwidthco.com. All rights reserved.
4500 0028 a66b 4000 8006 d307 c0a8 000a c0a8 0002 0871 0bc3 572b 25f7 ca7d 1b60 5010 f64c c0f6 0000 0000 0000 0000
##########################################
CCNA, OCP, GSEC, GCFW, GCIH, GCIA, GCUX, GCFA, GAWN, X-Ways (WinHex) Forensics Certified
##########################################
Hacking is the process of influencing a computer system in such a way that it performs an action that is useful to you.
##########################################
  .~.
  /V\
 /( )\
 ^^-^^

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jens Ahlin Sent: Wednesday, November 22, 2006 3:19 AM To: mailscanner@lists.mailscanner.info Subject: OT: Sendmail gateway using mailertable and access db Hi All, I have a MailScanner box (CentOS 4) with sendmail-8.13.1-3 acting gateway in front of an Exchange server (Not my decision). Now all mails for all domains handled are scanned and forwarded to the exchange server. Lately the amount of mail for unknown recipients has exploded over the roof and I need to implement a quick solution. The server is dying and I don't want to be "that guy" that send undeliverable reports for spam/virus. I'm using access db for another installation and it works fine there but the MailScanner box is not a gateway. All mails are delivered locally. Now with a sendmail installation in gateway mode this doesn't work. I have a script that pulls all valid email addresses from the exchange server and want to use access db to block all but my valid users. I have looked at milter-ahead but I could not figure out if this is the right thing for me. My config using test.com as domain and xxx.xxx.xxx.xxx as the Exchange server IP address. mailertable: test.com smtp[xxx.xxx.xxx.xxx] access db: test.com RELAY xxx.xxx.xxx.xxx RELAY TO:user@test.com RELAY TO:test.com ERROR:5.1.1:550 User unknown I have no "relay" FEATURE in my sendmail.mc. Using this config results in all mails sent to user@test.com are rejected with error 550 User unknown. I have read the sendmail documentation regarding access db and tried a lot of different settings (Only TO:, Only Connect:, TO: and Connect:) Any idea of how to do this? Jens -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
######################################################## This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. postmaster@bandwidthco.com MailScanner at Bandwidthco Computer Security is for your absolute protection. ######################################################## From mailing_lists+mailscanner at caleotech.com Thu Nov 23 14:47:04 2006 
From: mailing_lists+mailscanner at caleotech.com (Jens Ahlin) Date: Thu Nov 23 14:47:14 2006 Subject: [SOLVED]RE: Sendmail gateway using mailertable and access db In-Reply-To: <002401c70f0c$0fbf54d0$0300a8c0@bandwidthco.com> References: <002401c70f0c$0fbf54d0$0300a8c0@bandwidthco.com> Message-ID: <1557.172.16.1.115.1164293224.squirrel@www.caleotech.com> > Jens - this is the same setup I have (sendmail gateway before exchange) I > started getting bombarded with unknown recipients on exchange myself about > three weeks ago. I also tried to stop them at the SMTP "Connection" on > sendmail with access.db. Wasn't working and it was killing my entire mail > system. Yesterday I found this: > > http://www.technoids.org/procmailfilter.html > > Don't let the procmail part confuse you. Skip that part. Check the last > few > pages of this. It tells you (and explains why) how to set up the > access.db. > It really works and cleaned things up immediately for me. The key is to > use > "OK" and not "RELAY" with you "To:" entries in access.db. I am one happy > camper now. And I know what you are going through exactly. If you can't > get > it to work correctly, let me know and I will send you the applicable > sections of my access file. > > > ########################################## > This is coming from the home and office of: > > Mark E. Donaldson > Bandwidthco Computer Security > markee@bandwidthco.com > http://www.bandwidthco.com/ > > Copyright C 1999 Bandwidthco.com. All rights reserved. > > 4500 0028 a66b 4000 8006 d307 c0a8 000a > c0a8 0002 0871 0bc3 572b 25f7 ca7d 1b60 > 5010 f64c c0f6 0000 0000 0000 0000 > ########################################## > CCNA, OCP, GSEC, GCFW, GCIH, GCIA, GCUX, GCFA, GAWN, X-Ways (WinHex) > Forensics Certified > ########################################## > Hacking is the process of influencing a computer system > in such a way that it performs an action that is useful to you. > ########################################## > .~. 
> /V\ > /( )\ > ^^-^^ > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jens > Ahlin > Sent: Wednesday, November 22, 2006 3:19 AM > To: mailscanner@lists.mailscanner.info > Subject: OT: Sendmail gateway using mailertable and access db > > Hi All, > > I have a MailScanner box (CentOS 4) with sendmail-8.13.1-3 acting gateway > in > front of an Exchange server (Not my decision). Now all mails for all > domains > handled are scanned and forwarded to the exchange server. Lately the > amount > of mail for unknown recipients has exploded over the roof and I need to > implement a quick solution. The server is dying and I don't want to be > "that guy" that send undeliverable reports for spam/virus. > > I'm using access db for another installation and it works fine there but > the > MailScanner box is not a gateway. All mails are delivered locally. Now > with > a sendmail installation in gateway mode this doesn't work. I have a script > that pulls all valid email addresses from the exchange server and want to > use access db to block all but my valid users. I have looked at > milter-ahead > but I could not figure out if this is the right thing for me. > > My config using test.com as domain and xxx.xxx.xxx.xxx as the Exchange > server IP address. > > mailertable: > > test.com smtp[xxx.xxx.xxx.xxx] > > access db: > test.com RELAY > xxx.xxx.xxx.xxx RELAY > > TO:user@test.com RELAY > TO:test.com ERROR:5.1.1:550 User unknown > > I have no "relay" FEATURE in my sendmail.mc. > > Using this config results in all mails sent to user@test.com are rejected > with error 550 User unknown. > > I have read the sendmail documentation regarding access db and tried a lot > of different settings (Only TO:, Only Connect:, TO: and Connect:) > > Any idea of how to do this? 
> > Jens > Hi, I solved this yesterday as I stated before. But thanks for the input. The thing that solved it for me was that I (stupid idiot) had configured sendmail wrong when I set it up. When I added all my domains in relay-domains file and removed them from access.db it worked like a charm. If you run sendmail with local mailboxes and don't use mailertable for routing you can have the relay information in the access.db file instead of relay-domains. Jens From alvaro at hostalia.com Thu Nov 23 16:02:27 2006 
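The access map layout this thread arrives at (per-address `To:` entries marked `OK`, the `To:test.com ERROR:5.1.1:550 User unknown` catch-all, and the handled domains listed in relay-domains instead of as RELAY entries in access.db), generated from an exported address list. This is an added example, not code from any poster: `build_maps` and the sample export are constructed, and it assumes recipient lookups against the access db are already enabled in sendmail.mc.

```python
import re

# Local part and dotted domain only; anything else (spaces, tabs, newlines) is
# refused, so an exported value can never add an extra line to the map source.
ADDRESS = re.compile(r"[a-z0-9._%+\-]+@([a-z0-9\-]+(?:\.[a-z0-9\-]+)+)")
REJECT = "ERROR:5.1.1:550 User unknown"  # catch-all text used in the thread


def build_maps(exported_addresses, handled_domains):
    """Return (access source lines, relay-domains lines, skipped raw values)."""
    domains = sorted({d.strip().lower() for d in handled_domains if d.strip()})
    valid, skipped = set(), []
    for raw in exported_addresses:
        addr = raw.strip().lower()
        match = ADDRESS.fullmatch(addr)
        # Skip malformed values and addresses in domains this gateway does not handle.
        if match is None or match.group(1) not in domains:
            skipped.append(raw)
            continue
        valid.add(addr)
    # A failed or empty export would otherwise publish a reject-everything map.
    empty = [d for d in domains if not any(a.endswith("@" + d) for a in valid)]
    if empty:
        raise ValueError("no valid recipients exported for: " + ", ".join(empty))
    access = ["To:%s\tOK" % a for a in sorted(valid)]
    # The domain-wide entry rejects every recipient without its own OK line.
    access += ["To:%s\t%s" % (d, REJECT) for d in domains]
    return access, domains, skipped


# Constructed sample export; test.com is the placeholder domain from the thread.
SAMPLE_EXPORT = [
    "User@test.com",
    "  helpdesk@test.com ",
    "user@test.com",                      # duplicate after normalisation
    "someone@other.example",              # not a handled domain
    "bad@test.com\nTo:test.com RELAY",    # embedded newline, refused
    "no-at-sign",
]

if __name__ == "__main__":
    access, relay_domains, skipped = build_maps(SAMPLE_EXPORT, ["test.com"])
    print("# access map source")
    print("\n".join(access))
    print("# relay-domains")
    print("\n".join(relay_domains))
    print("# skipped:", [repr(s) for s in skipped])
```

Rebuild the access map from the generated source only when `build_maps` returns without raising, and review the skipped list after each export.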
From: alvaro at hostalia.com (Alvaro Marín) Date: Thu Nov 23 16:02:32 2006 Subject: quarantine management In-Reply-To: <616991.29448.qm@web8320.mail.in.yahoo.com> References: <616991.29448.qm@web8320.mail.in.yahoo.com> Message-ID: <4565C613.70202@hostalia.com> Hello, > I am using mailscanner and i have also installed the mailwatch to view the mails graphically . > > Is there any tool by which user can log in the web based tool and check their own quarantine and release their own mail . MailWatch? :) http://mailwatch.sourceforge.net/doku.php?id=mailwatch:documentation:user_administration Regards, -- Alvaro Marín Illera Hostalia Internet www.hostalia.com From martinh at solidstatelogic.com Thu Nov 23 16:08:12 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Thu Nov 23 16:08:19 2006 Subject: Debora is a huge spammers!!!! In-Reply-To: References: <20061115093217.I48256@mikea.ath.cx> <200611160346.kAG3kmX6020205@bkserver.blacknight.ie> Message-ID: <4565C76C.9000206@solidstatelogic.com> pawel wrote: > > IN RCPT SECTION: > > deny senders = ^debora.*@.* > err could lead to ALOT of false positives... upgrade to SA 3.1.7, use the SARE and freds rules from www.rulesemporium.com, also razor and pyzor are picking these up now as well. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From rob at dido.ca Thu Nov 23 16:43:49 2006 
From: rob at dido.ca (Rob Morin) Date: Thu Nov 23 16:43:57 2006 Subject: Installed the OCR thingy and i still get those darn imgae spams going through..... Message-ID: <4565CFC5.1090702@dido.ca> .... is there anything i should check for in the logs to indicate where there is an error of sorts or if it did actually catch anything.... ??? I installed this yesterday... i received 4 spams with gifs in them thanks.. -- Rob Morin Dido InterNet Inc. Montreal, Canada Http://www.dido.ca 514-990-4444 From daniel.maher at ubisoft.com Thu Nov 23 16:55:33 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Thu Nov 23 16:55:43 2006 Subject: Installed the OCR thingy and i still get those darn imgae spams going through..... In-Reply-To: <4565CFC5.1090702@dido.ca> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203C00E54@UBIMAIL1.ubisoft.org> Hi Rob, First thing to note: FuzzyOCR - which I can only assume is what you're talking about - is not perfect. It requires tuning (sometimes quite extensively), and should not be considered production-ready out of the box. I would suggest that you join the FuzzyOCR mailing list directly, as there is a great wealth of knowledge and testing results being shared there. Good luck! -- _ ?v? Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Rob Morin > Sent: November 23, 2006 11:44 AM > To: MailScanner discussion > Subject: Installed the OCR thingy and i still get those darn imgae spams > going through..... > > .... is there anything i should check for in the logs to indicate where > there is an error of sorts or if it did actually catch anything.... ??? > > I installed this yesterday... i received 4 spams with gifs in them > > thanks.. > > -- > > Rob Morin > Dido InterNet Inc. > Montreal, Canada > Http://www.dido.ca > 514-990-4444 From rob at dido.ca Thu Nov 23 19:03:39 2006 
From: rob at dido.ca (Rob Morin) Date: Thu Nov 23 19:04:23 2006 Subject: Installed the OCR thingy and i still get those darn imgae spams going through..... In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D203C00E54@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D203C00E54@UBIMAIL1.ubisoft.org> Message-ID: <4565F08B.2050103@dido.ca> Thanks for the tip I shall go get on that list.... Thanks.. Rob Morin Dido InterNet Inc. Montreal, Canada Http://www.dido.ca 514-990-4444 Daniel Maher wrote: > Hi Rob, > > First thing to note: FuzzyOCR - which I can only assume is what you're talking about - is not perfect. > > It requires tuning (sometimes quite extensively), and should not be considered production-ready out of the box. I would suggest that you join the FuzzyOCR mailing list directly, as there is a great wealth of knowledge and testing results being shared there. > > Good luck! > > -- > _ > ?v? Daniel Maher > /(_)\ Administrateur Système Unix > ^ ^ Unix System Administrator > > Sentio aliquos togatos contra me conspirare. > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Rob Morin >> Sent: November 23, 2006 11:44 AM >> To: MailScanner discussion >> Subject: Installed the OCR thingy and i still get those darn imgae spams >> going through..... >> >> .... is there anything i should check for in the logs to indicate where >> there is an error of sorts or if it did actually catch anything.... ??? >> >> I installed this yesterday... i received 4 spams with gifs in them >> >> thanks.. >> >> -- >> >> Rob Morin >> Dido InterNet Inc. >> Montreal, Canada >> Http://www.dido.ca >> 514-990-4444 >> From res at ausics.net Thu Nov 23 20:11:19 2006 
From: res at ausics.net (Res) Date: Thu Nov 23 20:11:28 2006 Subject: log is flotting with messages In-Reply-To: <223f97700611230126k7c5b30c8r84fbeeca07e96f@mail.gmail.com> References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061121181255.4tkj4b7i8484osgg@www.intranet> <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com> <45636DAA.30807@techspace.nl> <223f97700611220132n7cc4d3f0p26739c55772348ee@mail.gmail.com> <20061122182423.d0l1plbegwg0kkw8@www.intranet> <223f97700611230126k7c5b30c8r84fbeeca07e96f@mail.gmail.com> Message-ID: On Thu, 23 Nov 2006, Glenn Steen wrote: > On 22/11/06, redhat@techspace.nl wrote: >> tried to run mailscanner as user and group root no diverance. >> >> waaaaaaaaaaaaaaaa!!! >> close to give up. >> greets. >> > I totally understand your frustration... And I might have some good Maybe I should do what all the postmix trolls always do and suggest he uses pos... sendmail ;) -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From res at ausics.net Thu Nov 23 20:20:42 2006 
From: res at ausics.net (Res) Date: Thu Nov 23 20:20:52 2006 Subject: Debora is a huge spammers!!!! In-Reply-To: <4565C76C.9000206@solidstatelogic.com> References: <20061115093217.I48256@mikea.ath.cx> <200611160346.kAG3kmX6020205@bkserver.blacknight.ie> <4565C76C.9000206@solidstatelogic.com> Message-ID: On Thu, 23 Nov 2006, Martin Hepworth wrote: > pawel wrote: >> >> IN RCPT SECTION: >> >> deny senders = ^debora.*@.* >> > > err could lead to ALOT of false positives... > > upgrade to SA 3.1.7, use the SARE and freds rules from www.rulesemporium.com, > also razor and pyzor are picking these up now as well. > The problem with that is it marks them low, so the damned email still get delivered, therefore ppl STILL get them. I have put a modified regex in the spamassassin prefs to mark them at 100 so my users dont get it. -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From redhat at techspace.nl Thu Nov 23 20:53:45 2006 
From: redhat at techspace.nl (redhat@techspace.nl) Date: Thu Nov 23 20:54:14 2006 Subject: log is flotting with messages solved In-Reply-To: References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061121181255.4tkj4b7i8484osgg@www.intranet> <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com> <45636DAA.30807@techspace.nl> <223f97700611220132n7cc4d3f0p26739c55772348ee@mail.gmail.com> <20061122182423.d0l1plbegwg0kkw8@www.intranet> <223f97700611230126k7c5b30c8r84fbeeca07e96f@mail.gmail.com> Message-ID: <20061123215345.xnigdp5jsc008k0w@www.intranet> Quoting Res : > On Thu, 23 Nov 2006, Glenn Steen wrote: > >> On 22/11/06, redhat@techspace.nl wrote: > >>> tried to run mailscanner as user and group root no diverance. >>> >>> waaaaaaaaaaaaaaaa!!! >>> close to give up. >>> greets. >>> >> I totally understand your frustration... And I might have some good > > > Maybe I should do what all the postmix trolls always do and suggest he > uses pos... sendmail ;) > > > -- > Cheers > Res > yesssssssssssssssssssssssss thats it its so simpel waaaaa thanks al lot, now i can go to sleep. one stange thing stil the messages still keep komming until a mails has gone trug but i can live with that. sorry for my poor englis got to get some sleep. thanks jasper. -- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door Dark Eagle mail scanner en lijkt schoon te zijn. From glenn.steen at gmail.com Thu Nov 23 21:01:29 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 23 21:01:32 2006 Subject: log is flotting with messages In-Reply-To: References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061121181255.4tkj4b7i8484osgg@www.intranet> <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com> <45636DAA.30807@techspace.nl> <223f97700611220132n7cc4d3f0p26739c55772348ee@mail.gmail.com> <20061122182423.d0l1plbegwg0kkw8@www.intranet> <223f97700611230126k7c5b30c8r84fbeeca07e96f@mail.gmail.com> Message-ID: <223f97700611231301m3c6ee5f4ue9163da96ad3915f@mail.gmail.com> On 23/11/06, Res wrote: (snip) > > Maybe I should do what all the postmix trolls always do and suggest he > uses pos... sendmail ;) > Lucky for me that I'm not a troll then:-):-) Of course he could switch to any ol' MTA, even rendmail... But that would only cover up the underlying problem... Which seems to be when nss is configured to use ldap for shadow, and seemingly getting "cucumber" (or less:-) as response, then exrement hitting cooling devices... Which could feasibly pop up as a problem in anything not running as root... So trying to fix it, or work around it seems like a better solution:-). Cheers to you too () -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Nov 23 21:11:50 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 23 21:11:53 2006 Subject: log is flotting with messages solved In-Reply-To: <20061123215345.xnigdp5jsc008k0w@www.intranet> References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061121181255.4tkj4b7i8484osgg@www.intranet> <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com> <45636DAA.30807@techspace.nl> <223f97700611220132n7cc4d3f0p26739c55772348ee@mail.gmail.com> <20061122182423.d0l1plbegwg0kkw8@www.intranet> <223f97700611230126k7c5b30c8r84fbeeca07e96f@mail.gmail.com> <20061123215345.xnigdp5jsc008k0w@www.intranet> Message-ID: <223f97700611231311j335db5b9g837f714945421b71@mail.gmail.com> On 23/11/06, redhat@techspace.nl wrote: > Quoting Res : > > > On Thu, 23 Nov 2006, Glenn Steen wrote: > > > >> On 22/11/06, redhat@techspace.nl wrote: > > > >>> tried to run mailscanner as user and group root no diverance. > >>> > >>> waaaaaaaaaaaaaaaa!!! > >>> close to give up. > >>> greets. > >>> > >> I totally understand your frustration... And I might have some good > > > > > > Maybe I should do what all the postmix trolls always do and suggest he > > uses pos... sendmail ;) > > > > > > -- > > Cheers > > Res > > > > yesssssssssssssssssssssssss thats it its so simpel waaaaa > > thanks al lot, now i can go to sleep. > > one stange thing stil the messages still keep komming until a mails > has gone trug but i can live with that. > > sorry for my poor englis got to get some sleep. Um, either I've looked a bit too deep into that glass of liquid gold, or I simply am a bit daft... Which was it, the ldap fix or sendmail? Or do you mean that you still see the error log, even though you've switched to sendmail? That's because you still have the error.... Unless you "fixed" it via the shadow/ldap edit, or by an update (of nss_ldap). If you just switched to rendmaul, uh .. sendmail, one can ask oneself... What will break next? 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From redhat at techspace.nl Thu Nov 23 21:32:15 2006 
From: redhat at techspace.nl (redhat@techspace.nl) Date: Thu Nov 23 21:32:44 2006 Subject: log is flotting with messages solved In-Reply-To: <223f97700611231311j335db5b9g837f714945421b71@mail.gmail.com> References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061121181255.4tkj4b7i8484osgg@www.intranet> <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com> <45636DAA.30807@techspace.nl> <223f97700611220132n7cc4d3f0p26739c55772348ee@mail.gmail.com> <20061122182423.d0l1plbegwg0kkw8@www.intranet> <223f97700611230126k7c5b30c8r84fbeeca07e96f@mail.gmail.com> <20061123215345.xnigdp5jsc008k0w@www.intranet> <223f97700611231311j335db5b9g837f714945421b71@mail.gmail.com> Message-ID: <20061123223215.6m6br97xz44o4sc0@www.intranet> Quoting Glenn Steen : > On 23/11/06, redhat@techspace.nl wrote: >> Quoting Res : >> >>> On Thu, 23 Nov 2006, Glenn Steen wrote: >>> >>>> On 22/11/06, redhat@techspace.nl wrote: >>> >>>>> tried to run mailscanner as user and group root no diverance. >>>>> >>>>> waaaaaaaaaaaaaaaa!!! >>>>> close to give up. >>>>> greets. >>>>> >>>> I totally understand your frustration... And I might have some good >>> >>> >>> Maybe I should do what all the postmix trolls always do and suggest he >>> uses pos... sendmail ;) >>> >>> >>> -- >>> Cheers >>> Res >>> >> >> yesssssssssssssssssssssssss thats it its so simpel waaaaa >> >> thanks al lot, now i can go to sleep. >> >> one stange thing stil the messages still keep komming until a mails >> has gone trug but i can live with that. >> >> sorry for my poor englis got to get some sleep. > Um, either I've looked a bit too deep into that glass of liquid gold, > or I simply am a bit daft... Which was it, the ldap fix or sendmail? > Or do you mean that you still see the error log, even though you've > switched to sendmail? That's because you still have the error.... > Unless you "fixed" it via the shadow/ldap edit, or by an update (of > nss_ldap). If you just switched to rendmaul, uh .. 
sendmail, one can > ask oneself... What will break next? > > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- it was the the ldap fix that dit the trix no sendmail on my box. no real errors yust repeating that the everytings starts up an connecting to the data basses wite list enz. until a mail is gone tru greets jasper -- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door Dark Eagle mail scanner en lijkt schoon te zijn. From jrudd at ucsc.edu Thu Nov 23 21:38:11 2006 From: jrudd at ucsc.edu (John Rudd) Date: Thu Nov 23 21:39:20 2006 Subject: Installed the OCR thingy and i still get those darn imgae spams going through..... In-Reply-To: <4565CFC5.1090702@dido.ca> References: <4565CFC5.1090702@dido.ca> Message-ID: <456614C3.8020104@ucsc.edu> Rob Morin wrote: > .... is there anything i should check for in the logs to indicate where > there is an error of sorts or if it did actually catch anything.... ??? > > I installed this yesterday... i received 4 spams with gifs in them > > thanks.. > Have you tried my Botnet plugin? It doesn't look at the images directly, but it does seem to catch just about all of those messages, because they're coming from botnet hosts. From Jeff.Mills at versacold.com.au Thu Nov 23 21:48:07 2006 
From: Jeff.Mills at versacold.com.au (Jeff Mills) Date: Thu Nov 23 21:46:31 2006 Subject: Installed the OCR thingy and i still get those darn imgae spams going through..... Message-ID: <197F21E06E4D2A478519EA9078D6AA1C0466D11D@poclexch.AU.POCOLD.POCL> Where does one get your botnet plugin? I'll give it a shot! > > Have you tried my Botnet plugin? It doesn't look at the images > directly, but it does seem to catch just about all of those messages, > because they're coming from botnet hosts. > *** "This company is now part of the Versacold Holdings Corp. and is no longer owned by or affiliated with the P&O Group" *** Please update your address books: Was: firstname.lastname@pocold.com.au Now: firstname.lastname@versacold.com.au ************** www.versacold.com ************** From res at ausics.net Thu Nov 23 21:51:06 2006 
From: res at ausics.net (Res) Date: Thu Nov 23 21:51:15 2006 Subject: log is flotting with messages solved In-Reply-To: <20061123215345.xnigdp5jsc008k0w@www.intranet> References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061121181255.4tkj4b7i8484osgg@www.intranet> <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com> <45636DAA.30807@techspace.nl> <223f97700611220132n7cc4d3f0p26739c55772348ee@mail.gmail.com> <20061122182423.d0l1plbegwg0kkw8@www.intranet> <223f97700611230126k7c5b30c8r84fbeeca07e96f@mail.gmail.com> <20061123215345.xnigdp5jsc008k0w@www.intranet> Message-ID: On Thu, 23 Nov 2006, redhat@techspace.nl wrote: > Quoting Res : > >> On Thu, 23 Nov 2006, Glenn Steen wrote: >> >>> On 22/11/06, redhat@techspace.nl wrote: >> >>>> tried to run mailscanner as user and group root no diverance. >>>> >>>> waaaaaaaaaaaaaaaa!!! >>>> close to give up. >>>> greets. >>>> >>> I totally understand your frustration... And I might have some good >> >> >> Maybe I should do what all the postmix trolls always do and suggest he >> uses pos... sendmail ;) >> >> >> -- >> Cheers >> Res >> > > yesssssssssssssssssssssssss thats it its so simpel waaaaa > > thanks al lot, now i can go to sleep. Yes us sendmail admins tend to get a lot of sleep hehehe ;) > sorry for my poor englis got to get some sleep. Thats ok, I'm on a few international lists, and trust me, your english is not too bad at all compared to some (or mine afer i had a few lol) nite! -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From jrudd at ucsc.edu Thu Nov 23 21:53:07 2006 
From: jrudd at ucsc.edu (John Rudd)
Date: Thu Nov 23 21:53:52 2006
Subject: Installed the OCR thingy and i still get those darn imgae spams going through.....
In-Reply-To: <197F21E06E4D2A478519EA9078D6AA1C0466D11D@poclexch.AU.POCOLD.POCL>
References: <197F21E06E4D2A478519EA9078D6AA1C0466D11D@poclexch.AU.POCOLD.POCL>
Message-ID: <45661843.8030806@ucsc.edu>

Jeff Mills wrote:
>
>> Have you tried my Botnet plugin? It doesn't look at the images
>> directly, but it does seem to catch just about all of those messages,
>> because they're coming from botnet hosts.
>>
> Where does one get your botnet plugin?
> I'll give it a shot!
>
>

I had just announced the latest release here this morning. Here's the announcement:

(since I've recently mentioned this plugin on the mailscanner and communigate pro mailing lists, as an effective means of catching spam from botnets, I'm cross-posting this message)

I've changed RelayChecker's name to Botnet (since that's its real purpose: identify potential botnet submitted messages). Here's the 0.4 release.

Botnet is a spam assassin plugin which attempts to identify whether or not a message was submitted via a botnet host. It does this by looking at its DNS characteristics.

http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar

Install instructions are in the Botnet.txt file and in the INSTALL text file.

Changes:

1) Changed all of the rules from RELAY_CHECKER_* to BOTNET_*

2) Changed all of the config items from relaychecker_* to botnet_*

3) While the config items were stored in the global Spam Assassin Config hash, they were stored with names like "skip_ip" instead of relaychecker_skip_ip. Now they're stored with botnet_skip_ip, so that they don't conflict with any other plugin's potential "skip_ip" configuration parameter.

4) I've removed the '*_reduced_dns' option. Instead, Botnet automatically uses the rdns= part of the Untrusted Relay pseudo-header for the hostname. This reduces the number of DNS checks by up to 5 checks. It still does a DNS check in the BOTNET_BADDNS rule. You can avoid that one DNS check if you set that rule's score to 0.

5) BOTNET_BADDNS has a 4 part score now (0.01 0.01 0.00 0.01) so that it will properly be disabled if you're not doing network checks.

6) the *_IPHOSTNAME rule changed to BOTNET_IPINHOSTNAME. Similarly, the corresponding function is botnet_ipinhostname.

7) There are now two keyword checks. BOTNET_CLIENTWORDS is the same as the old keyword rule: it looks for words that look like client hostnames. Now there is also a BOTNET_SERVERWORDS for words that look like mail server hostnames. It acts as a counter to BOTNET_CLIENTWORDS and BOTNET_IPINHOSTNAME. (I honestly wasn't sure what to think of what became the SERVERWORDS feature when it was suggested ... but it hasn't been causing any problems with its default word list ("mail" and "smtp"))

8) The botnet_serverwords config option works like the old relaychecker_keywords config option (space delimited regular expressions for words to use in the BOTNET_SERVERWORDS rule). The relaychecker_keywords config has been changed to botnet_clientwords.

9) The BOTNET meta rule has 3 things it looks at: BOTNET_NORDNS, BOTNET_BADDNS and a new meta rule BOTNET_CLIENT. BOTNET_CLIENT is as follows:

(BOTNET_IPINHOSTNAME || BOTNET_CLIENTWORDS) && !BOTNET_SERVERWORDS

10) There's now an INSTALL file with very general installation instructions, and some install instructions in Botnet.txt (less general than the INSTALL file).

11) Oh, and, the included cf file had one of my own local address exceptions in it (my mail server subnet at work). I have taken that out of the released cf file. (I was surprised no one had mentioned it)

12) The BOTNET rule is now worth 5 points, instead of 6. It would be interesting to know what people have found as useful scores for the plugin.

So, let me know what you think. Let me know if you find any bugs, what your hit/miss/fp stats are (one person said 78% accuracy with 1% fp's), things like that. I hope no one has any new feature suggestions... it seems like it's pretty close to addressing the complete picture. I'm hoping my next release is going to be 1.0.

Also, I'm trying to decide on two things:

a) Does anyone think I _should_ switch to Net::DNS for the botnet_baddns function? Or is the gethostbyname() call good enough?

b) It seems kind of cluttered to have all of the various BOTNET_* rules show up in the test list and detailed report. But I have kept it that way, instead of changing their names to have __ in front, so that I can see what sub-rules were specifically triggered. What are people's opinions on that, for the 1.0 release: i) do you want me to leave it as it is, or ii) put in the __ so that the sub-rules stop showing up in the final report?

From res at ausics.net Thu Nov 23 21:54:42 2006
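How the rule combination in John Rudd's announcement above evaluates for a relay IP and its rDNS name, as an added Python example that is not part of the post and not the plugin's own Perl code. Assumptions: the client word list is a constructed sample, the IP-in-hostname test (two or more octets present as decimal numbers), the BADDNS test (forward lookup of the name does not return the relay IP) and the OR-ing of the three inputs into BOTNET are this example's own choices, and `evaluate` and `sample_forward` are hypothetical names.

```python
import ipaddress
import re
from collections import Counter

# Default server words named in the announcement.
SERVERWORDS = ("mail", "smtp")
# Constructed sample; the plugin's real client word list is not given in the post.
CLIENTWORDS = ("a?dsl", "dial", "dhcp", "cable", "ppp", "dynamic", "pool")


def word_hit(words, hostname):
    """True when one of the regexes appears in the name and not inside a longer word."""
    pattern = r"(?:^|[^a-z])(?:%s)(?:[^a-z]|$)" % "|".join(words)
    return re.search(pattern, hostname.lower()) is not None


def ip_in_hostname(ip, hostname):
    """Assumed test: at least two octets of the relay IP occur as decimal numbers."""
    octets = Counter(ipaddress.IPv4Address(ip).packed)
    numbers = Counter(int(n) for n in re.findall(r"\d+", hostname))
    return sum((octets & numbers).values()) >= 2


def evaluate(ip, rdns, forward):
    """Return each BOTNET_* rule as a boolean; `forward` maps a name to its IPs."""
    name = (rdns or "").strip().rstrip(".").lower()
    rules = {
        "BOTNET_NORDNS": name == "",
        "BOTNET_BADDNS": False,
        "BOTNET_IPINHOSTNAME": False,
        "BOTNET_CLIENTWORDS": False,
        "BOTNET_SERVERWORDS": False,
    }
    if name:
        rules["BOTNET_BADDNS"] = ip not in forward(name)
        rules["BOTNET_IPINHOSTNAME"] = ip_in_hostname(ip, name)
        rules["BOTNET_CLIENTWORDS"] = word_hit(CLIENTWORDS, name)
        rules["BOTNET_SERVERWORDS"] = word_hit(SERVERWORDS, name)
    # Meta rule exactly as written in the announcement.
    rules["BOTNET_CLIENT"] = (
        rules["BOTNET_IPINHOSTNAME"] or rules["BOTNET_CLIENTWORDS"]
    ) and not rules["BOTNET_SERVERWORDS"]
    # Assumed combination of the three inputs the announcement lists.
    rules["BOTNET"] = (
        rules["BOTNET_NORDNS"] or rules["BOTNET_BADDNS"] or rules["BOTNET_CLIENT"]
    )
    return rules


# Constructed forward-DNS answers (documentation address ranges) so this runs offline.
SAMPLE_DNS = {
    "203-0-113-45.dsl.example.net": ["203.0.113.45"],
    "mail7.example.org": ["198.51.100.7"],
    "smtp-192-0-2-10.example.com": ["192.0.2.10"],
    "host.example.com": ["192.0.2.1"],
}


def sample_forward(name):
    return SAMPLE_DNS.get(name, [])


# Constructed relays: (relay IP, rDNS name taken from the relay header).
SAMPLE_RELAYS = [
    ("203.0.113.45", ""),
    ("203.0.113.45", "203-0-113-45.dsl.example.net"),
    ("198.51.100.7", "mail7.example.org"),
    ("192.0.2.10", "smtp-192-0-2-10.example.com"),
    ("192.0.2.99", "host.example.com"),
]

if __name__ == "__main__":
    for ip, rdns in SAMPLE_RELAYS:
        hits = [rule for rule, hit in evaluate(ip, rdns, sample_forward).items() if hit]
        print(ip, rdns or "(no rDNS)", "->", ", ".join(hits) or "no hits")
```

The fourth sample shows the counter effect the announcement describes: the address is embedded in the name, but the `smtp` server word keeps BOTNET_CLIENT from firing.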
From: res at ausics.net (Res)
Date: Thu Nov 23 21:54:52 2006
Subject: log is flotting with messages
In-Reply-To: <223f97700611231301m3c6ee5f4ue9163da96ad3915f@mail.gmail.com>
References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <20061121181255.4tkj4b7i8484osgg@www.intranet> <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com> <45636DAA.30807@techspace.nl> <223f97700611220132n7cc4d3f0p26739c55772348ee@mail.gmail.com> <20061122182423.d0l1plbegwg0kkw8@www.intranet> <223f97700611230126k7c5b30c8r84fbeeca07e96f@mail.gmail.com> <223f97700611231301m3c6ee5f4ue9163da96ad3915f@mail.gmail.com>
Message-ID:

On Thu, 23 Nov 2006, Glenn Steen wrote:

> On 23/11/06, Res wrote:
> (snip)
>>
>> Maybe I should do what all the postmix trolls always do and suggest he
>> uses pos... sendmail ;)
>>
> Lucky for me that I'm not a troll then:-):-)

hahahaha just as well :)

> Of course he could switch to any ol' MTA, even rendmail... But that

glad you didn't suggest that pretend thing starting with q :P

> would only cover up the underlying problem... Which seems to be when
> nss is configured to use ldap for shadow, and seemingly getting
> "cucumber" (or less:-) as response, then excrement hitting cooling
> devices... Which could feasibly pop up as a problem in anything not
> running as root... So trying to fix it, or work around it seems like a
> better solution:-).

But you can only bang your head against the wall for so long before you use alternatives hehe

> Cheers to you too ( cost!) in your general direction>)

Bugger! it's only almost 8am here, GRR.. I know! I'll remark this unread and re read it tonight :D

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From pascal.maes at elec.ucl.ac.be Fri Nov 24 07:15:03 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Nov 24 07:15:20 2006
Subject: Quarantine Infection ruleset
In-Reply-To:
References:
Message-ID: <965A91B7-E308-4B92-ADFA-3E6FE3A3A18F@elec.ucl.ac.be>

hello,

In rules/README, I see that the direction could be Virus:
Is Virus: acting also for Filename ?

I think it should be interesting to have different directions for these cases as the viruses could be easily dropped but the attachments which are put in quarantine because of their names should be kept.

--
Pascal

From pascal.maes at elec.ucl.ac.be Fri Nov 24 07:16:35 2006
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Nov 24 07:16:41 2006
Subject: Filename checking
In-Reply-To: <41EA997496BB5542BDA52CFA44FE78FC9A6C6F@AHMAIL.ah.ahnet.local>
References: <41EA997496BB5542BDA52CFA44FE78FC9A6C6F@AHMAIL.ah.ahnet.local>
Message-ID: <3BA4B1CE-3E29-44F6-87B8-9226B66C9AA8@elec.ucl.ac.be>

> hello,
>
>
> I have a big problem here :
>
> In MailScanner.conf (MailScanner version 4.56.7), I have
>
> Allow Filenames =
>
> Deny Filenames = \.zip$ \.com$ \.exe$ \.cpl$ \.pif$ Update-KB.*
>
> Filename Rules = %etc-dir%/filename.rules.conf
>
> and in filename.rules.conf, I have
>
> # These 2 added by popular demand - Very often used by viruses
> deny \.com$ Windows/DOS Executable Executable DOS/Windows
> programs are dangerous in email
> deny \.exe$ Windows/DOS Executable Executable DOS/Windows
> programs are dangerous in email
>
>
> but I can still send (and receive !) .exe file
>
>
> What's wrong ?
>

It seems that "Dangerous Content Scanning" must be set to "yes" to allow filename checking

Is it really true ?

As the two paragraphs (dangerous content and attachment filename checking) are distinct, it is not obvious that the parameters are not independent.

--
Pascal

--
Pascal

From glenn.steen at gmail.com Fri Nov 24 07:27:49 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 24 07:27:55 2006
Subject: log is flotting with messages solved
In-Reply-To: <20061123223215.6m6br97xz44o4sc0@www.intranet>
References: <20061117232222.he2i3uhkysw0k4cc@www.intranet> <223f97700611211223r2d9ddf9dh5416fc8988097157@mail.gmail.com> <45636DAA.30807@techspace.nl> <223f97700611220132n7cc4d3f0p26739c55772348ee@mail.gmail.com> <20061122182423.d0l1plbegwg0kkw8@www.intranet> <223f97700611230126k7c5b30c8r84fbeeca07e96f@mail.gmail.com> <20061123215345.xnigdp5jsc008k0w@www.intranet> <223f97700611231311j335db5b9g837f714945421b71@mail.gmail.com> <20061123223215.6m6br97xz44o4sc0@www.intranet>
Message-ID: <223f97700611232327v59ea7590t1261172b7115f6a4@mail.gmail.com>

On 23/11/06, redhat@techspace.nl wrote:
> Quoting Glenn Steen :
(snip)
> > Um, either I've looked a bit too deep into that glass of liquid gold,
> > or I simply am a bit daft... Which was it, the ldap fix or sendmail?
> > Or do you mean that you still see the error log, even though you've
> > switched to sendmail? That's because you still have the error....
> > Unless you "fixed" it via the shadow/ldap edit, or by an update (of
> > nss_ldap). If you just switched to rendmaul, uh .. sendmail, one can
> > ask oneself... What will break next?
> >
>
> it was the ldap fix that did the trick, no sendmail on my box.
>
> no real errors, just repeating that everything starts up and
> connecting to the databases, white list etc.
> until a mail is gone through
>

Ah, great to know... if someone else hits the same stumbling block:). Depending on how many children are to be started, your "repeating messages" might just be normal:-). Anyway, as said.... Great to know.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Fri Nov 24 07:36:03 2006
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Nov 24 07:35:38 2006
Subject: OT: Greylisting
Message-ID: <20061124073603.6a38c2e1@localhost>

I have been trying out different Greylist applications and came across policyd (http://policyd.sourceforge.net) which appears to work extremely well. It has a nice blacklist feature, that will either 4XX or 5XX reject emails, so I thought about how it could be used with Mailwatch/Mailscanner.

I have written a little perl script that looks through the Mailwatch MySQL table maillog for rows that have > X SA score, extracts the relays from the headers, and if the resolved domain name has more than three '.' it writes it to the blacklist table. Any emails from that IP will then be blacklisted for three days.

It is not fancy but may be of use to someone. Available http://www.splatnix.net/update_blacklist.pl

Feedback appreciated, whether positive or negative ;)

TIA

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From filip.nollet at hogent.be Fri Nov 24 08:27:02 2006
From: filip.nollet at hogent.be (Filip Nollet)
Date: Fri Nov 24 08:27:29 2006
Subject: Filename checking
In-Reply-To: <3BA4B1CE-3E29-44F6-87B8-9226B66C9AA8@elec.ucl.ac.be>
Message-ID: <000001c70fa2$51ac3f70$9fe21005@hogent.be>

Hi,

I had the same problem here a few weeks ago. I think it even changed compared to the earlier versions as the filename scanner function just stopped with me after an upgrade. There is - I think - also no real clue in the manual or wiki about this. Maybe this is something to change in a next version or so?

Greetings,
Filip

======================================
Filip Nollet
System & Network Management
Hogeschool Gent
Department ICT
Schoonmeersstraat 52
9000 Gent
Belgium
Tel: +32 (0)9 248 88 87
Fax: +32 (0)9 243 87 70
E-Mail: filip.nollet@hogent.be
GPG info: ED892C1B
Fingerprint: 265E CFDE 6880 A968 64F4 85E6 4DC4 353C ED89 2C1B

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Pascal Maes
Sent: Friday 24 November 2006 8:17
To: MailScanner discussion
Subject: Filename checking

> hello,
>
>
> I have a big problem here :
>
> In MailScanner.conf (MailScanner version 4.56.7), I have
>
> Allow Filenames =
>
> Deny Filenames = \.zip$ \.com$ \.exe$ \.cpl$ \.pif$ Update-KB.*
>
> Filename Rules = %etc-dir%/filename.rules.conf
>
> and in filename.rules.conf, I have
>
> # These 2 added by popular demand - Very often used by viruses
> deny \.com$ Windows/DOS Executable Executable DOS/Windows
> programs are dangerous in email
> deny \.exe$ Windows/DOS Executable Executable DOS/Windows
> programs are dangerous in email
>
>
> but I can still send (and receive !) .exe file
>
>
> What's wrong ?
>

It seems that "Dangerous Content Scanning" must be set to "yes" to allow filename checking

Is it really true ?

As the two paragraphs (dangerous content and attachment filename checking) are distinct, it is not obvious that the parameters are not independent.
-- Pascal -- Pascal -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From technician at cenpac.net.nr Fri Nov 24 13:18:09 2006 From: technician at cenpac.net.nr (Jon Leeman) Date: Fri Nov 24 13:18:11 2006 Subject: warning.txt format In-Reply-To: <000001c70fa2$51ac3f70$9fe21005@hogent.be> References: <000001c70fa2$51ac3f70$9fe21005@hogent.be> Message-ID: <4566F111.8010002@cenpac.net.nr> Group, MS 4.51.6 Mandrake 10.2 Noticed a while back that the 'warning.txt' attachments generated by MS were being read by M$ email clients default txt reader (notepad.exe) as Unix style with the CRLF different. Found http://soft.zoneo.net/Linux/dos_to_unix.php as a way to fix this. It's probably been discussed / bug fixed / whatever, before, but thought I'd share it with those either new to MS/Linux or behind a very thin/congested pipe that makes searching difficult. Regards, Jon (Nauru....clear sky, calm sea, and a mild 24 deg. C. at 0110 Hrs. {no Glenn, I am not suggesting cold weather is 'bad' :-) From dean.plant at roke.co.uk Fri Nov 24 14:56:29 2006 From: dean.plant at roke.co.uk (Plant, Dean) Date: Fri Nov 24 14:56:58 2006 Subject: Orphan files in /var/spool/mqueue.in Message-ID: <2181C5F19DD0254692452BFF3EAF1D6802671B28@rsys005a.comm.ad.roke.co.uk> I am curious if the orphan files that I have to clear out of /var/spool/mqueue.in every so often is something that other people experience or do I have a problem that should be investigated further. These files build up at the rate of about 3-4 a day on each server which deal with about 30,000 messages a day, I have the lock type set to posix and I am using the standard sendmail 8.13 rpm's from CentOS 4 with MailScanner v4.52.2 Thanks Dean From bryan.guest at bmts.com Fri Nov 24 15:09:30 2006 
From: bryan.guest at bmts.com (Bryan Guest)
Date: Fri Nov 24 15:09:37 2006
Subject: TNEF loop infinite loop problem?
Message-ID: <011401c70fda$8a8fb730$0b01010a@DGPTBH91>

Hi:

One of my mail blades running Mailscanner got stuck in some sort of loop this morning, dealing with a TNEF attachment/message. The Inbound Queue shot up because MailScanner was accepting new messages but not processing any of them while it choked on this message. I stopped mailscanner and pulled this message out of the queue and everything recovered.

Has anyone seen this before, and is there some config change I need to make to prevent it?

Redhat ES 4
Mailscanner 4.56.8-1
tnef 1.4.3-1 (redhat native)

MailScanner.conf TNEF settings:

Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120

MailScanner log sample (repeats ad nauseam):

Nov 24 09:00:35 nicole MailScanner[1865]: Expanding TNEF archive at /var/spool/MailScanner/incoming/1865/kAOE0YNV012894/winmail.dat
Nov 24 09:00:35 nicole MailScanner[1865]: Message kAOE0YNV012894 added TNEF contents Header1,msg-1865-6331.txt
Nov 24 09:00:35 nicole MailScanner[1865]: Message kAOE0YNV012894 has had TNEF winmail.dat removed
Nov 24 09:00:39 nicole MailScanner[13029]: Expanding TNEF archive at /var/spool/MailScanner/incoming/13029/kAOE0YNV012894/winmail.dat
Nov 24 09:00:39 nicole MailScanner[13029]: Message kAOE0YNV012894 added TNEF contents msg-13029-81.txt,Header1
Nov 24 09:00:39 nicole MailScanner[13029]: Message kAOE0YNV012894 has had TNEF winmail.dat removed
Nov 24 09:00:45 nicole MailScanner[29696]: Expanding TNEF archive at /var/spool/MailScanner/incoming/29696/kAOE0YNV012894/winmail.dat
Nov 24 09:00:45 nicole MailScanner[29696]: Message kAOE0YNV012894 added TNEF contents msg-29696-6701.txt,Header1

Sanitized sendmail log (only one entry for this message):

Nov 24 09:00:35 nicole sendmail[12894]: kAOE0YNV012894: from=, size=8929, class=0, nrcpts=1, msgid=A4743E08F9EAC04183A5119255AB9AE808C1B46D@exchange1.someplace, proto=ESMTP, daemon=MSA, relay=bastion.someplace [some IP addr]
Nov 24 09:00:35 nicole sendmail[12894]: kAOE0YNV012894: to=, delay=00:00:00, mailer=relay, pri=38929, stat=queued

Many Thanks for any help!

Bryan Guest ( I bought the book!)

From gborders at jlewiscooper.com Fri Nov 24 15:12:24 2006
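One way to spot the pattern in the log sample above before the inbound queue backs up, as an added Python example that is not part of the original post or of MailScanner: it flags any queue ID whose winmail.dat is expanded by several different MailScanner children. The threshold of three children and the premise that a healthy message is expanded by a single child are assumptions; the kAOE0YNV012894 lines are taken from the post (wrapped paths rejoined) and the last line is constructed.

```python
import re
from collections import defaultdict

# Matches the "Expanding TNEF archive" entries MailScanner writes to syslog and
# pulls out the timestamp, the child PID and the queue ID from the work path.
EXPAND_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ MailScanner\[(?P<pid>\d+)\]: "
    r"Expanding TNEF archive at \S*/(?P<msgid>[^/\s]+)/winmail\.dat\s*$"
)

_SPOOL = "/var/spool/MailScanner/incoming"
SAMPLE_LOG = [
    # From the post.
    f"Nov 24 09:00:35 nicole MailScanner[1865]: Expanding TNEF archive at {_SPOOL}/1865/kAOE0YNV012894/winmail.dat",
    "Nov 24 09:00:35 nicole MailScanner[1865]: Message kAOE0YNV012894 added TNEF contents Header1,msg-1865-6331.txt",
    "Nov 24 09:00:35 nicole MailScanner[1865]: Message kAOE0YNV012894 has had TNEF winmail.dat removed",
    f"Nov 24 09:00:39 nicole MailScanner[13029]: Expanding TNEF archive at {_SPOOL}/13029/kAOE0YNV012894/winmail.dat",
    "Nov 24 09:00:39 nicole MailScanner[13029]: Message kAOE0YNV012894 has had TNEF winmail.dat removed",
    f"Nov 24 09:00:45 nicole MailScanner[29696]: Expanding TNEF archive at {_SPOOL}/29696/kAOE0YNV012894/winmail.dat",
    # Constructed: an unrelated message that is expanded once and moves on.
    f"Nov 24 09:02:10 nicole MailScanner[1865]: Expanding TNEF archive at {_SPOOL}/1865/kAOE1AAA012999/winmail.dat",
]


def tnef_expansions(lines):
    """Map queue ID -> [(timestamp, pid), ...] for every TNEF expansion logged."""
    seen = defaultdict(list)
    for line in lines:
        match = EXPAND_RE.match(line)
        if match:
            seen[match.group("msgid")].append(
                (match.group("stamp"), int(match.group("pid")))
            )
    return dict(seen)


def find_tnef_loops(lines, min_children=3):
    """Return {queue_id: [pids]} for messages whose TNEF attachment was
    expanded by at least min_children distinct MailScanner children."""
    loops = {}
    for msgid, events in tnef_expansions(lines).items():
        pids = []
        for _, pid in events:
            if pid not in pids:        # keep first-seen order, drop repeats
                pids.append(pid)
        if len(pids) >= min_children:
            loops[msgid] = pids
    return loops


def report(lines, min_children=3):
    """One human-readable line per suspect message, for a cron mail or alert."""
    expansions = tnef_expansions(lines)
    out = []
    for msgid, pids in find_tnef_loops(lines, min_children).items():
        events = expansions[msgid]
        out.append(
            f"{msgid}: expanded {len(events)} times by children {pids} "
            f"between {events[0][0]} and {events[-1][0]}"
        )
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```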
From: gborders at jlewiscooper.com (Greg Borders)
Date: Fri Nov 24 15:10:32 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To:
References: <20061115093217.I48256@mikea.ath.cx> <200611160346.kAG3kmX6020205@bkserver.blacknight.ie> <4565C76C.9000206@solidstatelogic.com>
Message-ID: <45670BD8.3060604@jlewiscooper.com>

Res wrote:
> On Thu, 23 Nov 2006, Martin Hepworth wrote:
>
>> pawel wrote:
>>>
>>> IN RCPT SECTION:
>>>
>>> deny senders = ^debora.*@.*
>>>
>>
>> err could lead to A LOT of false positives...
>>
>> upgrade to SA 3.1.7, use the SARE and freds rules from
>> www.rulesemporium.com, also razor and pyzor are picking these up now
>> as well.
>>
>
> The problem with that is it marks them low, so the damned email still
> get delivered, therefore ppl STILL get them.
>
> I have put a modified regex in the spamassassin prefs to mark them at
> 100 so my users don't get it.
>

I SA-learned a *ton* of them coming in, and my Bayes 99% kicks in and takes the score high enough to prevent users from seeing them.

--
This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.

From martinh at solidstatelogic.com Fri Nov 24 15:46:13 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Fri Nov 24 15:46:30 2006 Subject: Orphan files in /var/spool/mqueue.in In-Reply-To: <2181C5F19DD0254692452BFF3EAF1D6802671B28@rsys005a.comm.ad.roke.co.uk> References: <2181C5F19DD0254692452BFF3EAF1D6802671B28@rsys005a.comm.ad.roke.co.uk> Message-ID: <456713C5.6040304@solidstatelogic.com> Plant, Dean wrote: > I am curious if the orphan files that I have to clear out of > /var/spool/mqueue.in every so often is something that other people > experience or do I have a problem that should be investigated further. > These files build up at the rate of about 3-4 a day on each server which > deal with about 30,000 messages a day, I have the lock type set to posix > and I am using the standard sendmail 8.13 rpm's from CentOS 4 with > MailScanner v4.52.2 > > Thanks > > Dean > > > > Dean make sure you have "Lock Type = posix" in MailScanner.conf -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From dean.plant at roke.co.uk Fri Nov 24 16:06:11 2006 
From: dean.plant at roke.co.uk (Plant, Dean)
Date: Fri Nov 24 16:06:22 2006
Subject: Orphan files in /var/spool/mqueue.in
Message-ID: <2181C5F19DD0254692452BFF3EAF1D6802671B2C@rsys005a.comm.ad.roke.co.uk>

Martin Hepworth wrote:
> Plant, Dean wrote:
>> I am curious if the orphan files that I have to clear out of
>> /var/spool/mqueue.in every so often is something that other people
>> experience or do I have a problem that should be investigated
>> further. These files build up at the rate of about 3-4 a day on each
>> server which deal with about 30,000 messages a day, I have the lock
>> type set to posix and I am using the standard sendmail 8.13 rpm's
>> from CentOS 4 with MailScanner v4.52.2
>>
>
> make sure you have "Lock Type = posix" in MailScanner.conf
>

Thanks for your reply, I do have posix set, that is why I'm curious to find out if this occurs on other people's servers or is just a problem with my servers, as CentOS/RHEL seems to be in widespread use with MailScanner.

# grep "Lock Type" /etc/MailScanner/MailScanner.conf
Lock Type = posix

Dean

From nerijus at users.sourceforge.net Fri Nov 24 16:02:43 2006
From: nerijus at users.sourceforge.net (Nerijus Baliunas)
Date: Fri Nov 24 16:10:09 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To: <456713C5.6040304@solidstatelogic.com>
References: <2181C5F19DD0254692452BFF3EAF1D6802671B28@rsys005a.comm.ad.roke.co.uk> <456713C5.6040304@solidstatelogic.com>
Message-ID: <20061124161237.1B4EFFF2A@mx-a.vdnet.lt>

On Fri, 24 Nov 2006 15:46:13 +0000 Martin Hepworth wrote:

> > I have the lock type set to posix
> > and I am using the standard sendmail 8.13 rpm's from CentOS 4 with
> > MailScanner v4.52.2
>
> Dean
>
> make sure you have "Lock Type = posix" in MailScanner.conf

From prandal at herefordshire.gov.uk Fri Nov 24 16:06:48 2006
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Nov 24 16:10:20 2006
Subject: Orphan files in /var/spool/mqueue.in
Message-ID: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk>

That is an ancient version of MailScanner. You should upgrade it to the latest version and then see what happens.

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Plant, Dean
> Sent: 24 November 2006 14:56
> To: MailScanner discussion
> Subject: Orphan files in /var/spool/mqueue.in
>
> I am curious if the orphan files that I have to clear out of
> /var/spool/mqueue.in every so often is something that other people
> experience or do I have a problem that should be investigated further.
> These files build up at the rate of about 3-4 a day on each
> server which
> deal with about 30,000 messages a day, I have the lock type
> set to posix
> and I am using the standard sendmail 8.13 rpm's from CentOS 4 with
> MailScanner v4.52.2
>
> Thanks
>
> Dean

From glenn.steen at gmail.com Fri Nov 24 16:44:16 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 24 16:44:18 2006 Subject: Orphan files in /var/spool/mqueue.in In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk> References: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk> Message-ID: <223f97700611240844i1368e272r622d5c5269c5673c@mail.gmail.com> On 24/11/06, Randal, Phil wrote: > That is an ancient version of MailScanner. You should upgrade it to the > latest version and then see what happens. > > Phil > > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > Of Plant, Dean > > Sent: 24 November 2006 14:56 > > To: MailScanner discussion > > Subject: Orphan files in /var/spool/mqueue.in > > > > I am curious if the orphan files that I have to clear out of > > /var/spool/mqueue.in every so often is something that other people > > experience or do I have a problem that should be investigated further. > > These files build up at the rate of about 3-4 a day on each > > server which > > deal with about 30,000 messages a day, I have the lock type > > set to posix > > and I am using the standard sendmail 8.13 rpm's from CentOS 4 with > > MailScanner v4.52.2 > > > > Thanks > > > > Dean > > Another thought is that that few a message "corrupted" might actually be quite normal with that amount of messages. AFAICR, there are a couple of situations where those might occur... Please correct me if I'm wrong... Client dropping connection during DATA could be it (should have a matching entry in the logs then), or forcibly interrupting sendmail while it is transferring data from the client come to mind. Both should be visible in the logs. Me not being a rendmaul admin (any more:-), I might be completely wrong;-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ylacan at teicam.com Fri Nov 24 17:06:56 2006 
From: ylacan at teicam.com (Youri LACAN-BARTLEY)
Date: Fri Nov 24 17:07:09 2006
Subject: Upgrading SA on Debian
In-Reply-To: <45655FA8.5080108@teicam.com>
References: <45655FA8.5080108@teicam.com>
Message-ID: <456726B0.1050909@teicam.com>

Is this such a hard question to answer ? :)

I can't seem to find any old changelogs for SA 3.0.x which could provide me with some insight on the major changes between SA 3.0.x and 3.1.x ...

Any help would really be appreciated,

Thanks.

Youri LACAN-BARTLEY wrote:
> Hi folks,
>
> I've been wanting to upgrade my version of SpamAssassin from
> stable/Sarge to testing/Etch for a while now.
>
> I've already upgraded MailScanner from 4.41.3-2 (stable) to 4.51.5-1.1
> (testing) without any issues.
>
> However, looking through the archives I've stumbled on many posts
> mentioning problems with MailScanner after updating from SA 3.0.x to 3.1.x.
>
> So my question is pretty straightforward, will I run into problems when
> upgrading SpamAssassin from 3.0.3-2sarge1 (stable) to 3.1.7-1 (testing)?
> Ie. different config file formats, different defaults, buggy behaviors,
> etc? (I've just had a nice surprise when upgrading Dovecot which
> grounded me all morning yesterday ... )
>
> Basically, should I plan this when I have loads of time on my hands or
> can I trust the upgrade to be smooth?
>
> Thanks for the tips

From fernando at unimep.br Fri Nov 24 17:27:55 2006
From: fernando at unimep.br (FERNANDO COELHO MONTEIRO)
Date: Fri Nov 24 17:30:25 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk>
Message-ID: <20061124172033.M9817@unimep.br>

Hi.

I am using the latest version and this problem also occurs.

Debian
sendmail-8.13.8
mailscanner-4.56.7

Fernando

On Fri, 24 Nov 2006 16:06:48 -0000, Randal, Phil wrote
> That is an ancient version of MailScanner. You should upgrade it to
> the latest version and then see what happens.
>
> Phil
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> > Of Plant, Dean
> > Sent: 24 November 2006 14:56
> > To: MailScanner discussion
> > Subject: Orphan files in /var/spool/mqueue.in
> >
> > I am curious if the orphan files that I have to clear out of
> > /var/spool/mqueue.in every so often is something that other people
> > experience or do I have a problem that should be investigated further.
> > These files build up at the rate of about 3-4 a day on each
> > server which
> > deal with about 30,000 messages a day, I have the lock type
> > set to posix
> > and I am using the standard sendmail 8.13 rpm's from CentOS 4 with
> > MailScanner v4.52.2
> >
> > Thanks
> >
> > Dean

From martinh at solidstatelogic.com Fri Nov 24 17:35:44 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Fri Nov 24 17:36:04 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To: <20061124172033.M9817@unimep.br>
References: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk> <20061124172033.M9817@unimep.br>
Message-ID: <45672D70.2010700@solidstatelogic.com>

FERNANDO COELHO MONTEIRO wrote:
> Hi.
>
> I am using the latest version and this problem also occurs.
>
> Debian
> sendmail-8.13.8
> mailscanner-4.56.7
>
> Fernando
>
> On Fri, 24 Nov 2006 16:06:48 -0000, Randal, Phil wrote
>> That is an ancient version of MailScanner. You should upgrade it to
>> the latest version and then see what happens.
>>
>> Phil
>>
>> --
>> Phil Randal
>> Network Engineer
>> Herefordshire Council
>> Hereford, UK
>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info
>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>>> Of Plant, Dean
>>> Sent: 24 November 2006 14:56
>>> To: MailScanner discussion
>>> Subject: Orphan files in /var/spool/mqueue.in
>>>
>>> I am curious if the orphan files that I have to clear out of
>>> /var/spool/mqueue.in every so often is something that other people
>>> experience or do I have a problem that should be investigated further.
>>> These files build up at the rate of about 3-4 a day on each
>>> server which
>>> deal with about 30,000 messages a day, I have the lock type
>>> set to posix
>>> and I am using the standard sendmail 8.13 rpm's from CentOS 4 with
>>> MailScanner v4.52.2
>>>
>>> Thanks
>>>
>>> Dean
>>>

latest is 4.56.8 !

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From veliogluh at itu.edu.tr Fri Nov 24 18:01:39 2006
From: veliogluh at itu.edu.tr (Hakan VELIOGLU)
Date: Fri Nov 24 18:01:49 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To: <45672D70.2010700@solidstatelogic.com>
References: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk> <20061124172033.M9817@unimep.br> <45672D70.2010700@solidstatelogic.com>
Message-ID: <20061124200139.79w4xfhr4r4gc0go@webmail.itu.edu.tr>

Hi

I have the same problem and am also doing the same clear operation twice a day.

I think the reason for the orphan files is spam bombers. Spam servers send mail without waiting for a response from mail servers. For this reason, their df file could be corrupt, so they couldn't be processed by MailScanner.

You could use the sendmail greet_pause feature to stop spam bombers. However, this feature comes with sendmail 8.13, not with 8.12

Hakan VELİOĞLU

----- Message from martinh@solidstatelogic.com ---------
Date: Fri, 24 Nov 2006 17:35:44 +0000
From: Martin Hepworth
Reply-To: MailScanner discussion
Subject: Re: Orphan files in /var/spool/mqueue.in
To: MailScanner discussion

> FERNANDO COELHO MONTEIRO wrote:
>> Hi.
>>
>> I am using the latest version and this problem also occurs. Debian
>> sendmail-8.13.8
>> mailscanner-4.56.7
>>
>> Fernando
>>
>> On Fri, 24 Nov 2006 16:06:48 -0000, Randal, Phil wrote
>>> That is an ancient version of MailScanner. You should upgrade it
>>> to the latest version and then see what happens.
>>>
>>> Phil
>>>
>>> --
>>> Phil Randal
>>> Network Engineer
>>> Herefordshire Council
>>> Hereford, UK
>>>
>>>> -----Original Message-----
>>>> From: mailscanner-bounces@lists.mailscanner.info
>>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
>>>> Plant, Dean
>>>> Sent: 24 November 2006 14:56
>>>> To: MailScanner discussion
>>>> Subject: Orphan files in /var/spool/mqueue.in
>>>>
>>>> I am curious if the orphan files that I have to clear out of
>>>> /var/spool/mqueue.in every so often is something that other people
>>>> experience or do I have a problem that should be investigated further.
>>>> These files build up at the rate of about 3-4 a day on each server which
>>>> deal with about 30,000 messages a day, I have the lock type set to posix
>>>> and I am using the standard sendmail 8.13 rpm's from CentOS 4 with
>>>> MailScanner v4.52.2
>>>>
>>>> Thanks
>>>>
>>>> Dean
>>>>
>
> latest is 4.56.8 !
>
> -- Martin Hepworth
> Senior Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>

----- End message from martinh@solidstatelogic.com -----

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

From matt at coders.co.uk Fri Nov 24 19:32:30 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Fri Nov 24 19:32:56 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To: <20061124200139.79w4xfhr4r4gc0go@webmail.itu.edu.tr>
References: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk> <20061124172033.M9817@unimep.br> <45672D70.2010700@solidstatelogic.com> <20061124200139.79w4xfhr4r4gc0go@webmail.itu.edu.tr>
Message-ID: <456748CE.70807@coders.co.uk>

Hakan VELIOGLU wrote:
> Hi
>
> I got the same problem and also doing the same clear operation for twice
> a day.
>
> I think the reason of orphan files is spam bombers. Spam servers sending
> mail
> without waiting a response from mail servers. For this reason, their df
> file
> could be corrupt, so they couldn't be processed by MailScanner.

This is a known issue with a particular version of 8.13 which I don't have access to to check. This is when a milter or other connection checker times out and the orphan files are left behind.

Check on the sendmail site for the bug

matt

From cconn at abacom.com Fri Nov 24 19:57:39 2006
From: cconn at abacom.com (Chris Conn)
Date: Fri Nov 24 19:57:42 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To: <456748CE.70807@coders.co.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk>
 <20061124172033.M9817@unimep.br>
 <45672D70.2010700@solidstatelogic.com>
 <20061124200139.79w4xfhr4r4gc0go@webmail.itu.edu.tr>
 <456748CE.70807@coders.co.uk>
Message-ID: <45674EB3.2090407@abacom.com>

> This is a known issue with a particular version of 8.13 which I don't
> have access to to check. This is when a milter or other connection
> checker times out and the orphan files are left behind.
>
> Check on the sendmail site for the bug
>
> matt

I am looking for this info, as I have the problem as well; however, I do
not use any milters? I have several servers that do this. I see this on
servers running both sendmail 8.12 and sendmail 8.13?

I run a script now and again

#!/bin/sh
# Stop if the queue directory is missing, so rm never runs somewhere else.
cd /var/spool/mqueue.in/ || exit 1
# Remove regular files last changed more than a day ago (GNU find/xargs).
find ./ -type f -daystart -ctime +1 -print0 | xargs -0 -r rm

Chris

From jrudd at ucsc.edu Fri Nov 24 20:26:33 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Fri Nov 24 20:27:17 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk>
References: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk>
Message-ID: <45675579.8020701@ucsc.edu>

Randal, Phil wrote:
> That is an ancient version of MailScanner. You should upgrade it to the
> latest version and then see what happens.
>
>

Um, no, they should not.

Upgrading just for the sake of upgrading is silly. Upgrading just to see
if things got better, with no real expectation of things having gotten
better, is irresponsible.

They should upgrade only if:

a) this is a known bug that was fixed during the intervening versions, or

b) there are compelling features (from _their_ point of view) that make
such an upgrade attractive.

Otherwise, they shouldn't introduce unplanned changes to their production
systems just because "maybe" it'll fix a bug, and someone out there thinks
their version is "ancient".

From res at ausics.net Fri Nov 24 22:00:02 2006
From: res at ausics.net (Res)
Date: Fri Nov 24 22:00:13 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To: <2181C5F19DD0254692452BFF3EAF1D6802671B2C@rsys005a.comm.ad.roke.co.uk>
References: <2181C5F19DD0254692452BFF3EAF1D6802671B2C@rsys005a.comm.ad.roke.co.uk>
Message-ID:

On Fri, 24 Nov 2006, Plant, Dean wrote:

> Martin Hepworth wrote:
>> Plant, Dean wrote:
>>> I am curious if the orphan files that I have to clear out of
>>> /var/spool/mqueue.in every so often is something that other people
>>> experience or do I have a problem that should be investigated
>>> further. These files build up at the rate of about 3-4 a day on each
>>> server which deal with about 30,000 messages a day, I have the lock
>>> type set to posix and I am using the standard sendmail 8.13 rpm's
>>> from CentOS 4 with MailScanner v4.52.2
>>>
>>
>> make sure you have "Lock Type = posix" in MailScanner.conf
>>
>
> Thanks for your reply,
>
> I do have posix set, that is why I'm curious to find out if this occurs
> on other peoples servers or is just a problem with my servers, as
> CentOS/RHEL seems to be in widespread use with MailScanner.
>
> # grep "Lock Type" /etc/MailScanner/MailScanner.conf
> Lock Type = posix

IIRC, there was an issue with a version of MailScanner not handling that
correctly, it was an old version, as you are using an old version maybe
it's worth your while to update MailScanner and see if the problem goes
away.

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd

From res at ausics.net Fri Nov 24 22:12:42 2006
From: res at ausics.net (Res)
Date: Fri Nov 24 22:12:46 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To: <223f97700611240844i1368e272r622d5c5269c5673c@mail.gmail.com>
References: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk>
 <223f97700611240844i1368e272r622d5c5269c5673c@mail.gmail.com>
Message-ID:

On Fri, 24 Nov 2006, Glenn Steen wrote:

> AFAICR, there are a couple of situations where those might occur...
> Please correct me if I'm wrong... Client dropping connection during
> DATA could be it (should have a matching entry in the logs then), or

nope shouldn't do this

> forcibly interrupting sendmail while it is transferring data from the
> client come to mind. Both should be visible in the logs.

nor this, if it's not completely accepted it won't keep it, log indications
will be 'lost input channel' or 'timeout waiting'
'connection reset' or blah.blah did not issue mail/expn etc type message
unless it's 100% successful you won't see qf or df files for it.

> Me not being a rendmaul admin (any more:-), I might be completely wrong;-)

you're just too rusty :)

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd

From naolson at gmail.com Fri Nov 24 22:26:34 2006
From: naolson at gmail.com (Nathan Olson)
Date: Fri Nov 24 22:26:38 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To:
References: <2181C5F19DD0254692452BFF3EAF1D6802671B2C@rsys005a.comm.ad.roke.co.uk>
Message-ID: <8f54b4330611241426v55606f08o1d9a310484dbcca@mail.gmail.com>

From http://www.sendmail.org/releases/8.13.7.php

"If a timeout occurs while reading a message (during the DATA phase)
a df file might have been left behind in the queue.
This was another side effect of the changes to the I/O
layer made in 8.13.6."

Nate

From cconn at abacom.com Fri Nov 24 22:33:35 2006
From: cconn at abacom.com (Chris Conn)
Date: Fri Nov 24 22:33:42 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To: <8f54b4330611241426v55606f08o1d9a310484dbcca@mail.gmail.com>
References: <2181C5F19DD0254692452BFF3EAF1D6802671B2C@rsys005a.comm.ad.roke.co.uk>
 <8f54b4330611241426v55606f08o1d9a310484dbcca@mail.gmail.com>
Message-ID: <4567733F.6000908@abacom.com>

Nathan Olson wrote:
>> From http://www.sendmail.org/releases/8.13.7.php
>
> "If a timeout occurs while reading a message (during the DATA phase)
> a df file might have been left behind in the queue.
> This was another side effect of the changes to the I/O
> layer made in 8.13.6."
>
> Nate

I have a sendmail 8.12 on a few systems where I am seeing this problem,
the locktype is not defined; I will try and force it to flock....

Chris

From matt at coders.co.uk Fri Nov 24 22:33:22 2006
From: matt at coders.co.uk (Matt Hampton)
Date: Fri Nov 24 22:33:48 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To: <8f54b4330611241426v55606f08o1d9a310484dbcca@mail.gmail.com>
References: <2181C5F19DD0254692452BFF3EAF1D6802671B2C@rsys005a.comm.ad.roke.co.uk>
 <8f54b4330611241426v55606f08o1d9a310484dbcca@mail.gmail.com>
Message-ID: <45677332.8020006@coders.co.uk>

Nathan Olson wrote:
>> From http://www.sendmail.org/releases/8.13.7.php
>
> "If a timeout occurs while reading a message (during the DATA phase)
> a df file might have been left behind in the queue.
> This was another side effect of the changes to the I/O
> layer made in 8.13.6."
>
> Nate

That's the one - sorry I could post the link earlier I was on the train
and kept dropping connection out.

matt

From res at ausics.net Fri Nov 24 22:40:35 2006
From: res at ausics.net (Res)
Date: Fri Nov 24 22:40:43 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To: <4567733F.6000908@abacom.com>
References: <2181C5F19DD0254692452BFF3EAF1D6802671B2C@rsys005a.comm.ad.roke.co.uk>
 <8f54b4330611241426v55606f08o1d9a310484dbcca@mail.gmail.com>
 <4567733F.6000908@abacom.com>
Message-ID:

On Fri, 24 Nov 2006, Chris Conn wrote:

>
>
> Nathan Olson wrote:
>>> From http://www.sendmail.org/releases/8.13.7.php
>>
>> "If a timeout occurs while reading a message (during the DATA phase)
>> a df file might have been left behind in the queue.
>> This was another side effect of the changes to the I/O
>> layer made in 8.13.6."
>>
>> Nate
>
> I have a sendmail 8.12 on a few systems where I am seeing this problem, the
> locktype is not defined; I will try and force it to flock....
>
> Chris

or maybe take the few seconds it takes to build sendmail 8.13.8

we do 1700 msgs a minute and I have never seen this symptom, even when it
was supposed to be in .6

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and
stare, is it only a dream that there'll be no more turning away" - Floyd

From ugob at camo-route.com Fri Nov 24 23:38:36 2006
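An added example, not part of any message in the thread: instead of deleting every file older than a day, this sketch lists only df files that have no matching control file, which is the leftover the quoted sendmail 8.13.7 release note describes, and moves them to a holding directory. It assumes sendmail's usual queue naming (qf<id>, df<id>, tf<id>) and a find that supports -maxdepth and -mmin; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find df files with no qf/tf partner.
# Assumption: sendmail's usual queue naming, where qf<id> is the envelope,
# df<id> is the message body and tf<id> is a temporary copy of a qf.

# list_orphan_df QUEUE_DIR [MIN_AGE_MINUTES]
# Prints df files not modified for MIN_AGE_MINUTES (default 60) that have
# no matching qf or tf file. The age floor keeps messages that are still
# being received out of the list.
list_orphan_df() {
    queue_dir=$1
    min_age=${2:-60}
    [ -d "$queue_dir" ] || { echo "not a directory: $queue_dir" >&2; return 2; }

    find "$queue_dir" -maxdepth 1 -type f -name 'df*' -mmin "+$min_age" -print |
    while IFS= read -r df; do
        id=${df##*/df}
        if [ -e "$queue_dir/qf$id" ] || [ -e "$queue_dir/tf$id" ]; then
            continue            # has a control file: a real queued message
        fi
        printf '%s\n' "$df"
    done | sort
}

# quarantine_orphan_df QUEUE_DIR HOLD_DIR [MIN_AGE_MINUTES]
# Moves the orphans into HOLD_DIR instead of deleting them, so they can be
# inspected or restored, and prints how many files were moved.
quarantine_orphan_df() {
    queue_dir=$1 hold_dir=$2 min_age=${3:-60}
    mkdir -p "$hold_dir" || return 2
    count=0
    # The here-document keeps the loop in this shell so $count survives.
    while IFS= read -r df; do
        [ -n "$df" ] || continue
        mv -- "$df" "$hold_dir/" && count=$((count + 1))
    done <<EOF
$(list_orphan_df "$queue_dir" "$min_age")
EOF
    echo "$count"
}

# Constructed sample queue: one complete message, one old orphan, and one
# fresh df with no qf (as if a message were being received right now).
demo() {
    tmp=$(mktemp -d) || return 1
    touch -t 200611240000 "$tmp/dfkAO00000000001" "$tmp/qfkAO00000000001"
    touch -t 200611240000 "$tmp/dfkAO00000000002"
    touch "$tmp/dfkAO00000000003"
    list_orphan_df "$tmp" 60 | while IFS= read -r f; do echo "${f##*/}"; done
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with --demo to see the constructed queue reduced to its single orphan; on a live server, stop or pause queue processing before moving anything.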
From: ugob at camo-route.com (Ugo Bellavance)
Date: Fri Nov 24 23:38:50 2006
Subject: TNEF loop infinite loop problem?
In-Reply-To: <011401c70fda$8a8fb730$0b01010a@DGPTBH91>
References: <011401c70fda$8a8fb730$0b01010a@DGPTBH91>
Message-ID:

Bryan Guest wrote:
> Hi:
>
> One of my mail blades running Mailscanner got stuck in some sort of loop
> this morning, dealing with a TNEF attachment/message. The Inbound
> Queue shot up because MailScanner was accepting new messages but not
> processing any of them while it choked on this message.
>
> I stopped mailscanner and pulled this message out of the queue and
> everything recovered.
>
> Has anyone seen this before, and is there some config change I need to
> make to prevent it?

Yes, I've seen it, what you can do is try using the internal tnef expander.

Ugo

From arturs at netvision.net.il Fri Nov 24 23:46:51 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Fri Nov 24 23:49:40 2006
Subject: Bayes mistery
Message-ID: <002901c71022$d072b7a0$3701a8c0@lapxp>

Howdy,

I must say Bayes is a mystery for me...
Check this:

---
[root@ns1 log]# sa-learn --spam /home/sites/www.cpt.co.il/users/spam.hole/mbox
[2006] info: archive-iterator: skipping large message
Learned tokens from 0 message(s) (0 message(s) examined)
[root@ns1 log]# ls -lah /home/sites/www.cpt.co.il/users/spam.hole/mbox
-rw------- 1 spam.hole site6 686K Nov 25 01:46 /home/sites/www.cpt.co.il/users/spam.hole/mbox
---

The mbox has ~40 messages right now.
What am I doing wrong?

Best,

--
Arthur Sherman

+972-52-4878851
CPTeam

From r.berber at computer.org Sat Nov 25 00:56:44 2006
From: r.berber at computer.org (René Berber)
Date: Sat Nov 25 00:57:00 2006
Subject: Botnet 0.4 Spam Assassin plugin
In-Reply-To: <45657EBE.9030508@ucsc.edu>
References: <45657EBE.9030508@ucsc.edu>
Message-ID:

John Rudd wrote:
[snip]
> 12) The BOTNET rule is now worth 5 points, instead of 6. It would be interesting to know what people have found as useful scores for the plugin.

Too high, I wouldn't use anything above 2.5 and reason is I don't trust
any one rule that much.

> Also, I'm trying to decide on two things:
>
> a) Does anyone think I _should_ switch to Net::DNS for the botnet_baddns
> function? Or is the gethostbyname() call good enough?

Same thing, I see no advantage in one or the other.

> b) It seems kind of cluttered to have all of the various BOTNET_* rules
> show up in the test list and detailed report. But I have kept it that
> way, instead of changing their names to have __ in front, so that I can
> see what sub-rules were specifically triggered. What are people's
> opinions on that, for the 1.0 release:
> i) do you want me to leave it as it is, or
> ii) put in the __ so that the sub-rules stop showing up in the
> final report?

As long as there is a debug option, the long report should be limited for
debug info and the short one for normal operation.

--
René Berber

From pravin.rane at gmail.com Sat Nov 25 06:50:01 2006
From: pravin.rane at gmail.com (Pravin Rane)
Date: Sat Nov 25 06:50:10 2006
Subject: TNEF loop infinite loop problem?
In-Reply-To:
References: <011401c70fda$8a8fb730$0b01010a@DGPTBH91>
Message-ID: <13c021a90611242250n600fe1fbrd7e78c8198ec30e5@mail.gmail.com>

Yes it happens,

In my case I was getting problem while using internal TNEF, I then used
to solve the problem

TNEF Expander = /usr/bin/tnef --maxsize=100000000

On 11/25/06, Ugo Bellavance wrote:
>
> Bryan Guest wrote:
> > Hi:
> >
> > One of my mail blades running Mailscanner got stuck in some sort of loop
> > this morning, dealing with a TNEF attachment/message. The Inbound
> > Queue shot up because MailScanner was accepting new messages but not
> > processing any of them while it choked on this message.
> >
> > I stopped mailscanner and pulled this message out of the queue and
> > everything recovered.
> >
> > Has anyone seen this before, and is there some config change I need to
> > make to prevent it?
>
> Yes, I've seen it, what you can do is try using the internal tnef
> expander.
>
> Ugo

--
Regards
Pravin

From dudi at kolcore.com Sat Nov 25 08:13:26 2006
From: dudi at kolcore.com (Dudi Goldenberg)
Date: Sat Nov 25 08:12:19 2006
Subject: Bayes mistery
Message-ID: <858B5F3269A8F147AD4A615A91327FEA099599@prince.kolcore.local>

> [root@ns1 log]# sa-learn --spam /home/sites/www.cpt.co.il/users/spam.hole/mbox

Try adding --mbox to sa-learn options.

Dudi Goldenberg
Kolcore Ltd.
+972(5)2430-4000

From admin at thenamegame.com Sat Nov 25 08:41:24 2006
From: admin at thenamegame.com (Michael S.)
Date: Sat Nov 25 08:33:48 2006
Subject: Debora is a huge spammers!!!!
In-Reply-To: <4565C76C.9000206@solidstatelogic.com>
Message-ID: <200611250833.kAP8Xl9l008698@bkserver.blacknight.ie>

Yes, I think we all know that. I'd much rather catch the Debora spammer at
SMTP time instead of relying on SA and MS + freds rules to kill off the
junk. It only makes sense.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Thursday, November 23, 2006 11:08 AM
To: MailScanner discussion
Subject: Re: Debora is a huge spammers!!!!

pawel wrote:
>
> IN RCPT SECTION:
>
> deny senders = ^debora.*@.*
>

err could lead to A LOT of false positives...

upgrade to SA 3.1.7, use the SARE and freds rules from
www.rulesemporium.com, also razor and pyzor are picking these up now as
well.

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From glenn.steen at gmail.com Sat Nov 25 09:40:56 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Nov 25 09:41:00 2006
Subject: warning.txt format
In-Reply-To: <4566F111.8010002@cenpac.net.nr>
References: <000001c70fa2$51ac3f70$9fe21005@hogent.be>
 <4566F111.8010002@cenpac.net.nr>
Message-ID: <223f97700611250140r7a74b6eanee11846e238d9458@mail.gmail.com>

On 24/11/06, Jon Leeman wrote:
> Group,
>
> MS 4.51.6
> Mandrake 10.2

Methinks it's time to look at upgrading both OS and MS:-):-).

> Noticed a while back that the 'warning.txt' attachments generated by MS
> were being read by M$ email clients default txt reader (notepad.exe) as
> Unix style with the CRLF different.
>
> Found http://soft.zoneo.net/Linux/dos_to_unix.php as a way to fix this.
>
> It's probably been discussed / bug fixed / whatever, before, but thought
> I'd share it with those either new to MS/Linux or behind a very
> thin/congested pipe that makes searching difficult.

Thanks for the info. Might come in handy one of these days:-).

> Regards,
>
> Jon (Nauru....clear sky, calm sea, and a mild 24 deg. C. at 0110 Hrs.
> {no Glenn, I am not suggesting cold weather is 'bad' :-)

What?! Me jealous of your perpetual summer? Naaah....:-)
(Dreary drizzle and 5-6 degrees C here... How could I be longing for
anything but this:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Nov 25 10:07:45 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Nov 25 10:07:48 2006
Subject: Upgrading SA on Debian
In-Reply-To: <456726B0.1050909@teicam.com>
References: <45655FA8.5080108@teicam.com>
 <456726B0.1050909@teicam.com>
Message-ID: <223f97700611250207s61116e30hb558bcd614e2107@mail.gmail.com>

On 24/11/06, Youri LACAN-BARTLEY wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Is this such a hard question to answer ? :)
> I can't seem to find any old changelogs for SA 3.0.x which could provide
> me with some insight on the major changes between SA 3.0.x and 3.1.x ...

No no, not that hard... Just that I stopped reading when you mentioned
Etch (since I'm really just a dabbler when it comes to Debian:-).
More below.

> Any help would really be appreciated,
>
> Thanks.
>
> Youri LACAN-BARTLEY wrote:
> > Hi folks,
> >
> > I've been wanting to upgrade my version of SpamAssassin from
> > stable/Sarge to testing/Etch for a while now.
> >
> > I've already upgraded MailScanner from 4.41.3-2 (stable) to 4.51.5-1.1
> > (testing) without any issues.

It's not really a good thing that it lags as much as it does. This in
part is what keeps me from switching to a debian-based distro... Yes,
I'm familiar with the way the Debian process works...:-).

> > However, looking through the archives I've stumbled on many posts
> > mentioning problems with MailScanner after updating from SA 3.0.x to 3.1.x.

Most recent problems are more from running sa-update and it (MS/SA)
missing some rules dir or other after that. If one is aware of the
situations that might arise, and prepared to make necessary changes,
that shouldn't be a problem:-)

> > So my question is pretty straightforward, will I run into problems when
> > upgrading SpamAssassin from 3.0.3-2sarge1 (stable) to 3.1.7-1 (testing)?
> > Ie. different config file formats, different defaults, buggy behaviors,
> > etc? (I've just had a nice surprise when upgrading Dovecot which
> > grounded me all morning yesterday ... )

No big surprises... Just see to it that you load all the plugins you
need (razor, pyzor and dcc come to mind) or else you might get an error
on config options in mailscanner.cf (really spam.assassin.prefs.conf)
that those plugins provide (No, I don't remember if those were plugins
in 3.0).
The biggest change is perhaps that "spamassassin --lint" doesn't run
any network tests anymore, so to check them you'll have to run a real
message through (something like "spamassassin -D -t <
/path/to/message/file").

> > Basically, should I plan this when I have loads of time on my hands or
> > can I trust the upgrade to be smooth?

The prudent approach would be to have adequate time, yes. Then again,
it should be fairly straightforward.
If one can use Jules excellent package (the Clam+SA one), the whole
process is done in a matter of minutes (including checking through the
*.pre files, running a lint or two, and running a message through
manually). I imagine your dpkg/apt-based update should be as easy:-).

As always, keeping a backup handy isn't a bad idea either, although you
really shouldn't run into much problems with a thing like this... Just
save a copy of the config files you know you've altered, run the
update... If it borks out, reinstall the old one and remake your
changes... Should be safe and quick.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From lodder at delodder.be Sat Nov 25 10:56:45 2006
From: lodder at delodder.be (Philippe Delodder)
Date: Sat Nov 25 10:57:03 2006
Subject: Problem with installation
Message-ID: <4568216D.4050500@delodder.be>

Hi,

when I start MailScanner I'm getting this error:

Could not use Custom Function code MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed. Make sure the module is correct with perl -wc

I'm using gentoo

Philippe Delodder

From arturs at netvision.net.il Sat Nov 25 13:48:52 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Sat Nov 25 13:51:49 2006
Subject: Bayes mistery
In-Reply-To: <858B5F3269A8F147AD4A615A91327FEA099599@prince.kolcore.local>
Message-ID: <004f01c71098$71a57250$3701a8c0@lapxp>

> > [root@ns1 log]# sa-learn --spam /home/sites/www.cpt.co.il/users/spam.hole/mbox
>
> Try adding --mbox to sa-learn options.
>
> Dudi Goldenberg
> Kolcore Ltd.
> +972(5)2430-4000

Yeah, right, stupid me...
Thanks, Dudi!

Best,

--
Arthur Sherman

+972-52-4878851
CPTeam

From glenn.steen at gmail.com Sat Nov 25 15:44:22 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Nov 25 15:44:28 2006
Subject: Orphan files in /var/spool/mqueue.in
In-Reply-To:
References: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk>
 <223f97700611240844i1368e272r622d5c5269c5673c@mail.gmail.com>
Message-ID: <223f97700611250744x2cbde799m38faa619fa3cc7e0@mail.gmail.com>

On 24/11/06, Res wrote:
> On Fri, 24 Nov 2006, Glenn Steen wrote:
>
> > AFAICR, there are a couple of situations where those might occur...
> > Please correct me if I'm wrong... Client dropping connection during
> > DATA could be it (should have a matching entry in the logs then), or
>
> nope shouldn't do this
>
> > forcibly interrupting sendmail while it is transferring data from the
> > client come to mind. Both should be visible in the logs.
>
> nor this, if it's not completely accepted it won't keep it, log indications
> will be 'lost input channel' or 'timeout waiting'
> 'connection reset' or blah.blah did not issue mail/expn etc type message
> unless it's 100% successful you won't see qf or df files for it.
>
> > Me not being a rendmaul admin (any more:-), I might be completely wrong;-)
>
> you're just too rusty :)

Yep. And this in the face of all the lubricants I use ... (tips a nice
Claret) ... Or is it "because of" rather than "in the face of":-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From kopels at english.fsu.edu Sat Nov 25 22:41:32 2006
From: kopels at english.fsu.edu (Scott Kopel)
Date: Sat Nov 25 22:29:51 2006
Subject: filetype.rules and filename.rules syntax
Message-ID: <2262.71.12.192.74.1164494492.squirrel@english3.fsu.edu>

I've noticed that I'm getting the following errors in my maillogs
I'm using the rules exactly as supplied by mailscanner
I'm using MailScanner version 4.42.9-1
can anyone tell me what's wrong with my setup?
thanks a bunch
Scott

Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 93 of ruleset /opt/MailScanner/etc/filename.rules
Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 96 of ruleset /opt/MailScanner/etc/filename.rules
Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 8 of ruleset /opt/MailScanner/etc/filetype.rules
Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 9 of ruleset /opt/MailScanner/etc/filetype.rules
Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 10 of ruleset /opt/MailScanner/etc/filetype.rules
Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 11 of ruleset /opt/MailScanner/etc/filetype.rules
Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 12 of ruleset /opt/MailScanner/etc/filetype.rules
Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 13 of ruleset /opt/MailScanner/etc/filetype.rules
Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 14 of ruleset /opt/MailScanner/etc/filetype.rules
Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 15 of ruleset /opt/MailScanner/etc/filetype.rules

I'm using the rules files exactly as supplied by MailScanner
eg
allow   text            -                               -
allow   script          -                               -
allow   archive         -                               -
allow   postscript      -                               -
deny    self-extract    No self-extracting archives     No self-extracting archives allowed
deny    ELF             No executables                  No programs allowed
deny    executable      No executables                  No programs allowed
deny    MPEG            No MPEG movies                  No MPEG movies allowed
deny    AVI             No AVI movies                   No AVI movies allowed
deny    MNG             No MNG/PNG movies               No MNG movies allowed
deny    QuickTime       No QuickTime movies             No QuickTime movies allowed
deny    ASF             No Windows media                No Windows media files allowed
deny    Registry        No Windows Registry entries     No Windows Registry files allowed

Scott Kopel
English Department - FSU
850 644 6177

From arturs at netvision.net.il Sat Nov 25 22:35:29 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Sat Nov 25 22:38:20 2006
Subject: filetype.rules and filename.rules syntax
In-Reply-To: <2262.71.12.192.74.1164494492.squirrel@english3.fsu.edu>
Message-ID: <00a701c710e2$02bfb540$3701a8c0@lapxp>

> I've noticed that I'm getting the following errors in my maillogs
> I'm using the rules exactly as supplied by mailscanner
> I'm using MailScanner version 4.42.9-1
> can anyone tell me what's wrong with my setup?
> thanks a bunch
> Scott
>
> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 93 of ruleset /opt/MailScanner/etc/filename.rules
> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 96 of ruleset /opt/MailScanner/etc/filename.rules
> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 8 of ruleset /opt/MailScanner/etc/filetype.rules
> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 9 of ruleset /opt/MailScanner/etc/filetype.rules
> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 10 of ruleset /opt/MailScanner/etc/filetype.rules
> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 11 of ruleset /opt/MailScanner/etc/filetype.rules
> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 12 of ruleset /opt/MailScanner/etc/filetype.rules
> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 13 of ruleset /opt/MailScanner/etc/filetype.rules
> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 14 of ruleset /opt/MailScanner/etc/filetype.rules
> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 15 of ruleset /opt/MailScanner/etc/filetype.rules
>
> I'm using the rules files exactly as supplied by MailScanner
> eg
> allow   text            -                               -
> allow   script          -                               -
> allow   archive         -                               -
> allow   postscript      -                               -
> deny    self-extract    No self-extracting archives     No self-extracting archives allowed
> deny    ELF             No executables                  No programs allowed
> deny    executable      No executables                  No programs allowed
> deny    MPEG            No MPEG movies                  No MPEG movies allowed
> deny    AVI             No AVI movies                   No AVI movies allowed
> deny    MNG             No MNG/PNG movies               No MNG movies allowed
> deny    QuickTime       No QuickTime movies             No QuickTime movies allowed
> deny    ASF             No Windows media                No Windows media files allowed
> deny    Registry        No Windows Registry entries     No Windows Registry files allowed
>
> Scott Kopel
> English Department - FSU
> 850 644 6177

What editor do you use to format the file?

Best,

--
Arthur Sherman

+972-52-4878851
CPTeam

From kopels at english.fsu.edu Sat Nov 25 23:01:36 2006
From: kopels at english.fsu.edu (Scott Kopel)
Date: Sat Nov 25 22:49:57 2006
Subject: filetype.rules and filename.rules syntax
In-Reply-To: <00a701c710e2$02bfb540$3701a8c0@lapxp>
References: <2262.71.12.192.74.1164494492.squirrel@english3.fsu.edu>
 <00a701c710e2$02bfb540$3701a8c0@lapxp>
Message-ID: <2430.71.12.192.74.1164495696.squirrel@english3.fsu.edu>

pico is the editor I use
however, when I noticed the errors, I substituted the sample files that
came with my installation of MailScanner and I don't believe those have
been edited at all - still produced the errors, then
I made a test file with pico with only one line as follows:
allow jpg - -
and that file also generated an error
s

>> I've noticed that I'm getting the following errors in my maillogs
>> I'm using the rules exactly as supplied by mailscanner
>> I'm using MailScanner version 4.42.9-1
>> can anyone tell me what's wrong with my setup?
>> thanks a bunch
>> Scott
>>
>> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 93 of ruleset /opt/MailScanner/etc/filename.rules
>> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 96 of ruleset /opt/MailScanner/etc/filename.rules
>> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 8 of ruleset /opt/MailScanner/etc/filetype.rules
>> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 9 of ruleset /opt/MailScanner/etc/filetype.rules
>> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 10 of ruleset /opt/MailScanner/etc/filetype.rules
>> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 11 of ruleset /opt/MailScanner/etc/filetype.rules
>> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 12 of ruleset /opt/MailScanner/etc/filetype.rules
>> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 13 of ruleset /opt/MailScanner/etc/filetype.rules
>> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 14 of ruleset /opt/MailScanner/etc/filetype.rules
>> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 15 of ruleset /opt/MailScanner/etc/filetype.rules
>>
>> I'm using the rules files exactly as supplied by MailScanner
>> eg
>> allow   text            -                               -
>> allow   script          -                               -
>> allow   archive         -                               -
>> allow   postscript      -                               -
>> deny    self-extract    No self-extracting archives     No self-extracting archives allowed
>> deny    ELF             No executables                  No programs allowed
>> deny    executable      No executables                  No programs allowed
>> deny    MPEG            No MPEG movies                  No MPEG movies allowed
>> deny    AVI             No AVI movies                   No AVI movies allowed
>> deny    MNG             No MNG/PNG movies               No MNG movies allowed
>> deny    QuickTime       No QuickTime movies             No QuickTime movies allowed
>> deny    ASF             No Windows media                No Windows media files allowed
>> deny    Registry        No Windows Registry entries     No Windows Registry files allowed
>>
>> Scott Kopel
>> English Department - FSU
>> 850 644 6177
>
> What editor do you use to format the file?
>
>
> Best,
>
> --
> Arthur Sherman
>
> +972-52-4878851
> CPTeam

Scott Kopel
English Department - FSU
850 644 6177

From glenn.steen at gmail.com Sun Nov 26 09:47:34 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 26 09:47:36 2006
Subject: filetype.rules and filename.rules syntax
In-Reply-To: <2430.71.12.192.74.1164495696.squirrel@english3.fsu.edu>
References: <2262.71.12.192.74.1164494492.squirrel@english3.fsu.edu>
 <00a701c710e2$02bfb540$3701a8c0@lapxp>
 <2430.71.12.192.74.1164495696.squirrel@english3.fsu.edu>
Message-ID: <223f97700611260147y41391be8l6321f7c9587f5799@mail.gmail.com>

On 26/11/06, Scott Kopel wrote:
> pico is the editor i use
> however, when I noticed the errors, I substituted the sample files that
> came with my installation of MailScanner and I don't believe those have
> been edited at all - still produced the errors, then
> I made a test file with pico with only one line as follows:
> allow jpg - -
> and that file also generated an error
> s
>
>
>
> >> I've noticed that I'm getting the following errors in my maillogs
> >> I'm using the rules exactly as supplied by mailscanner
> >> I'm using MailScanner version 4.42.9-1
> >> can anyone tell me what's wrong with my setup?
> >> thanks a bunch
> >> Scott
> >>
> >> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first field in line 93 of ruleset /opt/MailScanner/etc/filename.rules

Well, did you restart after editing/changing the file? The error is
indicative of a syntax error (could be that you've accidentally
converted the characters that separate the "columns" to spaces, or
something similar).

But you have another "problem"... You're using a quite old
MailScanner. There have been quite a few improvements (like the --lint
and other syntax/ruletesting options) since then, so please do
consider spending the minutes it takes to perform an upgrade.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From steve.freegard at fsl.com Sun Nov 26 13:33:51 2006
From: steve.freegard at fsl.com (Steve Freegard) Date: Sun Nov 26 13:34:11 2006 Subject: filetype.rules and filename.rules syntax In-Reply-To: <2430.71.12.192.74.1164495696.squirrel@english3.fsu.edu> References: <2262.71.12.192.74.1164494492.squirrel@english3.fsu.edu> <00a701c710e2$02bfb540$3701a8c0@lapxp> <2430.71.12.192.74.1164495696.squirrel@english3.fsu.edu> Message-ID: <456997BF.8040705@fsl.com> Hi Scott, Scott Kopel wrote: > I made a test file with pico with only one line as follows: > allow jpg - - > and that file also generated an error >>> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first >>> field in line 93 of ruleset /opt/MailScanner/etc/filename.rules >>> I'm using the rules files exactly as supplied by MailScanner >>> eg >>> allow text - - >>> allow script - - >>> allow archive - - If the file name ends in .rules - MailScanner is expecting a *ruleset* - not the file[name|type] rules e.g. To: domain.com /etc/MailScanner/rules/filename.expection.rules.conf FromOrTo: default /etc/MailScanner/rules/filename.rules.conf In short - change the filename to end in .rules.conf and put the original file back (and change the relevant line in MailScanner.conf) and it will start working properly again without the syntax errors. And - as Glenn says too - Upgrade!! Cheers, Steve. From glenn.steen at gmail.com Sun Nov 26 14:06:20 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Nov 26 14:06:23 2006 Subject: filetype.rules and filename.rules syntax In-Reply-To: <456997BF.8040705@fsl.com> References: <2262.71.12.192.74.1164494492.squirrel@english3.fsu.edu> <00a701c710e2$02bfb540$3701a8c0@lapxp> <2430.71.12.192.74.1164495696.squirrel@english3.fsu.edu> <456997BF.8040705@fsl.com> Message-ID: <223f97700611260606p51f3355oa156114003ebf692@mail.gmail.com> On 26/11/06, Steve Freegard wrote: > Hi Scott, > > Scott Kopel wrote: > > I made a test file with pico with only one line as follows: > > allow jpg - - > > and that file also generated an error > > >>> Nov 25 06:16:53 englishmail MailScanner[21763]: Syntax error in first > >>> field in line 93 of ruleset /opt/MailScanner/etc/filename.rules > > >>> I'm using the rules files exactly as supplied by MailScanner > >>> eg > >>> allow text - - > >>> allow script - - > >>> allow archive - - > > > If the file name ends in .rules - MailScanner is expecting a *ruleset* - > not the file[name|type] rules e.g. > > To: domain.com /etc/MailScanner/rules/filename.expection.rules.conf > FromOrTo: default /etc/MailScanner/rules/filename.rules.conf > > In short - change the filename to end in .rules.conf and put the > original file back (and change the relevant line in MailScanner.conf) > and it will start working properly again without the syntax errors. > > And - as Glenn says too - Upgrade!! > Good spot there Steve! Have to get better glasses:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From chris at scorpion.nl Sun Nov 26 20:41:11 2006 
From: chris at scorpion.nl (Christiaan den Besten) Date: Sun Nov 26 20:41:47 2006 Subject: TNEF loop infinite loop problem? References: <011401c70fda$8a8fb730$0b01010a@DGPTBH91> <13c021a90611242250n600fe1fbrd7e78c8198ec30e5@mail.gmail.com> Message-ID: <02f501c7119b$35880c20$3d64880a@speedy> This is a 'known' issue that has been reported before ... but has never been fixed unfortunately. Switching to internal tnef does 'fix it' ... If you can call it a fix :) bye, Chris ----- Original Message ----- 
From: Pravin Rane To: MailScanner discussion Sent: Saturday, November 25, 2006 7:50 AM Subject: Re: TNEF loop infinite loop problem? Yes it happens, In my case I was getting problem while using internal TNEF, I then used to solve the problem TNEF Expander = /usr/bin/tnef --maxsize=100000000 On 11/25/06, Ugo Bellavance wrote: Bryan Guest wrote: > Hi: > > One of my mail blades running Mailscanner got stuck in some sort of loop > this morning, dealing with a TNEF attachment/message. The Inbound > Queue shot up because MailScanner was accepting new messages but not > processing any of them while it choked on this message. > > I stopped mailscanner and pulled this message out of the queue and > everything recovered. > > Has anyone seen this before, and is there some config change I need to > make to prevent it? Yes, I've seen it, what you can do is try using the internal tnef expander. Ugo -- Regards Pravin From ssilva at sgvwater.com Sun Nov 26 21:30:34 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Sun Nov 26 21:30:47 2006 Subject: Orphan files in /var/spool/mqueue.in In-Reply-To: <2181C5F19DD0254692452BFF3EAF1D6802671B28@rsys005a.comm.ad.roke.co.uk> References: <2181C5F19DD0254692452BFF3EAF1D6802671B28@rsys005a.comm.ad.roke.co.uk> Message-ID: Plant, Dean spake the following on 11/24/2006 6:56 AM: > I am curious if the orphan files that I have to clear out of > /var/spool/mqueue.in every so often is something that other people > experience or do I have a problem that should be investigated further. > These files build up at the rate of about 3-4 a day on each server which > deal with about 30,000 messages a day, I have the lock type set to posix > and I am using the standard sendmail 8.13 rpm's from CentOS 4 with > MailScanner v4.52.2 > > Thanks > > Dean > > > > I get them occasionally, usually the same messages that get dropped by greetpause or bad recipient throttling. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From arturs at netvision.net.il Sun Nov 26 22:05:26 2006 From: arturs at netvision.net.il (Arthur Sherman) Date: Sun Nov 26 22:11:09 2006 Subject: each MS child using ~70MB of RAM Message-ID: <012601c711a6$fa8964a0$3701a8c0@lapxp> I have now each MS child using ~70MB. Is this normal? I would like to reduce it - is it safe to drop some rulesets from /var/lib/spamassassin? If yes, which would you suggest? Best, -- Arthur Sherman +972-52-4878851 CPTeam From mrm at medicine.wisc.edu Sun Nov 26 22:29:48 2006 
From: mrm at medicine.wisc.edu (Michael Masse) Date: Sun Nov 26 22:30:17 2006 Subject: Orphan files in /var/spool/mqueue.in In-Reply-To: <20061124172033.M9817@unimep.br> References: <86144ED6CE5B004DA23E1EAC0B569B5810BA6F0A@isabella.herefordshire.gov.uk> <20061124172033.M9817@unimep.br> Message-ID: <4569C115.7FBE.00FC.3@medicine.wisc.edu> >>> On 11/24/2006 at 11:27 AM, in message <20061124172033.M9817@unimep.br>, "FERNANDO COELHO MONTEIRO" wrote: > Hi. > > I am using the latest version and this problem also occurs. > > Debian > sendmail-8.13.8 > mailscanner-4.56.7 > > Fernando > I am using the latest version as well on Centos 4.4 and get the exact same problem. 3-4 orphans per day. Lock type is definitely posix. Mike From r.berber at computer.org Sun Nov 26 22:53:33 2006 From: r.berber at computer.org (René Berber) Date: Sun Nov 26 22:53:43 2006 Subject: Orphan files in /var/spool/mqueue.in In-Reply-To: References: <2181C5F19DD0254692452BFF3EAF1D6802671B28@rsys005a.comm.ad.roke.co.uk> Message-ID: Scott Silva wrote: > Plant, Dean spake the following on 11/24/2006 6:56 AM: >> I am curious if the orphan files that I have to clear out of >> /var/spool/mqueue.in every so often is something that other people >> experience or do I have a problem that should be investigated further. >> These files build up at the rate of about 3-4 a day on each server which >> deal with about 30,000 messages a day, I have the lock type set to posix >> and I am using the standard sendmail 8.13 rpm's from CentOS 4 with >> MailScanner v4.52.2 >> > I get them occasionally, usually the same messages that get dropped by > greetpause or bad recipient throttling. Uh!? Messages don't get dropped by greet pause or any throttling, not even connections, the sender gets a full error reply. So your premise is invalid to the problem described in this thread, no message or message part is received at all. -- René Berber From carock at epconline.net Mon Nov 27 00:41:14 2006 
From: carock at epconline.net (Chuck Rock) Date: Mon Nov 27 01:10:23 2006 Subject: use spamcop and bounce with spamcop response help. Message-ID: I am bouncing messages with MailScanner that match the Spamcop list. I see in the latest version I'm using 4.56.8 you can modify message headers with actions. Is there a way to modify the message header so the spamcop address is listed with the proper IP like if you just used Sendmail to bounce it? This is what Spamcop tells you to do if you run Sendmail. FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl I was thinking of adding the message header in MailScanner similar to this. Spam Actions = bounce header "X-Spam-Status: Yes : 'http://spamcop.net/bl.shtml?'(flagged_IP) Is there a syntax in Mailscanner to provide that IP to that header line so a person could get to the spamcop site with their IP address information? Thanks, Chuck From ssilva at sgvwater.com Mon Nov 27 02:44:18 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 27 02:44:48 2006 Subject: use spamcop and bounce with spamcop response help. In-Reply-To: References: Message-ID: Chuck Rock spake the following on 11/26/2006 4:41 PM: > I am bouncing messages with MailScanner that match the Spamcop list. > > I see in the latest version I'm using 4.56.8 you can modify message headers > with actions. > > Is there a way to modify the message header so the spamcop address is listed > with the proper IP like if you just used Sendmail to bounce it? > > This is what Spamcop tells you to do if you run Sendmail. > > FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: > http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl > > I was thinking of adding the message header in MailScanner similar to this. > > Spam Actions = bounce header "X-Spam-Status: > Yes : 'http://spamcop.net/bl.shtml?'(flagged_IP) > > Is there a syntax in Mailscanner to provide that IP to that header line so a > person could get to the spamcop site with their IP address information? > > Thanks, > Chuck > If you want that "feature", and are dropping the message anyway, why not just drop it at the MTA. You will save yourself the load, and get the desired result. You really should never bounce messages after you receive them. If they are dropped during the connection phase, you get the rejection to the proper server, but if you have received it, then all you have is the possibly forged sender address to rely on. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From martinh at solidstatelogic.com Mon Nov 27 09:14:36 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Mon Nov 27 09:14:46 2006 Subject: each MS child using ~70MB of RAM In-Reply-To: <012601c711a6$fa8964a0$3701a8c0@lapxp> References: <012601c711a6$fa8964a0$3701a8c0@lapxp> Message-ID: <456AAC7C.30307@solidstatelogic.com> Arthur Sherman wrote: > I have now each MS child using ~70MB. > Is this normal? > > I would like to reduce it - is it safe to drop some rulesets from > /var/lib/spamassassin? > If yes, which would you suggest? > > > Best, > > -- > Arthur Sherman > > +972-52-4878851 > CPTeam > I wouldn't drop any of these....they are the defaults. How many children are you running? How much Ram have you got (and what CPU)? How many messages per day? Are you swapping? -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From glenn.steen at gmail.com Mon Nov 27 09:26:00 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 27 09:26:10 2006 Subject: each MS child using ~70MB of RAM In-Reply-To: <012601c711a6$fa8964a0$3701a8c0@lapxp> References: <012601c711a6$fa8964a0$3701a8c0@lapxp> Message-ID: <223f97700611270126p1214353ds9d7695812516e25a@mail.gmail.com> On 26/11/06, Arthur Sherman wrote: > > I have now each MS child using ~70MB. > Is this normal? > > I would like to reduce it - is it safe to drop some rulesets from > /var/lib/spamassassin? > If yes, which would you suggest? > Memory usage of MS is dominated by SA, which in turn usually is dominated by size and complexity of the included rules. Mine average about 42 MiB, but then I don't run many SARE rules:-), so which to keep and which to drop... I'll leave to others... -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From pete at enitech.com.au Mon Nov 27 09:33:08 2006 From: pete at enitech.com.au (Pete Russell) Date: Mon Nov 27 09:33:11 2006 Subject: Problem with installation In-Reply-To: <4568216D.4050500@delodder.be> References: <4568216D.4050500@delodder.be> Message-ID: <456AB0D4.2080306@enitech.com.au> Have you been trying to install MailWatch? Philippe Delodder wrote: > Hi, > > when i start MailScanner i'm getting this error: > > Could not use Custom Function code > MailScanner::CustomConfig::InitMailWatchLogging, it could not be > "eval"ed. Make sure the module is correct with perl -wc > > i'm using gentoo > > Philippe Delodder > From lodder at delodder.be Mon Nov 27 09:50:10 2006 
From: lodder at delodder.be (lodder@delodder.be) Date: Mon Nov 27 09:45:53 2006 Subject: Problem with installation In-Reply-To: <456AB0D4.2080306@enitech.com.au> References: <4568216D.4050500@delodder.be> <456AB0D4.2080306@enitech.com.au> Message-ID: <1139.80.200.243.137.1164621010.squirrel@mail.delodder.be> > Have you been trying to install MailWatch? > Yes but it has been solved > Philippe Delodder wrote: >> Hi, >> >> when i start MailScanner i'm getting this error: >> >> Could not use Custom Function code >> MailScanner::CustomConfig::InitMailWatchLogging, it could not be >> "eval"ed. Make sure the module is correct with perl -wc >> >> i'm using gentoo >> >> Philippe Delodder >> > From dean.plant at roke.co.uk Mon Nov 27 10:35:30 2006 From: dean.plant at roke.co.uk (Plant, Dean) Date: Mon Nov 27 10:35:48 2006 Subject: Orphan files in /var/spool/mqueue.in Message-ID: <2181C5F19DD0254692452BFF3EAF1D6802671B2D@rsys005a.comm.ad.roke.co.uk> Glenn Steen wrote: > On 24/11/06, Randal, Phil wrote: >> That is an ancient version of MailScanner. You should upgrade it to >> the latest version and then see what happens. >> >> Phil >> >> -- >> Phil Randal >> Network Engineer >> Herefordshire Council >> Hereford, UK >> >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >>> Of Plant, Dean >>> Sent: 24 November 2006 14:56 >>> To: MailScanner discussion >>> Subject: Orphan files in /var/spool/mqueue.in >>> >>> I am curious if the orphan files that I have to clear out of >>> /var/spool/mqueue.in every so often is something that other people >>> experience or do I have a problem that should be investigated >>> further. These files build up at the rate of about 3-4 a day on each >>> server which >>> deal with about 30,000 messages a day, I have the lock type >>> set to posix >>> and I am using the standard sendmail 8.13 rpm's from CentOS 4 with >>> MailScanner v4.52.2 >>> >>> Thanks >>> >>> Dean >>> > Another thought is that that few a message "corrupted" might actually > be quite normal with that amount of messages. > AFAICR, there are a couple of situations where those might occur... > Please correct me if I'm wrong... Client dropping connection during > DATA could be it (should have a matching entry in the logs then), or > forcibly interrupting sendmail while it is transferring data from the > client come to mind. Both should be visible in the logs. > > Me not being a rendmaul admin (any more:-), I might be completely > wrong;-) Cheers Thanks for everyone's replies and suggestions. The mail log does indeed show what is happening (Slap on the wrist for not checking this first). All the orphan files are from lost connections which, as suggested in another reply, is probably fixed in a later sendmail release. It does give me peace of mind now I know why these are left in mqueue.in and am a lot happier removing them via a cron job. Also we are using sendmail's greet_pause feature and milter-ahead. And yes our MailScanner version is ancient but similar to John Rudd we tend to upgrade only if we know it is going to fix our problem. In fact apart from this issue our mail servers run without problem. 
I did also check the change log to see if any fixes were listed for orphan files. Mail log entries for orphan messages left in /var/spool/mqueue.in Nov 24 09:49:17 rsys002x milter-ahead[12570]: 32953 kAO9nAif023022: recipient <********@******> (0) cached, skipping Nov 24 10:59:51 rsys002x sendmail[23022]: kAO9nAif023022: SYSERR(root): collect: read timeout on connection from [89.108.144.156], from= Nov 24 10:59:51 rsys002x sendmail[23022]: kAO9nAif023022: from=, size=7883, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[89.108.144.156] Nov 21 21:25:15 rsys002x milter-ahead[12570]: 29208 kALLOsBe013833: recipient <********@******> (0) cached, skipping Nov 21 22:33:39 rsys002x sendmail[13833]: kALLOsBe013833: SYSERR(root): collect: read timeout on connection from [80.50.62.218], from= Nov 21 22:33:39 rsys002x sendmail[13833]: kALLOsBe013833: from=, size=5727, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[80.50.62.218] Nov 21 13:58:06 rsys002x milter-ahead[12570]: 20431 kALDvvG0018349: recipient <********@******> (0) cached, skipping Nov 21 14:58:11 rsys002x sendmail[18349]: kALDvvG0018349: SYSERR(root): collect: read timeout on connection from 59.161.71.187.del-cdma.dialup.vsnl.net.in, from=<********@******> Nov 21 14:58:11 rsys002x sendmail[18349]: kALDvvG0018349: from=<********@******>, size=5579, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=59.161.71.187.del-cdma.dialup.vsnl.net.in [59.161.71.187] (may be forged) Thanks again. Dean. From mailscanner at barendse.to Mon Nov 27 11:06:47 2006 
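The correlation Dean Plant describes in the message above (a sendmail "collect: read timeout" entry explains each file left in /var/spool/mqueue.in) can be automated as below. This is an added example, not code from the thread or from MailScanner: the log lines are constructed on the model of the quoted entries, with documentation-range addresses, and the function names, the 14-character queue-ID pattern and the two-letter queue-file prefix (df/qf) are assumptions about a sendmail 8.13 setup.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the entries quoted in the message above.
SAMPLE_LOG = """\
Nov 24 09:49:17 mx1 milter-ahead[12570]: 32953 kAO9nAif023022: recipient <user@example.org> (0) cached, skipping
Nov 24 09:50:02 mx1 sendmail[23040]: kAO9o1if023040: from=<a@example.net>, size=2110, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Nov 24 10:59:51 mx1 sendmail[23022]: kAO9nAif023022: SYSERR(root): collect: read timeout on connection from [192.0.2.55], from=<>
Nov 24 10:59:51 mx1 sendmail[23022]: kAO9nAif023022: from=<>, size=7883, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[192.0.2.55]
Nov 24 11:05:40 mx1 sendmail[23111]: kAOA5bif023111: SYSERR(root): collect: read timeout on connection from host.example.com, from=<b@example.com>
"""

# timestamp, host, program[pid], optional milter sequence number, queue ID, message
SYSLOG = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w-]+)\[\d+\]: (?:\d+ )?(\w{14}): (.*)$"
)
TIMEOUT = re.compile(r"collect: read timeout on connection from (\S+?),")
SIZE = re.compile(r"\bsize=(\d+)")


def find_timeouts(log_text, year=2006):
    """Return one record per queue ID whose DATA phase ended in a read timeout.

    syslog timestamps carry no year, so the caller supplies one.
    """
    first_seen = {}   # queue ID -> first time any daemon logged it
    hits = {}         # queue ID -> record (insertion order = log order)
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        stamp, _prog, qid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        first_seen.setdefault(qid, when)
        t = TIMEOUT.search(msg)
        if t:
            hits[qid] = {
                "qid": qid,
                "peer": t.group(1).strip("[]"),
                "timed_out": when,
                # how long the connection sat open before sendmail gave up
                "waited": when - first_seen[qid],
                "size": None,
            }
        elif qid in hits:
            # the summary line that follows the SYSERR reports bytes received
            s = SIZE.search(msg)
            if s:
                hits[qid]["size"] = int(s.group(1))
    return list(hits.values())


def orphan_files(qids, filenames):
    """Pick queue files (df<id>, qf<id>, ...) that belong to timed-out IDs."""
    return sorted(
        f for f in filenames if len(f) > 2 and f[1] == "f" and f[2:] in qids
    )


if __name__ == "__main__":
    records = find_timeouts(SAMPLE_LOG)
    for r in records:
        print(f"{r['qid']} peer={r['peer']} waited={r['waited']} size={r['size']}")
    listing = ["dfkAO9nAif023022", "qfkAO9nAif023022", "dfkAO9o1if023040"]
    print("explained by a timeout:", orphan_files({r["qid"] for r in records}, listing))
```

Files in the queue directory that this does not match have no logged timeout behind them and are the ones worth investigating before any cron job removes them.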
From: mailscanner at barendse.to (Remco Barendse) Date: Mon Nov 27 11:06:54 2006 Subject: freshclam path? Message-ID: Hi list! I am MS and clamav on CentOS 4 boxes and for clam I am using the RPMS from Dag Wieers' repository. I noticed that freshclam is not working as the MS wrapper script is looking for freshclam here : /usr/local/bin/freshclam whereas freshclam from the RPM is located /usr/bin/freshclam I can simply create a symlink but shouldn't ClamAV-autoupdate look for freshclam in both locations? Thanks!! Remco From tony.johansson at svenskakyrkan.se Mon Nov 27 11:27:06 2006 From: tony.johansson at svenskakyrkan.se (Tony Johansson) Date: Mon Nov 27 11:27:45 2006 Subject: 70k mqueue.in but load under 1 ?? Message-ID: I've reinstalled our MailScanner servers with CentOS4.4 (previous centos3.x) and upgraded memory from 1 to 2Gb. Servers are HP Proliant DL380G3 running at 3.0Ghz They process about 80k messages/day each with round-robin dns records. On occasion the queues build up (this morning it was 70k!) but the load on the machines go way down, usually under 1. "sar" shows: 10:00:01 AM CPU %user %nice %system %iowait %idle 10:10:02 AM all 49.72 0.00 10.70 1.60 37.98 10:20:01 AM all 45.30 0.00 10.20 1.54 42.96 10:30:02 AM all 47.36 0.00 10.24 1.58 40.82 MailScanner version 4.56.8 5 children 30 messages SpamAssassin 3.1.7 with use_bayes 0 time spamassassin --lint -D real 0m2.596s user 0m1.345s sys 0m0.097s rules_du_jour not active clamav and bitdefender local caching dns (named) 2.6.9-42.EL kernel bonnie++ looks fine?: ms01 2G 24176 77 52571 24 20910 7 25757 69 57056 8 558.2 1 16 +++++ +++ +++++ +++ +++++ +++ +++++ +++ +++++ +++ +++++ +++ Used to run smoothly until the upgrade. Any ideas on whats going on here and what I can do to troubleshoot? Regards, Tony From glenn.steen at gmail.com Mon Nov 27 11:28:34 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 27 11:28:37 2006 Subject: freshclam path? In-Reply-To: References: Message-ID: <223f97700611270328v2fe90bedj35e51c970b207548@mail.gmail.com> On 27/11/06, Remco Barendse wrote: > Hi list! > > I am MS and clamav on CentOS 4 boxes and for clam I am using the RPMS from > Dag Wieers' repository. > > I noticed that freshclam is not working as the MS wrapper script is > looking for freshclam here : /usr/local/bin/freshclam > whereas freshclam from the RPM is located /usr/bin/freshclam > > I can simply create a symlink but shouldn't ClamAV-autoupdate look for > freshclam in both locations? > > Thanks!! > Remco It will rely on the information in virus.scanners.conf ... Both the clamscan and freshclam wrappers will. But you are perhaps using the clamavmodule thing? If so, freshclam will still rely on the info for clamscan. Third column should likely read /usr instead of /usr/local, is all. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martinh at solidstatelogic.com Mon Nov 27 11:37:16 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Mon Nov 27 11:37:24 2006 Subject: 70k mqueue.in but load under 1 ?? In-Reply-To: References: Message-ID: <456ACDEC.8020907@solidstatelogic.com> Tony Johansson wrote: > I've reinstalled our MailScanner servers with CentOS4.4 (previous > centos3.x) and upgraded memory from 1 to 2Gb. > Servers are HP Proliant DL380G3 running at 3.0Ghz > > They process about 80k messages/day each with round-robin dns records. > > On occasion the queues build up (this morning it was 70k!) but the load > on the machines go way down, usually under 1. > > "sar" shows: > 10:00:01 AM CPU %user %nice %system %iowait %idle > 10:10:02 AM all 49.72 0.00 10.70 1.60 37.98 > 10:20:01 AM all 45.30 0.00 10.20 1.54 42.96 > 10:30:02 AM all 47.36 0.00 10.24 1.58 40.82 > > MailScanner version 4.56.8 > 5 children 30 messages > SpamAssassin 3.1.7 with use_bayes 0 > > time spamassassin --lint -D > real 0m2.596s > user 0m1.345s > sys 0m0.097s > > rules_du_jour not active > clamav and bitdefender > local caching dns (named) > 2.6.9-42.EL kernel > > bonnie++ looks fine?: > ms01 2G 24176 77 52571 24 20910 7 25757 69 57056 8 558.2 1 16 +++++ +++ > +++++ +++ +++++ +++ +++++ +++ +++++ +++ +++++ +++ > > Used to run smoothly until the upgrade. > > Any ideas on whats going on here and what I can do to troubleshoot? > > Regards, Tony > Tony what MTA? Recent MS versions assume if you are using sendmail, it's 8.13.x and thus the lock type is posix, not flock as is for v 8.12.x and previous. if you are using sendmail 8.12 you'll need to force the lock type to 'flock' in mailScanner.conf. Another issue is the way certain spam is using email, it can cause a big problem with sendmail 8.12. Only solution is to upgrade to 8.13 and use the greet_pause feature. 
-- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From tony.johansson at svenskakyrkan.se Mon Nov 27 11:46:47 2006 From: tony.johansson at svenskakyrkan.se (Tony Johansson) Date: Mon Nov 27 11:47:25 2006 Subject: 70k mqueue.in but load under 1 ?? In-Reply-To: <456ACDEC.8020907@solidstatelogic.com> References: <456ACDEC.8020907@solidstatelogic.com> Message-ID: Martin, I'm running Sendmail 8.13.1 with a 3 second greet_pause maillog says: Nov 27 12:28:54 ms01 MailScanner[17258]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Nov 27 12:32:59 ms01 MailScanner[17707]: Using locktype = posix Regards, Tony Martin Hepworth skrev: >> > Tony > > what MTA? > > Recent MS versions assume if you are using sendmail, it's 8.13.x and > thus the lock type is posix, not flock as is for v 8.12.x and previous. > > if you are using sendmail 8.12 you'll need to force the lock type to > 'flock' in mailScanner.conf. > > Another issue is the way certain spam is using email, it can cause a big > problem with sendmail 8.12. Only solution is to upgrade to 8.13 and use > the greet_pause feature. > > From jrudd at ucsc.edu Mon Nov 27 12:19:57 2006 
From: jrudd at ucsc.edu (John Rudd) Date: Mon Nov 27 12:21:02 2006 Subject: SA plugins in MailScanner Message-ID: <456AD7ED.5000403@ucsc.edu> Outside of mailscanner, I've written a plugin that I install by just putting the .cf and .pm files into /etc/mail/spamassassin Will that be enough for MailScanner, or do I need to put the .cf data into /opt/mailscanner/etc/spam.assassin.prefs.conf file instead of having it be an independent file? (note: this is specific to mailscanner-4.41.3 ... I know some of the file locations have changed since then ... I wont be upgrading mailscanner, so please don't suggest that; just answer in terms of "what do I need to do in order to load a SA plugin into mailscanner-4.41.3) From glenn.steen at gmail.com Mon Nov 27 12:29:51 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 27 12:29:55 2006 Subject: SA plugins in MailScanner In-Reply-To: <456AD7ED.5000403@ucsc.edu> References: <456AD7ED.5000403@ucsc.edu> Message-ID: <223f97700611270429l7d9cb6e0hcbdcaa0ba14a0fbe@mail.gmail.com> On 27/11/06, John Rudd wrote: > > Outside of mailscanner, I've written a plugin that I install by just > putting the .cf and .pm files into /etc/mail/spamassassin > > Will that be enough for MailScanner, or do I need to put the .cf data > into /opt/mailscanner/etc/spam.assassin.prefs.conf file instead of > having it be an independent file? > > (note: this is specific to mailscanner-4.41.3 ... I know some of the > file locations have changed since then ... I wont be upgrading > mailscanner, so please don't suggest that; just answer in terms of "what > do I need to do in order to load a SA plugin into mailscanner-4.41.3) > I'd suppose version of SA to be more important than MS:-). IIRC you should just pop the .pm file into the SA plugin directory ("locate SpamAssassin|grep Plugin" or similar), and the .cf where you put it. Should be fine. If this has changed from how older version did it, I wouldn't know. But basically... if spamassassin finds it, so will likely MailScanner. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martinh at solidstatelogic.com Mon Nov 27 12:32:02 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Mon Nov 27 12:32:18 2006 Subject: SA plugins in MailScanner In-Reply-To: <456AD7ED.5000403@ucsc.edu> References: <456AD7ED.5000403@ucsc.edu> Message-ID: <456ADAC2.6010102@solidstatelogic.com> John Rudd wrote: > > Outside of mailscanner, I've written a plugin that I install by just > putting the .cf and .pm files into /etc/mail/spamassassin > > Will that be enough for MailScanner, or do I need to put the .cf data > into /opt/mailscanner/etc/spam.assassin.prefs.conf file instead of > having it be an independent file? > > (note: this is specific to mailscanner-4.41.3 ... I know some of the > file locations have changed since then ... I wont be upgrading > mailscanner, so please don't suggest that; just answer in terms of "what > do I need to do in order to load a SA plugin into mailscanner-4.41.3) > John same place you'd put plugins normally....... suggested place for the .pm is the directory you find spammassin.pm and the others. Otherwise you have to specify the full path name in the .pre file you use to load the plugin. for the .cf, yes /etc/mail/spamassassin -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From glenn.steen at gmail.com Mon Nov 27 12:35:06 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 27 12:35:08 2006 Subject: SA plugins in MailScanner In-Reply-To: <223f97700611270429l7d9cb6e0hcbdcaa0ba14a0fbe@mail.gmail.com> References: <456AD7ED.5000403@ucsc.edu> <223f97700611270429l7d9cb6e0hcbdcaa0ba14a0fbe@mail.gmail.com> Message-ID: <223f97700611270435u30ceae64xedce5dd6893c1d28@mail.gmail.com> On 27/11/06, Glenn Steen wrote: > On 27/11/06, John Rudd wrote: > > > > Outside of mailscanner, I've written a plugin that I install by just > > putting the .cf and .pm files into /etc/mail/spamassassin > > > > Will that be enough for MailScanner, or do I need to put the .cf data > > into /opt/mailscanner/etc/spam.assassin.prefs.conf file instead of > > having it be an independent file? > > > > (note: this is specific to mailscanner-4.41.3 ... I know some of the > > file locations have changed since then ... I wont be upgrading > > mailscanner, so please don't suggest that; just answer in terms of "what > > do I need to do in order to load a SA plugin into mailscanner-4.41.3) > > > I'd suppose version of SA to be more important than MS:-). > IIRC you should just pop the .pm file into the SA plugin directory > ("locate SpamAssassin|grep Plugin" or similar), and the .cf where you > put it. Should be fine. > If this has changed from how older version did it, I wouldn't know. > But basically... if spamassassin finds it, so will likely MailScanner. > BTW (no, I'm not suggesting an upgrade, just advertising new functionality)... In newer versions of MailScanner you could do a --debug-sa to see that it loads... Equivalent to setting "SpamAssassin Debug = yes" I guess, so no reason to upgrade there:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jrudd at ucsc.edu Mon Nov 27 12:38:20 2006 
From: jrudd at ucsc.edu (John Rudd) Date: Mon Nov 27 12:40:42 2006 Subject: SA plugins in MailScanner In-Reply-To: <456ADAC2.6010102@solidstatelogic.com> References: <456AD7ED.5000403@ucsc.edu> <456ADAC2.6010102@solidstatelogic.com> Message-ID: <456ADC3C.5010301@ucsc.edu> Martin Hepworth wrote: > John Rudd wrote: >> >> Outside of mailscanner, I've written a plugin that I install by just >> putting the .cf and .pm files into /etc/mail/spamassassin >> >> Will that be enough for MailScanner, or do I need to put the .cf data >> into /opt/mailscanner/etc/spam.assassin.prefs.conf file instead of >> having it be an independent file? >> >> (note: this is specific to mailscanner-4.41.3 ... I know some of the >> file locations have changed since then ... I wont be upgrading >> mailscanner, so please don't suggest that; just answer in terms of >> "what do I need to do in order to load a SA plugin into >> mailscanner-4.41.3) >> > John > > same place you'd put plugins normally....... > > suggested place for the .pm is the directory you find spammassin.pm and > the others. Otherwise you have to specify the full path name in the .pre > file you use to load the plugin. Actually, I have been putting the load directive in the (plugin-name).cf file. That seems to do the trick. I wonder if that's why it works to have the .pm file in the same directory... Thanks for the answers! From jrudd at ucsc.edu Mon Nov 27 12:41:26 2006 
From: jrudd at ucsc.edu (John Rudd) Date: Mon Nov 27 12:44:35 2006 Subject: SA plugins in MailScanner In-Reply-To: <223f97700611270429l7d9cb6e0hcbdcaa0ba14a0fbe@mail.gmail.com> References: <456AD7ED.5000403@ucsc.edu> <223f97700611270429l7d9cb6e0hcbdcaa0ba14a0fbe@mail.gmail.com> Message-ID: <456ADCF6.3000908@ucsc.edu> Glenn Steen wrote: > On 27/11/06, John Rudd wrote: >> (note: this is specific to mailscanner-4.41.3 >> > I'd suppose version of SA to be more important than MS:-). > Yup, I expect that too. And my question isn't meant to call MS's practices into question. It's more of a "due diligence" issue. I want to make sure I've thought of all of the issues. (I was about to say "covering all of the bases", but then realized I'm not speaking to an exclusively USA crowd, and wasn't sure if that phrase is specific to baseball or not... I'm not even a baseball fan, but I can't escape it!) From alex at nkpanama.com Mon Nov 27 13:56:13 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Mon Nov 27 13:57:31 2006 Subject: each MS child using ~70MB of RAM In-Reply-To: <456AAC7C.30307@solidstatelogic.com> References: <012601c711a6$fa8964a0$3701a8c0@lapxp> <456AAC7C.30307@solidstatelogic.com> Message-ID: <456AEE7D.6080401@nkpanama.com> Martin Hepworth wrote: > I wouldn't drop any of these....they are the defaults. > > How many children are you running? > How much Ram have you got (and what CPU)? > How many messages per day? > Are you swapping? > If he's using MailScanner, he's going to be swapping! ;-) From martinh at solidstatelogic.com Mon Nov 27 14:09:50 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Mon Nov 27 14:10:37 2006 Subject: each MS child using ~70MB of RAM In-Reply-To: <456AEE7D.6080401@nkpanama.com> References: <012601c711a6$fa8964a0$3701a8c0@lapxp> <456AAC7C.30307@solidstatelogic.com> <456AEE7D.6080401@nkpanama.com> Message-ID: <456AF1AE.3000707@solidstatelogic.com> Alex Neuman van der Hans wrote: > Martin Hepworth wrote: > >> I wouldn't drop any of these....they are the defaults. >> >> How many children are you running? >> How much Ram have you got (and what CPU)? >> How many messages per day? >> Are you swapping? >> > > If he's using MailScanner, he's going to be swapping! ;-) Nope, I don't swap....! 1GB ram per CPU core is recommended and then you have not swap...assuming you're not running any nasty old SA rulesets of course. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From rob at dido.ca Mon Nov 27 14:11:21 2006 
From: rob at dido.ca (Rob Morin) Date: Mon Nov 27 14:11:28 2006 Subject: SA-learn question... Message-ID: <456AF209.9050701@dido.ca> Ok i have been searching around looking to see which is the proper way to use the SA-learn command, but it only made me more confused... as if i run it as root it only learns for the user root? how do i make it work for all incoming emails for all users? I have uncommented and added the below to my local.cf file... i am also confused about which file to modify for SA related stuff /opt/MailScanner/etc/spam.assassin.prefs.conf or /etc/mail/spamassassin/local.cf as there are entries for the same thing in both files.??? Any help appreciated.... ------------- # Use Bayesian classifier (default: 1) # use_bayes 1 # Bayesian classifier auto-learning (default: 1) # bayes_auto_learn 1 bayes_auto_learn_threshold_nonspam 0.1 bayes_auto_learn_threshold_spam 6.0 -------------------------------------------------- Thanks... -- Rob Morin Dido InterNet Inc. Montreal, Canada Http://www.dido.ca 514-990-4444 From MailScanner at ecs.soton.ac.uk Mon Nov 27 14:08:11 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Nov 27 14:13:51 2006 Subject: Please test: Last beta before 4.57 final release Message-ID: <456AF14B.5020802@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Please can you test the latest beta I have put up? If this works, it will become the final version of 4.57. Thanks folks! Download as usual from www.mailscanner.info P.S. Sorry for not being around much, things are so busy at work it's silly :-( The last quiet day I had was about May some time. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.1 (Build 1557) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFavJoEfZZRxQVtlQRAn62AKDaypeHs3OMze4rLdBQpqb+loNvGQCfTRfr o8AR6sZ2qt+3mu1rHg8IZgk= =wbdE -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From daniel.maher at ubisoft.com Mon Nov 27 14:17:52 2006 
From: daniel.maher at ubisoft.com (Daniel Maher) Date: Mon Nov 27 14:17:56 2006 Subject: Botnet 0.4 Spam Assassin plugin In-Reply-To: Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft.org> > > 12) The BOTNET rule is now worth 5 points, instead of 6. It would be > interesting to know what people have found as useful scores for the > plugin. > > Too high, I wouldn't use anything above 2.5 and reason is I don't trust > any one > rule that much. I'm inclined to agree - the scores are too high for my tastes as well. My threshold is 6 to be marked as spam; one rule which applies 5 directly is simply too dangerous to be useful. > > i) do you want me to leave it as it is, or > > ii) put in the __ so that the sub-rules stop showing up in the > > final report? > > As long as there is a debug option, the long report should be limited for > debug > info and the short one for normal operation. > -- > René Berber Definitely use the __ format, and provide a debug option to see the individually triggered rules on demand. -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. From root at doctor.nl2k.ab.ca Mon Nov 27 14:18:53 2006
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Mon Nov 27 14:19:51 2006 Subject: Please test: Last beta before 4.57 final release In-Reply-To: <456AF14B.5020802@ecs.soton.ac.uk> References: <456AF14B.5020802@ecs.soton.ac.uk> Message-ID: <20061127141853.GA21734@doctor.nl2k.ab.ca> On Mon, Nov 27, 2006 at 02:08:11PM +0000, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Please can you test the latest beta I have put up? If this works, it > will become the final version of 4.57. > Thanks folks! > Download as usual from > www.mailscanner.info > > > P.S. Sorry for not being around much, things are so busy at work it's > silly :-( > The last quiet day I had was about May some time. > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.5.1 (Build 1557) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFFavJoEfZZRxQVtlQRAn62AKDaypeHs3OMze4rLdBQpqb+loNvGQCfTRfr > o8AR6sZ2qt+3mu1rHg8IZgk= > =wbdE > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! Shall do. Is there any way of integrating CPAN into your install? BTW 4.57.1 is working nicely.
From daniel.maher at ubisoft.com Mon Nov 27 14:21:18 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Mon Nov 27 14:21:22 2006 Subject: warning.txt format In-Reply-To: <223f97700611250140r7a74b6eanee11846e238d9458@mail.gmail.com> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203C5E412@UBIMAIL1.ubisoft.org> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Glenn Steen > Sent: November 25, 2006 4:41 AM > To: MailScanner discussion > Subject: Re: warning.txt format > > On 24/11/06, Jon Leeman wrote: > > Group, > > > > MS 4.51.6 > > Mandrake 10.2 > Methinks it's time to look at upgrading both OS and MS:-):-). > A fair warning - I'm still running 4.51.6, because whenever I try to upgrade, "something breaks" and SpamAssassin no longer reads any of the site specific rules. It also ignores options in MailScanner.conf which should tell it where to look. Nobody on the list appears to have a solution either, unfortunately. So, again, if you do decide to upgrade, be careful and pay attention... -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. From kopels at english.fsu.edu Mon Nov 27 14:57:53 2006 From: kopels at english.fsu.edu (Scott Kopel) Date: Mon Nov 27 14:45:48 2006 Subject: more SA-learn question... In-Reply-To: <456AF209.9050701@dido.ca> References: <456AF209.9050701@dido.ca> Message-ID: <2782.146.201.34.30.1164639473.squirrel@english3.fsu.edu> do I need these in my local.cf? what are the default values? thanks Scott > > bayes_auto_learn_threshold_nonspam 0.1 > bayes_auto_learn_threshold_spam 6.0 > > -------------------------------------------------- > From glenn.steen at gmail.com Mon Nov 27 15:37:38 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 27 15:37:44 2006 Subject: SA plugins in MailScanner In-Reply-To: <456ADCF6.3000908@ucsc.edu> References: <456AD7ED.5000403@ucsc.edu> <223f97700611270429l7d9cb6e0hcbdcaa0ba14a0fbe@mail.gmail.com> <456ADCF6.3000908@ucsc.edu> Message-ID: <223f97700611270737l4257a998rfe0d18a0a732ff73@mail.gmail.com> On 27/11/06, John Rudd wrote: > Glenn Steen wrote: > > On 27/11/06, John Rudd wrote: > > >> (note: this is specific to mailscanner-4.41.3 > >> > > I'd suppose version of SA to be more important than MS:-). > > > > Yup, I expect that too. And my question isn't meant to call MS's > practices into question. It's more of a "due diligence" issue. I want > to make sure I've thought of all of the issues. Prudent. > (I was about to say "covering all of the bases", but then realized I'm > not speaking to an exclusively USA crowd, and wasn't sure if that phrase > is specific to baseball or not... I'm not even a baseball fan, but I > can't escape it!) AFAIK it is "endemic" to USA (and base-/softball), but .... with information being what it is in this day and age, I suppose most would understand the underlying meaning:-)... Heck, Swedish schools have let go of the strict British English edict and now only require that you choose one (American or British ... No Australian, unfortunately:-) and stick with it. Being taught in the old tradition, I of course find this abominable:-):-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Nov 27 15:46:45 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 27 15:46:48 2006 Subject: SA-learn question... In-Reply-To: <456AF209.9050701@dido.ca> References: <456AF209.9050701@dido.ca> Message-ID: <223f97700611270746u7e902db9hc941ddb94f0f25c0@mail.gmail.com> On 27/11/06, Rob Morin wrote: > Ok i have been searching around looking to see which is the proper way > to use the SA-learn command, but it only made me more confused... > > as if i run it as root it only learns for the user root? how do i make > it work for all incoming emails for all users? > > I have uncommented and added the below to my local.cf file... i am also > confused about which file to modify for SA related stuff > > /opt/MailScanner/etc/spam.assassin.prefs.conf > or > /etc/mail/spamassassin/local.cf > > as there are entries for the same thing in both files.??? > > Any help appreciated.... > > ------------- > > # Use Bayesian classifier (default: 1) > # > use_bayes 1 > > > # Bayesian classifier auto-learning (default: 1) > # > bayes_auto_learn 1 > > bayes_auto_learn_threshold_nonspam 0.1 > bayes_auto_learn_threshold_spam 6.0 > If you have a fairly modern MS, then you'll have a symbolic link from /etc/mail/spamassassin/mailscanner.cf to spam.assass.prefs.conf ... Since this will come after local.cf ... it'll "win". Best is to only set them in one place, so choose one and stick with it:-). The name of spam.assassin.prefs.conf isn't quite correct anymore... It isn't a user preference file anymore... So one shouldn't specify it as such... SA will find it through the link. The reason for the shift was mainly because some non-prefs are set in it... And the added bonus of not needing to specify it anymore (not to mention making Matt K. happy:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From carock at epconline.net Mon Nov 27 15:47:11 2006 
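Added example (not part of any list message, and not MailScanner's or SpamAssassin's own code): a small audit of the situation Glenn describes above, where the same Bayes setting sits in both local.cf and the mailscanner.cf symlink and the later file wins. It assumes SpamAssassin reads the *.cf files of the site directory in name order, as his reply implies; the WATCHED list, the temporary directory layout and the 12.0 value are constructed for the demonstration.

```python
import os
import tempfile

# Scalar SpamAssassin settings to audit (hypothetical selection for this example).
WATCHED = {
    "use_bayes",
    "bayes_auto_learn",
    "bayes_auto_learn_threshold_nonspam",
    "bayes_auto_learn_threshold_spam",
    "required_score",
}


def read_settings(path):
    """Return [(lineno, key, value)] for watched 'key value' lines in one .cf file."""
    found = []
    with open(path, encoding="utf-8", errors="replace") as handle:
        for lineno, raw in enumerate(handle, 1):
            line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
            if not line:
                continue
            parts = line.split(None, 1)
            if parts[0] in WATCHED:
                value = parts[1].strip() if len(parts) > 1 else ""
                found.append((lineno, parts[0], value))
    return found


def audit(site_dir):
    """Walk *.cf in name order (the assumed read order) and record every assignment."""
    history = {}
    for name in sorted(os.listdir(site_dir)):
        path = os.path.join(site_dir, name)
        if not name.endswith(".cf") or not os.path.isfile(path):
            continue  # also skips dangling symlinks
        # Show where a symlink such as mailscanner.cf really points.
        resolved = os.path.basename(os.path.realpath(path)) if os.path.islink(path) else name
        for lineno, key, value in read_settings(path):
            history.setdefault(key, []).append(
                {"file": name, "resolved": resolved, "line": lineno, "value": value}
            )
    return history


def effective(history):
    """The last assignment read is the one that takes effect."""
    return {key: hits[-1] for key, hits in history.items()}


def conflicts(history):
    """Settings assigned more than once with differing values."""
    return {k: h for k, h in history.items() if len({x["value"] for x in h}) > 1}


def build_sample(root):
    """Constructed layout mirroring the thread: local.cf plus a mailscanner.cf symlink."""
    site = os.path.join(root, "spamassassin")
    ms_etc = os.path.join(root, "MailScanner-etc")
    os.makedirs(site)
    os.makedirs(ms_etc)
    with open(os.path.join(site, "local.cf"), "w") as handle:
        handle.write(
            "use_bayes 1\n"
            "bayes_auto_learn 1\n"
            "bayes_auto_learn_threshold_nonspam 0.1\n"
            "bayes_auto_learn_threshold_spam 6.0\n"
        )
    prefs = os.path.join(ms_etc, "spam.assassin.prefs.conf")
    with open(prefs, "w") as handle:
        handle.write(
            "# constructed sample, not a real prefs file\n"
            "use_bayes 1\n"
            "bayes_auto_learn_threshold_spam 12.0\n"
        )
    os.symlink(prefs, os.path.join(site, "mailscanner.cf"))
    return site


def demo():
    """Run the audit over the constructed layout; returns (effective, conflicts)."""
    with tempfile.TemporaryDirectory() as root:
        history = audit(build_sample(root))
        return effective(history), conflicts(history)


if __name__ == "__main__":
    winners, clashes = demo()
    for key, hits in sorted(clashes.items()):
        for hit in hits:
            print(f"{key} = {hit['value']}  ({hit['file']}:{hit['line']} -> {hit['resolved']})")
        print(f"  effective: {winners[key]['value']} from {winners[key]['file']}")
```

To check a real host, call `audit()` on the actual site directory (for example /etc/mail/spamassassin) instead of the constructed one.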
From: carock at epconline.net (Chuck Rock) Date: Mon Nov 27 15:48:34 2006 Subject: use spamcop and bounce with spamcop response help. References: Message-ID: Scott Silva sgvwater.com> writes: > > Chuck Rock spake the following on 11/26/2006 4:41 PM: > > I am bouncing messages with MailScanner that match the Spamcop list. > > > > I see in the latest version I'm using 4.56.8 you can modify message headers > > with actions. > > > > Is there a way to modify the message header to the spamcop address is listed > > with the proper IP like if you just used Sendmail to bounce it? > > > > This is what Spamcop tells you to do if you run Sendmail. > > > > FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: > > http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl > > > > I was thinking of adding the message header in MailScanner similar to this. > > > > Spam Actions = bounce header "X-Spam-Status: > > Yes : 'http://spamcop.net/bl.shtml?'(flagged_IP) > > > > Is there a syntax in Mailscanner to provide that IP to that header line so a > > person could get to the spamcop site with their IP address information? > > > > Thanks, > > Chuck > > > If you want that "feature", and are dropping the message anyway, why not just > drop it at the MTA. You will save yourself the load, and get the desired > result. You really should never bounce messages after you receive them. If > they are dropped during the connection phase, you get the rejection to the > proper server, but if you have received it, then all you have is the possibly > forged sender address to rely on. So basically, if I can have MailScanner skip the spam lists check altogether and just put the spamcop config in the proper sendmail config file for my inbound sendmail process? Is there another benefit of having MailScanner check the rbl's instead of or in addition to Sendmail? Thanks, Chuck From glenn.steen at gmail.com Mon Nov 27 15:51:07 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 27 15:51:11 2006 Subject: warning.txt format In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D203C5E412@UBIMAIL1.ubisoft.org> References: <223f97700611250140r7a74b6eanee11846e238d9458@mail.gmail.com> <1E293D3FF63A3740B10AD5AAD88535D203C5E412@UBIMAIL1.ubisoft.org> Message-ID: <223f97700611270751g7e112b85r6e77cd2dd02eb5e1@mail.gmail.com> On 27/11/06, Daniel Maher wrote: > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Glenn Steen > > Sent: November 25, 2006 4:41 AM > > To: MailScanner discussion > > Subject: Re: warning.txt format > > > > On 24/11/06, Jon Leeman wrote: > > > Group, > > > > > > MS 4.51.6 > > > Mandrake 10.2 > > Methinks it's time to look at upgrading both OS and MS:-):-). > > > > A fair warning - I'm still running 4.51.6, because whenever I try to upgrade, "something breaks" and SpamAssassin no longer reads any of the site specific rules. It also ignores options in MailScanner.conf which should tell it where to look. > > Nobody on the list appears to have a solution either, unfortunately. So, again, if you do decide to upgrade, be careful and pay attention... > Thing is I can't repeat your particular failure... Would be a lot easier if I could (at least on the testbed... Wouldn't want production messed up:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Nov 27 15:59:48 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 27 15:59:57 2006 Subject: more SA-learn question... In-Reply-To: <2782.146.201.34.30.1164639473.squirrel@english3.fsu.edu> References: <456AF209.9050701@dido.ca> <2782.146.201.34.30.1164639473.squirrel@english3.fsu.edu> Message-ID: <223f97700611270759h4dba7368m2f82a783daf9be50@mail.gmail.com> On 27/11/06, Scott Kopel wrote: > do I need these in my local.cf? > what are the default values? > thanks > Scott > > > > bayes_auto_learn_threshold_nonspam 0.1 > > bayes_auto_learn_threshold_spam 6.0 > > Either of man Mail::SpamAssassin::Plugin::AutoLearnThreshold or perldoc Mail::SpamAssassin::Plugin::AutoLearnThreshold will tell you what the defaults are... Seems to be 0.1 and 12.0 respectively. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From daniel.maher at ubisoft.com Mon Nov 27 16:00:33 2006 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Mon Nov 27 16:00:36 2006 Subject: warning.txt format In-Reply-To: <223f97700611270751g7e112b85r6e77cd2dd02eb5e1@mail.gmail.com> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D203C5E6B9@UBIMAIL1.ubisoft.org> > Thing is I can't repeat your particular failure... Would be a lot > easier if I could (at least on the testbed... Wouldn't want production > messed up:-). > Hehe, yeah, this one is a bit of a stinker. I can reproduce it easily on this end. I'd be more than happy to supply any sorts of debug output, config snippets, whatever, to anybody who might be able to help. It's a bizarre problem that really shouldn't happen, which makes it all the more irritating. -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Sentio aliquos togatos contra me conspirare. From glenn.steen at gmail.com Mon Nov 27 16:01:54 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 27 16:01:58 2006 Subject: more SA-learn question... In-Reply-To: <223f97700611270759h4dba7368m2f82a783daf9be50@mail.gmail.com> References: <456AF209.9050701@dido.ca> <2782.146.201.34.30.1164639473.squirrel@english3.fsu.edu> <223f97700611270759h4dba7368m2f82a783daf9be50@mail.gmail.com> Message-ID: <223f97700611270801l1f22cb06o6331eb5aab0cef9e@mail.gmail.com> On 27/11/06, Glenn Steen wrote: > On 27/11/06, Scott Kopel wrote: > > do I need these in my local.cf? > > what are the default values? > > thanks > > Scott > > > > > > bayes_auto_learn_threshold_nonspam 0.1 > > > bayes_auto_learn_threshold_spam 6.0 > > > > Either of > man Mail::SpamAssassin::Plugin::AutoLearnThreshold > or > perldoc Mail::SpamAssassin::Plugin::AutoLearnThreshold > will tell you what the defaults are... Seems to be 0.1 and 12.0 respectively. > BTW, as can be seen in that doc, the minimum value possible is 6.0 (at least 3 from the header, as well as 3 from the body). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Nov 27 16:06:41 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 27 16:06:46 2006 Subject: use spamcop and bounce with spamcop response help. In-Reply-To: References: Message-ID: <223f97700611270806u5cae8c0et118e4a8b57ba65da@mail.gmail.com> On 27/11/06, Chuck Rock wrote: > Scott Silva sgvwater.com> writes: > > > > > Chuck Rock spake the following on 11/26/2006 4:41 PM: > > > I am bouncing messages with MailScanner that match the Spamcop list. > > > > > > I see in the latest version I'm using 4.56.8 you can modify message > headers > > > with actions. > > > > > > Is there a way to modify the message header to the spamcop address is > listed > > > with the proper IP like if you just used Sendmail to bounce it? > > > > > > This is what Spamcop tells you to do if you run Sendmail. > > > > > > FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: > > > http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl > > > > > > I was thinking of adding the message header in MailScanner similar to this. > > > > > > Spam Actions = bounce header "X-Spam-Status: > > > Yes : 'http://spamcop.net/bl.shtml?'(flagged_IP) > > > > > > Is there a syntax in Mailscanner to provide that IP to that header line so > a > > > person could get to the spamcop site with their IP address information? > > > > > > Thanks, > > > Chuck > > > > > If you want that "feature", and are dropping the message anyway, why not just > > drop it at the MTA. You will save yourself the load, and get the desired > > result. You really should never bounce messages after you receive them. If > > they are dropped during the connection phase, you get the rejection to the > > proper server, but if you have received it, then all you have is the possibly > > forged sender address to rely on. > > So basically, if I can have MailScanner skip the spam lists check altogether > and just put the spamcop config in the proper sendmail config file for my > inbound sendmail process? Yes.
> Is there another benefit of having MailScanner check the rbl's instead of or > in addition to Sendmail? The only benefit is that you can have a more easily deciphered bounce message (easy for humans, that is) at the cost mentioned by Scott. If you are planning to ditch those mails anyway, there's no point in doing it later than the MTA (if you trust SC that much)... The odd user being rejected will get a normal NDR from the sending MTA, and you save some resources by not handling it further... Not to mention the "false bounces" you avoid. If you don't trust SC implicitly, doing this in SA (or MS -> quarantine) is the way to go. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martinh at solidstatelogic.com Mon Nov 27 16:11:31 2006 
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Mon Nov 27 16:11:45 2006 Subject: Please test: Last beta before 4.57 final release In-Reply-To: <456AF14B.5020802@ecs.soton.ac.uk> References: <456AF14B.5020802@ecs.soton.ac.uk> Message-ID: <456B0E33.1070507@solidstatelogic.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Please can you test the latest beta I have put up? If this works, it > will become the final version of 4.57. > Thanks folks! > Download as usual from > www.mailscanner.info > > > P.S. Sorry for not being around much, things are so busy at work it's > silly :-( > The last quiet day I had was about May some time. > > Jules > > - -- > Julian Field MEng CITP > Jules Problem with logging to the quarantine directories - it's not happening at all.. ;-( -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From alex at nkpanama.com Mon Nov 27 16:30:11 2006
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Mon Nov 27 16:37:05 2006 Subject: each MS child using ~70MB of RAM In-Reply-To: <456AF1AE.3000707@solidstatelogic.com> References: <012601c711a6$fa8964a0$3701a8c0@lapxp> <456AAC7C.30307@solidstatelogic.com> <456AEE7D.6080401@nkpanama.com> <456AF1AE.3000707@solidstatelogic.com> Message-ID: <456B1293.5000300@nkpanama.com> Martin Hepworth wrote: > Alex Neuman van der Hans wrote: >> Martin Hepworth wrote: >> >>> I wouldn't drop any of these....they are the defaults. >>> >>> How many children are you running? >>> How much Ram have you got (and what CPU)? >>> How many messages per day? >>> Are you swapping? >>> >> >> If he's using MailScanner, he's going to be swapping! ;-) > Nope, I don't swap....! > > 1GB ram per CPU core is recommended and then you have not > swap...assuming you're not running any nasty old SA rulesets of course. > But OMFG MailScanner causes swapping!!! ;-) It said so on the mailing list!!! :D From t.d.lee at durham.ac.uk Mon Nov 27 16:51:29 2006 From: t.d.lee at durham.ac.uk (David Lee) Date: Mon Nov 27 16:52:22 2006 Subject: Please test: Last beta before 4.57 final release In-Reply-To: <456AF14B.5020802@ecs.soton.ac.uk> References: <456AF14B.5020802@ecs.soton.ac.uk> Message-ID: On Mon, 27 Nov 2006, Julian Field wrote: > Please can you test the latest beta I have put up? If this works, it > will become the final version of 4.57. > Thanks folks! > Download as usual from > www.mailscanner.info Did you see the thread leading to: "MailScanner bug [Was: Re: SA 3.1.7 returning no result to MS?]" http://lists.mailscanner.info/pipermail/mailscanner/2006-November/067706.html about what can happen when SA crashes? Any thoughts? -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : Durham University : : http://www.dur.ac.uk/t.d.lee/ South Road : : Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From edwardbruce at sbcglobal.net Mon Nov 27 17:04:34 2006
From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Mon Nov 27 17:04:39 2006 Subject: Please test: Last beta before 4.57 final release In-Reply-To: <456B0E33.1070507@solidstatelogic.com> References: <456AF14B.5020802@ecs.soton.ac.uk> <456B0E33.1070507@solidstatelogic.com> Message-ID: <456B1AA2.7010100@sbcglobal.net> Martin Hepworth wrote: > Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Please can you test the latest beta I have put up? If this works, it >> will become the final version of 4.57. >> Thanks folks! >> Download as usual from >> www.mailscanner.info >> >> >> P.S. Sorry for not being around much, things are so busy at work it's >> silly :-( >> The last quiet day I had was about May some time. >> >> Jules >> >> - -- Julian Field MEng CITP >> > Jules > > Problem with logging to the quarantine directories - it's not happening > at all.. ;-( > I'm getting the same problem. Nothing is being logged in the quarantine directories. From martinh at solidstatelogic.com Mon Nov 27 17:19:10 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Mon Nov 27 17:19:45 2006 Subject: Please test: Last beta before 4.57 final release In-Reply-To: <456B1AA2.7010100@sbcglobal.net> References: <456AF14B.5020802@ecs.soton.ac.uk> <456B0E33.1070507@solidstatelogic.com> <456B1AA2.7010100@sbcglobal.net> Message-ID: <456B1E0E.9010300@solidstatelogic.com> Ed Bruce wrote: > Martin Hepworth wrote: >> Julian Field wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Please can you test the latest beta I have put up? If this works, it >>> will become the final version of 4.57. >>> Thanks folks! >>> Download as usual from >>> www.mailscanner.info >>> >>> >>> P.S. Sorry for not being around much, things are so busy at work it's >>> silly :-( >>> The last quiet day I had was about May some time. >>> >>> Jules >>> >>> - -- Julian Field MEng CITP >>> >> Jules >> >> Problem with logging to the quarantine directories - it's not happening >> at all.. ;-( >> > I'm getting the same problem. Nothing is being logged in the quarantine > directories. Good - at least it's not just me then, I hate that ;-) -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From rob at dido.ca Mon Nov 27 17:29:14 2006
From: rob at dido.ca (Rob Morin) Date: Mon Nov 27 17:29:23 2006 Subject: SA-learn question... In-Reply-To: <223f97700611270746u7e902db9hc941ddb94f0f25c0@mail.gmail.com> References: <456AF209.9050701@dido.ca> <223f97700611270746u7e902db9hc941ddb94f0f25c0@mail.gmail.com> Message-ID: <456B206A.1090608@dido.ca> Thanks for the info.... But what about my question regarding what user should run the sa-learn command, can i simply use root? Since the bayes is all in one place.... Thanks... Rob Morin Dido InterNet Inc. Montreal, Canada Http://www.dido.ca 514-990-4444 Glenn Steen wrote: > On 27/11/06, Rob Morin wrote: >> Ok i have been searching around looking to see which is the proper way >> to use the SA-learn command, but it only made me more confused... >> >> as if i run it as root it only learns for the user root? how do i make >> it work for all incoming emails for all users? >> >> I have uncommented and added the below to my local.cf file... i am also >> confused about which file to modify for SA related stuff >> >> /opt/MailScanner/etc/spam.assassin.prefs.conf >> or >> /etc/mail/spamassassin/local.cf >> >> as there are entries for the same thing in both files.??? >> >> Any help appreciated.... >> >> ------------- >> >> # Use Bayesian classifier (default: 1) >> # >> use_bayes 1 >> >> >> # Bayesian classifier auto-learning (default: 1) >> # >> bayes_auto_learn 1 >> >> bayes_auto_learn_threshold_nonspam 0.1 >> bayes_auto_learn_threshold_spam 6.0 >> > If you have a fairly modern MS, then you'll have a symbolic link from > /etc/mail/spamassassin/mailscanner.cf to spam.assass.prefs.conf ... > Since this will come after local.cf ... it'll "win". Best is to only > set them in one place, so choose one and stick with it:-). > The name of spam.assassin.prefs.conf isn't quite correct anymore... It > isn't a user preference file anymore... So one shouldn't specify it as > such... SA will find it through the link. 
> The reason for the shift was mainly because some non-prefs are set in > it... And the added bonus of not needing to specify it anymore (not to > mention making Matt K. happy:-). > From martinh at solidstatelogic.com Mon Nov 27 17:35:02 2006 From: martinh at solidstatelogic.com (Martin Hepworth) Date: Mon Nov 27 17:35:22 2006 Subject: SA-learn question... In-Reply-To: <456B206A.1090608@dido.ca> References: <456AF209.9050701@dido.ca> <223f97700611270746u7e902db9hc941ddb94f0f25c0@mail.gmail.com> <456B206A.1090608@dido.ca> Message-ID: <456B21C6.1060909@solidstatelogic.com> Rob Morin wrote: > Thanks for the info.... > > But what about my question regarding what user should run the sa-learn > command, can i simply use root? > > Since the bayes is all in one place.... > > Thanks... > > Rob Morin > Dido InterNet Inc. > Montreal, Canada > Http://www.dido.ca > 514-990-4444 what user the mailscanner normally runs as, otherwise you'll get permissions problems. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From TGFurnish at herffjones.com Mon Nov 27 18:03:34 2006
From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Mon Nov 27 18:03:42 2006 Subject: 70k mqueue.in but load under 1 ?? Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC45C@inex3.herffjones.hj-int> I'm experiencing very similar symptoms here. My queue is very backed up, but my load average is much lower than normal, and I'm not noticing an obvious cause. Iowait is similarly low. I've noticed that while mail is flowing in at a quick rate, the MailScanner processing is not keeping up at all. With 10 children and batches of 30 messages each, I'm seeing batch processing taking 300 seconds per batch and that only translates to 1 message processed per second. Eyeballing the maillog I think I'm actually getting even less than that. System normally processes much more quickly. I ran a batch using debugging for both MailScanner and SpamAssassin, but it doesn't seem to have any timing info in the lines so after the batch ran I can't tell how long each line took to appear. Anyone know if there's a way to get timing info in the spamassassin debugging output? I'm thinking of trying to write a little perl script to accept the output of MailScanner in debugging mode and inject timestamps after each newline... > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Tony Johansson > Sent: Monday, November 27, 2006 6:47 AM > To: mailscanner@lists.mailscanner.info > Subject: Re: 70k mqueue.in but load under 1 ?? > > Martin, > > I'm running Sendmail 8.13.1 with a 3 second greet_pause > > maillog says: > Nov 27 12:28:54 ms01 MailScanner[17258]: Creating hardcoded > struct_flock subroutine for linux (Linux-type) Nov 27 > 12:32:59 ms01 MailScanner[17707]: Using locktype = posix > > Regards, Tony > > > > Martin Hepworth skrev: > >> > > Tony > > > > what MTA? > > > > Recent MS versions assume if you are using sendmail, it's > 8.13.x and > > thus the lock type is posix, not flock as is for v 8.12.x > and previous. > > > > if you are using sendmail 8.12 you'll need to force the > lock type to > > 'flock' in mailScanner.conf. > > > > Another issue is the way certain spam is using email, it > can cause a > > big problem with sendmail 8.12. Only solution is to upgrade to 8.13 > > and use the greet_pause feature. > > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ssilva at sgvwater.com Mon Nov 27 18:09:19 2006 
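The timestamping filter Trever Furnish proposes in the "70k mqueue.in" message above, as an added example that is not part of any post in this thread. It is written in Python rather than the Perl he mentions, and the function names and sample debug lines are constructed for illustration.

```python
#!/usr/bin/env python3
"""Prefix each line of a debug stream with elapsed time and the gap since the
previous line, then report the longest pauses (added example, not MailScanner code)."""
import sys
import time


def stamp_lines(lines, clock=time.monotonic):
    """Yield (elapsed, gap, text) for each line as it arrives.

    elapsed is seconds since reading started, gap is seconds since the
    previous line. The clock is read after a line arrives, so a large gap on
    line N means the work that began at line N-1 was slow.
    """
    start = prev = clock()
    for raw in lines:
        now = clock()
        yield (now - start, now - prev, raw.rstrip("\n"))
        prev = now


def slowest_steps(stamped, threshold=5.0):
    """Return [(gap, line_before_pause, line_after_pause)], largest gap first.

    The pause is blamed on the line printed before it, which is normally the
    lookup (DCC, Razor, Pyzor, RBL) that was started and then waited on.
    """
    hits = []
    before = "<start of stream>"
    for _elapsed, gap, text in stamped:
        if gap >= threshold:
            hits.append((gap, before, text))
        before = text
    return sorted(hits, key=lambda hit: hit[0], reverse=True)


# Constructed sample: five debug lines and the clock readings at which each
# one "arrives" (the first reading is the start of the run).
SAMPLE_LINES = [
    "debug: starting razor2 check\n",
    "debug: razor2 check done\n",
    "debug: starting dcc check\n",
    "debug: dcc check done\n",
    "debug: rbl lookups done\n",
]
SAMPLE_CLOCK = [0.0, 0.2, 0.4, 0.5, 10.5, 10.75]


def demo():
    """Run the sample through the filter with a fake clock."""
    ticks = iter(SAMPLE_CLOCK)
    stamped = list(stamp_lines(SAMPLE_LINES, clock=lambda: next(ticks)))
    return slowest_steps(stamped, threshold=5.0)


def main(threshold=5.0):
    seen = []
    for elapsed, gap, text in stamp_lines(sys.stdin):
        seen.append((elapsed, gap, text))
        print(f"{elapsed:9.3f} +{gap:7.3f} {text}", flush=True)
    for gap, before, _after in slowest_steps(seen, threshold):
        print(f"# {gap:.1f}s pause after: {before}", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Pipe the combined stdout and stderr of a debug run into it. If the producer buffers its output when writing to a pipe, the gaps show buffer flushes rather than the real pauses.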
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 27 18:10:11 2006 Subject: Please test: Last beta before 4.57 final release In-Reply-To: <456AF14B.5020802@ecs.soton.ac.uk> References: <456AF14B.5020802@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 11/27/2006 6:08 AM: > Please can you test the latest beta I have put up? If this works, it > will become the final version of 4.57. > Thanks folks! > Download as usual from > www.mailscanner.info > > > P.S. Sorry for not being around much, things are so busy at work it's > silly :-( > The last quiet day I had was about May some time. > > Jules > May of what year? ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Nov 27 18:25:26 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 27 18:26:41 2006 Subject: use spamcop and bounce with spamcop response help. In-Reply-To: References: Message-ID: Chuck Rock spake the following on 11/27/2006 7:47 AM: > Scott Silva sgvwater.com> writes: > >> Chuck Rock spake the following on 11/26/2006 4:41 PM: >>> I am bouncing messages with MailScanner that match the Spamcop list. >>> >>> I see in the latest version I'm using 4.56.8 you can modify message > headers >>> with actions. >>> >>> Is there a way to modify the message header to the spamcop address is > listed >>> with the proper IP like if you just used Sendmail to bounce it? >>> >>> This is what Spamcop tells you to di if you run Sendmail. >>> >>> FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: >>> http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl >>> >>> I was thinking of adding the message header in MailScanner similar to this. >>> >>> Spam Actions = bounce header "X-Spam-Status: >>> Yes : 'http://spamcop.net/bl.shtml?'(flagged_IP) >>> >>> Is there a syntax in Mailscanner to provide that IP to that header line so > a >>> person could get to the spamcop site with their IP address information? >>> >>> Thanks, >>> Chuck >>> >> If you want that "feature", and are dropping the message anyway, why not just >> drop it at the MTA. You will save yourself the load, and get the desired >> result. You really should never bounce messages after you receive them. If >> they are dropped during the connection phase, you get the rejection to the >> proper server, but if you have received it, then all you have is the possibly >> forged sender address to rely on. > > So basically, if I can have MailScanner skip the spam lists check altogether > and just put the spamcop config in the proper sendmail config file for my > inbound sendmail process? > > Is there another benefit of having MailScanner check the rbl's instead of or > in addition to Sendmail? 
> > Thanks, > Chuck > > The only benefit I know of is if you want to store the bad stuff in quarantine. The best in order are ; MTA Spamassassin Mailscanner If you have no problem dropping every message that hits spamcop, then dropping at the MTA is the safest and least processor intensive. After that, you have the message on your server, and bouncing it will make you many enemies, and maybe get you listed on a blacklist yourself. I am using sbl-xbl and combined.njabl.org at the mta with no complaints. You should open up your abuse and postmaster addresses, but spamassassin and mailscanner can catch a lot of the garbage there. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From matt at coders.co.uk Mon Nov 27 18:28:08 2006 From: matt at coders.co.uk (Matt Hampton) Date: Mon Nov 27 18:28:43 2006 Subject: Please test: Last beta before 4.57 final release In-Reply-To: <456B1E0E.9010300@solidstatelogic.com> References: <456AF14B.5020802@ecs.soton.ac.uk> <456B0E33.1070507@solidstatelogic.com> <456B1AA2.7010100@sbcglobal.net> <456B1E0E.9010300@solidstatelogic.com> Message-ID: <456B2E38.3000303@coders.co.uk> >>> Jules >>> >>> Problem with logging to the quarantine directories - its not happening >>> at all.. ;-( >>> >> I'm getting the same problem. Nothing is being logged in the quarantine >> directories. > > Good - at least it's not just me then, I hate that ;-) > And me - other than that issue didn't find any other problems. matt From Richard.Frovarp at sendit.nodak.edu Mon Nov 27 19:18:08 2006 
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Mon Nov 27 19:18:14 2006
Subject: 70k mqueue.in but load under 1 ??
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC45C@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC45C@inex3.herffjones.hj-int>
Message-ID: <456B39F0.9070800@sendit.nodak.edu>

Is anything timing out? If you are doing one a second with 10 children, that is about a 10 second timeout. Is Razor, Pyzor, DCC, or DNS lookups timing out? RBL is 20 seconds with Razor and Pyzor at a 10 second timeout. I don't see a default setting for DCC. Running a lint on SpamAssassin might help you figure out if anything is timing out.

Richard

Furnish, Trever G wrote:
> I'm experiencing very similar symptoms here. My queue is very backed
> up, but my load average is much lower than normal, and I'm not noticing
> an obvious cause. Iowait is similarly low.
>
> I've noticed that while mail is flowing in at a quick rate, the
> MailScanner processing is not keeping up at all. With 10 children and
> batches of 30 messages each, I'm seeing batch processing taking 300
> seconds per batch and that only translates to 1 message processed per
> second. Eyeballing the maillog I think I'm actually getting even less
> than that. System normally processes much more quickly.
>
> I ran a batch using debugging for both MailScanner and SpamAssassin, but
> it doesn't seem to have any timing info in the lines so after the batch
> ran I can't tell how long each line took to appear. Anyone know if
> there's a way to get timing info in the spamassassin debugging output?
>
> I'm thinking of trying to write a little perl script to accept the
> output of MailScanner in debugging mode and inject timestamps after each
> newline...
>
>
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Tony Johansson >> Sent: Monday, November 27, 2006 6:47 AM >> To: mailscanner@lists.mailscanner.info >> Subject: Re: 70k mqueue.in but load under 1 ?? >> >> Martin, >> >> I'm running Sendmail 8.13.1 with a 3 second greet_pause >> >> maillog says: >> Nov 27 12:28:54 ms01 MailScanner[17258]: Creating hardcoded >> struct_flock subroutine for linux (Linux-type) Nov 27 >> 12:32:59 ms01 MailScanner[17707]: Using locktype = posix >> >> Regards, Tony >> >> >> >> Martin Hepworth skrev: >> >>> Tony >>> >>> what MTA? >>> >>> Recent MS versions assume if you are using sendmail, it's >>> >> 8.13.x and >> >>> thus the lock type is posix, not flock as is for v 8.12.x >>> >> and previous. >> >>> if you are using sendmail 8.12 you'll need to force the >>> >> lock type to >> >>> 'flock' in mailScanner.conf. >>> >>> Another issue is the way certain spam is using email, it >>> >> can cause a >> >>> big problem with sendmail 8.12. Only solution is to upgrade to 8.13 >>> and use the greet_pause feature. >>> >>> >>> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > From glenn.steen at gmail.com Mon Nov 27 19:21:38 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Nov 27 19:21:42 2006 Subject: 70k mqueue.in but load under 1 ?? In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC45C@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D0302BAC45C@inex3.herffjones.hj-int> Message-ID: <223f97700611271121u6b0ff0a0xf6c7bf4f81ae7b6a@mail.gmail.com> On 27/11/06, Furnish, Trever G wrote: > I'm experiencing very similar symptoms here. My queue is very backed > up, but my load average is much lower than normal, and I'm not noticing > an obvious cause. Iowait is similarly low. > > I've noticed that while mail is flowing in at a quick rate, the > MailScanner processing is not keeping up at all. With 10 children and > batches of 30 messages each, I'm seeing batch processing taking 300 > seconds per batch and that only translates to 1 message processed per > second. Eyeballing the maillog I think I'm actually getting even less > than that. System normally processes much more quickly. > > I ran a batch using debugging for both MailScanner and SpamAssassin, but > it doesn't seem to have any timing info in the lines so after the batch > ran I can't tell how long each line took to appear. Anyone know if > there's a way to get timing info in the spamassassin debugging output? Running the spamassassin --lint in MailWatch gives you timing info... Perhaps not that useful with modern SA (3.1.7), but ... there it is. Is this perhaps some digest (dcc?) or BL lookup (in MS?) bogging down? First thing to look for would otherwise be to turn on the log timing in MS.... If you haven't already. > I'm thinking of trying to write a little perl script to accept the > output of MailScanner in debugging mode and inject timestamps after each > newline... Could be useful... Please do:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jaearick at colby.edu Mon Nov 27 19:29:23 2006 
From: jaearick at colby.edu (Jeff A. Earickson) Date: Mon Nov 27 19:29:42 2006 Subject: Please test: Last beta before 4.57 final release In-Reply-To: <456B0E33.1070507@solidstatelogic.com> References: <456AF14B.5020802@ecs.soton.ac.uk> <456B0E33.1070507@solidstatelogic.com> Message-ID: On Mon, 27 Nov 2006, Martin Hepworth wrote: > Jules > > Problem with logging to the quarantine directories - its not happening at > all.. ;-( Martin, Do you mean that messages that should be quarantined don't end up in the quarantine directory? Any trace of where they go from your syslog? Just installed 4.57.4 on my Solaris 10 box, watching things now... Jeff Earickson Colby College From hmkash at arl.army.mil Mon Nov 27 19:47:51 2006 From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Mon Nov 27 19:47:56 2006 Subject: Please test: Last beta before 4.57 final release (UNCLASSIFIED) In-Reply-To: <456AF14B.5020802@ecs.soton.ac.uk> Message-ID: <229A346E44379140A59A48951B56E0C00260CF3D@ARLABML01.DS.ARL.ARMY.MIL> Classification: UNCLASSIFIED Caveats: NONE Still have the issue of silent viruses not being properly detected as silent when spam checks are skipped (using new "Max Spam Check Size" setting). See http://lists.mailscanner.info/pipermail/mailscanner/2006-October/066261. html plus several off-list emails. Howard Classification: UNCLASSIFIED Caveats: NONE From wjohns at balita.ph Mon Nov 27 20:27:55 2006 
From: wjohns at balita.ph (Wayne) Date: Mon Nov 27 20:28:30 2006 Subject: Botnet 0.4 Spam Assassin plugin In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft. org> References: <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft.org> Message-ID: <200611272027.kARKRqbn031785@balita.ph> At 14:17 27/11/2006, you wrote: Do not know if I am alone with this problem but I have had to remove BOTNET as it was doing it's job too well - it was deleting all mail which originated from genuine ADSL addresses I even tried adding these addresses to white-lists and other files saying not to be read as spam - they still were. If the problem of genuine use of adsl addresses can be addressed I will try again. - Wayne - > > > 12) The BOTNET rule is now worth 5 points, instead of 6. It would be > > interesting to know what people have found as useful scores for the > > plugin. > > > > Too high, I wouldn't use anything above 2.5 and reason is I don't trust > > any one > > rule that much. > >I'm inclined to agree - the scores are too high >for my tastes as well. My threshold is 6 to be >marked as spam; one rule which applies 5 >directly is simply too dangerous to be useful. > > > > i) do you want me to leave it as it is, or > > > ii) put in the __ so that the sub-rules stop showing up in the > > > final report? > > > > As long as there is a debug option, the long report should be limited for > > debug > > info and the short one for normal operation. > > -- > > Ren? Berber > >Definitely use the __ format, and provide a >debug option to see the individually triggered rules on demand. > > >-- > _ > ?v? Daniel Maher >/(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > >Sentio aliquos togatos contra me conspirare. 
-- This email has been scanned by the Balita server. From ssilva at sgvwater.com Mon Nov 27 20:40:37 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 27 20:41:22 2006 Subject: Botnet 0.4 Spam Assassin plugin In-Reply-To: <200611272027.kARKRqbn031785@balita.ph> References: <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft.org> <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft. org> <200611272027.kARKRqbn031785@balita.ph> Message-ID: Wayne spake the following on 11/27/2006 12:27 PM: > At 14:17 27/11/2006, you wrote: > > Do not know if I am alone with this problem but I have had to remove > BOTNET as it was doing it's job too well - it was deleting all mail > which originated from genuine ADSL addresses I even tried adding these > addresses to white-lists and other files saying not to be read as spam - > they still were. If the problem of genuine use of adsl addresses can be > addressed I will try again. > > - Wayne - That is a problem. There is so little "genuine" use of ADSL for mail that the author might not have took that into account. I am very resistant to accept e-mail from ADSL or cable connections because it is 99.9% spam, and the originator should be using a smarthost on their ISP. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From raymond at prolocation.net Mon Nov 27 20:46:45 2006
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Mon Nov 27 20:46:42 2006 Subject: Botnet 0.4 Spam Assassin plugin In-Reply-To: <200611272027.kARKRqbn031785@balita.ph> References: <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft.org> <200611272027.kARKRqbn031785@balita.ph> Message-ID: Hi! > Do not know if I am alone with this problem but I have had to remove BOTNET > as it was doing it's job too well - it was deleting all mail which originated > from genuine ADSL addresses I even tried adding these addresses to > white-lists and other files saying not to be read as spam - they still were. > If the problem of genuine use of adsl addresses can be addressed I will try > again. Why dont those 'genuine' adsl addresses simply smart relay over their isp? More and more providers block dsl/cable ranges. And also providers are locking out port 25 outbound so they are forced to do so... Bye, Raymond. From jaearick at colby.edu Mon Nov 27 20:54:49 2006 
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Mon Nov 27 20:55:12 2006
Subject: 4.57.4: SA score big, yet delivered
Message-ID:

Gang,

I've had to roll back to 4.56.7 because a bunch of spam got delivered to people, including me, with no {Spam?} for a score 5< x < 10, and no delete for High Spam. I've stared at my debug output, nothing strange. The emails in question got properly tagged with SA scores (in the header and in the syslog output). Yet nothing got tagged in the Subject line or deleted. Any ideas???

My setup: Solaris 10, SA 3.1.7, DCC, Razor. An example set of relevant mail headers:

    To:
    Subject: Your health, your care
    Date: Mon, 27 Nov 2006 20:29:57 +0000
    X-Colby-MailScanner: ftbc
    X-Colby-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (not cached,
        score=12.908, required 5, BAYES_99 3.50, DC_IMG_HTML_RATIO 1.00,
        DC_IMG_TEXT_RATIO 1.00, HTML_IMAGE_ONLY_16 0.50, HTML_MESSAGE 0.00,
        INLINE_IMAGE 2.00, RAZOR2_CF_RANGE_51_100 0.50,
        RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50,
        SARE_GIF_ATTACH 0.75, SARE_GIF_STOX 1.66)
    X-Colby-MailScanner-SpamScore: 12.91

My MailScanner.conf settings:

    Spam Modify Subject = start
    Spam Subject Text = {Spam?}
    High Scoring Spam Modify Subject = no
    Spam Actions = deliver header "X-Spam-Status: Yes"
    High Scoring Spam Actions = delete
    Required SpamAssassin Score = 5
    High SpamAssassin Score = 10

Jeff Earickson
Colby College

From jrudd at ucsc.edu Mon Nov 27 21:05:14 2006
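A check for the symptom Jeff Earickson reports above, added here as an example and not MailScanner's or the poster's code: it reads delivered messages, takes the score from the X-...-MailScanner-SpamCheck header and compares the outcome with the Required and High score settings he lists. The function names and the last three sample messages are constructed; the first sample uses the headers quoted in his post with the rule list shortened.

```python
import email
import re

# The header name carries the site's org name ("Colby" in the post), so match loosely.
SPAMCHECK_HEADER = re.compile(r"^X-.+-MailScanner-SpamCheck$", re.IGNORECASE)
SCORE = re.compile(r"score=(-?\d+(?:\.\d+)?)")


def spam_score(msg):
    """Return the SpamAssassin score MailScanner recorded in the headers, or None."""
    for name, value in msg.items():
        if SPAMCHECK_HEADER.match(name):
            found = SCORE.search(value)  # works on folded header values too
            if found:
                return float(found.group(1))
    return None


def audit(raw, required=5.0, high=10.0, tag="{Spam?}"):
    """Classify one delivered message as (subject, score, finding).

    Assumes the actions from the post: spam is delivered with the tag at the
    start of the Subject, high-scoring spam is deleted and so should never
    show up in a mailbox at all.
    """
    msg = email.message_from_string(raw)
    score = spam_score(msg)
    subject = (msg.get("Subject") or "").strip()
    if score is None:
        return (subject, None, "no-score-header")
    if score >= high:
        return (subject, score, "delivered-but-should-be-deleted")
    if score >= required and not subject.startswith(tag):
        return (subject, score, "subject-not-tagged")
    return (subject, score, "ok")


def findings(raw_messages, **settings):
    """Return the audit results for every message that is not 'ok'."""
    results = (audit(raw, **settings) for raw in raw_messages)
    return [result for result in results if result[2] != "ok"]


SAMPLES = [
    # Headers quoted in the post (rule list shortened).
    "Subject: Your health, your care\n"
    "Date: Mon, 27 Nov 2006 20:29:57 +0000\n"
    "X-Colby-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (not cached,\n"
    "\tscore=12.908, required 5, BAYES_99 3.50, INLINE_IMAGE 2.00)\n"
    "X-Colby-MailScanner-SpamScore: 12.91\n"
    "\nbody\n",
    # Constructed: mid-range score, Subject tagged as configured.
    "Subject: {Spam?} Cheap watches\n"
    "X-Colby-MailScanner-SpamCheck: spam, SpamAssassin (score=6.2, required 5)\n"
    "\nbody\n",
    # Constructed: mid-range score, tag missing.
    "Subject: Cheap watches\n"
    "X-Colby-MailScanner-SpamCheck: spam, SpamAssassin (score=7.1, required 5)\n"
    "\nbody\n",
    # Constructed: clean message.
    "Subject: Lunch?\n"
    "X-Colby-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.3, required 5)\n"
    "\nbody\n",
]

if __name__ == "__main__":
    for subject, score, finding in findings(SAMPLES):
        print(f"{finding}: score={score} subject={subject!r}")
```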
From: jrudd at ucsc.edu (John Rudd)
Date: Mon Nov 27 21:06:30 2006
Subject: Botnet 0.4 Spam Assassin plugin
In-Reply-To: <200611272027.kARKRqbn031785@balita.ph>
References: <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft.org> <200611272027.kARKRqbn031785@balita.ph>
Message-ID: <456B530A.5040004@ucsc.edu>

Did you add the address (as a regular expression) to the skip list with one of these lines:

    botnet_skip_ip ^A\.B\.C\.D$

(where the machine's IP addr is A.B.C.D)

That would cause it to skip past that Received header (and if that's the last/oldest received header, then it will pass the message entirely).

Also, was it triggering on BOTNET_CLIENTWORDS or BOTNET_IPINHOSTNAME or both? If it's only triggering BOTNET_CLIENTWORDS, then try seeing which of the client words it's triggering, and remove that from the cf file. For example, if "dsl" is the only one of the clientwords it's triggering on, then remove "dsl" from the botnet_clientwords setting.

Last, you could also set the score for BOTNET_CLIENT to 0. This means you'll only be triggering the BOTNET score if the message has no rdns (BOTNET_NORDNS), or lacks full-circle dns (BOTNET_BADDNS).

The other thing I would ask is: What value do you set for deleting/rejecting (without human review) spam? It seems to me that if you've set it lower than 10, that's an incredibly bad idea (even without botnet installed). If you've set it higher than 10, then Botnet wouldn't be causing you to delete/reject anything that SpamAssassin didn't already think was spam.

For the question about the score: the score is intended to automatically cause the message to be quarantined/delivered-to-a-spam-folder. That's why it's at 5: unless the message's score is otherwise negative, this is effectively flagged for "needs human review". Even if you've set your high spam value to 10, it wouldn't apply high spam actions unless the message was already considered to be spam. (for me, I reject messages, during SMTP, at an SA score of 10 ...
so I only reject a message if it is otherwise considered spam AND a botnet ... or if it's REALLY bad spam; otherwise I deliver it ... I don't consider it a problem to have a false positive quarantined or delivered to my spam folder: that's what "delivery/quarantining of spam" is for) Feel free to adjust the score to your tastes... but that's why I've set it where I set it. I suppose one idea would be to set the score to be no more than "High Spam - Spam". Wayne wrote: > At 14:17 27/11/2006, you wrote: > > Do not know if I am alone with this problem but I have had to remove > BOTNET as it was doing it's job too well - it was deleting all mail > which originated from genuine ADSL addresses I even tried adding these > addresses to white-lists and other files saying not to be read as spam - > they still were. If the problem of genuine use of adsl addresses can be > addressed I will try again. > > - Wayne - > > >> > > 12) The BOTNET rule is now worth 5 points, instead of 6. It would be >> > interesting to know what people have found as useful scores for the >> > plugin. >> > >> > Too high, I wouldn't use anything above 2.5 and reason is I don't trust >> > any one >> > rule that much. >> >> I'm inclined to agree - the scores are too high for my tastes as >> well. My threshold is 6 to be marked as spam; one rule which applies >> 5 directly is simply too dangerous to be useful. >> >> > > i) do you want me to leave it as it is, or >> > > ii) put in the __ so that the sub-rules stop showing up in the >> > > final report? >> > >> > As long as there is a debug option, the long report should be >> limited for >> > debug >> > info and the short one for normal operation. >> > -- >> > Ren? Berber >> >> Definitely use the __ format, and provide a debug option to see the >> individually triggered rules on demand. >> >> >> -- >> _ >> ?v? Daniel Maher >> /(_)\ Administrateur Syst?me Unix >> ^ ^ Unix System Administrator >> >> Sentio aliquos togatos contra me conspirare. 
From jrudd at ucsc.edu Mon Nov 27 21:09:43 2006
From: jrudd at ucsc.edu (John Rudd) Date: Mon Nov 27 21:11:21 2006 Subject: Botnet 0.4 Spam Assassin plugin In-Reply-To: References: <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft.org> <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft. org> <200611272027.kARKRqbn031785@balita.ph> Message-ID: <456B5417.20408@ucsc.edu> Scott Silva wrote: > Wayne spake the following on 11/27/2006 12:27 PM: >> At 14:17 27/11/2006, you wrote: >> >> Do not know if I am alone with this problem but I have had to remove >> BOTNET as it was doing it's job too well - it was deleting all mail >> which originated from genuine ADSL addresses I even tried adding these >> addresses to white-lists and other files saying not to be read as spam - >> they still were. If the problem of genuine use of adsl addresses can be >> addressed I will try again. >> > That is a problem. There is so little "genuine" use of ADSL for mail that the > author might not have took that into account. I am very resistant to accept > e-mail from ADSL or cable connections because it is 99.9% spam, and the > originator should be using a smarthost on their ISP. > I did take it into account. I'm of the "they should be using their Corporate/ISP's mail server, or get their DNS fixed" opinion. Or use a hosted email server that has better RDNS if their ISP is lame. My means of mitigating the problem are the "botnet_pass_auth", "botnet_skip_ip", and "botnet_pass_ip" options, which allow you to handle known good senders. Or you can set the score for BOTNET_CLIENT to 0. That will, however, significantly reduce the effectiveness of the plugin. From res at ausics.net Mon Nov 27 21:24:09 2006 
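A simplified model of the checks and overrides John Rudd describes in his two Botnet messages above, added here as an example; it is not the plugin's code. It evaluates a single relay only, and the matching rules, the client-word list, the function names and the documentation-range addresses are assumptions made for illustration.

```python
import re

# Assumed client-word list for illustration; the plugin ships its own in its cf file.
CLIENTWORDS = ("dsl", "adsl", "cable", "dialup", "dhcp", "dynamic", "ppp")


def ip_in_hostname(ip, host):
    """True when at least two octets of the IP appear as numbers in the rDNS name."""
    numbers = re.findall(r"\d+", host)
    matched = 0
    for octet in ip.split("."):
        if octet in numbers:
            numbers.remove(octet)
            matched += 1
    return matched >= 2


def client_word(host, words=CLIENTWORDS):
    """Return the first client word found as a whole token in the name, else None."""
    tokens = re.split(r"[^a-z]+", host.lower())
    return next((word for word in words if word in tokens), None)


def relay_rules(ip, rdns, forward_ips, skip_ip=(), words=CLIENTWORDS):
    """List the sub-rules one relay would trigger in this model.

    skip_ip holds regular expressions in the style of the botnet_skip_ip
    lines; forward_ips is the set of addresses the rDNS name resolves back to
    (the full-circle check). No DNS lookups are made here.
    """
    if any(re.search(pattern, ip) for pattern in skip_ip):
        return []                       # relay skipped entirely
    if not rdns:
        return ["BOTNET_NORDNS"]
    hits = []
    if ip not in forward_ips:
        hits.append("BOTNET_BADDNS")
    if ip_in_hostname(ip, rdns):
        hits.append("BOTNET_IPINHOSTNAME")
    if client_word(rdns, words):
        hits.append("BOTNET_CLIENTWORDS")
    return hits


def botnet_fires(hits, client_score_zero=False):
    """With BOTNET_CLIENT scored 0, only the two DNS sub-rules count."""
    if client_score_zero:
        return any(hit in ("BOTNET_NORDNS", "BOTNET_BADDNS") for hit in hits)
    return bool(hits)


def disposition(other_score, fires, botnet_score=5.0, required=5.0, high=10.0):
    """Outcome once the Botnet score is added to the rest of the message's score."""
    total = other_score + (botnet_score if fires else 0.0)
    if total >= high:
        return "high-spam"
    return "spam" if total >= required else "deliver"


if __name__ == "__main__":
    # Constructed relay: a static DSL line whose rDNS name embeds its address.
    dsl = ("192.0.2.45", "192-0-2-45.dsl.example.net", {"192.0.2.45"})
    print(relay_rules(*dsl))
    print(relay_rules(*dsl, skip_ip=[r"^192\.0\.2\.45$"]))
    print(disposition(1.0, botnet_fires(relay_rules(*dsl))))
```

In this model a known good DSL sender keeps triggering the client sub-rules until its address is listed in the skip patterns, and a 5-point Botnet score on an otherwise clean message reaches the spam threshold but not a high-spam threshold of 10.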
From: res at ausics.net (Res)
Date: Mon Nov 27 21:24:21 2006
Subject: 70k mqueue.in but load under 1 ??
In-Reply-To:
References: <456ACDEC.8020907@solidstatelogic.com>
Message-ID:

On Mon, 27 Nov 2006, Tony Johansson wrote:

> Martin,
>
> I'm running Sendmail 8.13.1 with a 3 second greet_pause

This will be a SpamAssassin problem, we suffered the same fate, disable SA and it will skim through your queue in a couple minutes.

You will need to fine tune SA, if you have 2 CPUs in that box, make number of mailscanner processes 10, batches of 50, and SA scan msg of no more than 30k.

To get through them now just disable spam assassin and sighup mailscanner, else things will only get worse.

>
> maillog says:
> Nov 27 12:28:54 ms01 MailScanner[17258]: Creating hardcoded struct_flock
> subroutine for linux (Linux-type)
> Nov 27 12:32:59 ms01 MailScanner[17707]: Using locktype = posix
>
> Regards, Tony
>
>
>
> Martin Hepworth wrote:
>>>
>> Tony
>>
>> what MTA?
>>
>> Recent MS versions assume if you are using sendmail, it's 8.13.x and thus
>> the lock type is posix, not flock as is for v 8.12.x and previous.
>>
>> if you are using sendmail 8.12 you'll need to force the lock type to
>> 'flock' in mailScanner.conf.
>>
>> Another issue is the way certain spam is using email, it can cause a big
>> problem with sendmail 8.12. Only solution is to upgrade to 8.13 and use the
>> greet_pause feature.
>>
>>
>
>

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From r.berber at computer.org Mon Nov 27 21:43:55 2006
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Mon Nov 27 21:44:42 2006 Subject: Botnet 0.4 Spam Assassin plugin In-Reply-To: <456B5417.20408@ucsc.edu> References: <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft.org> <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft. org> <200611272027.kARKRqbn031785@balita.ph> <456B5417.20408@ucsc.edu> Message-ID: John Rudd wrote: > Scott Silva wrote: >> Wayne spake the following on 11/27/2006 12:27 PM: >>> At 14:17 27/11/2006, you wrote: >>> >>> Do not know if I am alone with this problem but I have had to remove >>> BOTNET as it was doing it's job too well - it was deleting all mail >>> which originated from genuine ADSL addresses I even tried adding these >>> addresses to white-lists and other files saying not to be read as spam - >>> they still were. If the problem of genuine use of adsl addresses can be >>> addressed I will try again. >>> >> That is a problem. There is so little "genuine" use of ADSL for mail >> that the >> author might not have took that into account. I am very resistant to >> accept >> e-mail from ADSL or cable connections because it is 99.9% spam, and the >> originator should be using a smarthost on their ISP. >> > > I did take it into account. I'm of the "they should be using their > Corporate/ISP's mail server, or get their DNS fixed" opinion. Or use a > hosted email server that has better RDNS if their ISP is lame. Question: If someone sends a message from home to their workplace, there is only one relay line (two if you count the local delivery line which usually does not have an IP address) and it contains a ADSL address, does your plugin score on that relay line or skips? The point here being that if it scores it gives a false score, just like the useless half point I see SA adds to that line by using RBLs that list dynamic addresses... the first relay line should be ignored, and that makes bot-net detection ineffective. 
> My means of mitigating the problem are the "botnet_pass_auth",
> "botnet_skip_ip", and "botnet_pass_ip" options, which allow you to
> handle known good senders.

Not very useful since dynamic IP addresses are "dynamic".

> Or you can set the score for BOTNET_CLIENT to 0. That will, however,
> significantly reduce the effectiveness of the plugin.

--
René Berber

From TGFurnish at herffjones.com Mon Nov 27 22:17:21 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Mon Nov 27 22:22:11 2006
Subject: Botnet 0.4 Spam Assassin plugin
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC46D@inex3.herffjones.hj-int>

Is there any known minimum version of spamassassin that this plugin requires? I'm still on 3.0, not planning to upgrade to 3.1 for another couple of months yet.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of John Rudd
> Sent: Thursday, November 23, 2006 5:58 AM
> To: MailScanner discussion
> Subject: Botnet 0.4 Spam Assassin plugin
>
>
> (since I've recently mentioned this plugin on the mailscanner
> and communigate pro mailing lists, as an effective means of
> catching spam from botnets, I'm cross-posting this message)
>
>
> I've changed RelayChecker's name to Botnet (since that's its real
> purpose: identify potential botnet submitted messages).
> Here's the 0.4 release.

From TGFurnish at herffjones.com Mon Nov 27 22:23:18 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Mon Nov 27 22:29:55 2006
Subject: 70k mqueue.in but load under 1 ??
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC46E@inex3.herffjones.hj-int>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res > Sent: Monday, November 27, 2006 4:24 PM > To: MailScanner discussion > Subject: Re: 70k mqueue.in but load under 1 ?? > This will be a spamasassin problem, we suffered the same > fate, disable SA and it will skim through your queue in a > couple minutes. > > You will need to fine tune SA, if you have 2 CPUs in that > box, make number of mailscanner processes 10, batches of 50, > and SA scan msg of no more than 30k. > > To get through them now just disable spam assassin and sighup > mailscanner, else things will only get worse. That's a bit drastic. In my case I'm still looking for the reason MS+SA are slower than normal, but if I turn off SA I may as well turn off MS too -- without SA, MS catches almost nothing. I added SBL+XBL at the MTA level and my queue size is now dropping again. Shockingly (to me) SBL+XBL is blocking a *very* large percentage of the inbound connections -- >99% each time I've checked this afternoon. No reported false positives yet though (only been running a few hours) and no one's loaded the web page I put into the SMTP rejection response -- I'm pleasantly surprised. Didn't expect it to catch so much. > -- > Cheers > Res -- Trever From wjohns at balita.ph Mon Nov 27 22:37:02 2006 
From: wjohns at balita.ph (wjohns@balita.ph) Date: Mon Nov 27 22:37:07 2006 Subject: Botnet 0.4 Spam Assassin plugin Message-ID: <1164667022.14092@balita.ph> Scott Silva wrote .. My server is in London and I work from Shropshire I have eight statics and the one I use mangga. (82-xx-xx-2x5.dsl.in-addr.zen.co.uk[82.xx.xx.2x5] the static is in my server zone file but no matter how I set up the Cisco I cannot get the ip id to show just mangga.. So all my outgoing mail is flagged by the BOT plugin. Worse is the fact much of my email received comes from journalist in Asia where they have similar adsl addresses, these people like me operate away from their company servers. I cannot loose or afford to loose these emails. So to be sure I had to delete, for the time being the BOTNET plugin. My ISP is doing what they can to resolve the address on my 'satellite' machines. Thanks for the many replies even if I don't understand the reasons of what is happening. - Wayne - > Wayne spake the following on 11/27/2006 12:27 PM: > > At 14:17 27/11/2006, you wrote: > > > > Do not know if I am alone with this problem but I have had to remove > > BOTNET as it was doing it's job too well - it was deleting all mail > > which originated from genuine ADSL addresses I even tried adding these > > addresses to white-lists and other files saying not to be read as spam > - > > they still were. If the problem of genuine use of adsl addresses can > be > > addressed I will try again. > > > > - Wayne - > That is a problem. There is so little "genuine" use of ADSL for mail that > the > author might not have took that into account. I am very resistant to accept > e-mail from ADSL or cable connections because it is 99.9% spam, and the > originator should be using a smarthost on their ISP. > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! 
From jrudd at ucsc.edu Mon Nov 27 22:40:51 2006
From: jrudd at ucsc.edu (John Rudd) Date: Mon Nov 27 22:42:02 2006 Subject: Botnet 0.4 Spam Assassin plugin In-Reply-To: References: <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft.org> <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft. org> <200611272027.kARKRqbn031785@balita.ph> <456B5417.20408@ucsc.edu> Message-ID: <456B6973.2060006@ucsc.edu> Ren? Berber wrote: > John Rudd wrote: > >> Scott Silva wrote: >>> Wayne spake the following on 11/27/2006 12:27 PM: >>>> At 14:17 27/11/2006, you wrote: >>>> >>>> Do not know if I am alone with this problem but I have had to remove >>>> BOTNET as it was doing it's job too well - it was deleting all mail >>>> which originated from genuine ADSL addresses I even tried adding these >>>> addresses to white-lists and other files saying not to be read as spam - >>>> they still were. If the problem of genuine use of adsl addresses can be >>>> addressed I will try again. >>>> >>> That is a problem. There is so little "genuine" use of ADSL for mail >>> that the >>> author might not have took that into account. I am very resistant to >>> accept >>> e-mail from ADSL or cable connections because it is 99.9% spam, and the >>> originator should be using a smarthost on their ISP. >>> >> I did take it into account. I'm of the "they should be using their >> Corporate/ISP's mail server, or get their DNS fixed" opinion. Or use a >> hosted email server that has better RDNS if their ISP is lame. > > Question: If someone sends a message from home to their workplace, there is only > one relay line (two if you count the local delivery line which usually does not > have an IP address) and it contains a ADSL address, does your plugin score on > that relay line or skips? It will not skip that received line unless you specifically put that relay into your skip/pass list ... or if they're using SMTP-AUTH and SA correctly puts that information into the pseudo-header AND you've set the botnet_pass_auth option. 
> The point here being that if it scores it gives a false score, just like the
> useless half point I see SA adds to that line by using RBLs that list dynamic
> addresses... the first relay line should be ignored, and that makes bot-net
> detection ineffective.

I would say that the first line should NOT be ignored. Instead:

1) You should require that such submitters use SMTP-AUTH, and possibly have them connect to a back-end system (where spam scanning happens on your front-end systems). To avoid having your back-end systems targeted by adversaries (to get around your AV/AS scanning), have them require SMTP-AUTH and only allow non-SMTP-AUTH transactions from trusted IP addresses (such as your front end systems).

2) You shouldn't spam scan messages at all if they've come from an SMTP-AUTH transaction OR make sure that your MTA's SMTP-AUTH fingerprints are properly recognized by SA and use the botnet_pass_auth option.

In my setups, I have the arrangements:

1) front end and back end systems: the front ends do the spam scanning but don't spam scan messages relayed from the back ends; the back ends only accept messages from local IPs or via SMTP-AUTH.

2) 2 MTAs on one host, which act like the above front end and back end arrangement, except that the 'back end' MTA doesn't relay out through the 'front end' MTA. For example, I have sendmail listening on port 25, and doing AV/AS scanning; then I have CommuniGate Pro running on another port and "blacklisting the world" (which can only be bypassed by SMTP-AUTH or being on a "client IP address"). Sendmail then relays messages to CGP when it's done with them. Legitimate users (local or not) submit messages to CommuniGate Pro with SMTP-AUTH, and thus their messages never get seen by SpamAssassin nor the Botnet plugin.

3) One MTA that only passes messages to SpamAssassin if they weren't from an SMTP-AUTH session, nor from a local IP.
(I will soon be retiring sendmail on the machine in example #2, and the CGP rule which will be invoking SpamAssassin will exempt for messages that are authenticated)

In any of those cases, the answer is "make the legitimate but non-local user use SMTP-AUTH to one of the SMTP-AUTH enabled hosts". This doesn't even require the use of multiple machines (and thus a higher cost of operation).

>> My means of mitigating the problem are the "botnet_pass_auth",
>> "botnet_skip_ip", and "botnet_pass_ip" options, which allow you to
>> handle known good senders.
>
> Not very useful since dynamic IP addresses are "dynamic".

botnet_pass_auth would be useful in that case, if your MTA is able to properly inform SA when a message was authenticated.

>> Or you can set the score for BOTNET_CLIENT to 0. That will, however,
>> significantly reduce the effectiveness of the plugin.

And, of course, this one is still an option. BOTNET_NORDNS alone is what AOL does. Add BOTNET_BADDNS to that, and you're slightly better than AOL at blocking botnets. It's not as good as the full effect of BOTNET, but it's better than nothing, IMO.

Other things that will help:

zen.spamhaus.org
a Greet-Pause of 20-30 seconds (you'll need exemptions for verizon, livejournal, .mac, I think myspace, and facebook)
some amount of Greylisting

(in my experience, these 4 techniques have HUGE overlap in results, so if you do 2 or 3 of them, you get a small trickle of results on the other 1 or 2; my preference is: 3 second greet pause, zen.spamhaus.org, direct botnet blocking in the milter (ie. same code, but applied before spam assassin, and only applied to the direct mail relay; exempts if postmaster or abuse are the only recipients or for smtp-auth), no greylisting)

From jrudd at ucsc.edu Mon Nov 27 22:41:45 2006
From: jrudd at ucsc.edu (John Rudd) Date: Mon Nov 27 22:42:39 2006 Subject: Botnet 0.4 Spam Assassin plugin In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC46D@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D0302BAC46D@inex3.herffjones.hj-int> Message-ID: <456B69A9.90703@ucsc.edu> I've only tried it on 3.1. I don't know when the plugin API actually started, though. Furnish, Trever G wrote: > Is there any known minimum version of spamassassin that this plugin > requires? I'm still on 3.0, not planning to upgrade to 3.1 for another > couple of months yet. > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of John Rudd >> Sent: Thursday, November 23, 2006 5:58 AM >> To: MailScanner discussion >> Subject: Botnet 0.4 Spam Assassin plugin >> >> >> (since I've recently mentioned this plugin on the mailscanner >> and communigate pro mailing lists, as an effective means of >> catching spam from botnets, I'm cross-posting this message) >> >> >> I've changed RelayChecker's name to Botnet (since that's its real >> purpose: identify potential botnet submitted messages). >> Here's the 0.4 release. From res at ausics.net Mon Nov 27 22:51:36 2006 
From: res at ausics.net (Res)
Date: Mon Nov 27 22:51:46 2006
Subject: 70k mqueue.in but load under 1 ??
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC46E@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC46E@inex3.herffjones.hj-int>
Message-ID:

On Mon, 27 Nov 2006, Furnish, Trever G wrote:

>> To get through them now just disable spam assassin and sighup
>> mailscanner, else things will only get worse.
>
> That's a bit drastic. In my case I'm still looking for the reason MS+SA
> are slower than normal, but if I turn off SA I may as well turn off MS
> too -- without SA, MS catches almost nothing.

It depends on how critical it is for those 70K+ emails to be delivered in a timely manner. one thing that could be tried is disable all the auto learn and bayes stuff in spam.assassin.prefs this can speed up SA by a factor of 10

>
> I added SBL+XBL at the MTA level and my queue size is now dropping
> again. Shockingly (to me) SBL+XBL is blocking a *very* large percentage

Yes it does :) enforce RFC1912 and you'll see an even bigger reduction

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From FStein at thehill.org Mon Nov 27 23:00:29 2006
From: FStein at thehill.org (Stein, Mr. Fred)
Date: Mon Nov 27 23:02:22 2006
Subject: 4.57.4: SA score big, yet delivered
In-Reply-To:
Message-ID:

I am experiencing the same thing. Big spam numbers and still being delivered.

Fred Stein
Network Administrator
The Hill School
717 E. High Street
Pottstown, PA 19464
fstein@thehill.org
www.thehill.org

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeff A. Earickson
Sent: Monday, November 27, 2006 3:55 PM
To: mailscanner mailing list
Subject: 4.57.4: SA score big, yet delivered

Gang,

I've had to roll back to 4.56.7 because a bunch of spam got delivered to people, including me, with no {Spam?} for a score 5< x < 10, and no delete for High Spam. I've stared at my debug output, nothing strange. The emails in question got properly tagged with SA scores (in the header and in the syslog output). Yet nothing got tagged in the Subject line or deleted. Any ideas??? My setup: Solaris 10, SA 3.1.7, DCC, Razor.

An example set of relevant mail headers:

To:
Subject: Your health, your care
Date: Mon, 27 Nov 2006 20:29:57 +0000
X-Colby-MailScanner: ftbc
X-Colby-MailScanner-SpamCheck: spam, SORBS-DNSBL, SpamAssassin (not cached,
    score=12.908, required 5, BAYES_99 3.50, DC_IMG_HTML_RATIO 1.00,
    DC_IMG_TEXT_RATIO 1.00, HTML_IMAGE_ONLY_16 0.50, HTML_MESSAGE 0.00,
    INLINE_IMAGE 2.00, RAZOR2_CF_RANGE_51_100 0.50,
    RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50,
    SARE_GIF_ATTACH 0.75, SARE_GIF_STOX 1.66)
X-Colby-MailScanner-SpamScore: 12.91

My MailScanner.conf settings:

Spam Modify Subject = start
Spam Subject Text = {Spam?}
High Scoring Spam Modify Subject = no
Spam Actions = deliver header "X-Spam-Status: Yes"
High Scoring Spam Actions = delete
Required SpamAssassin Score = 5
High SpamAssassin Score = 10

Jeff Earickson
Colby College

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From TGFurnish at herffjones.com Mon Nov 27 23:06:56 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Mon Nov 27 23:07:38 2006
Subject: Botnet 0.4 Spam Assassin plugin
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC46F@inex3.herffjones.hj-int>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of John Rudd
> Sent: Monday, November 27, 2006 5:41 PM
> To: MailScanner discussion
> Subject: Re: Botnet 0.4 Spam Assassin plugin
>
> René Berber wrote:
> > John Rudd wrote:
>
> 2) You shouldn't spam scan messages at all if they've come
> from an SMTP-AUTH transaction OR make sure that your MTA's
> SMTP-AUTH fingerprints are properly recognized by SA and use
> the botnet_pass_auth option.

But the point is that if my trusted users authenticate themselves using SMTP-AUTH, then someone using your plugin at some OTHER site should not block them based on their client IP address. If you don't exclude the first received 'from' address, then you're going to be blocking well-behaved users who send mail through well-behaved relays that have forced the user to authenticate.

> In any of those cases, the answer is "make the legitimate but
> non-local user use SMTP-AUTH to one of the SMTP-AUTH enabled
> hosts". This doesn't even require the use of multiple
> machines (and thus a higher cost of operation).

...which seems perfectly reasonable -- except that it would seem to me that it is only perfect when the sender is one of your users authenticating against your authentication system -- it ought to unfairly score any messages from anyone else's system that include a Received header for the client, which is pretty much everything except Mickeysoft Exchange, EVEN IF they are authenticating to some properly configured relay.

Am I missing something? :-)

From jrudd at ucsc.edu Mon Nov 27 23:26:37 2006
From: jrudd at ucsc.edu (John Rudd) Date: Mon Nov 27 23:27:39 2006 Subject: Botnet 0.4 Spam Assassin plugin In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC46F@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D0302BAC46F@inex3.herffjones.hj-int> Message-ID: <456B742D.3070701@ucsc.edu> Furnish, Trever G wrote: > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of John Rudd
>> Sent: Monday, November 27, 2006 5:41 PM
>> To: MailScanner discussion
>> Subject: Re: Botnet 0.4 Spam Assassin plugin
>>
>> René Berber wrote:
>>> John Rudd wrote:
>> 2) You shouldn't spam scan messages at all if they've come
>> from an SMTP-AUTH transaction OR make sure that your MTA's
>> SMTP-AUTH fingerprints are properly recognized by SA and use
>> the botnet_pass_auth option.
>
> But the point is that if my trusted users authenticate themselves using SMTP-AUTH, then someone using your plugin at some OTHER site should not block them based on their client IP address. If you don't exclude the first received 'from' address, then you're going to be blocking well-behaved users who send mail through well-behaved relays that have forced the user to authenticate.
>

Only if they trust YOUR mail server. If they don't have your server listed in their Spam Assassin Trusted Networks, then the host their Botnet plugin will look at will be YOUR mail server, not the address of your client.

Botnet doesn't look at _EVERY_ received header (the way the RBL functions in SA do). It only looks at the untrusted received headers, and only the first one (after skipping any in the botnet_skip_ip list). Looking at _every_ received header, or even every untrusted received header, wouldn't have made sense.

I don't know about you, but I don't have anyone outside of my own servers (not even the IPs within my own network, but outside of my server subnet) listed as "trusted networks". Therefore, my Botnet install will not look at the IP's of your users. It will only look at the IP of your mail server. It won't care one little bit about the IP addresses of your users.

From TGFurnish at herffjones.com Tue Nov 28 00:07:50 2006
From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Tue Nov 28 00:08:55 2006 Subject: Botnet 0.4 Spam Assassin plugin Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC471@inex3.herffjones.hj-int> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of John Rudd > Sent: Monday, November 27, 2006 6:27 PM > To: MailScanner discussion > Subject: Re: Botnet 0.4 Spam Assassin plugin > > Furnish, Trever G wrote: >>But the point is that if my trusted users authenticate >>themselves using SMTP-AUTH, then someone using your plugin at >>some OTHER site should not block them based on their client >>IP address. If you don't exclude the first received 'from' >>address, then you're going to blocking well-behaved users who >>send mail through well-behaved relays that have forced the >>user to authenticate. >> > > Only if they trust YOUR mail server. If they don't have your > server listed in their Spam Assassin Trusted Networks, then > the host their Botnet plugin will look at will be YOUR mail > server, not the address of your client. Botnet doesn't look > at _EVERY_ received header (the way the RBL functions in SA > do). It only looks at the untrusted received headers, and > only the first one (after skipping any in the botnet_skip_ip > list). Looking at _every_ received header, or even every > untrusted received header, wouldn't have made sense. Perhaps my confusion is just that: confusion on my part about what you mean by "the first one". When I refered to the "first" received header I meant the one that was chronologically oldest. If you were refering instead to the one that is chronologically youngest, then I'd completely agree with you. Forgive me if I seem obtuse, but I'm looking so closely in preparation for deploying the plugin on a site that gets 200,000+ messages per day, so I'm hoping to be certain of my understanding first. In the following message headers, which one will Botnet look at? The one at the bottom of this message would represent an untrusted client (12.24.233.2) in my case. The top two headers are from trusted hosts (relay2 and inex3). The "oldest" header is the one at the bottom. 
Received: from relay2.public.herff-jones.com ([192.168.252.241])
    by inex3.herffjones.hj-int with Microsoft SMTPSVC(6.0.3790.1830);
    Mon, 27 Nov 2006 19:01:22 -0500
Received: from wondious.com (wondious.com [207.250.51.59])
    by relay2.public.herff-jones.com (8.12.11/8.12.11) with ESMTP id kARNwQGg010874
    for ; Mon, 27 Nov 2006 18:58:28 -0500
Received: from wondious.com (localhost.localdomain [127.0.0.1])
    by wondious.com (8.13.1/8.13.1) with ESMTP id kARNvYV7031426
    for ; Mon, 27 Nov 2006 18:57:34 -0500
Received: (from apache@localhost)
    by wondious.com (8.13.1/8.13.1/Submit) id kARNvYkG031425;
    Mon, 27 Nov 2006 18:57:34 -0500
Received: from 12.24.233.2 (SquirrelMail authenticated user trever);
    by wondious.com with HTTP;
    Mon, 27 Nov 2006 18:57:34 -0500 (EST)

From ssilva at sgvwater.com Tue Nov 28 00:09:41 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Nov 28 00:10:10 2006
Subject: 4.57.4: SA score big, yet delivered
In-Reply-To:
References:
Message-ID:

Stein, Mr. Fred spake the following on 11/27/2006 3:00 PM:
> I am experiencing the same thing. Big spam numbers and still being
> delivered.
>
I'm sure Julian will get to this when he is free. Maybe someone in the trusted circle will copy him on this as he has been real busy at the paying job, and hasn't had much time to be on the list.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From jrudd at ucsc.edu Tue Nov 28 00:22:51 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Tue Nov 28 00:23:39 2006
Subject: Botnet 0.4 Spam Assassin plugin
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC471@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC471@inex3.herffjones.hj-int>
Message-ID: <456B815B.4090001@ucsc.edu>

Furnish, Trever G wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of John Rudd >> Sent: Monday, November 27, 2006 6:27 PM >> To: MailScanner discussion >> Subject: Re: Botnet 0.4 Spam Assassin plugin >> >> Furnish, Trever G wrote: >>> But the point is that if my trusted users authenticate >>> themselves using SMTP-AUTH, then someone using your plugin at >>> some OTHER site should not block them based on their client >>> IP address. If you don't exclude the first received 'from' >>> address, then you're going to blocking well-behaved users who >>> send mail through well-behaved relays that have forced the >>> user to authenticate. >>> >> Only if they trust YOUR mail server. If they don't have your >> server listed in their Spam Assassin Trusted Networks, then >> the host their Botnet plugin will look at will be YOUR mail >> server, not the address of your client. Botnet doesn't look >> at _EVERY_ received header (the way the RBL functions in SA >> do). It only looks at the untrusted received headers, and >> only the first one (after skipping any in the botnet_skip_ip >> list). Looking at _every_ received header, or even every >> untrusted received header, wouldn't have made sense. > > Perhaps my confusion is just that: confusion on my part about what you > mean by "the first one". When I refered to the "first" received header > I meant the one that was chronologically oldest. If you were refering > instead to the one that is chronologically youngest, then I'd completely > agree with you. By "first one" I mean the one that is closest to the top of the message. The chronologically youngest one. > Forgive me if I seem obtuse, but I'm looking so closely in preparation > for deploying the plugin on a site that gets 200,000+ messages per day, > so I'm hoping to be certain of my understanding first. > > In the following message headers, which one will Botnet look at? 
The > one at the bottom of this message would represent an untrusted client > (12.24.233.2) in my case. The top two headers are from trusted hosts > (relay2 and inex3). The "oldest" header is the one at the bottom. Well, going with the default config of skipping 127.0.0.1, it would probably look at: > Received: (from apache@localhost) > by wondious.com (8.13.1/8.13.1/Submit) id kARNvYkG031425; > Mon, 27 Nov 2006 18:57:34 -0500 > And I have no idea how SpamAssassin will read that into the Untrusted Relays pseudo-header. If you _don't_ skip nor trust 127.0.0.1, then THAT header will be the one Botnet looks at ... and it shouldn't trigger a score for it. From ka at pacific.net Tue Nov 28 00:28:50 2006 From: ka at pacific.net (Ken A) Date: Tue Nov 28 00:26:20 2006 Subject: O.T. milter-null experiences, whitelists? Message-ID: <456B82C2.70009@pacific.net> Anyone have any experience with snertsoft's milter-null? I've installed it, and it seems to identify backscatter quite well. I'm a bit concerned about roaming users not getting failed delivery notifications if they send out through an outside smtp server though. Any thoughts on this, or whitelists of stupid autoresponders or CR systems that send from <>? Earthlink's C/R Anti-spam system used to do this. Thanks, Ken A. Pacific.Net From TGFurnish at herffjones.com Tue Nov 28 00:31:49 2006 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Tue Nov 28 00:32:06 2006 Subject: Botnet 0.4 Spam Assassin plugin Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC472@inex3.herffjones.hj-int> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of John Rudd
> Sent: Monday, November 27, 2006 7:23 PM
> To: MailScanner discussion
> Subject: Re: Botnet 0.4 Spam Assassin plugin

> By "first one" I mean the one that is closest to the top of
> the message.
> The chronologically youngest one.

Makes perfect sense now. Thank you very much, John, for the patient explanation.

--
Trever

From ssilva at sgvwater.com Tue Nov 28 00:41:05 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Nov 28 00:41:32 2006
Subject: Botnet 0.4 Spam Assassin plugin
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC471@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC471@inex3.herffjones.hj-int>
Message-ID:

Furnish, Trever G spake the following on 11/27/2006 4:07 PM:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of John Rudd >> Sent: Monday, November 27, 2006 6:27 PM >> To: MailScanner discussion >> Subject: Re: Botnet 0.4 Spam Assassin plugin >> >> Furnish, Trever G wrote: >>> But the point is that if my trusted users authenticate >>> themselves using SMTP-AUTH, then someone using your plugin at >>> some OTHER site should not block them based on their client >>> IP address. If you don't exclude the first received 'from' >>> address, then you're going to blocking well-behaved users who >>> send mail through well-behaved relays that have forced the >>> user to authenticate. >>> >> Only if they trust YOUR mail server. If they don't have your >> server listed in their Spam Assassin Trusted Networks, then >> the host their Botnet plugin will look at will be YOUR mail >> server, not the address of your client. Botnet doesn't look >> at _EVERY_ received header (the way the RBL functions in SA >> do). It only looks at the untrusted received headers, and >> only the first one (after skipping any in the botnet_skip_ip >> list). Looking at _every_ received header, or even every >> untrusted received header, wouldn't have made sense. > > Perhaps my confusion is just that: confusion on my part about what you > mean by "the first one". When I refered to the "first" received header > I meant the one that was chronologically oldest. If you were refering > instead to the one that is chronologically youngest, then I'd completely > agree with you. > > Forgive me if I seem obtuse, but I'm looking so closely in preparation > for deploying the plugin on a site that gets 200,000+ messages per day, > so I'm hoping to be certain of my understanding first. Why not install it with a very low score at first to test it with your system? Then you can see where it hits and where it misses. I just put it in with a score of 1.0 just to see how it does. 
One shouldn't be enough to FP something, but it will give me something to look at in the logs. I left the individual tests at 0.1. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From r.berber at computer.org Tue Nov 28 01:19:27 2006 
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Tue Nov 28 01:20:06 2006 Subject: Botnet 0.4 Spam Assassin plugin In-Reply-To: <456B6973.2060006@ucsc.edu> References: <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft.org> <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft. org> <200611272027.kARKRqbn031785@balita.ph> <456B5417.20408@ucsc.edu> <456B6973.2060006@ucsc.edu> Message-ID: John Rudd wrote: > Ren? Berber wrote: [snip] >> Question: If someone sends a message from home to their workplace, there is only >> one relay line (two if you count the local delivery line which usually does not >> have an IP address) and it contains a ADSL address, does your plugin score on >> that relay line or skips? > > It will not skip that received line unless you specifically put that > relay into your skip/pass list ... or if they're using SMTP-AUTH and SA > correctly puts that information into the pseudo-header AND you've set > the botnet_pass_auth option. I haven't seen where SA can be configured to add the information that the user used smtp_auth. >> The point here being that if it scores it gives a false score, just like the >> useless half point I see SA adds to that line by using RBLs that list dynamic >> addresses... the first relay line should be ignored, and that makes bot-net >> detection ineffective. > > I would say that the first line should NOT be ignored. Instead: > > 1) You should require that such submitters use SMTP-AUTH, and possibly > have them connect to a back-end system (where spam scanning happens on > your front-end systems). To avoid having your back-end systems targeted > by adversaries (to get around your AV/AS scanning), have them require > SMTP-AUTH and only allow non-SMTP-AUTH transactions from trusted IP > addresses (such as your front end systems). But if you use your ISP and it doesn't require authentication then the first line is going to produce a score always... 
> 2) You shouldn't spam scan messages at all if they've come from an > SMTP-AUTH transaction OR make sure that your MTA's SMTP-AUTH > fingerprints are properly recognized by SA and use the botnet_pass_auth > option. > > > In my setups, I have the arrangements: > > 1) front end and back end systems: the front ends to the spam scanning > but don't spam scan messages relayed from the back ends; the back ends > only accept messages from local IPs or via SMTP-AUTH. > > 2) 2 MTA's on one host, which act like the above front end and back end > arrangement, except that the 'back end' MTA doesn't relay out through > the 'front end' MTA. For example, I have sendmail listening on port 25, > and doing AV/AS scanning; then I have CommuniGate Pro running on another > port and "blacklisting the world" (which can only be bypassed by > SMTP-AUTH or being on a "client IP address). Sendmail then relays > messages to CGP when its done with them. Legitimate users (local or > not) submit messages to CommuniGate Pro with SMTP-AUTH, and thus their > messages never get seen by SpamAssassin nor the Botnet plugin. > > 3) One MTA that only passes messages to SpamAssassin if they weren't > from an SMTP-AUTH session, nor from a local IP. (I will soon be > retiring sendmail on the machine in example #2, and the CGP rule which > will be invoking SpamAssassin will exempt for messages that are > authenticated) > > In any of those cases, the answer is "make the legitimate but non-local > user use SMTP-AUTH to one of the SMTP-AUTH enabled hosts". This doesn't > even require the use of multiple machines (and thus a higher cost of > operation). > > >>> My means of mitigating the problem are the "botnet_pass_auth", >>> "botnet_skip_ip", and "botnet_pass_ip" options, which allow you to >>> handle known good senders. >> >> Not very usefull since dynamic IP addresses are "dynamic". 
> > botnet_pass_auth would be useful in that case, if your MTA is able to > properly inform SA when a message was authenticated. > >>> Or you can set the score for BOTNET_CLIENT to 0. That will, however, >>> significantly reduce the effectiveness of the plugin. > > And, of course, this one is still an option. BOTNET_NORDNS alone is > what AOL does. Add BOTNET_BADDNS to that, and you're slightly better > than AOL at blocking botnets. It's not as good as the full effect of > BOTNET, but it's better than nothing, IMO. > > Other things that will help: > > zen.spamhaus.org > a Greet-Pause of 20-30 seconds (you'll need exemptions for verizon, > livejournal, .mac, I think myspace, and facebook) > some amount of Greylisting > > (in my experience, these 4 techniques have HUGE overlap in results, so > if you do 2 or 3 of them, you get a small trickle or results on the > other 1 or 2; my preference is: 3 second greet pause, zen.spamhaus.org, > direct botnet blocking in the milter (ie. same code, but applied before > spam assassin, and only applied to the direct mail relay; exempts if > postmaster or abuse are the only recipients or for smtp-auth), no > greylisting) Thanks for your reply, I'm already using most of your recommendations (smtp_auth, greet pause, gray-list) I'll just have to put together the pieces to reach full benefit. -- Ren? Berber From jrudd at ucsc.edu Tue Nov 28 02:07:05 2006 
From: jrudd at ucsc.edu (John Rudd)
Date: Tue Nov 28 02:08:08 2006
Subject: Botnet 0.4 Spam Assassin plugin
In-Reply-To:
References: <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft.org>
 <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft. org>
 <200611272027.kARKRqbn031785@balita.ph> <456B5417.20408@ucsc.edu>
 <456B6973.2060006@ucsc.edu>
Message-ID: <456B99C9.5050203@ucsc.edu>

René Berber wrote:
> John Rudd wrote:
>> René Berber wrote:
> [snip]
>>> Question: If someone sends a message from home to their workplace, there is only
>>> one relay line (two if you count the local delivery line which usually does not
>>> have an IP address) and it contains a ADSL address, does your plugin score on
>>> that relay line or skips?
>> It will not skip that received line unless you specifically put that
>> relay into your skip/pass list ... or if they're using SMTP-AUTH and SA
>> correctly puts that information into the pseudo-header AND you've set
>> the botnet_pass_auth option.
>
> I haven't seen where SA can be configured to add the information that the user
> used smtp_auth.

One of the fields in the Untrusted Relays pseudo-header (and presumably
in the Trusted Relays pseudo-header) is "auth=". I have _no_ idea how
that field gets set. I am merely trusting SA to do the right thing.

>>> The point here being that if it scores it gives a false score, just like the
>>> useless half point I see SA adds to that line by using RBLs that list dynamic
>>> addresses... the first relay line should be ignored, and that makes bot-net
>>> detection ineffective.
>> I would say that the first line should NOT be ignored. Instead:
>>
>> 1) You should require that such submitters use SMTP-AUTH, and possibly
>> have them connect to a back-end system (where spam scanning happens on
>> your front-end systems). To avoid having your back-end systems targeted
>> by adversaries (to get around your AV/AS scanning), have them require
>> SMTP-AUTH and only allow non-SMTP-AUTH transactions from trusted IP
>> addresses (such as your front end systems).
>
> But if you use your ISP and it doesn't require authentication then the first
> line is going to produce a score always...

I'm not sure what you're saying.

If you're saying your ISP might be using BOTNET and BOTNET might trigger
on you submitting messages to them: They should have you in their
trusted_networks configuration for SA, and then BOTNET will skip you.

If you're saying some remote receiver might be using BOTNET, then, as
long as they don't have your ISP in their trusted_networks config, then
their BOTNET will only look at your ISP's mail server IP, not your end
client IP.

By "first line", I am referring to the newest/top-most (most recent)
Received header. Not the oldest/bottom-most Received header.

From r.berber at computer.org Tue Nov 28 04:50:50 2006
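The relay selection John describes above, as an added example that is not part of any post in the thread and is not the Botnet plugin's code. It assumes relay metadata in the bracketed notation of SpamAssassin's relay pseudo-headers, newest relay first; the sample relays, the function names, the simplified trust walk and the simplified "client-looking hostname" test are all assumptions made for illustration.

```python
import ipaddress
import re

# Constructed samples (documentation IP ranges), newest relay first.
DIRECT = ("[ ip=203.0.113.45 rdns=adsl-203-0-113-45.dyn.example.net helo=laptop "
          "by=mx.example.org ident= envfrom= intl=0 id=A1 auth= msa=0 ]")
DIRECT_AUTH = DIRECT.replace("auth=", "auth=ESMTPA")
VIA_ISP = ("[ ip=198.51.100.25 rdns=smtp.isp.example helo=smtp.isp.example "
           "by=mx.example.org ident= envfrom= intl=0 id=B1 auth= msa=0 ] "
           "[ ip=203.0.113.45 rdns=adsl-203-0-113-45.dyn.example.net helo=laptop "
           "by=smtp.isp.example ident= envfrom= intl=0 id=B2 auth= msa=0 ]")
NO_RDNS = ("[ ip=203.0.113.99 rdns= helo=friend by=mx.example.org "
           "ident= envfrom= intl=0 id=C1 auth= msa=0 ]")

RELAY_RE = re.compile(r"\[ ([^\]]*?) \]")


def parse_relays(chain):
    """Split '[ ip=... rdns=... auth=... ] [ ... ]' into dicts, newest first."""
    relays = []
    for body in RELAY_RE.findall(chain):
        fields = {}
        for token in body.split():
            key, _, value = token.partition("=")
            fields[key] = value
        relays.append(fields)
    return relays


def first_untrusted(relays, trusted_networks):
    """Walk from the newest relay and return the first one outside
    trusted_networks (simplified version of the trust boundary)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for relay in relays:
        ip = ipaddress.ip_address(relay["ip"])
        if not any(ip in net for net in nets):
            return relay
    return None


def client_like(rdns, ip):
    """Simplified stand-in for a 'looks like an end-user client' test:
    at least two octets of the IPv4 address appear in the hostname."""
    numbers = re.findall(r"\d+", rdns)
    return sum(1 for octet in ip.split(".") if octet in numbers) >= 2


def evaluate(chain, trusted_networks, pass_auth=False, pass_ips=()):
    """Return (verdict, reason) for the one relay that would be examined."""
    relay = first_untrusted(parse_relays(chain), trusted_networks)
    if relay is None:
        return ("skip", "all relays trusted")
    if pass_auth and relay.get("auth"):
        return ("pass", "authenticated submission")
    if relay["ip"] in pass_ips:
        return ("pass", "listed IP")
    if not relay.get("rdns"):
        return ("hit", "no reverse DNS")
    if client_like(relay["rdns"], relay["ip"]):
        return ("hit", "client-looking hostname")
    return ("clean", relay["rdns"])


if __name__ == "__main__":
    ours = ["192.0.2.0/24"]  # constructed: the receiver's own relays
    for name, chain, kwargs in [
        ("home user, direct", DIRECT, {}),
        ("home user, SMTP-AUTH", DIRECT_AUTH, {"pass_auth": True}),
        ("home user via ISP", VIA_ISP, {}),
        ("no rDNS", NO_RDNS, {}),
    ]:
        print(name, "->", evaluate(chain, ours, **kwargs))
```

Only the newest untrusted relay is examined, so a home user who relays through an ISP smarthost is judged on the smarthost, while the same user connecting directly is judged on the ADSL address unless the session is authenticated and the auth exemption is enabled.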
From: r.berber at computer.org (René Berber)
Date: Tue Nov 28 04:51:19 2006
Subject: Botnet 0.4 Spam Assassin plugin
In-Reply-To: <456B99C9.5050203@ucsc.edu>
References: <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft.org>
 <1E293D3FF63A3740B10AD5AAD88535D203C27B0D@UBIMAIL1.ubisoft. org>
 <200611272027.kARKRqbn031785@balita.ph> <456B5417.20408@ucsc.edu>
 <456B6973.2060006@ucsc.edu> <456B99C9.5050203@ucsc.edu>
Message-ID:

John Rudd wrote:
> René Berber wrote:
>> I haven't seen where SA can be configured to add the information that
>> the user used smtp_auth.
>
> One of the fields in the Untrusted Relays pseudo-header (and presumably
> in the Trusted Relays pseudo-header) is "auth=". I have _no_ idea how
> that field gets set. I am merely trusting SA to do the right thing.

In http://wiki.apache.org/spamassassin/DynablockIssues there is something
about adding header LOCAL_AUTH_RCVD, I'll test that and see if that makes
SA stop DNSBL checking authenticated users.

The documentation seems to imply that SA cannot do this alone, in fact the
example which may be for postfix is different from what I see with
sendmail. Interesting.

I only bring it up because it may be helpful for the use of the Botnet
plugin, as you showed in another message of this thread.

[snip]
--
René Berber

From gordon at itnt.co.za Tue Nov 28 05:49:02 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Tue Nov 28 05:49:45 2006
Subject: Help - New version not storing spam in quarantine
Message-ID: <007401c712b0$f920aa00$0a02a8c0@Gordon>

I have just upgraded to 4.57.4. All went well and I upgraded the conf
files, but now none of the spam is being stored, it is being delivered.

How do I sort this out?

Regards
Gordon Colyn
InTheNet Technologies
www.itnt.co.za
MSN: gordoncolyn@hotmail.com
SKYPE: gordoncolyn
086 123 ITNT (4868)
086 682 5204 (Fax)
+27 (0)83 296 7534
Confidentiality: This e-mail including any attachments is intended for the
above named addressee(s) only and contains confidential information. If you
have received this email in error you must take no action based on its
contents, nor must you reproduce or show the e-mail or any attachments or
any part thereof or communicate the contents to anyone; please reply to the
sender of this e-mail informing them of the error.
Viruses: We recommend that in keeping with good computing practice the
recipient should ensure that e-mails received are virus free before opening.

From res at ausics.net Tue Nov 28 06:34:40 2006
From: res at ausics.net (Res) Date: Tue Nov 28 06:35:01 2006 Subject: Help - New version not storing spam in quarantine In-Reply-To: <007401c712b0$f920aa00$0a02a8c0@Gordon> References: <007401c712b0$f920aa00$0a02a8c0@Gordon> Message-ID: On Tue, 28 Nov 2006, Gordon Colyn wrote: > ITNT Banner CampaignI have just upgraded to 4.57.4. All went well and I > upgraded the conf files, but now none of the spam is being stored, it is > being delivered. > > How do I sort this out? Please see other existing thread, this is a beta release oly and there will be a fix soon enough, so if you installed this on a production machine, tst tst :) But if so, an advantage of using the source package just stop MS, rm the sylink and recreate it to the current stable. > > > Regards > Gordon Colyn > InTheNet Technologies > www.itnt.co.za > MSN: gordoncolyn@hotmail.com > SKYPE: gordoncolyn > 086 123 ITNT (4868) > 086 682 5204 (Fax) > +27 (0)83 296 7534 > Confidentiality: This e-mail including any attachments is intended for the > above named addressee(s) only and contains confidential information. If you > have received this email in error you must take no action based on its > contents, nor must you reproduce or show the e-mail or any attachments or > any part thereof or communicate the contents to anyone; please reply to the > sender of this e-mail informing them of the error. > Viruses: We recommend that in keeping with good computing practice the > recipient should ensure that e-mails received are virus free before opening. > > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From gordon at itnt.co.za Tue Nov 28 06:50:31 2006 
From: gordon at itnt.co.za (Gordon Colyn) Date: Tue Nov 28 06:51:09 2006 Subject: Help - New version not storing spam in quarantine References: <007401c712b0$f920aa00$0a02a8c0@Gordon> Message-ID: <00c801c712b9$83f01eb0$0a02a8c0@Gordon> ok, thanks. Where do I rm the sylink ? I think I missed this when I tried to roll back, so previous version is doing the same... ----- Original Message ----- 
From: "Res" To: "MailScanner discussion" Sent: Tuesday, November 28, 2006 8:34 AM Subject: Re: Help - New version not storing spam in quarantine On Tue, 28 Nov 2006, Gordon Colyn wrote: > ITNT Banner CampaignI have just upgraded to 4.57.4. All went well and I > upgraded the conf files, but now none of the spam is being stored, it is > being delivered. > > How do I sort this out? Please see other existing thread, this is a beta release oly and there will be a fix soon enough, so if you installed this on a production machine, tst tst :) But if so, an advantage of using the source package just stop MS, rm the sylink and recreate it to the current stable. > > > Regards > Gordon Colyn > InTheNet Technologies > www.itnt.co.za > MSN: gordoncolyn@hotmail.com > SKYPE: gordoncolyn > 086 123 ITNT (4868) > 086 682 5204 (Fax) > +27 (0)83 296 7534 > Confidentiality: This e-mail including any attachments is intended for the > above named addressee(s) only and contains confidential information. If > you > have received this email in error you must take no action based on its > contents, nor must you reproduce or show the e-mail or any attachments or > any part thereof or communicate the contents to anyone; please reply to > the > sender of this e-mail informing them of the error. > Viruses: We recommend that in keeping with good computing practice the > recipient should ensure that e-mails received are virus free before > opening. > > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From res at ausics.net Tue Nov 28 07:14:41 2006 
From: res at ausics.net (Res)
Date: Tue Nov 28 07:14:52 2006
Subject: Help - New version not storing spam in quarantine
In-Reply-To: <00c801c712b9$83f01eb0$0a02a8c0@Gordon>
References: <007401c712b0$f920aa00$0a02a8c0@Gordon>
 <00c801c712b9$83f01eb0$0a02a8c0@Gordon>
Message-ID:

On Tue, 28 Nov 2006, Gordon Colyn wrote:

> ok, thanks.
>
> Where do I rm the symlink ?

If you are using the source, rollback is as simple as

cd /opt
rm MailScanner
ln -s MailScanner-last-stable-version/ MailScanner

and restarting MS of course :)

RPM can't be done this way because it doesn't use this method,
using the tarball is far more efficient, dead simple for
upgrades and emergency rollbacks and most importantly backups, all taking
literally only a few seconds. Even on my RPM based machines I use
tarballs.

>
> I think I missed this when I tried to roll back, so previous version is
> doing the same...
>
> ----- Original Message -----
> From: "Res" > To: "MailScanner discussion" > Sent: Tuesday, November 28, 2006 8:34 AM > Subject: Re: Help - New version not storing spam in quarantine > > > On Tue, 28 Nov 2006, Gordon Colyn wrote: > >> ITNT Banner CampaignI have just upgraded to 4.57.4. All went well and I >> upgraded the conf files, but now none of the spam is being stored, it is >> being delivered. >> >> How do I sort this out? > > Please see other existing thread, this is a beta release oly and there > will be a fix soon enough, so if you installed this on a production > machine, tst tst :) But if so, an advantage of using the source package > just stop MS, rm the sylink and recreate it to the current stable. > > > >> >> >> Regards >> Gordon Colyn >> InTheNet Technologies >> www.itnt.co.za >> MSN: gordoncolyn@hotmail.com >> SKYPE: gordoncolyn >> 086 123 ITNT (4868) >> 086 682 5204 (Fax) >> +27 (0)83 296 7534 >> Confidentiality: This e-mail including any attachments is intended for the >> above named addressee(s) only and contains confidential information. If >> you >> have received this email in error you must take no action based on its >> contents, nor must you reproduce or show the e-mail or any attachments or >> any part thereof or communicate the contents to anyone; please reply to >> the >> sender of this e-mail informing them of the error. >> Viruses: We recommend that in keeping with good computing practice the >> recipient should ensure that e-mails received are virus free before >> opening. >> >> > > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd From glenn.steen at gmail.com Tue Nov 28 09:51:51 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 28 09:51:56 2006
Subject: Help - New version not storing spam in quarantine
In-Reply-To:
References: <007401c712b0$f920aa00$0a02a8c0@Gordon>
 <00c801c712b9$83f01eb0$0a02a8c0@Gordon>
Message-ID: <223f97700611280151o14bb60b3sfdaad3dcbb3a12be@mail.gmail.com>

On 28/11/06, Res wrote:
> On Tue, 28 Nov 2006, Gordon Colyn wrote:
>
> > ok, thanks.
> >
> > Where do I rm the symlink ?
>
> If you are using the source, rollback is as simple as
> cd /opt
> rm MailScanner
> ln -s MailScanner-last-stable-version/ MailScanner
>
> and restarting MS of course :)
>
> RPM can't be done this way because it doesn't use this method,
> using the tarball is far more efficient, dead simple for
> upgrades and emergency rollbacks and most importantly backups, all taking
> literally only a few seconds. Even on my RPM based machines I use
> tarballs.
>
Well, if you followed the instructions in the wiki/MAQ for doing an
update (and what to save a copy of), you could rather easily roll back
with that for RPM (both /usr/lib/MailScanner and /etc/MailScanner ...).
In a pinch, "rpm -e mailscanner" then "restore" /etc/MailScanner to
previous version, then finally reinstall that version. Not as simple as
the source, no ... Still doable though :-).

If it still behaves badly after that, one has to start wondering if it
is some insidious bug regarding some of the perl modules.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solidstatelogic.com Tue Nov 28 09:51:58 2006
From: martinh at solidstatelogic.com (Martin Hepworth) Date: Tue Nov 28 09:52:19 2006 Subject: Please test: Last beta before 4.57 final release In-Reply-To: References: <456AF14B.5020802@ecs.soton.ac.uk> <456B0E33.1070507@solidstatelogic.com> Message-ID: <456C06BE.1000905@solidstatelogic.com> Jeff A. Earickson wrote: > > > On Mon, 27 Nov 2006, Martin Hepworth wrote: > >> Jules >> >> Problem with logging to the quarantine directories - its not happening >> at all.. ;-( > > Martin, > > Do you mean that messages that should be quarantined don't end up in > the quarantine directory? Any trace of where they go from your syslog? > > Just installed 4.57.4 on my Solaris 10 box, watching things now... > > Jeff Earickson > Colby College yes, they get delivered OK, Archived OK, but not placed in the quarantine directory. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. ********************************************************************** From gordon at itnt.co.za Tue Nov 28 09:58:51 2006 From: gordon at itnt.co.za (Gordon Colyn) Date: Tue Nov 28 09:59:14 2006 Subject: Help - New version not storing spam in quarantine References: <007401c712b0$f920aa00$0a02a8c0@Gordon><00c801c712b9$83f01eb0$0a02a8c0@Gordon> Message-ID: <002d01c712d3$d5b3fa90$0a02a8c0@Gordon> Thanks, all sorted ----- Original Message ----- 
From: "Res" To: "MailScanner discussion" Sent: Tuesday, November 28, 2006 9:14 AM Subject: Re: Help - New version not storing spam in quarantine On Tue, 28 Nov 2006, Gordon Colyn wrote: > ok, thanks. > > Where do I rm the sylink ? If you are useing the source rollback is as simple as cd /opt rm MailScanner ln -s MailScanner-last-stable-version/ MailScanner and restarting MS of course :) RPM can't not be done this way because it doesn't use this method, useing the tarball is far more efficient, dead simple for upgrades and emergency rollbacks and most importantly backups, all taking literally only a few seconds. Even on my RPM based machines I use tarballs. > > I think I missed this when I tried to roll back, so previous version is > doing the same... > > ----- Original Message ----- 
> From: "Res" > To: "MailScanner discussion" > Sent: Tuesday, November 28, 2006 8:34 AM > Subject: Re: Help - New version not storing spam in quarantine > > > On Tue, 28 Nov 2006, Gordon Colyn wrote: > >> ITNT Banner CampaignI have just upgraded to 4.57.4. All went well and I >> upgraded the conf files, but now none of the spam is being stored, it is >> being delivered. >> >> How do I sort this out? > > Please see other existing thread, this is a beta release oly and there > will be a fix soon enough, so if you installed this on a production > machine, tst tst :) But if so, an advantage of using the source package > just stop MS, rm the sylink and recreate it to the current stable. > > > >> >> >> Regards >> Gordon Colyn >> InTheNet Technologies >> www.itnt.co.za >> MSN: gordoncolyn@hotmail.com >> SKYPE: gordoncolyn >> 086 123 ITNT (4868) >> 086 682 5204 (Fax) >> +27 (0)83 296 7534 >> Confidentiality: This e-mail including any attachments is intended for >> the >> above named addressee(s) only and contains confidential information. If >> you >> have received this email in error you must take no action based on its >> contents, nor must you reproduce or show the e-mail or any attachments or >> any part thereof or communicate the contents to anyone; please reply to >> the >> sender of this e-mail informing them of the error. >> Viruses: We recommend that in keeping with good computing practice the >> recipient should ensure that e-mails received are virus free before >> opening. >> >> > > -- Cheers Res "Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From tony.johansson at svenskakyrkan.se Tue Nov 28 10:17:27 2006 
From: tony.johansson at svenskakyrkan.se (Tony Johansson)
Date: Tue Nov 28 10:17:39 2006
Subject: 70k mqueue.in but load under 1 ??
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC46E@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC46E@inex3.herffjones.hj-int>
Message-ID:

I've added sbl-xbl.spamhaus.org, dnsbl.sorbs.net and relays.ordb.org at
the MTA level as well as upped greet_pause to 10 seconds.

The queue problem is now gone (for the moment) but I still don't get how
a mailscanner installation could drop to under 1 in load and just sit
there watching the queue build.

Would it be possible to define some dynamic variables? Load under 1,
queue over 1k - start another mailscanner child (or whatever appropriate)

Regards,
Tony

Furnish, Trever G wrote:
> I added SBL+XBL at the MTA level and my queue size is now dropping
> again. Shockingly (to me) SBL+XBL is blocking a *very* large percentage
> of the inbound connections -- >99% each time I've checked this
> afternoon. No reported false positives yet though (only been running a
> few hours) and no one's loaded the web page I put into the SMTP
> rejection response -- I'm pleasantly surprised. Didn't expect it to
> catch so much.
>
>> --
>> Cheers
>> Res
>
> --
> Trever

From glenn.steen at gmail.com Tue Nov 28 12:07:41 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 28 12:07:49 2006
Subject: 70k mqueue.in but load under 1 ??
In-Reply-To:
References: <57573D714A832C43B9D80EAFBDA48D0302BAC46E@inex3.herffjones.hj-int>
Message-ID: <223f97700611280407r45b02efvd1c9aad9722700f6@mail.gmail.com>

On 28/11/06, Tony Johansson wrote:
> I've added sbl-xbl.spamhaus.org, dnsbl.sorbs.net and relays.ordb.org at
> the MTA level as well as upped greet_pause to 10 seconds.
>
> The queue problem is now gone (for the moment) but I still don't get how
> a mailscanner installation could drop to under 1 in load and just sit
> there watching the queue build.
>
> Would it be possible to define some dynamic variables? Load under 1,
> queue over 1k - start another mailscanner child (or whatever appropriate)
>
When MailScanner "detects" there are more than "Max Normal Queue Size"
it'll stop trying to process mails in a FIFO manner and switch to just
grabbing the "Max Unsafe Messages Per Scan" number of messages
(unsorted... Probably makes it more like LIFO). So in a way, it already
tries to do something like that.

As to why... Well, the processes are likely waiting for something...
Most likely some network resource, or something equally slow, since you
see only a modest wait in sar (and some Idle...). What did vmstat have
to say during the same period? Not swapping are you? iostat? Any "hot
disks"?

One can also wonder if a --debug --debug-sa didn't show "perceptible"
pauses, so that one could make a better guess at _what_ was having a
slow time of it.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jaearick at colby.edu Tue Nov 28 13:02:38 2006
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Tue Nov 28 13:02:49 2006
Subject: 4.57.4: SA score big, yet delivered
In-Reply-To:
References:
Message-ID:

On Mon, 27 Nov 2006, Jeff A. Earickson wrote:

> Date: Mon, 27 Nov 2006 15:54:49 -0500 (EST)
> From: Jeff A. Earickson > Reply-To: MailScanner discussion > To: mailscanner mailing list > Subject: 4.57.4: SA score big, yet delivered > > Gang, > > I've had to roll back to 4.56.7 because a bunch of spam got > delivered to people, including me, with no {Spam?} for a > score 5< x < 10, and no delete for High Spam. I've stared at my > debug output, nothing strange. The emails in question got properly tagged > with SA scores (in the header and in the syslog output). Yet nothing got > tagged in the Subject line > or deleted. Any ideas??? In my previous test, the MailScanner.conf file had: Spam Modify Subject = start I changed the "start" to "yes" to see if it makes a difference. Nope. Spam gets scored properly and then gets delivered, no matter what. Jeff Earickson Colby College From evanderleun at hal9000.nl Tue Nov 28 13:53:11 2006 From: evanderleun at hal9000.nl (Erik van der Leun) Date: Tue Nov 28 13:53:13 2006 Subject: 4.57.4: SA score big, yet delivered In-Reply-To: References: Message-ID: <456C3F47.4050809@hal9000.nl> I've had this problem once (with an older version) The SpamAssassin Cache was the problem back then... When I disabled this, it worked like a charm again... :) Erik > On Mon, 27 Nov 2006, Jeff A. Earickson wrote: > >> Date: Mon, 27 Nov 2006 15:54:49 -0500 (EST) 
>> From: Jeff A. Earickson
>> Reply-To: MailScanner discussion
>> To: mailscanner mailing list
>> Subject: 4.57.4: SA score big, yet delivered
>>
>> Gang,
>>
>> I've had to roll back to 4.56.7 because a bunch of spam got
>> delivered to people, including me, with no {Spam?} for a
>> score 5< x < 10, and no delete for High Spam. I've stared at my
>> debug output, nothing strange. The emails in question got properly
>> tagged with SA scores (in the header and in the syslog output). Yet
>> nothing got tagged in the Subject line
>> or deleted. Any ideas???
>
> In my previous test, the MailScanner.conf file had:
>
> Spam Modify Subject = start
>
> I changed the "start" to "yes" to see if it makes a difference. Nope.
> Spam gets scored properly and then gets delivered, no matter what.
>
> Jeff Earickson
> Colby College

From martin.lyberg at gmail.com Tue Nov 28 13:59:13 2006
From: martin.lyberg at gmail.com (Martin)
Date: Tue Nov 28 13:59:42 2006
Subject: bayes_journal - Bad permissions
Message-ID:

Hi,

I keep getting permission errors when learning messages through Mailwatch:

SA_Learn: bayes: bad permissions on journal, can't read:
/var/spool/MailScanner/spamassassin/bayes_journal

This is my permissions of /var/spool/MailScanner/spamassassin/:

drwxrws--- 2 postfix www-data   12288 2006-11-28 14:57 .
drwxr-xr-x 6 postfix postfix     4096 2006-04-24 17:07 ..
-rw-rwS--- 1 postfix www-data 1331200 2006-11-28 14:57 auto-whitelist
-rw------- 1 postfix www-data   10632 2006-11-28 14:57 bayes_journal
-rw-rwS--- 1 postfix www-data      36 2006-11-28 14:55 bayes.mutex
-rw-rwS--- 1 postfix www-data 1318912 2006-11-28 14:53 bayes_seen
-rw-rwS--- 1 postfix www-data 5160960 2006-11-28 14:55 bayes_toks

Even if I change the permissions of bayes_journal, it keeps resetting
the permissions.

Any clues?

Thank you

From cristi at elvsoft.com Tue Nov 28 14:23:17 2006
From: cristi at elvsoft.com (Tomoiaga Cristian)
Date: Tue Nov 28 14:23:27 2006
Subject: Enable DCC
Message-ID: <018001c712f8$c2795770$6802a8c0@Marian>

Hello,
I am trying to get DCC to work in MailScanner.
Until now no luck.

Some output of spamassassin -D --lint

[25638] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
[25638] dbg: dcc: local tests only, disabling DCC

In spam.assassin.prefs.conf I have uncommented the following:

dcc_path /usr/local/bin/dccproc
use_dcc 1

Plugin is present in v310.pre and also dns is enabled in SA.
I am not sure about this but I think that if only local tests are enabled
then URIBL should not work, but it does.

I need some help or hints on this, thanks


Regards,

Tomoiaga Cristian

From edwardbruce at sbcglobal.net Tue Nov 28 14:26:39 2006
From: edwardbruce at sbcglobal.net (Ed Bruce)
Date: Tue Nov 28 14:26:43 2006
Subject: Please test: Last beta before 4.57 final release
In-Reply-To: <456C06BE.1000905@solidstatelogic.com>
References: <456AF14B.5020802@ecs.soton.ac.uk>
 <456B0E33.1070507@solidstatelogic.com>
 <456C06BE.1000905@solidstatelogic.com>
Message-ID: <456C471F.1040409@sbcglobal.net>

Martin Hepworth wrote:
> Jeff A. Earickson wrote:
>>
>>
>> On Mon, 27 Nov 2006, Martin Hepworth wrote:
>>
>>> Jules
>>>
>>> Problem with logging to the quarantine directories - its not
>>> happening at all.. ;-(
>>
>> Martin,
>>
>> Do you mean that messages that should be quarantined don't end up in
>> the quarantine directory? Any trace of where they go from your syslog?
>>
>> Just installed 4.57.4 on my Solaris 10 box, watching things now...
>>
>> Jeff Earickson
>> Colby College
>
> yes, they get delivered OK, Archived OK, but not placed in the
> quarantine directory.
>
>
Just checked this morning and MS failed to create today's quarantine
directory.

From edwardbruce at sbcglobal.net Tue Nov 28 14:29:06 2006
From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Tue Nov 28 14:29:10 2006 Subject: Please test: Last beta before 4.57 final release In-Reply-To: <456C06BE.1000905@solidstatelogic.com> References: <456AF14B.5020802@ecs.soton.ac.uk> <456B0E33.1070507@solidstatelogic.com> <456C06BE.1000905@solidstatelogic.com> Message-ID: <456C47B2.7010005@sbcglobal.net> Martin Hepworth wrote: > Jeff A. Earickson wrote: >> >> >> On Mon, 27 Nov 2006, Martin Hepworth wrote: >> >>> Jules >>> >>> Problem with logging to the quarantine directories - its not >>> happening at all.. ;-( >> >> Martin, >> >> Do you mean that messages that should be quarantined don't end up in >> the quarantine directory? Any trace of where they go from your syslog? >> >> Just installed 4.57.4 on my Solaris 10 box, watching things now... >> >> Jeff Earickson >> Colby College > > yes, they get delivered OK, Archived OK, but not placed in the > quarantine directory. > > So only infected or blocked email is not being saved. In my case spam and nonspam directories are not being created and no email is being archived. From glenn.steen at gmail.com Tue Nov 28 14:50:28 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 28 14:50:30 2006
Subject: bayes_journal - Bad permissions
In-Reply-To:
References:
Message-ID: <223f97700611280650t7e3eabc9i874c6186ab35acb7@mail.gmail.com>

On 28/11/06, Martin wrote:
> Hi,
>
> I keep getting permission errors when learning messages through Mailwatch:
>
> SA_Learn: bayes: bad permissions on journal, can't read:
> /var/spool/MailScanner/spamassassin/bayes_journal
>
> This is my permissions of /var/spool/MailScanner/spamassassin/:
>
> drwxrws--- 2 postfix www-data 12288 2006-11-28 14:57 .
> drwxr-xr-x 6 postfix postfix 4096 2006-04-24 17:07 ..
> -rw-rwS--- 1 postfix www-data 1331200 2006-11-28 14:57 auto-whitelist
> -rw------- 1 postfix www-data 10632 2006-11-28 14:57 bayes_journal
> -rw-rwS--- 1 postfix www-data 36 2006-11-28 14:55 bayes.mutex
> -rw-rwS--- 1 postfix www-data 1318912 2006-11-28 14:53 bayes_seen
> -rw-rwS--- 1 postfix www-data 5160960 2006-11-28 14:55 bayes_toks
>
> Even if I change the permissions of bayes_journal, it keeps resetting
> the permissions.
>
> Any clues?
>
Hi Martin,

(Apart from this being the wrong mailing list :-)... Have you set

bayes_file_mode 0770

(at least) in either /etc/mail/spamassassin/local.cf or
/etc/mail/spamassassin/mailscanner.cf ?

Why do you have them all with s? Effective group is immaterial, since
these aren't executable... The only one that might have the effect you
want is the "." directory one :-). Do a

chmod 0660 *

to clear that (no, it doesn't hurt anything either, and don't clear it
on the directory :-).

Then check in MailScanner.conf that you have:

Incoming Work Permissions = 0660
Quarantine Permissions = 0660

as well as the

Run As User = postfix
Run As Group = postfix
Quarantine User = postfix
Quarantine Group = www-data

Most important is the bayes_file_mode "mask".

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Nov 28 14:53:09 2006
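An added check for the exchange above (not from either poster): it parses the `ls -l` mode strings copied from Martin's listing and compares them with the mode a given bayes_file_mode would produce. It assumes SpamAssassin creates Bayes files with the execute bits of bayes_file_mode stripped and that the default is 0700; the function names are illustrative.

```python
import stat

# Regular-file lines copied from the listing in the post above.
LISTING = """\
-rw-rwS--- 1 postfix www-data 1331200 2006-11-28 14:57 auto-whitelist
-rw------- 1 postfix www-data 10632 2006-11-28 14:57 bayes_journal
-rw-rwS--- 1 postfix www-data 36 2006-11-28 14:55 bayes.mutex
-rw-rwS--- 1 postfix www-data 1318912 2006-11-28 14:53 bayes_seen
-rw-rwS--- 1 postfix www-data 5160960 2006-11-28 14:55 bayes_toks
"""

SPECIAL = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)


def parse_mode(text):
    """Convert an ls-style string such as '-rw-rwS---' to mode bits."""
    mode = 0
    for i, ch in enumerate(text[1:10]):
        bit = 0o400 >> i
        if i % 3 < 2:                 # read / write columns
            if ch != "-":
                mode |= bit
        else:                         # execute column, may carry s/S/t/T
            if ch in "xst":
                mode |= bit
            if ch in "sStT":
                mode |= SPECIAL[i // 3]
    return mode


def expected_file_mode(bayes_file_mode):
    """Mode of a newly created Bayes file: the setting minus execute bits
    (assumption stated in the lead-in)."""
    return bayes_file_mode & 0o666


def audit(listing, bayes_file_mode):
    """Return {filename: [findings]} for regular files in an ls -l listing."""
    want = expected_file_mode(bayes_file_mode)
    findings = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0].startswith("-"):
            continue                  # skip directories and blank lines
        mode = parse_mode(parts[0])
        notes = []
        if mode & 0o060 != 0o060:
            notes.append("group cannot read/write")
        if mode & stat.S_ISGID and not mode & 0o010:
            notes.append("setgid bit on a non-executable file")
        if mode & 0o777 != want:
            notes.append("differs from mode created by setting: %04o" % want)
        if notes:
            findings[parts[-1]] = notes
    return findings


if __name__ == "__main__":
    for setting in (0o700, 0o770):
        print("bayes_file_mode %04o -> new files %04o"
              % (setting, expected_file_mode(setting)))
        for name, notes in sorted(audit(LISTING, setting).items()):
            print("  %-15s %s" % (name, "; ".join(notes)))
```

With the assumed default, a re-created journal comes out as 0600, which matches the `-rw-------` in the listing and would explain why a manual chmod does not stick; with 0770 it would be created 0660, readable by the www-data group.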
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 28 14:53:13 2006
Subject: Enable DCC
In-Reply-To: <018001c712f8$c2795770$6802a8c0@Marian>
References: <018001c712f8$c2795770$6802a8c0@Marian>
Message-ID: <223f97700611280653o3aceb60bl6c77f3977ca6c8e@mail.gmail.com>

On 28/11/06, Tomoiaga Cristian wrote:
> Hello,
> I am trying to get DCC to work in MailScanner.
> Until now no luck.
>
> Some output of spamassassin -D --lint
>
> [25638] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
> [25638] dbg: dcc: local tests only, disabling DCC
>
> In spam.assassin.prefs.conf I have uncommented the following:
>
> dcc_path /usr/local/bin/dccproc
> use_dcc 1
>
> Plugin is present in v310.pre and also dns is enabled in SA.
> I am not sure about this but I think that if only local tests are enabled
> then URIBL should not work, but it does.
>
> I need some help or hints on this, thanks
>
>
> Regards,
>
> Tomoiaga Cristian

Since version 3.1.7 of SpamAssassin it no longer performs any network
tests when you run a lint, only syntactical tests are performed. To
check whether it really works, you need to run a message through like
this:

spamassassin -D -t < /path/to/message/file

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From cristi at elvsoft.com Tue Nov 28 15:01:57 2006
From: cristi at elvsoft.com (Tomoiaga Cristian)
Date: Tue Nov 28 15:02:11 2006
Subject: Enable DCC
In-Reply-To: <223f97700611280653o3aceb60bl6c77f3977ca6c8e@mail.gmail.com>
Message-ID:

You are right. After doing that, I got DCC check ok.
Thanks

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Tuesday, November 28, 2006 4:53 PM
To: MailScanner discussion
Subject: Re: Enable DCC

On 28/11/06, Tomoiaga Cristian wrote:
> Hello,
> I am trying to get DCC to work in MailScanner.
> Until now no luck.
>
> Some output of spamassassin -D --lint
>
> [25638] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
> [25638] dbg: dcc: local tests only, disabling DCC
>
> In spam.assassin.prefs.conf I have uncommented the following:
>
> dcc_path /usr/local/bin/dccproc
> use_dcc 1
>
> Plugin is present in v310.pre and also dns is enabled in SA.
> I am not sure about this but I think that if only local tests are enabled
> then URIBL should not work, but it does.
>
> I need some help or hints on this, thanks
>
>
> Regards,
>
> Tomoiaga Cristian

Since version 3.1.7 of SpamAssassin it no longer performs any network
tests when you run a lint, only syntactical tests are performed. To
check whether it really works, you need to run a message through like
this:

spamassassin -D -t < /path/to/message/file

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From dstraka at caspercollege.edu Tue Nov 28 15:56:50 2006
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Tue Nov 28 15:57:32 2006
Subject: Grep Patterns for MailScanner Statistics
Message-ID: <456BF9D2.61A4.0000.0@caspercollege.edu>

I've been trying to find a grep pattern to use with the mail log file to get an accurate count of:
1. Total Incoming Messages: (I'm using sendmail), been using (grep -c "daemon=MTA" mail)
2. Total Outgoing Messages: been using (grep -c "to=<" mail)
3. Messages identified as spam by MailScanner: been using (grep -c "actions are delete" mail)
4. Total number of messages sent and received: help!
Does anyone have a list of grep patterns they use and would like to share?

Dan Straka
Systems Coordinator
Casper College
307.268.2399

From carock at epconline.net Tue Nov 28 16:12:41 2006
From: carock at epconline.net (Chuck Rock) Date: Tue Nov 28 16:14:41 2006 Subject: use spamcop and bounce with spamcop response help. References: Message-ID: Scott Silva sgvwater.com> writes: > > Chuck Rock spake the following on 11/27/2006 7:47 AM: > > Scott Silva sgvwater.com> writes: > > > >> Chuck Rock spake the following on 11/26/2006 4:41 PM: > >>> I am bouncing messages with MailScanner that match the Spamcop list. > >>> > >>> I see in the latest version I'm using 4.56.8 you can modify message > > headers > >>> with actions. > >>> > >>> Is there a way to modify the message header to the spamcop address is > > listed > >>> with the proper IP like if you just used Sendmail to bounce it? > >>> > >>> This is what Spamcop tells you to di if you run Sendmail. > >>> > >>> FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: > >>> http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl > >>> > >>> I was thinking of adding the message header in MailScanner similar to this. > >>> > >>> Spam Actions = bounce header "X-Spam-Status: > >>> Yes : 'http://spamcop.net/bl.shtml?'(flagged_IP) > >>> > >>> Is there a syntax in Mailscanner to provide that IP to that header line so > > a > >>> person could get to the spamcop site with their IP address information? > >>> > >>> Thanks, > >>> Chuck > >>> > >> If you want that "feature", and are dropping the message anyway, why not just > >> drop it at the MTA. You will save yourself the load, and get the desired > >> result. You really should never bounce messages after you receive them. If > >> they are dropped during the connection phase, you get the rejection to the > >> proper server, but if you have received it, then all you have is the possibly > >> forged sender address to rely on. > > > > So basically, if I can have MailScanner skip the spam lists check altogether > > and just put the spamcop config in the proper sendmail config file for my > > inbound sendmail process? 
> > > > Is there another benefit of having MailScanner check the rbl's instead of or > > in addition to Sendmail? > > > > Thanks, > > Chuck > > > > > The only benefit I know of is if you want to store the bad stuff in > quarantine. The best in order are ; > MTA > Spamassassin > Mailscanner > > If you have no problem dropping every message that hits spamcop, then dropping > at the MTA is the safest and least processor intensive. After that, you have > the message on your server, and bouncing it will make you many enemies, and > maybe get you listed on a blacklist yourself. I am using sbl-xbl and > combined.njabl.org at the mta with no complaints. You should open up your > abuse and postmaster addresses, but spamassassin and mailscanner can catch a > lot of the garbage there. > Thanks everyone for the valuable input. I run a small ISP with a few thousand mailboxes and I'm very very tired of spending so much time and money to "handle" the onslaught of spam. I have too many customers complaining and when my servers have problems, all the business customers complain because they can't do business... I have received messages from Spamcop with enough information for me to find the problem. I would go as far to say that if a sender is listed in the spamcop database, I'm secure enough to assume it's for a good reason and whomever owns that IP, needs to know and do something about it. Bounces are good for me because they at least will let a legitimate sender know that their message didn't reach the destination and the server resources and bandwidth are not used. I guess one other bonus to using MailScanner would be that for certain recipients, I could make it ignore the spamlist test so if people really didn't want to reject messages from senders found in Spamcop, then I could allow that. Thanks again for your time. Chuck From jaearick at colby.edu Tue Nov 28 16:25:50 2006 
From: jaearick at colby.edu (Jeff A. Earickson) Date: Tue Nov 28 16:27:02 2006 Subject: 4.57.4: SA score big, yet delivered In-Reply-To: <456C3F47.4050809@hal9000.nl> References: <456C3F47.4050809@hal9000.nl> Message-ID: On Tue, 28 Nov 2006, Erik van der Leun wrote: > Date: Tue, 28 Nov 2006 14:53:11 +0100 > From: Erik van der Leun > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: 4.57.4: SA score big, yet delivered > > I've had this problem once (with an older version) > > The SpamAssassin Cache was the problem back then... > When I disabled this, it worked like a charm again... > > :) > Erik > >> On Mon, 27 Nov 2006, Jeff A. Earickson wrote: >> >>> Date: Mon, 27 Nov 2006 15:54:49 -0500 (EST) >>> From: Jeff A. Earickson >>> Reply-To: MailScanner discussion >>> To: mailscanner mailing list >>> Subject: 4.57.4: SA score big, yet delivered >>> >>> Gang, >>> >>> I've had to roll back to 4.56.7 because a bunch of spam got >>> delivered to people, including me, with no {Spam?} for a >>> score 5< x < 10, and no delete for High Spam. I've stared at my >>> debug output, nothing strange. The emails in question got properly >>> tagged with SA scores (in the header and in the syslog output). Yet >>> nothing got tagged in the Subject line >>> or deleted. Any ideas??? >> >> In my previous test, the MailScanner.conf file had: >> >> Spam Modify Subject = start >> >> I changed the "start" to "yes" to see if it makes a difference. Nope. >> Spam gets scored properly and then gets delivered, no matter what. >> Thanks for the tip on the SA cache. I stopped MS, blew away the SA cache.db file, changed the symlink to MS 4.57.4, restarted. Same result, spam sails right thru to delivery, no change. Bummer. :( Jeff Earickson Colby College From Denis.Beauchemin at USherbrooke.ca Tue Nov 28 16:39:35 2006 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Nov 28 16:39:53 2006
Subject: Grep Patterns for MailScanner Statistics
In-Reply-To: <456BF9D2.61A4.0000.0@caspercollege.edu>
References: <456BF9D2.61A4.0000.0@caspercollege.edu>
Message-ID: <456C6647.7030709@USherbrooke.ca>

Daniel Straka wrote:
> I've been trying to find a grep pattern to use with the mail log file to
> get an accurate count of:
> 1. Total Incoming Messages: (I'm using sendmail), been using (grep -c
> "daemon=MTA" mail)
> 2. Total Outgoing Messages: been using (grep -c "to=<" mail)
> 3. Messages identified as spam by MailScanner: been using (grep -c
> "actions are delete" mail)
> 4. Total number of messages sent and received: help!
> Does anyone have a list of grep patterns they use and would like to
> share?
>

Dan,

You can't use these grep to differentiate between incoming and outgoing messages because all messages have a "to=<". I think you would have to look at the IP address of the sender that you can find on the "from=" line:

Nov 28 00:15:15 smtpe3 sendmail[8590]: kAS5F3JI008590: from=<.....@.....>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[218.201.66.34]

Look at the "relay=" for the IP address. Then decide which ones are incoming and outgoing based on that information.

I use Mailscanner-MRTG for this kind of information while others use MailWatch. Look into the wiki for pointers to both.

Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From Richard.Frovarp at sendit.nodak.edu Tue Nov 28 16:54:52 2006
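The approach from the reply above in the "Grep Patterns for MailScanner Statistics" thread (classify by the "relay=" address on the sendmail "from=" line instead of grepping for "to=<"), as an added example that is not part of the original thread. The local network prefixes and every log line except the one quoted in the thread are constructed for illustration; lines with nrcpts=0 had no accepted recipient and are tallied separately.

```shell
#!/bin/sh
# Added example: split sendmail "from=" log lines into incoming and outgoing
# by the IPv4 address in relay=[...].

# Assumption: IPv4 prefixes of the networks your own clients send from.
LOCAL_PREFIXES="192.0.2. 10."

# Constructed sample log. Only the first line is taken from the thread.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 28 00:15:15 smtpe3 sendmail[8590]: kAS5F3JI008590: from=<.....@.....>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[218.201.66.34]
Nov 28 00:15:20 smtpe3 sendmail[8601]: kAS5FKJI008601: from=<alice@example.org>, size=2310, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
Nov 28 00:15:31 smtpe3 sendmail[8610]: kAS5FVJI008610: from=<news@example.net>, size=9120, class=0, nrcpts=10, msgid=<2@example.net>, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
Nov 28 00:16:02 smtpe3 sendmail[8622]: kAS5G2JI008622: from=<staff@example.edu>, size=1200, class=0, nrcpts=2, msgid=<3@example.edu>, proto=ESMTP, daemon=MTA, relay=pc25.example.edu [192.0.2.25]
Nov 28 00:16:10 smtpe3 sendmail[8630]: kAS5GAJI008630: from=<web@example.edu>, size=800, class=0, nrcpts=1, msgid=<4@example.edu>, proto=ESMTP, daemon=MTA, relay=[10.1.2.3]
Nov 28 00:16:44 smtpe3 sendmail[8641]: kAS5GiJI008641: from=<bob@example.com>, size=4100, class=0, nrcpts=1, msgid=<5@example.com>, proto=ESMTP, daemon=MTA, relay=[100.64.0.5]
Nov 28 00:17:00 smtpe3 sendmail[8650]: kAS5H0JI008650: from=root, size=512, class=0, nrcpts=1, msgid=<6@smtpe3>, relay=root@localhost
Nov 28 00:17:05 smtpe3 sendmail[8710]: kAS5FKJI008601: to=<carol@example.edu>, delay=00:01:45, mailer=esmtp, pri=32310, relay=mail.example.edu. [192.0.2.10], dsn=2.0.0, stat=Sent
Nov 28 00:17:10 smtpe3 MailScanner[2200]: Spam Actions: message kAS5FVJI008610 actions are delete
EOF
}

# classify_mail_log LOGFILE "PREFIX PREFIX ..."
# Prints one line: incoming=N outgoing=N norcpt=N unknown=N
classify_mail_log() {
    awk -v nets="$2" '
    BEGIN { n = split(nets, pfx, " "); inc = out = norcpt = unk = 0 }

    # Keep only sendmail "from=" lines: exactly one is logged per message,
    # whereas "to=" lines appear for every delivery attempt in either direction.
    $0 !~ /sendmail\[[0-9]+\]: [A-Za-z0-9]+: from=/ { next }

    # nrcpts=0: no recipient was accepted, so nothing was queued.
    /nrcpts=0,/ { norcpt++; next }

    {
        ip = ""
        # relay= is "host [a.b.c.d]" or "[a.b.c.d]"; take the bracketed IPv4.
        if (match($0, /relay=.*$/)) {
            relay = substr($0, RSTART, RLENGTH)
            if (match(relay, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/))
                ip = substr(relay, RSTART + 1, RLENGTH - 2)
        }
        # Local submissions (relay=user@localhost) and IPv6 relays land here.
        if (ip == "") { unk++; next }

        # Sender on one of our own networks: outgoing. Anything else: incoming.
        for (i = 1; i <= n; i++)
            if (index(ip, pfx[i]) == 1) { out++; next }
        inc++
    }

    END {
        printf "incoming=%d outgoing=%d norcpt=%d unknown=%d\n", inc, out, norcpt, unk
    }
    ' "$1"
}

# Demo run on the constructed sample.
log=$(mktemp)
write_sample_log "$log"
classify_mail_log "$log" "$LOCAL_PREFIXES"
rm -f "$log"
```

Prefixes must end with a dot ("10." rather than "10") so that 100.64.0.5 is not mistaken for a 10.x address.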
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Tue Nov 28 16:54:55 2006
Subject: 70k mqueue.in but load under 1 ??
In-Reply-To:
References: <57573D714A832C43B9D80EAFBDA48D0302BAC46E@inex3.herffjones.hj-int>
Message-ID: <456C69DC.50402@sendit.nodak.edu>

Tony Johansson wrote:
> I've added sbl-xbl.spamhaus.org, dnsbl.sorbs.net and relays.ordb.org
> at the MTA level as well as upped greet_pause to 10 seconds.
>
> The queue problem is now gone (for the moment) but I still don't get
> how a mailscanner installation could drop to under 1 in load and just
> sit there watching the queue build.
>
> Would it be possible to define some dynamic variables? Load under 1,
> queue over 1k - start another mailscanner child (or whatever appropriate)
>
>
> Regards, Tony

If the queue is still building up, something is most likely timing out. Are you running Pyzor, Razor, or DCC? Using any odd URIBLs or DNSBLs that could be timing out? Several months ago Pyzor timed out (10 seconds per message) on me for a while, that really hurt performance. Do a lint or debug and see if anything hangs for a noticeable time period as Glenn suggested.

From AHKAPLAN at PARTNERS.ORG Tue Nov 28 17:45:41 2006
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.)
Date: Tue Nov 28 17:45:50 2006
Subject: Allowing .bmp files
Message-ID: <9C63A4713C4E3342B90428CE44806A7302679A59@PHSXMB5.partners.org>

Hi there -

Several of our users get messages with .bmp files included as attachments. The current settings of our MailScanner/ClamAV configuration do not allow these files to get through. The request has been made to allow these files. To allow this, my plan was to modify the filename.rules.conf file by commenting out the following line:

deny \.bmp$ Windows bitmap...

After that, my next step would be adding the following line further down in the file:

allow \.bmp$ - -

After that, I would restart the mail server. Will this approach work, or is there a better way? Thanks.

From ssilva at sgvwater.com Tue Nov 28 18:49:19 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Nov 28 18:50:11 2006 Subject: use spamcop and bounce with spamcop response help. In-Reply-To: References: Message-ID: Chuck Rock spake the following on 11/28/2006 8:12 AM: > Scott Silva sgvwater.com> writes: > >> Chuck Rock spake the following on 11/27/2006 7:47 AM: >>> Scott Silva sgvwater.com> writes: >>> >>>> Chuck Rock spake the following on 11/26/2006 4:41 PM: >>>>> I am bouncing messages with MailScanner that match the Spamcop list. >>>>> >>>>> I see in the latest version I'm using 4.56.8 you can modify message >>> headers >>>>> with actions. >>>>> >>>>> Is there a way to modify the message header to the spamcop address is >>> listed >>>>> with the proper IP like if you just used Sendmail to bounce it? >>>>> >>>>> This is what Spamcop tells you to di if you run Sendmail. >>>>> >>>>> FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: >>>>> http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl >>>>> >>>>> I was thinking of adding the message header in MailScanner similar to > this. >>>>> Spam Actions = bounce header "X-Spam-Status: >>>>> Yes : 'http://spamcop.net/bl.shtml?'(flagged_IP) >>>>> >>>>> Is there a syntax in Mailscanner to provide that IP to that header line > so >>> a >>>>> person could get to the spamcop site with their IP address information? >>>>> >>>>> Thanks, >>>>> Chuck >>>>> >>>> If you want that "feature", and are dropping the message anyway, why not > just >>>> drop it at the MTA. You will save yourself the load, and get the desired >>>> result. You really should never bounce messages after you receive them. If >>>> they are dropped during the connection phase, you get the rejection to the >>>> proper server, but if you have received it, then all you have is the > possibly >>>> forged sender address to rely on. 
>>> So basically, if I can have MailScanner skip the spam lists check > altogether >>> and just put the spamcop config in the proper sendmail config file for my >>> inbound sendmail process? >>> >>> Is there another benefit of having MailScanner check the rbl's instead of > or >>> in addition to Sendmail? >>> >>> Thanks, >>> Chuck >>> >>> >> The only benefit I know of is if you want to store the bad stuff in >> quarantine. The best in order are ; >> MTA >> Spamassassin >> Mailscanner >> >> If you have no problem dropping every message that hits spamcop, then > dropping >> at the MTA is the safest and least processor intensive. After that, you have >> the message on your server, and bouncing it will make you many enemies, and >> maybe get you listed on a blacklist yourself. I am using sbl-xbl and >> combined.njabl.org at the mta with no complaints. You should open up your >> abuse and postmaster addresses, but spamassassin and mailscanner can catch a >> lot of the garbage there. >> > > Thanks everyone for the valuable input. I run a small ISP with a few thousand > mailboxes and I'm very very tired of spending so much time and money > to "handle" the onslaught of spam. I have too many customers complaining and > when my servers have problems, all the business customers complain because > they can't do business... > > I have received messages from Spamcop with enough information for me to find > the problem. I would go as far to say that if a sender is listed in the > spamcop database, I'm secure enough to assume it's for a good reason and > whomever owns that IP, needs to know and do something about it. Bounces are > good for me because they at least will let a legitimate sender know that their > message didn't reach the destination and the server resources and bandwidth > are not used. 
I guess one other bonus to using MailScanner would be that for > certain recipients, I could make it ignore the spamlist test so if people > really didn't want to reject messages from senders found in Spamcop, then I > could allow that. > > Thanks again for your time. > > Chuck > > As was stated before, a bounce is usually not good, but if they get a reject at the MTA, that is totally different. A bounce will imply that you recieved the message and are returning it. But when you use the blacklists you in effect stop the sending server as it starts to "talk" to your receiving server and tell it to "stop! I don't want this message!" A bounce will be at the mercy of any forgery in the message, but the MTA is in direct communication during the transaction, and doesn't need to rely on those forged addresses. And you can also "whitelist" certain addresses at the MTA of you want to exempt certain senders or recipients from the MTA blacklists. In sendmail, this is fairly easy, so the postfix and exim people can jump in and say that it is easy there also. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Nov 28 18:51:48 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Nov 28 18:55:36 2006 Subject: 70k mqueue.in but load under 1 ?? In-Reply-To: <456C69DC.50402@sendit.nodak.edu> References: <57573D714A832C43B9D80EAFBDA48D0302BAC46E@inex3.herffjones.hj-int> <456C69DC.50402@sendit.nodak.edu> Message-ID: Richard Frovarp spake the following on 11/28/2006 8:54 AM: > Tony Johansson wrote: >> I've added sbl-xbl.spamhaus.org, dnsbl.sorbs.net and relays.ordb.org >> at the MTA level as well as upped greet_pause to 10 seconds. >> >> The queue problem is now gone (for the moment) but I still dont get >> how a mailscanner installation could drop to under 1 in load and just >> sit there watching the queue build. >> >> Would it be possible do define some dynamic variables? Load under 1, >> queue over 1k - start another mailscanner child (or whatever appropriate) >> >> >> Regards, Tony > > If the queue is still building up, something is most likely timing out. > Are you running Pyzor, Razor, or DCC? Using any odd URIBLs or DNSBLs > that could be timing out? Several months ago Pyzor timed out (10 seconds > per message) on me for a while, that really hurt performance. Do a lint > or debug and see if anything hangs for a noticeable time period as Glenn > suggested. Pyzor times out quite regularly as the Pyzor server seems to have trouble keeping up with the load. There is a thread about an alternate server, but I suppose that as more people find out about that one it will start to timeout also. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Richard.Frovarp at sendit.nodak.edu Tue Nov 28 19:20:09 2006 
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Tue Nov 28 19:20:12 2006 Subject: 70k mqueue.in but load under 1 ?? In-Reply-To: References: <57573D714A832C43B9D80EAFBDA48D0302BAC46E@inex3.herffjones.hj-int> <456C69DC.50402@sendit.nodak.edu> Message-ID: <456C8BE9.5010805@sendit.nodak.edu> Scott Silva wrote: > Richard Frovarp spake the following on 11/28/2006 8:54 AM: > >> Tony Johansson wrote: >> >>> I've added sbl-xbl.spamhaus.org, dnsbl.sorbs.net and relays.ordb.org >>> at the MTA level as well as upped greet_pause to 10 seconds. >>> >>> The queue problem is now gone (for the moment) but I still dont get >>> how a mailscanner installation could drop to under 1 in load and just >>> sit there watching the queue build. >>> >>> Would it be possible do define some dynamic variables? Load under 1, >>> queue over 1k - start another mailscanner child (or whatever appropriate) >>> >>> >>> Regards, Tony >>> >> If the queue is still building up, something is most likely timing out. >> Are you running Pyzor, Razor, or DCC? Using any odd URIBLs or DNSBLs >> that could be timing out? Several months ago Pyzor timed out (10 seconds >> per message) on me for a while, that really hurt performance. Do a lint >> or debug and see if anything hangs for a noticeable time period as Glenn >> suggested. >> > Pyzor times out quite regularly as the Pyzor server seems to have trouble > keeping up with the load. There is a thread about an alternate server, but I > suppose that as more people find out about that one it will start to timeout also. > > I have since switched to Razor and have not had an issue. 10 seconds per message for a timeout can be brutal at 200K messages/day (our volume at time which of course has increased). The timeout can be changed in the configuration as well. From taz at taz-mania.com Tue Nov 28 19:39:24 2006 
From: taz at taz-mania.com (Dennis Willson)
Date: Tue Nov 28 19:39:27 2006
Subject: New Milter coming
In-Reply-To: <456C8BE9.5010805@sendit.nodak.edu>
Message-ID:

I have been writing a milter I call milter-spamtrap. It allows an active sendmail server to also be a spamtrap or honeypot.

You can have email addresses within a domain that is actually used for real users or dedicate entire domains or any combination of both as your honeypots.

Upon receiving an email for an email address defined as a honeypot/SpamTrap, the milter will log the IP address and optionally the headers and/or body of the email in either a text file or to a MySQL database or both. It can cache in memory the IP addresses of offending servers and from then on block them upon connection.

A future enhancement will be to scan the database via a cron job and create a DNSBL zone file for publishing a blacklist. The saved headers/body can be used as evidence as to why a server was blacklisted. Many, many configurable options including Whitelisting via CIDR block so some servers will never be listed as an offending server if you want.

I believe I will have it ready for Beta (although I am testing/using it myself right now) sometime next week. I'm 'pre-announcing' so that if there is any interest I will package it for others to use and make it available and I need to do additional documentation if others are going to use it. If there's no interest I will just use it myself.

--------------------------------------------------
Dennis Willson
taz@taz-mania.com
http://www.taz-mania.com

Ham (Extra Class): ka6lsw
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender

Owner: Kepnet Internet Services

Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!"
From dyioulos at firstbhph.com Tue Nov 28 20:05:46 2006
From: dyioulos at firstbhph.com (Dimitri)
Date: Tue Nov 28 20:10:09 2006
Subject: MCP and sa-update
References: <1951DC816E1A9F469307B05FA183F4385FF825@corpatsmail1.corp.sensis.com>
Message-ID:

Desai, Jason sensis.com> writes:

[CLIP]

> I have come across what I think is a bug in MCP. It appears to pick up
> rules from sa-update when doing MCP checks, causing a higher MCP score
> and possible false positives.

[CLIP]

Any update on this issue, as I'm facing it too?

Dimitri

From alex at nkpanama.com Tue Nov 28 20:10:57 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Tue Nov 28 20:13:37 2006
Subject: Allowing .bmp files
In-Reply-To: <9C63A4713C4E3342B90428CE44806A7302679A59@PHSXMB5.partners.org>
References: <9C63A4713C4E3342B90428CE44806A7302679A59@PHSXMB5.partners.org>
Message-ID: <456C97D1.8020901@nkpanama.com>

Just commenting out the deny line will work, although adding the allow *before* the "deny double extensions" would allow you to receive "filename.no.1.bmp", which would be blocked by the "double extensions rule", for example.

Kaplan, Andrew H. wrote:
> Hi there -
>
> Several of our users get messages with .bmp files included as
> attachments. The current settings of our MailScanner/ClamAV configuration
> does not allow these files to get through. The request has been made to
> allow these files. To allow this, my plan was to modify the
> filename.rules.conf
> file by commenting out the following line:
>
> deny \.bmp$ Windows bitmap...
>
> After that, my next step would be adding the following line further down
> in the file:
>
> allow \.bmp$ - -
>
> After that, I would restart the mail server. Will this approach work, or
> is there a better way? Thanks.
>

From taz at taz-mania.com Tue Nov 28 20:26:09 2006
From: taz at taz-mania.com (Dennis Willson) Date: Tue Nov 28 20:26:12 2006 Subject: New Milter coming In-Reply-To: <20061128151359.CAA7.GERARD@seibercom.net> Message-ID: I don't use postfix and I have not looked at their interface so probably not. I will do some looking around for their interface information and see what it would take to make it work there. On Tue, 28 Nov 2006 15:14:01 -0500 Gerard Seibert wrote: >On Tuesday November 28, 2006 at 02:39:24 (PM) Dennis Willson wrote: > >> I have been writing a milter I call milter-spamtrap. It allows an >> active sendmail server to also be a spamtrap or honeypot. >> >> You can have email addresses within a domain that is actually used >>for >> real users or dedicate entire domains or any combination of both as >> your honeypots. >> >> Upon receiving an email for an email address defined as a >> honeypot/SpamTrap, the milter will log the IP address and optionally >> the headers and/or body of the email in either a text file or to a >> MySQL database or both. It can cache in memory the IP addresses of >> offending servers and from then on block them upon connection. >> >> A future enhancement will be to scan the database via a cron job and >> create a DNSBL zone file for publishing a blacklist. The saved >> headers/body can be used as evidence as to why a server was >> blacklisted. Many, many configurable options including Whitelisting >> via CIDR block so some servers will never be listed as an offending >> server if you want. >> >> I believe I will have it ready for Beta (although I am testing/using >> it myself right now) sometime next week. I'm 'pre-announceing' so >>that >> if there is any interest I will package it for others to use and >>make >> it available and I need to do additional documenation if others are >> going to use it. If there's no interest I will just use it myself. > > >Will this milter be compatible with Postfix. I presently have the >development version -- 2.4 -- installed. 
I know that clamav-milter >does >not work correctly which is one of the reasons I abandoned it. > > >-- >Gerard -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham (Extra Class): ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From ka at pacific.net Tue Nov 28 23:34:41 2006 From: ka at pacific.net (Ken A) Date: Tue Nov 28 23:32:11 2006 Subject: sa caching mechanism Message-ID: <456CC791.9060505@pacific.net> Is there any way to tell MailScanner that some SA scores should NOT be cached? I'd like to be able to have MailScanner cache scores unless certain (per user) SA rules are hit. For example: If a milter puts a header into a message that is based on a user preference that is later used by SA to subtract or add to that message's score, I'd like that score to NOT be cached, since it should only apply to that message. I know Julian is quite busy, so I'm going to go beat on the code, but hoping perhaps someone else has come across this? Thanks, Ken A Pacific.Net From csweeney at osubucks.org Tue Nov 28 23:32:54 2006 
From: csweeney at osubucks.org (Chris Sweeney) Date: Tue Nov 28 23:33:15 2006 Subject: New Milter coming In-Reply-To: References: Message-ID: <456CC726.1060504@osubucks.org> Sounds interesting I would be interested in checking it out. Dennis Willson wrote: > I have been writing a milter I call milter-spamtrap. It allows an > active sendmail server to also be a spamtrap or honeypot. > You can have email addresses within a domain that is actually used for > real users or dedicate entire domains or any combination of both as > your honeypots. > > Upon receiving an email for an email address defined as a > honeypot/SpamTrap, the milter will log the IP address and optionally > the headers and/or body of the email in either a text file or to a > MySQL database or both. It can cache in memory the IP addresses of > offending servers and from then on block them upon connection. > > A future enhancement will be to scan the database via a cron job and > create a DNSBL zone file for publishing a blacklist. The saved > headers/body can be used as evidence as to why a server was > blacklisted. Many, many configurable options including Whitelisting > via CIDR block so some servers will never be listed as an offending > server if you want. > > I believe I will have it ready for Beta (although I am testing/using > it myself right now) sometime next week. I'm 'pre-announceing' so that > if there is any interest I will package it for others to use and make > it available and I need to do additional documenation if others are > going to use it. If there's no interest I will just use it myself. 
>
> --------------------------------------------------
> Dennis Willson
>
> taz@taz-mania.com
> http://www.taz-mania.com
>
> Ham (Extra Class): ka6lsw
> Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer,
> Gas Blender
>
> Owner: Kepnet Internet Services
>
> Life should not be a journey to the grave with the intention of
> arriving safely in a nice looking and well preserved body, but rather
> to skid in broadside, thoroughly used up, totally worn out, and loudly
> proclaiming, "WOW! WHAT A RIDE!"

From gordon at itnt.co.za Wed Nov 29 04:39:07 2006
From: gordon at itnt.co.za (Gordon Colyn)
Date: Wed Nov 29 04:39:22 2006
Subject: New Milter coming
References:
Message-ID: <013001c71370$51dab0e0$0d02a8c0@Gordon>

Sounds good. Please send it to me, will test to for you with plsr.

----- Original Message -----
From: "Dennis Willson" To: "MailScanner discussion" Sent: Tuesday, November 28, 2006 9:39 PM Subject: New Milter coming I have been writing a milter I call milter-spamtrap. It allows an active sendmail server to also be a spamtrap or honeypot. You can have email addresses within a domain that is actually used for real users or dedicate entire domains or any combination of both as your honeypots. Upon receiving an email for an email address defined as a honeypot/SpamTrap, the milter will log the IP address and optionally the headers and/or body of the email in either a text file or to a MySQL database or both. It can cache in memory the IP addresses of offending servers and from then on block them upon connection. A future enhancement will be to scan the database via a cron job and create a DNSBL zone file for publishing a blacklist. The saved headers/body can be used as evidence as to why a server was blacklisted. Many, many configurable options including Whitelisting via CIDR block so some servers will never be listed as an offending server if you want. I believe I will have it ready for Beta (although I am testing/using it myself right now) sometime next week. I'm 'pre-announceing' so that if there is any interest I will package it for others to use and make it available and I need to do additional documenation if others are going to use it. If there's no interest I will just use it myself. -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham (Extra Class): ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" 
From glenn.steen at gmail.com Wed Nov 29 07:31:41 2006
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 29 07:31:45 2006 Subject: use spamcop and bounce with spamcop response help. In-Reply-To: References: Message-ID: <223f97700611282331s230c33fbhdc69a80008515c97@mail.gmail.com> On 28/11/06, Scott Silva wrote: > Chuck Rock spake the following on 11/28/2006 8:12 AM: > > Scott Silva sgvwater.com> writes: > > > >> Chuck Rock spake the following on 11/27/2006 7:47 AM: > >>> Scott Silva sgvwater.com> writes: > >>> > >>>> Chuck Rock spake the following on 11/26/2006 4:41 PM: > >>>>> I am bouncing messages with MailScanner that match the Spamcop list. > >>>>> > >>>>> I see in the latest version I'm using 4.56.8 you can modify message > >>> headers > >>>>> with actions. > >>>>> > >>>>> Is there a way to modify the message header to the spamcop address is > >>> listed > >>>>> with the proper IP like if you just used Sendmail to bounce it? > >>>>> > >>>>> This is what Spamcop tells you to di if you run Sendmail. > >>>>> > >>>>> FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: > >>>>> http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl > >>>>> > >>>>> I was thinking of adding the message header in MailScanner similar to > > this. > >>>>> Spam Actions = bounce header "X-Spam-Status: > >>>>> Yes : 'http://spamcop.net/bl.shtml?'(flagged_IP) > >>>>> > >>>>> Is there a syntax in Mailscanner to provide that IP to that header line > > so > >>> a > >>>>> person could get to the spamcop site with their IP address information? > >>>>> > >>>>> Thanks, > >>>>> Chuck > >>>>> > >>>> If you want that "feature", and are dropping the message anyway, why not > > just > >>>> drop it at the MTA. You will save yourself the load, and get the desired > >>>> result. You really should never bounce messages after you receive them. 
If > >>>> they are dropped during the connection phase, you get the rejection to the > >>>> proper server, but if you have received it, then all you have is the > > possibly > >>>> forged sender address to rely on. > >>> So basically, if I can have MailScanner skip the spam lists check > > altogether > >>> and just put the spamcop config in the proper sendmail config file for my > >>> inbound sendmail process? > >>> > >>> Is there another benefit of having MailScanner check the rbl's instead of > > or > >>> in addition to Sendmail? > >>> > >>> Thanks, > >>> Chuck > >>> > >>> > >> The only benefit I know of is if you want to store the bad stuff in > >> quarantine. The best in order are ; > >> MTA > >> Spamassassin > >> Mailscanner > >> > >> If you have no problem dropping every message that hits spamcop, then > > dropping > >> at the MTA is the safest and least processor intensive. After that, you have > >> the message on your server, and bouncing it will make you many enemies, and > >> maybe get you listed on a blacklist yourself. I am using sbl-xbl and > >> combined.njabl.org at the mta with no complaints. You should open up your > >> abuse and postmaster addresses, but spamassassin and mailscanner can catch a > >> lot of the garbage there. > >> > > > > Thanks everyone for the valuable input. I run a small ISP with a few thousand > > mailboxes and I'm very very tired of spending so much time and money > > to "handle" the onslaught of spam. I have too many customers complaining and > > when my servers have problems, all the business customers complain because > > they can't do business... > > > > I have received messages from Spamcop with enough information for me to find > > the problem. I would go as far to say that if a sender is listed in the > > spamcop database, I'm secure enough to assume it's for a good reason and > > whomever owns that IP, needs to know and do something about it. 
Bounces are > > good for me because they at least will let a legitimate sender know that their > > message didn't reach the destination and the server resources and bandwidth > > are not used. I guess one other bonus to using MailScanner would be that for > > certain recipients, I could make it ignore the spamlist test so if people > > really didn't want to reject messages from senders found in Spamcop, then I > > could allow that. > > > > Thanks again for your time. > > > > Chuck > > > > > As was stated before, a bounce is usually not good, but if they get a reject > at the MTA, that is totally different. A bounce will imply that you received > the message and are returning it. But when you use the blacklists you in > effect stop the sending server as it starts to "talk" to your receiving server > and tell it to "stop! I don't want this message!" A bounce will be at the > mercy of any forgery in the message, but the MTA is in direct communication > during the transaction, and doesn't need to rely on those forged addresses. Just to make it real clear: Rejections will also result in a "bounce" (well... Non Delivery Notice ...) being sent to the sender of legitimate mail... Only difference is that it is the responsibility of the sending MTA (!=yours) to generate it. For spam, there might be no MTA in the other end, so ... :-). If law and policy permit you to reject via BLs at the MTA, then for $DEITY's sake, do so. > And you can also "whitelist" certain addresses at the MTA if you want to > exempt certain senders or recipients from the MTA blacklists. In sendmail, > this is fairly easy, so the postfix and exim people can jump in and say that > it is easy there also. > Jump jump:-). -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martin.lyberg at gmail.com Wed Nov 29 08:14:22 2006 
From: martin.lyberg at gmail.com (Martin)
Date: Wed Nov 29 08:14:59 2006
Subject: bayes_journal - Bad permissions
In-Reply-To: <223f97700611280650t7e3eabc9i874c6186ab35acb7@mail.gmail.com>
References: <223f97700611280650t7e3eabc9i874c6186ab35acb7@mail.gmail.com>
Message-ID:

Glenn Steen wrote:

> Hej Martin,

Hej Glenn :)

>
> (Apart from this being the wrong mailing list:-)... Have you set
> bayes_file_mode 0770
> (at least) in either /etc/mail/spamassassin/local.cf or
> /etc/mail/spamassassin/mailscanner.cf ?

Yes, 0770 is set in /etc/MailScanner/spam.assassin.prefs.conf:

bayes_file_mode 0770

> Why do you have them all with s? Effective group is immaterial, since
> these aren't executable... The only one that might have the effect you
> want is the "." directory one:-). Do a
> chmod 0660 *
> to clear that (no, it doesn't hurt anything either, and don't clear it
> on the directory:-).

I changed it to +s yesterday when I read in a thread in this list (or in the mailwatch-list) about someone having the same problem.

Anyway, I've changed /var/spool/MailScanner/spamassassin/ back to 0660 now. As it was before.

>
> Then check in MailScanner.conf that you have:
> Incoming Work Permissions = 0660
> Quarantine Permissions = 0660
> as well as the
> Run As User = postfix
> Run As Group = postfix
> Quarantine User = postfix
> Quarantine Group = www-data

There was one difference in my config.

My Incoming Work Permissions was set to 0600, and not 0660. Could this have been causing the problem? I've changed it now and will see if it helps.

>
> Most important is the bayes_file_mode "mask".
>

/ Martin

From glenn.steen at gmail.com Wed Nov 29 09:03:58 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 29 09:04:01 2006
Subject: sa caching mechanism
In-Reply-To: <456CC791.9060505@pacific.net>
References: <456CC791.9060505@pacific.net>
Message-ID: <223f97700611290103r2ebdc29btf56175f00e1d9f5a@mail.gmail.com>

On 29/11/06, Ken A wrote:
>
> Is there any way to tell MailScanner that some SA scores should NOT be
> cached? I'd like to be able to have MailScanner cache scores unless
> certain (per user) SA rules are hit.
>
> For example: If a milter puts a header into a message that is based on a
> user preference that is later used by SA to subtract or add to that
> message's score, I'd like that score to NOT be cached, since it should
> only apply to that message.
>
> I know Julian is quite busy, so I'm going to go beat on the code, but
> hoping perhaps someone else has come across this?
>

Not much help, but the "Cache SpamAssassin Results" setting can be a ruleset... And it could be a CustomFunction... So if you can (somehow) in that function get hold of the info you need to decide, that would likely be the best way to go.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Nov 29 09:25:46 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 29 09:25:49 2006
Subject: bayes_journal - Bad permissions
In-Reply-To:
References: <223f97700611280650t7e3eabc9i874c6186ab35acb7@mail.gmail.com>
Message-ID: <223f97700611290125y49fb3e96mea2134450d0d3dc7@mail.gmail.com>

On 29/11/06, Martin wrote:
> Glenn Steen wrote:
>
> > Hej Martin,
>
> Hej Glenn :)

We'll have to be careful with using Swedish here... Otherwise the "bork-bork-bork" fanatics will start up...:-)

> >
> > (Apart from this being the wrong mailing list:-)... Have you set
> > bayes_file_mode 0770
> > (at least) in either /etc/mail/spamassassin/local.cf or
> > /etc/mail/spamassassin/mailscanner.cf ?
>
> Yes, 0770 is set in /etc/MailScanner/spam.assassin.prefs.conf:
>
> bayes_file_mode 0770

Good.

> > Why do you have them all with s? Effective group is immaterial, since
> > these aren't executable... The only one that might have the effect you
> > want is the "." directory one:-). Do a
> > chmod 0660 *
> > to clear that (no, it doesn't hurt anything either, and don't clear it
> > on the directory:-).
>
> I've changed it to +s yesterday when i read in a thread in this list (or
> in the mailwatch-list) about someone having the same problem.

Hm, let me demonstrate why setgid is a good idea for directories (and not much else:-):

[root@mail ~]# mkdir a
[root@mail ~]# chown glenn.glenn a
[root@mail ~]# touch a/a
[root@mail ~]# ls -la a
totalt 12
drwxr-xr-x 2 glenn glenn 4096 nov 29 10:18 ./
drwx------ 69 root root 8192 nov 29 10:18 ../
-rw-r--r-- 1 root root 0 nov 29 10:18 a
[root@mail ~]# chmod 2755 a
[root@mail ~]# touch a/b
[root@mail ~]# ls -la a
totalt 12
drwxr-sr-x 2 glenn glenn 4096 nov 29 10:19 ./
drwx------ 69 root root 8192 nov 29 10:18 ../
-rw-r--r-- 1 root root 0 nov 29 10:18 a
-rw-r--r-- 1 root glenn 0 nov 29 10:19 b
[root@mail ~]#

... as you can see, after setting the setgid bit on the directory, files put into that directory are "forced" to be owned by the directory's group. This piece of "magic" isn't present in all *nix systems, so do try it before setting it. Setting the setgid bit has no real effect on regular files (hence "ls -l" showing it as capital S). So not really a problem, but not beneficial either.
No such "magic" exists for directories and the setuid bit, so that shouldn't be set either.

> Anyway, i've changed /var/spool/MailScanner/spamassassin/ back to 0660
> now. As it was before.

I hope you meant that you set the _files_ in /var/spool/MailScanner/spamassassin/ to 0660, not the directory... That should be mode 2770, in your case;-).

> > Then check in MailScanner.conf that you have:
> > Incoming Work Permissions = 0660
> > Quarantine Permissions = 0660
> > as well as the
> > Run As User = postfix
> > Run As Group = postfix
> > Quarantine User = postfix
> > Quarantine Group = www-data
>
> There were one difference in my config.
>
> my Incoming Work Permissions was set to 0600, and not 0660. Could this
> been causing the problem? I've changed it now and will see if it helps.

Yes, that seems rather likely.

> > Most important is the bayes_file_mode "mask".
> >

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martin.lyberg at gmail.com Wed Nov 29 10:04:19 2006
From: martin.lyberg at gmail.com (Martin)
Date: Wed Nov 29 10:04:51 2006
Subject: bayes_journal - Bad permissions
In-Reply-To: <223f97700611290125y49fb3e96mea2134450d0d3dc7@mail.gmail.com>
References: <223f97700611280650t7e3eabc9i874c6186ab35acb7@mail.gmail.com> <223f97700611290125y49fb3e96mea2134450d0d3dc7@mail.gmail.com>
Message-ID:

Glenn Steen wrote:

> We'll have to be careful with using Swedish here... Otherwise the
> "bork-bork-bork" fanatics will start up...:-)

:)

> Hm, let me demonstrate why setgid is a good idea for directories (and
> not much else:-):
> [root@mail ~]# mkdir a
> [root@mail ~]# chown glenn.glenn a
> [root@mail ~]# touch a/a
> [root@mail ~]# ls -la a
> totalt 12
> drwxr-xr-x 2 glenn glenn 4096 nov 29 10:18 ./
> drwx------ 69 root root 8192 nov 29 10:18 ../
> -rw-r--r-- 1 root root 0 nov 29 10:18 a
> [root@mail ~]# chmod 2755 a
> [root@mail ~]# touch a/b
> [root@mail ~]# ls -la a
> totalt 12
> drwxr-sr-x 2 glenn glenn 4096 nov 29 10:19 ./
> drwx------ 69 root root 8192 nov 29 10:18 ../
> -rw-r--r-- 1 root root 0 nov 29 10:18 a
> -rw-r--r-- 1 root glenn 0 nov 29 10:19 b
> [root@mail ~]#
> ... as you can see, after setting the setgid bit on the directory,
> files put into that directory are "forced" to be owned by the
> directory's group. This piece of "magic" isn't present in all *nix
> systems, so do try it before setting it. Setting the setgid bit has no
> real effect on regular files (hence "ls -l" showing it as capital S).
> So not really a problem, but not beneficial either.
> No such "magic" exists for directories and the setuid bit, so that
> shouldn't be set either.

Ok, thanks for the clarification

> I hope you meant that you set the _files_ in
> /var/spool/MailScanner/spamassassin/ to 0660, not the directory...
> That should be mode 2770, in your case;-).

Yes, I meant on the files, not the directory itself :)

> Yes, that seems rather likely.

Unfortunately it didn't help. It still looks the same. I've restarted both postfix and mailscanner:

/var/spool/MailScanner/spamassassin# ls -al
total 6272
drwxrws--- 2 postfix www-data 12288 2006-11-29 11:01 .
drwxr-xr-x 6 postfix postfix 4096 2006-04-24 17:07 ..
-rw-rw---- 1 postfix www-data 1331200 2006-11-29 11:01 auto-whitelist
-rw------- 1 postfix www-data 38376 2006-11-29 11:01 bayes_journal
-rw-rw---- 1 postfix www-data 36 2006-11-29 08:36 bayes.mutex
-rw-rw---- 1 postfix www-data 1318912 2006-11-29 11:01 bayes_seen
-rw-rw---- 1 postfix www-data 5156864 2006-11-29 11:01 bayes_toks

/var/spool/MailScanner# ls -al
total 32
drwxr-xr-x 6 postfix postfix 4096 2006-04-24 17:07 .
drwxr-xr-x 6 root root 4096 2006-04-24 16:27 ..
drwxr-x--- 2 postfix postfix 4096 2006-03-06 02:29 archive
drwxr-x--- 21 postfix postfix 4096 2006-11-29 11:02 incoming
drwxrwx--- 4 postfix www-data 4096 2006-11-29 01:03 quarantine
drwxrws--- 2 postfix www-data 12288 2006-11-29 11:02 spamassassin

Got any more ideas?

/ Martin

From arturs at netvision.net.il Wed Nov 29 11:21:54 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Wed Nov 29 11:24:47 2006
Subject: OT: Spamcop BL - good or dangerous?
Message-ID: <033f01c713a8$9301ca30$3701a8c0@lapxp>

Hi,

Sometimes I get a message from any of lists I'm subscribed to, that mail to my address bounces.
And as a reason I see Spamcop blocking sender's (legitimate) server.

Here comes the question:
What would you use instead of Spamcop?
It gotta be free service, and the more lists the better: right now, Spamcop is #1 blocking BL in the logs.
I am afraid if I drop it, the blocking will be worse.

Best,

--
Arthur Sherman

+972-52-4878851
CPTeam

From glenn.steen at gmail.com Wed Nov 29 11:28:34 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 29 11:28:36 2006
Subject: bayes_journal - Bad permissions
In-Reply-To:
References: <223f97700611280650t7e3eabc9i874c6186ab35acb7@mail.gmail.com> <223f97700611290125y49fb3e96mea2134450d0d3dc7@mail.gmail.com>
Message-ID: <223f97700611290328g29e6166fmfbc3c4c9820bb347@mail.gmail.com>

On 29/11/06, Martin wrote:
> Glenn Steen wrote:
(snip)
> > Yes, that seems rather likely.
>
> Unfortunately it didn't help. It still looks the same. I've restarted
> both postfix and mailscanner:
>
> /var/spool/MailScanner/spamassassin# ls -al
> total 6272
> drwxrws--- 2 postfix www-data 12288 2006-11-29 11:01 .
> drwxr-xr-x 6 postfix postfix 4096 2006-04-24 17:07 ..
> -rw-rw---- 1 postfix www-data 1331200 2006-11-29 11:01 auto-whitelist
> -rw------- 1 postfix www-data 38376 2006-11-29 11:01 bayes_journal
> -rw-rw---- 1 postfix www-data 36 2006-11-29 08:36 bayes.mutex
> -rw-rw---- 1 postfix www-data 1318912 2006-11-29 11:01 bayes_seen
> -rw-rw---- 1 postfix www-data 5156864 2006-11-29 11:01 bayes_toks
>
> /var/spool/MailScanner# ls -al
> total 32
> drwxr-xr-x 6 postfix postfix 4096 2006-04-24 17:07 .
> drwxr-xr-x 6 root root 4096 2006-04-24 16:27 ..
> drwxr-x--- 2 postfix postfix 4096 2006-03-06 02:29 archive
> drwxr-x--- 21 postfix postfix 4096 2006-11-29 11:02 incoming
> drwxrwx--- 4 postfix www-data 4096 2006-11-29 01:03 quarantine
> drwxrws--- 2 postfix www-data 12288 2006-11-29 11:02 spamassassin
>
> Got any more ideas?
>
> / Martin
>

Hm. Not many, no.
Do you run expiry from a cron job?
Are you entirely sure you checked/changed the permission on the journal _after_ restarting MS?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From gerard at seibercom.net Wed Nov 29 11:58:24 2006
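The mode check discussed in this thread (directory 2770, files 0660), run over the `ls -al` listing Martin posted, as an added example that is not part of any message on the list. The function names are hypothetical, the listing is copied from the post, and the parser assumes the eight-column `ls -al` layout with ISO dates shown there.

```shell
#!/bin/sh
# Added example, not from the thread: function names are hypothetical.

# sym2oct MODESTRING: print the four-digit octal mode for an ls-style
# mode string, e.g. drwxrws--- -> 2770, -rw-r-Sr-- -> 2644.
sym2oct() {
    m=${1#?}                      # drop the file-type character
    special=0
    digits=""
    for weight in 4 2 1; do       # setuid, setgid, sticky
        rest=${m#???}
        trip=${m%"$rest"}         # next rwx triplet
        m=$rest
        d=0
        case $trip in r??) d=$((d + 4)) ;; esac
        case $trip in ?w?) d=$((d + 2)) ;; esac
        case $trip in
            ??x)    d=$((d + 1)) ;;
            ??[st]) d=$((d + 1)); special=$((special + weight)) ;;
            ??[ST]) special=$((special + weight)) ;;  # bit set, no execute
        esac
        digits=$digits$d
    done
    printf '%s%s\n' "$special" "$digits"
}

# audit_listing WANT_DIR WANT_FILE < listing
# Prints "name got (want expected)" for every entry whose mode differs.
# Assumes columns: mode links owner group size date time name.
audit_listing() {
    want_dir=$1
    want_file=$2
    while read -r mode _links _owner _group _size _date _time name; do
        case $mode in
            d?????????*) want=$want_dir ;;
            -?????????*) want=$want_file ;;
            *) continue ;;                  # "total" line, symlinks, etc.
        esac
        [ "$name" = ".." ] && continue      # parent is outside the audit
        got=$(sym2oct "$mode")
        [ "$got" = "$want" ] || printf '%s %s (want %s)\n' "$name" "$got" "$want"
    done
}

# Listing of /var/spool/MailScanner/spamassassin as posted in the thread.
sample_listing() {
    cat <<'EOF'
total 6272
drwxrws--- 2 postfix www-data 12288 2006-11-29 11:01 .
drwxr-xr-x 6 postfix postfix 4096 2006-04-24 17:07 ..
-rw-rw---- 1 postfix www-data 1331200 2006-11-29 11:01 auto-whitelist
-rw------- 1 postfix www-data 38376 2006-11-29 11:01 bayes_journal
-rw-rw---- 1 postfix www-data 36 2006-11-29 08:36 bayes.mutex
-rw-rw---- 1 postfix www-data 1318912 2006-11-29 11:01 bayes_seen
-rw-rw---- 1 postfix www-data 5156864 2006-11-29 11:01 bayes_toks
EOF
}

# Directory should be setgid 2770 and files 0660, as advised in the thread.
sample_listing | audit_listing 2770 0660
```

On a live system, pipe `ls -al --time-style=long-iso` (GNU ls) into `audit_listing` to get the same column layout.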
From: gerard at seibercom.net (Gerard Seibert) Date: Wed Nov 29 11:58:19 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <033f01c713a8$9301ca30$3701a8c0@lapxp> References: <033f01c713a8$9301ca30$3701a8c0@lapxp> Message-ID: <20061129064650.794D.GERARD@seibercom.net> On Wednesday November 29, 2006 at 06:21:54 (AM) Arthur Sherman wrote: > Sometimes I get a message from any of lists I'm subscribed to, that mail to > my address bounces. > And as a reason I see Spamcop blocking sender's (legitimate) server. > > Here comes the question: > What would you use instead of Spamcop? > It gotta be free service, and the more lists the better: right now, Spamcop > is #1 blocking BL in the logs. > I am afraid if I drop it, the blocking will be worse. SpamCop does not block legitimate servers. I use SpamCop myself. Do you have your own Domain Name and dedicated IP or are you utilizing an ISP? If the latter, then you need to contact them and get them to correct the problem. If the former, then contact SpamCop directly and find out exactly why you are being BL'd. For the record, SpamCop uses a conglomerate of other RSB's and DNS's to filter mail. The problem may very well lie with one of them. I just did a SPAM database look-up and you were not listed. I did discover this though regarding your mail servers: ********************************************************************* WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record. 
mx20.netvision.net.il claims to be host mxin6.netvision.net.il [but that host is at 194.90.9.40 (may be cached), not 194.90.9.19]. ********************************************************************* You might want to correct that problem before simply blaming an arbitrary RSBL service. -- Gerard From paul at blacknight.ie Wed Nov 29 12:11:36 2006 
From: paul at blacknight.ie (Paul Kelly :: Blacknight Solutions) Date: Wed Nov 29 12:11:18 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <20061129064650.794D.GERARD@seibercom.net> References: <033f01c713a8$9301ca30$3701a8c0@lapxp> <20061129064650.794D.GERARD@seibercom.net> Message-ID: <456D78F8.6020302@blacknight.ie> Gerard Seibert wrote: > On Wednesday November 29, 2006 at 06:21:54 (AM) Arthur Sherman wrote: > >> Sometimes I get a message from any of lists I'm subscribed to, that mail to >> my address bounces. >> And as a reason I see Spamcop blocking sender's (legitimate) server. >> >> Here comes the question: >> What would you use instead of Spamcop? >> It gotta be free service, and the more lists the better: right now, Spamcop >> is #1 blocking BL in the logs. >> I am afraid if I drop it, the blocking will be worse. > > > SpamCop does not block legitimate servers. I use SpamCop myself. I'm sorry, but that is complete rubbish. SpamCop users blatantly report every and any e-mail they receive even double opt-in mailing lists etc. It is an extremely dangerous BL to use if you wish to get legitimate e-mail. The only rbl of use (at smtp transaction time) is xbl. Anything else will drop legitimate mail, that is a fact. We host 16k domains, of which we're scanning around 5000 for spam and other nasties. We see 200k mails a day through mailscanner with a factor of 5 being rejected at smtp time by xbl. We use spamcop in SA to add a few points to the spam score, we've found that this is the only use for spamcop today. Anything else results in users complaining on a daily basis that mail is being lost. Bottom line, Spamcop should not be used by ISP's, HSP's at a bare minimum at smtp time and for the rest of the people who admin their own mail servers I would highly recommend not using it. xbl is extremely safe to use. 
-- Paul Kelly Technical Director Blacknight Internet Solutions ltd Hosting, Colocation, Dedicated servers IP Transit Services Lo-call: 1850 927 280 DDI: 059 9183091 e-mail: paul@blacknight.ie web: http://www.blacknight.ie From Cornek at synaq.com Wed Nov 29 12:17:07 2006 
From: Cornek at synaq.com (Corne Kotze) Date: Wed Nov 29 12:16:23 2006 Subject: Allow and block filenames on same domain Message-ID: <456D7A43.1070004@synaq.com> Hi all, I have MailScanner setup on Linux, all is working 100%, but now the company wants to allow all managers and directors to receive almost anything, while the rest of the users are blocked. In /etc/MailScanner/filename.rules.conf - I have made some changes to allow for zip files etc for the managers and directors. Then I copied the file to: /etc/MailScanner/filename.rules.users.conf - Here I made all the changes to block all files needed to be blocked for the users. In /etc/MailScanner/rules/filename.rules - I have a number of entries for the managers and directors looking like this: To: email addres@domain.com /etc/MailScanner/filename.rules.conf And for the rest of the users it looks like this: *@domain.com /etc/MailScanner/filename.rules.users.conf Now for some reason if an email is sent with a .ppt attachment to a director that is supposed to be allowed, that email is blocked by one of the custom rules, example: ################################################################# Our e-mail content detector has just been triggered by a message you sent: To: email address@domain.com Subject: test 123 Date: Wed Nov 29 14:07:51 2006 One or more of the attachments (Test.pps) are on the list of unacceptable attachments for this site and will not have been delivered. Consider renaming the files to avoid this constraint. The virus detector said this about the message: Report: Report: ScanSrv: Custom block (Test.pps) ########################################################################## But this attachment is allowed in: /etc/MailScanner/filename.rules.conf And the directors email address is pointing to this file. Any help please... Thank you From jaearick at colby.edu Wed Nov 29 12:17:53 2006 
From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Nov 29 12:18:13 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <033f01c713a8$9301ca30$3701a8c0@lapxp> References: <033f01c713a8$9301ca30$3701a8c0@lapxp> Message-ID: I quit using Spamcop, both as an RBL with sendmail and within MailScanner, over a year ago. They are way overzealous in blocking legit sites, IMHO. Avoid them. Jeff Earickson Colby College On Wed, 29 Nov 2006, Arthur Sherman wrote: > Date: Wed, 29 Nov 2006 13:21:54 +0200 > From: Arthur Sherman > Reply-To: MailScanner discussion > To: 'MailScanner discussion' > Subject: OT: Spamcop BL - good or dangerous? > > Hi, > > Sometimes I get a message from any of lists I'm subscribed to, that mail to > my address bounces. > And as a reason I see Spamcop blocking sender's (legitimate) server. > > Here comes the question: > What would you use instead of Spamcop? > It gotta be free service, and the more lists the better: right now, Spamcop > is #1 blocking BL in the logs. > I am afraid if I drop it, the blocking will be worse. > > > Best, > > -- > Arthur Sherman > > +972-52-4878851 > CPTeam > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From jrudd at ucsc.edu Wed Nov 29 12:31:28 2006 
From: jrudd at ucsc.edu (John Rudd) Date: Wed Nov 29 12:31:51 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <456D78F8.6020302@blacknight.ie> References: <033f01c713a8$9301ca30$3701a8c0@lapxp> <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie> Message-ID: <456D7DA0.1070900@ucsc.edu> Paul Kelly :: Blacknight Solutions wrote: > Gerard Seibert wrote: >> On Wednesday November 29, 2006 at 06:21:54 (AM) Arthur Sherman wrote: >> >>> Sometimes I get a message from any of lists I'm subscribed to, that mail to >>> my address bounces. >>> And as a reason I see Spamcop blocking sender's (legitimate) server. >>> >>> Here comes the question: >>> What would you use instead of Spamcop? >>> It gotta be free service, and the more lists the better: right now, Spamcop >>> is #1 blocking BL in the logs. >>> I am afraid if I drop it, the blocking will be worse. >> >> SpamCop does not block legitimate servers. I use SpamCop myself. > > I'm sorry, but that is complete rubbish. SpamCop users blatantly report > every and any e-mail they receive even double opt-in mailing lists etc. > It is an extremely dangerous BL to use if you wish to get legitimate e-mail. > > The only rbl of use (at smtp transaction time) is xbl. Anything else > will drop legitimate mail, that is a fact. > I'm with you up until this point. Spamcop is absolute trash when it comes to just about every aspect of their operations ... so I wouldn't trust their RBL at all. At most, I might use it in SpamAssassin with a _VERY_ low score. Even then, I would be suspicious of their reliability. However, I don't think XBL is the only valid RBL to use at SMTP time. I've found SBL to be useful, and spamhaus in general to be reliable and accurate (not just their XBL). I therefore expect that I'll also be using the PBL (and thus zen.spamhaus.org) in the near future. The other RBLs are all rather questionable to me for use in blocking (or quarantining in MS). 
At most, I'd use them for SpamAssassin scoring. For that, I also like RFCI (even though lots of other people don't) with a low to moderate score. I'm told MAPS is reliable, but they're also expensive, so I haven't really looked at them.

From cristi at elvsoft.com Wed Nov 29 12:34:21 2006
From: cristi at elvsoft.com (Tomoiaga Cristian)
Date: Wed Nov 29 12:34:29 2006
Subject: OT: Spamcop BL - good or dangerous?
In-Reply-To: <456D78F8.6020302@blacknight.ie>
Message-ID:

SpamCop is #1 in blocking mail from yahoo and yahoogroups at my server. Is there a solution except spam.whitelist to tell MailScanner not to do any checks on yahoogroups and yahoo ? (*@yahoo.com and yahoogroups is already in spam.whitelist but it is marked as spam because it is listed in spamcop)

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Kelly :: Blacknight Solutions Sent: Wednesday, November 29, 2006 2:12 PM To: MailScanner discussion Subject: Re: OT: Spamcop BL - good or dangerous? Gerard Seibert wrote: > On Wednesday November 29, 2006 at 06:21:54 (AM) Arthur Sherman wrote: > >> Sometimes I get a message from any of lists I'm subscribed to, that mail to >> my address bounces. >> And as a reason I see Spamcop blocking sender's (legitimate) server. >> >> Here comes the question: >> What would you use instead of Spamcop? >> It gotta be free service, and the more lists the better: right now, Spamcop >> is #1 blocking BL in the logs. >> I am afraid if I drop it, the blocking will be worse. > > > SpamCop does not block legitimate servers. I use SpamCop myself. I'm sorry, but that is complete rubbish. SpamCop users blatantly report every and any e-mail they receive even double opt-in mailing lists etc. It is an extremely dangerous BL to use if you wish to get legitimate e-mail. The only rbl of use (at smtp transaction time) is xbl. Anything else will drop legitimate mail, that is a fact. We host 16k domains, of which we're scanning around 5000 for spam and other nasties. We see 200k mails a day through mailscanner with a factor of 5 being rejected at smtp time by xbl. We use spamcop in SA to add a few points to the spam score, we've found that this is the only use for spamcop today. Anything else results in users complaining on a daily basis that mail is being lost. Bottom line, Spamcop should not be used by ISP's, HSP's at a bare minimum at smtp time and for the rest of the people who admin their own mail servers I would highly recommend not using it. xbl is extremely safe to use. 
-- Paul Kelly Technical Director Blacknight Internet Solutions ltd Hosting, Colocation, Dedicated servers IP Transit Services Lo-call: 1850 927 280 DDI: 059 9183091 e-mail: paul@blacknight.ie web: http://www.blacknight.ie From gerard at seibercom.net Wed Nov 29 12:38:43 2006
From: gerard at seibercom.net (Gerard Seibert) Date: Wed Nov 29 12:38:37 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <456D78F8.6020302@blacknight.ie> References: <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie> Message-ID: <20061129073454.601F.GERARD@seibercom.net> On Wednesday November 29, 2006 at 07:11:36 (AM) Paul Kelly :: Blacknight Solutions wrote: > Gerard Seibert wrote: > > On Wednesday November 29, 2006 at 06:21:54 (AM) Arthur Sherman wrote: > > > >> Sometimes I get a message from any of lists I'm subscribed to, that mail to > >> my address bounces. > >> And as a reason I see Spamcop blocking sender's (legitimate) server. > >> > >> Here comes the question: > >> What would you use instead of Spamcop? > >> It gotta be free service, and the more lists the better: right now, Spamcop > >> is #1 blocking BL in the logs. > >> I am afraid if I drop it, the blocking will be worse. > > > > > > SpamCop does not block legitimate servers. I use SpamCop myself. > > I'm sorry, but that is complete rubbish. SpamCop users blatantly report > every and any e-mail they receive even double opt-in mailing lists etc. > It is an extremely dangerous BL to use if you wish to get legitimate e-mail. > > The only rbl of use (at smtp transaction time) is xbl. Anything else > will drop legitimate mail, that is a fact. > > We host 16k domains, of which we're scanning around 5000 for spam and > other nasties. We see 200k mails a day through mailscanner with a factor > of 5 being rejected at smtp time by xbl. > > We use spamcop in SA to add a few points to the spam score, we've found > that this is the only use for spamcop today. Anything else results in > users complaining on a daily basis that mail is being lost. > > Bottom line, Spamcop should not be used by ISP's, HSP's at a bare > minimum at smtp time and for the rest of the people who admin their own > mail servers I would highly recommend not using it. xbl is extremely > safe to use. 
You are missing the point here. The OP has a misconfigured mailserver. That is the primary cause of his/her problems. Correct that problem then see what transpires. Given the way they are sending mail, there is a good chance that they will be blocked by more than just SpamCop. -- Gerard From brose at med.wayne.edu Wed Nov 29 13:19:26 2006 From: brose at med.wayne.edu (Rose, Bobby) Date: Wed Nov 29 13:19:34 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <456D78F8.6020302@blacknight.ie> Message-ID: <8F2A53954C22554EB75D9643FCCE0C6B02640D86@MED-CORE03-MS1.med.wayne.edu> Mostly when I've looked at addresses that are listed at spamcop, the addresses are on the temporary blocklist due to the address sending messages to Spamcop's spamtraps. It's pretty hard to say it's a mistake that a legit system emailed a spamtrap unless they are relaying which then raises other questions. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Kelly :: Blacknight Solutions Sent: Wednesday, November 29, 2006 7:12 AM To: MailScanner discussion Subject: Re: OT: Spamcop BL - good or dangerous? Gerard Seibert wrote: > On Wednesday November 29, 2006 at 06:21:54 (AM) Arthur Sherman wrote: > >> Sometimes I get a message from any of lists I'm subscribed to, that >> mail to my address bounces. >> And as a reason I see Spamcop blocking sender's (legitimate) server. >> >> Here comes the question: >> What would you use instead of Spamcop? >> It gotta be free service, and the more lists the better: right now, >> Spamcop is #1 blocking BL in the logs. >> I am afraid if I drop it, the blocking will be worse. > > > SpamCop does not block legitimate servers. I use SpamCop myself. I'm sorry, but that is complete rubbish. SpamCop users blatantly report every and any e-mail they receive even double opt-in mailing lists etc. It is an extremely dangerous BL to use if you wish to get legitimate e-mail. The only rbl of use (at smtp transaction time) is xbl. Anything else will drop legitimate mail, that is a fact. We host 16k domains, of which we're scanning around 5000 for spam and other nasties. We see 200k mails a day through mailscanner with a factor of 5 being rejected at smtp time by xbl. We use spamcop in SA to add a few points to the spam score, we've found that this is the only use for spamcop today. Anything else results in users complaining on a daily basis that mail is being lost. Bottom line, Spamcop should not be used by ISP's, HSP's at a bare minimum at smtp time and for the rest of the people who admin their own mail servers I would highly recommend not using it. xbl is extremely safe to use. From drew at technologytiger.net Wed Nov 29 13:53:18 2006 
From: drew at technologytiger.net (Drew Marshall) Date: Wed Nov 29 13:53:32 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <8F2A53954C22554EB75D9643FCCE0C6B02640D86@MED-CORE03-MS1.med.wayne.edu> References: <8F2A53954C22554EB75D9643FCCE0C6B02640D86@MED-CORE03-MS1.med.wayne.edu> Message-ID: <38280.194.70.180.170.1164808398.squirrel@www.technologytiger.net> On Wed, November 29, 2006 13:19, Rose, Bobby wrote: > Mostly when I've looked at addresses that are listed at spamcop, the > addresses are on the temporary blocklist due to the address sending > messages to Spamcop's spamtraps. It's pretty hard to say it's a mistake > that a legit system emailed a spamtrap unless they are relaying which > then raises other questions. It's not so much if it's a mistake as you are right, someone deliberately sent the sample mail to Spamcop but more about who and what is making the classification. As just about anyone can send 'Spam' to Spamcop, who in turn will list the relay(s) (Albeit for varying amounts of time based on frequency), it becomes a question of who does the vetting. The problem with Spamcop is that 'no one' is the answer. You can end up being listed if someone takes a dislike to your e-mail and sends it on to them enough. This is what makes Spamcop dangerous to use at MTA. Of course this raises the point 'What is Spam?'. Because there is no real, definitive answer other than 'unsolicited 'junk' mail' how do you define what users should forward, particularly to a global black list (How many times do we see requests to this list about configuring MS for individual black/ white lists, SA settings etc?). I very much like and support the idea of collaborative anti-spam measures but in the same way that bayes works on the specific mail characteristics of your mail, so, I think, should RBLs like Spamcop be used in a measured, weighted way (As it does in SA). I do block using the Spamhaus RBLs as not only do I find them less aggressive but they are (Seem?) 
better moderated and audited. This means that, in my experience, fewer false positives and more of the true 'bad guys' being listed and with less chance of removal. /Throws his final 2p into the air and steps off soap box... Drew From glenn.steen at gmail.com Wed Nov 29 13:57:44 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 29 13:57:48 2006 Subject: Allow and block filenames on same domain In-Reply-To: <456D7A43.1070004@synaq.com> References: <456D7A43.1070004@synaq.com> Message-ID: <223f97700611290557o3486cf82laa800da2823dfff3@mail.gmail.com> On 29/11/06, Corne Kotze wrote: > Hi all, > > I have MailScanner setup on Linux, all is working 100%, but now the > company wants to allow all managers and directors to receive almost > anything, while the rest of the users are blocked. > In /etc/MailScanner/filename.rules.conf - I have made some changes to > allow for zip files etc for the managers and directors. > Then I copied the file to: > /etc/MailScanner/filename.rules.users.conf - Here I made all the changes > to block all files needed to be blocked for the users. > > In /etc/MailScanner/rules/filename.rules - I have a number of entries > for the managers and directors looking like this: > To: email addres@domain.com /etc/MailScanner/filename.rules.conf > And for the rest of the users it looks like this: > *@domain.com /etc/MailScanner/filename.rules.users.conf > > Now for some reason if an email is sent with a .ppt attachment to a > director that is supposed to be allowed, that email is blocked by one of > the custom rules, example: > > ################################################################# > > Our e-mail content detector has just been triggered by a message you sent: > To: email address@domain.com > Subject: test 123 > Date: Wed Nov 29 14:07:51 2006 > > One or more of the attachments (Test.pps) are on > the list of unacceptable attachments for this site and will not have > been delivered. > > Consider renaming the files to avoid this constraint. 
> > The virus detector said this about the message: > Report: Report: ScanSrv: Custom block (Test.pps) > > ########################################################################## > > But this attachment is allowed in: /etc/MailScanner/filename.rules.conf > And the directors email address is pointing to this file. > > Any help please... > > Thank you > Your ruleset seems to be rather wrong. Take a look at the EXAMPLES in the rules directory, and also look at the wiki... http://wiki.mailscanner.info/doku.php?id=&idx=documentation:configuration:rulesets and more specifically http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From davi at jvsinfo.com.br Wed Nov 29 15:02:58 2006 From: davi at jvsinfo.com.br (davi@jvsinfo.com.br) Date: Wed Nov 29 14:03:17 2006 Subject: Write $message into RFC 822 Mail file using Always Looked Up Last Message-ID: I want to write message to file using format RFC 822 using custom function after e-mail process. I think that answer are $message->{metadata} but in this place, I have only records from MTA, I want: open(FH,">file"); print FH $message; close(FH); this code are sample and I know this doesn't work, but I think too, the rfc mail are spread into $message-{}, and how to join all variable (and correct variables) to get rid this.... a lot of thanks.... Davi Baldin São Paulo, Brasil From brose at med.wayne.edu Wed Nov 29 14:33:47 2006 
From: brose at med.wayne.edu (Rose, Bobby) Date: Wed Nov 29 14:34:10 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <38280.194.70.180.170.1164808398.squirrel@www.technologytiger.net> Message-ID: <8F2A53954C22554EB75D9643FCCE0C6B02640D8A@MED-CORE03-MS1.med.wayne.edu> You're not distinguishing between a spamtrap issue vs a spam reporting issue. Spamtrap domains/addresses are not publicly known as such. Spamcop has dummy mail domains that don't have any users that send any mail out so it's not reasonable for people to be replying to them, or those addresses opting into mailings. The spamtrap addresses are then seeded on the net so spammers who spider thru google and such to get email addresses will pick them up. Also based on what I recall reading on Spamcop, they supposedly contact the ISP on spam reports (my guess postmaster@domain or based on whois info) and if they receive no response or no action is taken, then the host is added to the list of reported spam sources. So if that's the case, they are still leaving it up to the ISP to make that determination. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew Marshall Sent: Wednesday, November 29, 2006 8:53 AM To: MailScanner discussion Subject: RE: OT: Spamcop BL - good or dangerous? On Wed, November 29, 2006 13:19, Rose, Bobby wrote: > Mostly when I've looked at addresses that are listed at spamcop, the > addresses are on the temporary blocklist due to the address sending > messages to Spamcop's spamtraps. It's pretty hard to say it's a > mistake that a legit system emailed a spamtrap unless they are > relaying which then raises other questions. It's not so much if it's a mistake as you are right, some one deliberatly sent the sample mail to Spamcop but more about who and what is making the classification. As just about anyone can send 'Spam' to Spamcop, who in turn will list the relay(s) (Albeit for varying amounts of time based on frequency), it becomes a question of who does the vetting. The problem with Spamcop is that 'no one' is the answer. You can end up being listed if some takes a dislike to your e-mail and sends it on to them enough. This is what makes Spamcop dangerous to use at MTA. Of cause this raises the point 'What is Spam?'. Because there is no real, definitive answer other than 'unsolicited 'junk' mail' how do you define what users should forward, particularly to a global black list (How many times do we see requests to this list about configuring MS for individual black/ white lists, SA settings etc?). I very much like and support the idea of collaborative anti-spam measures but in the same way that bayes works on the specific mail characteristics of your mail, so, I think, should RBLs like Spamcop be used in a measured, weighted way (As it does in SA). I do block using the Spamhaus RBLs as not only do I find them less aggressive but they are (Seem?) better moderated and audited. 
This means that, in my experience, fewer false positives and more of the true 'bad guys' being listed and with less chance of removal. /Throws his final 2p into the air and steps off soap box... Drew -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From edwardbruce at sbcglobal.net Wed Nov 29 14:35:04 2006 From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Wed Nov 29 14:35:09 2006 Subject: MCP and sa-update In-Reply-To: References: <1951DC816E1A9F469307B05FA183F4385FF825@corpatsmail1.corp.sensis.com> Message-ID: <456D9A98.7040907@sbcglobal.net> Dimitri wrote: > Desai, Jason sensis.com> writes: > [CLIP] > >> I have come across what I think is a bug in MCP. It appears to pick up >> rules from sa-update when doing MCP checks, causing a higher MCP score >> and possible false positives. >> > [CLIP] > > > Any update on this issue, as I'm facing it too? > > Dimitri > > > Just to add my me too. I've had to disable it. From dave.list at pixelhammer.com Wed Nov 29 15:29:39 2006 
From: dave.list at pixelhammer.com (DAve) Date: Wed Nov 29 15:29:52 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <456D7DA0.1070900@ucsc.edu> References: <033f01c713a8$9301ca30$3701a8c0@lapxp> <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie> <456D7DA0.1070900@ucsc.edu> Message-ID: <456DA763.10308@pixelhammer.com> John Rudd wrote: > Paul Kelly :: Blacknight Solutions wrote: >> Gerard Seibert wrote: >>> On Wednesday November 29, 2006 at 06:21:54 (AM) Arthur Sherman wrote: >>> >>>> Sometimes I get a message from any of lists I'm subscribed to, that >>>> mail to >>>> my address bounces. >>>> And as a reason I see Spamcop blocking sender's (legitimate) server. >>>> >>>> Here comes the question: >>>> What would you use instead of Spamcop? >>>> It gotta be free service, and the more lists the better: right now, >>>> Spamcop >>>> is #1 blocking BL in the logs. >>>> I am afraid if I drop it, the blocking will be worse. >>> >>> SpamCop does not block legitimate servers. I use SpamCop myself. >> >> I'm sorry, but that is complete rubbish. SpamCop users blatantly report >> every and any e-mail they receive even double opt-in mailing lists etc. >> It is an extremely dangerous BL to use if you wish to get legitimate >> e-mail. >> >> The only rbl of use (at smtp transaction time) is xbl. Anything else >> will drop legitimate mail, that is a fact. >> > > I'm with you up until this point. > > Spamcop is absolute trash when it comes to just about every aspect of > their operations ... so I wouldn't trust their RBL at all. At most, I > might use it in SpamAssassin with a _VERY_ low score. Even then, I > would be suspicious of their reliability. > > However, I don't think XBL is the only valid RBL to use at SMTP time. > I've found SBL to be useful, and spamhaus in general to be reliable and > accurate (not just their XBL). I therefore expect that I'll also be > using the PBL (and thus zen.spamhaus.org) in the near future. 
> We have been using zen.spamhaus.org for about two weeks now with excellent results, not one reported false positive. My users would let me know in a heartbeat if there were. It's too new to recommend, but I would certainly suggest doing your own testing as it is looking very promising. The big plus for us was PBL replaced our dialup RBL with better results, and no FP. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From dave.list at pixelhammer.com Wed Nov 29 15:34:04 2006 
From: dave.list at pixelhammer.com (DAve) Date: Wed Nov 29 15:34:17 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <8F2A53954C22554EB75D9643FCCE0C6B02640D8A@MED-CORE03-MS1.med.wayne.edu> References: <8F2A53954C22554EB75D9643FCCE0C6B02640D8A@MED-CORE03-MS1.med.wayne.edu> Message-ID: <456DA86C.1070404@pixelhammer.com> Rose, Bobby wrote: > Your not distinguishing between a spamtrap issue vs a spam reporting > issue. Spamtrap domains/addresses are not public known as such. > Spamcop has dummy mail domains that doesn't have any users that send any > mail out so it's not reasonable for people to be replying to them, or > those addresses opting into mailings. The spamtrap addresses are then > seeded on the net so spammers who spider thru google and such to get > email addresses will pick them up. > > Also based on what I recall reading on Spamcop, they supposedly contact > the ISP on spam reports (my guess postmaster@domain or based on whois > info )and if the receive no response or no action is taken, then the > host is added to the list of reported spam sources. So if that's the > case, they are still leaving it up to the ISP to make that > determination. > Contact the ISP? You get an automated response that says nothing more than "You're it". If you try to make contact with SpamCop you get an automated response claiming to be checking to make sure YOU are not using automated responses (Apparently SpamCop's time is more important than mine). Once you jump through the final hoop, you never hear back from them again. Been there, done that, got that Tee shirt. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From dhawal at netmagicsolutions.com Wed Nov 29 15:44:29 2006 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Nov 29 15:44:43 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <456DA763.10308@pixelhammer.com> References: <033f01c713a8$9301ca30$3701a8c0@lapxp> <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie> <456D7DA0.1070900@ucsc.edu> <456DA763.10308@pixelhammer.com> Message-ID: <456DAADD.5020000@netmagicsolutions.com> DAve wrote: > We have been using zen.spamhaus.org for about two weeks now with > excellent results, not one reported false positive. My users would let > me know in a heartbeat if there were. > > It's too new to recommend, but I would certainly suggest doing your own > testing as it is looking very promising. The big plus for us was PBL > replaced our dialup RBL with better results, and no FP. > > DAve umm pbl is yet to be published and as of now zen == sbl-xbl, see http://www.spamhaus.org/pbl/ Also see: http://groups-beta.google.com/group/news.admin.net-abuse.email/msg/2d050ab220faf931 Also is anyone using psbl.surriel.com? We've had some good results for the last 3 weeks (with low FPs) in a warn_if_reject mode. - dhawal From TGFurnish at herffjones.com Wed Nov 29 15:58:02 2006 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Wed Nov 29 15:58:18 2006 Subject: 70k mqueue.in but load under 1 ?? Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC499@inex3.herffjones.hj-int> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Richard Frovarp > Sent: Tuesday, November 28, 2006 11:55 AM > To: MailScanner discussion > Subject: Re: 70k mqueue.in but load under 1 ?? > If the queue is still building up, something is most likely > timing out. > Are you running Pyzor, Razor, or DCC? Using any odd URIBLs or > DNSBLs that could be timing out? Several months ago Pyzor > timed out (10 seconds per message) on me for a while, that > really hurt performance. Do a lint or debug and see if > anything hangs for a noticeable time period as Glenn suggested. Just some random follow-up thoughts. My own problem became less urgent when I went ahead and put SBL+XBL in at the MTA level, which has effectively cut our inbound message count in half. Pleasant surprise there. I looked for things timing out, but I didn't get far enough to get exact timing information for the spamassassin lint output. I wish I had been keeping a history of how long the razor and bayes checks take on my system on a single test message every day. I'm adding that to my to-do list so that I have a baseline in the future. I expected to find an RBL timing out or spamassassin timing out, but I didn't find that. I did note that for most of the morning on the day I had the biggest problem our internet pipe was maxed out, so DNS checks may have been slower, which would of course slow SA more than the MTA (cuz I only do a couple of dns checks in the MTA, many in SA). In the past I've gotten a boost in performance by starting with a fresh Bayes db after the db had grown very large. Haven't done that in a while, might be part of the slowdown. From arturs at netvision.net.il Wed Nov 29 15:57:45 2006 
From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Nov 29 16:00:40 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <456D78F8.6020302@blacknight.ie> Message-ID: <039801c713cf$1bfea620$3701a8c0@lapxp> > >> Sometimes I get a message from any of lists I'm subscribed > to, that mail to > >> my address bounces. > >> And as a reason I see Spamcop blocking sender's > (legitimate) server. > >> > >> Here comes the question: > >> What would you use instead of Spamcop? > >> It gotta be free service, and the more lists the better: > right now, Spamcop > >> is #1 blocking BL in the logs. > >> I am afraid if I drop it, the blocking will be worse. > > > > > > SpamCop does not block legitimate servers. I use SpamCop myself. > > I'm sorry, but that is complete rubbish. SpamCop users > blatantly report > every and any e-mail they receive even double opt-in mailing > lists etc. > It is an extremely dangerous BL to use if you wish to get > legitimate e-mail. > > The only rbl of use (at smtp transaction time) is xbl. Anything else > will drop legitimate mail, that is a fact. > > We host 16k domains, of which we're scanning around 5000 for spam and > other nasties. We see 200k mails a day through mailscanner > with a factor > of 5 being rejected at smtp time by xbl. > > We use spamcop in SA to add a few points to the spam score, > we've found > that this is the only use for spamcop today. Anything else results in > users complaining on a daily basis that mail is being lost. > > Bottom line, Spamcop should not be used by ISP's, HSP's at a bare > minimum at smtp time and for the rest of the people who admin > their own > mail servers I would highly recommend not using it. xbl is extremely > safe to use. > > > -- > Paul Kelly Just as I thought. Thanks! Best, -- Arthur Sherman +972-52-4878851 CPTeam From arturs at netvision.net.il Wed Nov 29 15:57:45 2006 
From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Nov 29 16:00:45 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <20061129064650.794D.GERARD@seibercom.net> Message-ID: <039901c713cf$1c24cbc0$3701a8c0@lapxp> > > Sometimes I get a message from any of lists I'm subscribed > to, that mail to > > my address bounces. > > And as a reason I see Spamcop blocking sender's (legitimate) server. > > > > Here comes the question: > > What would you use instead of Spamcop? > > It gotta be free service, and the more lists the better: > right now, Spamcop > > is #1 blocking BL in the logs. > > I am afraid if I drop it, the blocking will be worse. > > > SpamCop does not block legitimate servers. I use SpamCop myself. > > Do you have your own Domain Name and dedicated IP or are you > utilizing an > ISP? If the latter, then you need to contact them and get them to > correct the problem. If the former, then contact SpamCop directly and > find out exactly why you are being BL'd. For the record, > SpamCop uses a > conglomerate of other RSB's and DNS's to filter mail. The problem may > very well lie with one of them. > > I just did a SPAM database look-up and you were not listed. I did > discover this though regarding your mail servers: > > ********************************************************************* > > WARNING: One or more of your mailservers is claiming to be a > host other > than what it really is (the SMTP greeting should be a 3-digit code, > followed by a space or a dash, then the host name). If your mailserver > sends out E-mail using this domain in its EHLO or HELO, your E-mail > might get blocked by anti-spam software. This is also a technical > violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname > given in the SMTP greeting should have an A record pointing > back to the > same server. Note that this one test may use a cached DNS record. 
> > mx20.netvision.net.il claims to be host > mxin6.netvision.net.il [but that > host is at 194.90.9.40 (may be cached), not 194.90.9.19]. > > ********************************************************************* > > You might want to correct that problem before simply blaming > an arbitrary > RSBL service. > > > -- > Gerard The address that was blocked belongs to spamassassin.apache.org, not to me. The address you mention (netvision.net.il) is my ISP, and has nothing to do with my server, which is cpt.co.il Best, -- Arthur Sherman +972-52-4878851 CPTeam From dave.list at pixelhammer.com Wed Nov 29 16:03:11 2006 
From: dave.list at pixelhammer.com (DAve) Date: Wed Nov 29 16:03:24 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <456DAADD.5020000@netmagicsolutions.com> References: <033f01c713a8$9301ca30$3701a8c0@lapxp> <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie> <456D7DA0.1070900@ucsc.edu> <456DA763.10308@pixelhammer.com> <456DAADD.5020000@netmagicsolutions.com> Message-ID: <456DAF3F.9070703@pixelhammer.com> Dhawal Doshy wrote: > DAve wrote: >> We have been using zen.spamhaus.org for about two weeks now with >> excellent results, not one reported false positive. My users would let >> me know in a heartbeat if there were. >> >> It's too new to recommend, but I would certainly suggest doing your >> own testing as it is looking very promising. The big plus for us was >> PBL replaced our dialup RBL with better results, and no FP. >> >> DAve > > umm pbl is yet to be published and as of now zen == sbl-xbl, see > http://www.spamhaus.org/pbl/ > > Also see: > http://groups-beta.google.com/group/news.admin.net-abuse.email/msg/2d050ab220faf931 > > > Also is anyone using psbl.surriel.com? We've had some good results for > the last 3 weeks (with low FPs) in a warn_if_reject mode. > > - dhawal I saw the announcement around the 15th. http://www.spamhaus.org/zen/ "ZEN is the combination of all Spamhaus DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, the XBL and the new PBL blocklist." I don't recall seeing the PBL notice on http://www.spamhaus.org/pbl the day I turned it up. Using ZEN certainly raised my block rate over using only sbl-xbl, mrtg shows the improvement. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From dave.list at pixelhammer.com Wed Nov 29 16:09:04 2006 
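Added example (not from any poster on this list or from MailScanner): the split the thread argues for, rejecting at SMTP time only on a list you trust and letting SpamCop add to a score, written as a small offline policy check. The zone name bl.spamcop.net, the roles and point values in POLICY, the stand-in resolver and its DNS answers are assumptions constructed for illustration; the example also goes beyond the thread by building IPv6 query names and by treating timeouts and 127.255.255.x answers (which Spamhaus uses as error codes) as "no data" rather than as listings.

```python
import ipaddress

# Role given to each DNSBL zone. Roles and point values are assumptions made
# for this example, not settings recommended by anyone in the thread.
POLICY = {
    "zen.spamhaus.org": {"action": "reject"},
    "bl.spamcop.net": {"action": "score", "points": 1.5},
    "psbl.surriel.com": {"action": "score", "points": 1.0},
}

LISTING_NET = ipaddress.ip_network("127.0.0.0/8")     # normal DNSBL answers
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error codes


def dnsbl_query_name(ip, zone):
    """Build the DNS name to look up: reversed address labels + zone."""
    # reverse_pointer gives e.g. '10.2.0.192.in-addr.arpa'; drop the suffix.
    reverse = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{reverse}.{zone}"


def classify_answer(answers):
    """Return 'clear', 'listed' or 'error' for the A records of one query."""
    state = "clear"  # no records at all (NXDOMAIN) means not listed
    for text in answers:
        addr = ipaddress.ip_address(text)
        if addr in ERROR_NET or addr not in LISTING_NET:
            # Error code, or an answer outside 127/8 (parked or hijacked
            # zone): never treat this as a listing.
            return "error"
        state = "listed"
    return state


def evaluate(ip, resolve, policy=POLICY):
    """Apply the policy to one connecting IP.

    resolve(name) must return a list of A-record strings ([] if none) and
    may raise TimeoutError. Lookup failures fail open and are recorded.
    """
    result = {"decision": "accept", "score": 0.0, "hits": [], "errors": []}
    for zone, rule in policy.items():
        try:
            state = classify_answer(resolve(dnsbl_query_name(ip, zone)))
        except TimeoutError:
            state = "error"
        if state == "error":
            result["errors"].append(zone)
            continue
        if state != "listed":
            continue
        result["hits"].append(zone)
        if rule["action"] == "reject":
            result["decision"] = "reject"      # hard fail at SMTP time
        else:
            result["score"] += rule["points"]  # left for the content filter
    return result


# Constructed DNS data (documentation address ranges, invented answers).
CONSTRUCTED_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    # A list server that appears only on the score-only list.
    "25.100.51.198.bl.spamcop.net": ["127.0.0.2"],
    # An error-code answer instead of a listing.
    "7.113.0.203.zen.spamhaus.org": ["127.255.255.254"],
}
CONSTRUCTED_TIMEOUTS = {"7.113.0.203.psbl.surriel.com"}


def constructed_resolver(name):
    """Offline stand-in for a DNS lookup, backed by the tables above."""
    if name in CONSTRUCTED_TIMEOUTS:
        raise TimeoutError(name)
    return CONSTRUCTED_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.25", "203.0.113.7"):
        print(ip, evaluate(ip, constructed_resolver))
```

The "errors" list is the part worth logging in production: a zone that keeps landing there is either timing out or refusing your queries, and in both cases it has silently stopped filtering.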
From: dave.list at pixelhammer.com (DAve) Date: Wed Nov 29 16:09:16 2006 Subject: 70k mqueue.in but load under 1 ?? In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC499@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D0302BAC499@inex3.herffjones.hj-int> Message-ID: <456DB0A0.3080204@pixelhammer.com> Furnish, Trever G wrote: > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Richard Frovarp >> Sent: Tuesday, November 28, 2006 11:55 AM >> To: MailScanner discussion >> Subject: Re: 70k mqueue.in but load under 1 ?? > >> If the queue is still building up, something is most likely >> timing out. >> Are you running Pyzor, Razor, or DCC? Using any odd URIBLs or >> DNSBLs that could be timing out? Several months ago Pyzor >> timed out (10 seconds per message) on me for a while, that >> really hurt performance. Do a lint or debug and see if >> anything hangs for a noticeable time period as Glenn suggested. > > Just some random follow-up thoughts. > > My own problem became less urgent when I went ahead and put SBL+XBL in > at the MTA level, which has effectively cut our inbound message count in > half. Pleasant surprise there. > > I looked for things timing out, but I didn't get far enough to get exact > timing information for the spamassassin lint output. I wish I had been > keeping a history of how long the razor and bayes checks take on my > system on a single test message every day. I'm adding that to my to-do > list so that I have a baseline in the future. > > I expected to find an RBL timing out or spamassassin timing out, but I > didn't find that. I did note that for most of the morning on the day I > had the biggest problem our internet pipe was maxed out, so DNS checks > may have been slower, which would of course slow SA more than the MTA > (cuz I only do a couple of dns checks in the MTA, many in SA). > > In the past I've gotten a boost in performance by starting with a fresh > Bayes db after the db had grown very large. Haven't done that in a > while, might be part of the slowdown. Possibly you have already mentioned this, if so just shake your head and ignore me. Are you running a DNS cache on your server? I found that improved things a great deal. 
DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From matt at coders.co.uk Wed Nov 29 16:13:16 2006 From: matt at coders.co.uk (Matt Hampton) Date: Wed Nov 29 16:13:48 2006 Subject: OT: sendmail question Message-ID: <456DB19C.7020706@coders.co.uk> Evening Does anyone know how to configure sendmail to restrict which domains an IP can send from? I.e. 123.123.123.123 is allowed to send email from domain.com, example.com 123.123.123.124 is allowed to send email from domain.co.uk, example.com (I could do this in a milter but would prefer to do this in an database file like the access map) regards Matt From mkettler at evi-inc.com Wed Nov 29 16:17:38 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Nov 29 16:17:50 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <20061129073454.601F.GERARD@seibercom.net> References: <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie> <20061129073454.601F.GERARD@seibercom.net> Message-ID: <456DB2A2.9060001@evi-inc.com> Gerard Seibert wrote: > On Wednesday November 29, 2006 at 07:11:36 (AM) Paul Kelly :: Blacknight Solutions wrote: > >> Gerard Seibert wrote: >>> On Wednesday November 29, 2006 at 06:21:54 (AM) Arthur Sherman wrote: >>> >>>> Sometimes I get a message from any of lists I'm subscribed to, that mail to >>>> my address bounces. >>>> And as a reason I see Spamcop blocking sender's (legitimate) server. >>>> >>>> Here comes the question: >>>> What would you use instead of Spamcop? >>>> It gotta be free service, and the more lists the better: right now, Spamcop >>>> is #1 blocking BL in the logs. >>>> I am afraid if I drop it, the blocking will be worse. >>> >>> SpamCop does not block legitimate servers. I use SpamCop myself. >> I'm sorry, but that is complete rubbish. SpamCop users blatantly report >> every and any e-mail they receive even double opt-in mailing lists etc. >> It is an extremely dangerous BL to use if you wish to get legitimate e-mail. > > You are missing the point here. The OP has a misconfigured mailserver. > That is the primary cause of his/her problems. Correct that problem then > see what transpires. Given the way they are sending mail, there is a > good chance that they will be blocked by more than just SpamCop. While this may be true, you're also missing the main point. SpamCop *does* list legitimate servers. To believe otherwise is delusional. 
Here's some offhand from the short period of time in which I was using spamcop as a greylist criteria:
-------
Yahoo groups:
Nov 5 14:21:15 xanadu milter-greylist: Host 66.163.187.149 exists in DNSRBL "SPAMCOP"
Nov 5 14:21:15 xanadu milter-greylist: Mail from==evi-inc.com@returns.groups.yahoo.com>, rcpt=<*MUNGED*@evi-inc.com>, addr=n6a.bullet.sc5.yahoo.com[66.163.187.149] is matched by entry acl 571 greylist dnsrbl "SPAMCOP" [delay 3600]
Amazon:
Nov 6 16:28:21 xanadu milter-greylist: Host 207.171.165.133 exists in DNSRBL "SPAMCOP"
133.165.171.207.in-addr.arpa domain name pointer mm-retail-out-1101.amazon.com.
-------
And hundreds more in just a few days.. Spamcop used to be very reliable, however recently their FP rate is VERY VERY high.. Their FP rate is so bad that even Justin Mason (creator of SpamAssassin) has started to advocate not using it at the MTA layer because it so frequently lists Gmail and other legitimate sources: http://taint.org/2006/08/17/142116a.html From mark.fowle at alcatel.com Wed Nov 29 16:33:43 2006 From: mark.fowle at alcatel.com (Mark Fowle) Date: Wed Nov 29 16:33:58 2006 Subject: Files stuck in mqueue.in Message-ID: <456DB667.9080904@alcatel.com> I just installed 4.57.4-1 running on RHES 3, sendmail 8.13.x (with spamassassin) -- First I was getting duplicate mail messages in mailboxes, and after researching the problem found that I should add posix file locking to the Mailscanner.conf file -- this seemed to stop the duplicate email problem - suddenly I don't get any mail. So I changed the lock to flock, and it didn't make any difference - Is there something I'm missing to get the files out of the mqueue.in? Thanks, Mark From TGFurnish at herffjones.com Wed Nov 29 16:34:50 2006 
From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Wed Nov 29 16:34:53 2006 Subject: 70k mqueue.in but load under 1 ?? Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC49A@inex3.herffjones.hj-int> > Possibly you have already mentioned this, if so just shake > your head and ignore me. Are you running a DNS cache on your > server? I found that improved things a great deal. > > DAve Good point, but yes, already running a caching NameD. Thanks. -t. From TGFurnish at herffjones.com Wed Nov 29 16:48:26 2006 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Wed Nov 29 16:48:32 2006 Subject: sendmail question Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC49B@inex3.herffjones.hj-int> I don't have a solution for you, but that would be a very useful feature. I'd love to limit the domains my internal users can send from, to combat the problem of ignorant developers who, for example, set the envelope sender to an address we don't own in mail sent from web forms. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Matt Hampton > Sent: Wednesday, November 29, 2006 11:13 AM > To: MailScanner discussion > Subject: OT: sendmail question > > Evening > > Does anyone know how to configure sendmail to restrict which > domains an IP can send from? > > I.e. > > 123.123.123.123 is allowed to send email from domain.com, example.com > 123.123.123.124 is allowed to send email from domain.co.uk, > example.com > > (I could do this in a milter but would prefer to do this in > an database file like the access map) > > regards > > Matt > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From mkettler at evi-inc.com Wed Nov 29 16:54:21 2006 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Nov 29 16:54:51 2006
Subject: sendmail question
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC49B@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC49B@inex3.herffjones.hj-int>
Message-ID: <456DBB3D.7020201@evi-inc.com>

Suggestion:

Use SPF and a SPF milter.

If you have private IPs in use, and have split-dns you can have your SPF records be different when queried from the inside vs outside. That way only inside hosts (including your mailserver) will see the SPF records containing your private IPs.

Furnish, Trever G wrote:
> I don't have a solution for you, but that would be a very useful
> feature. I'd love to limit the domains my internal users can send from,
> to combat the problem of ignorant developers who, for example, set the
> envelope sender to an address we don't own in mail sent from web forms.
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Matt Hampton
>> Sent: Wednesday, November 29, 2006 11:13 AM
>> To: MailScanner discussion
>> Subject: OT: sendmail question
>>
>> Evening
>>
>> Does anyone know how to configure sendmail to restrict which
>> domains an IP can send from?
>>
>> I.e.
>>
>> 123.123.123.123 is allowed to send email from domain.com, example.com
>> 123.123.123.124 is allowed to send email from domain.co.uk,
>> example.com
>>
>> (I could do this in a milter but would prefer to do this in
>> an database file like the access map)
>>
>> regards
>>
>> Matt
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>

From G.Pentland at soton.ac.uk Wed Nov 29 16:59:47 2006
From: G.Pentland at soton.ac.uk (Pentland G.)
Date: Wed Nov 29 16:59:55 2006
Subject: OT sendmail question
Message-ID: <71437982F5B13A4D9A5B2669BDB89EE40765C7A9@ISS-CL-EX-V1.soton.ac.uk>

I've got this at hand which goes part way to Matt's issue

SLocal_check_relay
# Check if the connecting server is allowed to send mail or not
# Anything local is allowed
R$w $| $*	$@ $w $| $1
R$j $| $*	$@ $j $| $1
R$* $| 127 . 0 . 0 . 1	$@ $1 $| 127 . 0 . 0 . 1
# Now check the hostname against the allowed map
R$* $| $*	$: < $1 $| $2 > $(authhost $1 $: < NOTAUTH > $)
# If we didn't match on host name try the IP address next
R< $* $| $* > < NOTAUTH >	$: < $1 $| $2 > $(authhost $2 $: < NOTAUTH > $)
# If we still didn't match then return an error mailer
R< $* $| $* > < NOTAUTH >	$#error $@ 5.7.1 $: You are not authorised to mail directly to this server
# Otherwise rewrite it back out and return
R< $* $| $* > $*	$: $1 $| $2

Which checks that mail is coming from an ip address in "Kauthhost -n /etc/mail/authhost"

I'd guess you need to add a class for those domains $=custdomain and then call this conditionally on whether the domain in mail from is in that class...

Might need some more thought if this is to be a more general map for multiple domains... I'm thinking about code like this that reads mailertable for example... "FEATURE ('Reverse Mailertable')"?

I'll have a think and let you know what I come up with.

For you Trever, something simpler should suffice, I'd have to double check but the feature "relay_based_on_MX" would probably do it, or something like it, only allowing relaying for domains that you are an MX server for.

Hope that helps,

Gary

Furnish, Trever G wrote:
> I don't have a solution for you, but that would be a very useful
> feature. I'd love to limit the domains my internal users can send
> from, to combat the problem of ignorant developers who, for example,
> set the envelope sender to an address we don't own in mail sent from
> web forms.
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Matt Hampton >> Sent: Wednesday, November 29, 2006 11:13 AM >> To: MailScanner discussion >> Subject: OT: sendmail question >> >> Evening >> >> Does anyone know how to configure sendmail to restrict which >> domains an IP can send from? >> >> I.e. >> >> 123.123.123.123 is allowed to send email from domain.com, example.com >> 123.123.123.124 is allowed to send email from domain.co.uk, >> example.com >> >> (I could do this in a milter but would prefer to do this in >> an database file like the access map) >> >> regards >> >> Matt >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Wed Nov 29 17:08:36 2006 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Nov 29 17:08:40 2006 Subject: sendmail question In-Reply-To: <456DBB3D.7020201@evi-inc.com> References: <57573D714A832C43B9D80EAFBDA48D0302BAC49B@inex3.herffjones.hj-int> <456DBB3D.7020201@evi-inc.com> Message-ID: <223f97700611290908g44e5ca2en7738ba23d4902464@mail.gmail.com> On 29/11/06, Matt Kettler wrote: > Suggestion: > > Use SPF and a SPF milter. > > If you private IPs in use, and have split-dns you can have your SPF records be > different when queried from the inside vs outside. That way only inside hosts > (including your mailserver) will see the SPF records containing your private IPs. > You could probably do something similar with a nicely formed sender_restriction in PF, but ... this idea would be at least as workable and elegant. Complemented with a reasonable amount of LARTing, it'd be downright useful:-) > Furnish, Trever G wrote: > > I don't have a solution for you, but that would be a very useful > > feature. I'd love to limit the domains my internal users can send from, > > to combat the problem of ignorant developers who, for example, set the > > envelope sender to an address we don't own in mail sent from web forms. > > > >> -----Original Message----- 
> >> From: mailscanner-bounces@lists.mailscanner.info > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > >> Of Matt Hampton > >> Sent: Wednesday, November 29, 2006 11:13 AM > >> To: MailScanner discussion > >> Subject: OT: sendmail question > >> > >> Evening > >> > >> Does anyone know how to configure sendmail to restrict which > >> domains an IP can send from? > >> > >> I.e. > >> > >> 123.123.123.123 is allowed to send email from domain.com, example.com > >> 123.123.123.124 is allowed to send email from domain.co.uk, > >> example.com > >> > >> (I could do this in a milter but would prefer to do this in > >> an database file like the access map) > >> > >> regards > >> > >> Matt > >> -- > >> MailScanner mailing list > >> mailscanner@lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! > >> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From arturs at netvision.net.il Wed Nov 29 17:10:29 2006 
From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Nov 29 17:13:23 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <456DB2A2.9060001@evi-inc.com> Message-ID: <03ac01c713d9$45b0e3c0$3701a8c0@lapxp> > > Spamcop used to be very reliable, however recently their FP > rate is VERY VERY high.. > > Their FP rate is so bad that even Justin Mason (creator of > SpamAssassin) has > started to advocate not using it at the MTA layer because it > so frequently lists > Gmail and other legitimate sources: Well, actually, Justin was the guy that told me not to use Spamcop, after his server was blocked. Best, -- Arthur Sherman +972-52-4878851 CPTeam From arturs at netvision.net.il Wed Nov 29 17:10:29 2006 From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Nov 29 17:13:27 2006 Subject: New Milter coming In-Reply-To: Message-ID: <03ab01c713d9$458d2f20$3701a8c0@lapxp> > >> I have been writing a milter I call milter-spamtrap. It allows an > >> active sendmail server to also be a spamtrap or honeypot. Sounds good. Thanks! Best, -- Arthur Sherman +972-52-4878851 CPTeam From nfeasey at utpress.utoronto.ca Wed Nov 29 17:49:40 2006 From: nfeasey at utpress.utoronto.ca (Feasey, Nicholas) Date: Wed Nov 29 17:49:46 2006 Subject: New Milter coming In-Reply-To: <03ab01c713d9$458d2f20$3701a8c0@lapxp> Message-ID: <4B7800CC946F56478051DD71855D6E6C03BE0C78@POSTALSTATION> I would be very interested in checking this out as well. Nicholas P. Feasey Systems Administrator T 416.640.5804 F 416.640.5336 E nfeasey@utpress.utoronto.ca UNIVERSITY OF TORONTO PRESS INC. www.utpress.utoronto.ca -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Arthur Sherman Sent: Wednesday, November 29, 2006 12:10 PM To: 'MailScanner discussion' Subject: RE: New Milter coming > >> I have been writing a milter I call milter-spamtrap. It allows an > >> active sendmail server to also be a spamtrap or honeypot. Sounds good. Thanks! Best, -- Arthur Sherman +972-52-4878851 CPTeam -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Wed Nov 29 17:49:25 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Nov 29 17:52:43 2006 Subject: Edenhosting.net --- please contact me Message-ID: <456DC825.7020500@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I am trying to get in touch with Please do get in touch with me. You know my address, please try contacting me from some other address, as I haven't heard from you, and am expecting to. Please do talk to me! Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.1 (Build 1557) Comment: Fetch my public key foot-print from www.mailscanner.info Charset: ISO-8859-1 wj8DBQFFbcjjEfZZRxQVtlQRAt6OAKCik38vlnmXkXs+joRcsfZLYxQyeACgr1Zf dYm1TN2Y1+6k2yd3hCI+LJc= =l2sg -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From gerard at seibercom.net Wed Nov 29 18:36:54 2006 
From: gerard at seibercom.net (Gerard Seibert)
Date: Wed Nov 29 18:36:48 2006
Subject: OT: Spamcop BL - good or dangerous?
In-Reply-To: <456DB2A2.9060001@evi-inc.com>
References: <20061129073454.601F.GERARD@seibercom.net> <456DB2A2.9060001@evi-inc.com>
Message-ID: <20061129132708.78C3.GERARD@seibercom.net>

On Wednesday November 29, 2006 at 11:17:38 (AM) Matt Kettler wrote:

> While this may be true, you're also missing the main point.
>
> SpamCop *does* list legitimate servers. To believe otherwise is delusional.

I concur with the basis of your analogy; however, that does not address the fact that the OP is using an improperly configured mailserver. That OP is just asking to be BL'd. I suspect that he does not possess a static IP and is attempting to send via his ISP's network while bypassing the ISP's servers. More than likely, the ISP has not blocked port 25. A mail server like Postfix can be configured to check for that and bounce the mail if it fails reverse DNS checking.

I know that SpamCop loves to block YaHoo and HotMail. Thank God! A large portion of the SPAM I receive originates from those two sites. SORBS used to block 'gmail' because it was using incorrect mail headers. I don't know if they still are, and I don't care either since I block them at the door.

--
Gerard

From mkettler at evi-inc.com Wed Nov 29 18:47:11 2006
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Nov 29 18:47:24 2006
Subject: OT: Spamcop BL - good or dangerous?
In-Reply-To: <20061129132708.78C3.GERARD@seibercom.net>
References: <20061129073454.601F.GERARD@seibercom.net> <456DB2A2.9060001@evi-inc.com> <20061129132708.78C3.GERARD@seibercom.net>
Message-ID: <456DD5AF.2070803@evi-inc.com>

Gerard Seibert wrote:
> On Wednesday November 29, 2006 at 11:17:38 (AM) Matt Kettler wrote:
>
>> While this may be true, you're also missing the main point.
>>
>> SpamCop *does* list legitimate servers. To believe otherwise is delusional.
>
> I concur with the basis of your analogy; however, that does not address
> the fact that the OP is using an improperly configured mailserver. That
> OP is just asking to be BL'd. I suspect that he does not possess a
> static IP and is attempting to send via his ISP's network while
> bypassing the ISP's servers.

Erm.. What OP are you talking about Gerard?

The OP of this thread, Arthur Sherman, *DID* use his ISP's mailserver. It's even got proper RDNS and Ipwhois.

Take a look at the Received:
-----------------------------------

Received: from mxout5.netvision.net.il (mxout5.netvision.net.il [194.90.9.29])
	by bkserver.blacknight.ie (8.13.1/8.13.1) with ESMTP id kATBOjou029305
	for ; Wed, 29 Nov 2006 11:24:46 GMT
Received: from lapxp ([212.143.91.125]) by mxout5.netvision.net.il
 (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
 with ESMTP id <0J9H00979P187L10@mxout5.netvision.net.il> for
 mailscanner@lists.mailscanner.info; Wed, 29 Nov 2006 13:24:45 +0200 (IST)
-----------------------------------

And, the OP isn't even complaining about *HIS* mail being blocked, he's complaining about spamassassin.apache.org being blocked while trying to send TO him!

From arturs at netvision.net.il Wed Nov 29 18:53:40 2006
From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Nov 29 18:56:34 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <456DD5AF.2070803@evi-inc.com> Message-ID: <03db01c713e7$afc95950$3701a8c0@lapxp> > Erm.. What OP are you talking about Gerard? > > The OP of this thread, Arthur Sherman, *DID* use his ISP's > mailserver. It's even > got proper RDNS and Ipwhois. > > Take a look and the Received: > ----------------------------------- > > Received: from mxout5.netvision.net.il > (mxout5.netvision.net.il [194.90.9.29]) > by bkserver.blacknight.ie (8.13.1/8.13.1) with ESMTP id > kATBOjou029305 > for ; Wed, 29 Nov > 2006 11:24:46 GMT > Received: from lapxp ([212.143.91.125]) by mxout5.netvision.net.il > (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) > with ESMTP id <0J9H00979P187L10@mxout5.netvision.net.il> for > mailscanner@lists.mailscanner.info; > Wed, 29 Nov 2006 13:24:45 +0200 (IST) > ----------------------------------- > > > And, the OP isn't even complaining about *HIS* mail being > blocked, he's > complaining about spamassassin.apache.org being blocked while > trying to send TO him! Matt, all, I am probably to blame for your confusion. Let me state this again: I'm subscribed to SpamAssassin ML with an address on my server (not the one I send to this list - this one is from my ISP) My server bounced the message coming from spamassassin.apache.org due to blocking in Spamcop. Justin told me to get rid of Spamcop. That's how all this started... Best, -- Arthur Sherman +972-52-4878851 CPTeam From gerard at seibercom.net Wed Nov 29 19:02:23 2006 
From: gerard at seibercom.net (Gerard Seibert)
Date: Wed Nov 29 19:02:18 2006
Subject: OT: Spamcop BL - good or dangerous?
In-Reply-To: <039901c713cf$1c24cbc0$3701a8c0@lapxp>
References: <20061129064650.794D.GERARD@seibercom.net> <039901c713cf$1c24cbc0$3701a8c0@lapxp>
Message-ID: <20061129135035.78CD.GERARD@seibercom.net>

On Wednesday November 29, 2006 at 10:57:45 (AM) Arthur Sherman wrote:

> The address that was blocked belongs to spamassassin.apache.org, not to me.
>
> The address you mention (netvision.net.il) is my ISP, and has nothing to do
> with my server, which is cpt.co.il

My mistake; however, it might have been beneficial if you had stated the domain or IP that was causing you grief.

I did some preliminary checking and all that I can deduce with a quick perusal is that your domain appears to be in violation of three RFC's.

RFC1035
RFC2142
RFC2182

Nothing serious, just mostly BS crap. However, the one regarding mail delivery might be worth looking into.

You were also listed under one blacklisting service when I initially checked; however, it was gone when I rechecked it a half hour later. I don't know what that means.

You can get a record of who is reporting you from SpamCop if you are willing to take the time. I run a mailing list and have contacted them a few times over the past three years. I never had a serious problem. In two cases it was because a subscriber had forwarded a piece of mail to another individual who did not want to receive it. They then reported it as SPAM. For what it's worth, I now only use 'VERP' when sending group mail.

--
Gerard

From gerard at seibercom.net Wed Nov 29 19:12:19 2006
From: gerard at seibercom.net (Gerard Seibert)
Date: Wed Nov 29 19:12:13 2006
Subject: OT: Spamcop BL - good or dangerous?
In-Reply-To: <456DD5AF.2070803@evi-inc.com>
References: <20061129132708.78C3.GERARD@seibercom.net> <456DD5AF.2070803@evi-inc.com>
Message-ID: <20061129140509.78D2.GERARD@seibercom.net>

On Wednesday November 29, 2006 at 01:47:11 (PM) Matt Kettler wrote:

> And, the OP isn't even complaining about *HIS* mail being blocked, he's
> complaining about spamassassin.apache.org being blocked while trying to send TO him!

I need more sleep. I thought he was complaining about his inability to send. If he wants to post the entire bounce message or whatever, the addresses used, etc. I might like to look into it. Other than that, it is just a waste of time.

BTW, I subscribe to httpd.apache.org and they are not being blacklisted. At least I have not seen any evidence of it.

--
Gerard

From mkettler at evi-inc.com Wed Nov 29 19:18:41 2006
From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Nov 29 19:18:56 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <03db01c713e7$afc95950$3701a8c0@lapxp> References: <03db01c713e7$afc95950$3701a8c0@lapxp> Message-ID: <456DDD11.4020107@evi-inc.com> Arthur Sherman wrote: >> And, the OP isn't even complaining about *HIS* mail being >> blocked, he's >> complaining about spamassassin.apache.org being blocked while >> trying to send TO him! > > > Matt, all, I am probably to blame for your confusion. > > Let me state this again: > > I'm subscribed to SpamAssassin ML with an address on my server (not the one > I send to this list - this one is from my ISP) > > My server bounced the message coming from spamassassin.apache.org due to > blocking in Spamcop. > > Justin told me to get rid of Spamcop. > > That's how all this started... That's exactly how I understood it. Apparently Gerard saw you as having an end-user account, and jumped to the conclusion you had a problem with being listed yourself. However, your original post is *quite* clear about this: "Sometimes I get a message from any of lists I'm subscribed to, that mail to my address bounces." I don't see anything in that which might lead to the conclusions Gerard came to. It's quite clear from that one sentence you're having problems receiving mail from legitimate senders. And yes, SpamCop is a false-positive prone system. And yes, it regularly lists the apache.org that hosts the SpamAssassin mailing list. Apparently some dimwits are subscribed to the spamassassin-users list that have their systems configured to auto-report to SpamCop anything that SA tags as spam. This is in flagrant violation of the terms of service for SpamCop, but they do it anyway. And the same dimwits do not have the list whitelisted. Therefore, anytime someone posts a sample of spam to the sa-users list, the list gets auto-reported to spamcop. SpamCop used to be good, but it's become polluted. 
Part of me wonders if it's user error, or deliberate malicious submissions.

People are so aggressive about reporting ebay phishes that they're reporting real ebay servers too.

Case in point: Right now 66.135.215.234 is listed in spamcop, and is in the SPF record for ebay.com, so it's a real ebay server.

$dig txt ebay.com
ebay.com. 3600 IN TXT "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com ~all"

$dig txt m._spf.ebay.com
m._spf.ebay.com. 1425 IN TXT "v=spf1 ip4:66.135.215.224/27 ip4:216.33.244.96/27 ip4:216.33.244.84 ~all"

http://www.spamcop.net/w3m?action=checkblock&ip=66.135.215.234
----
66.135.215.234 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 15 hours.
----

Way to go spamcop submitters! You go get those ebay phishers at ebay.com!

From mkettler at evi-inc.com Wed Nov 29 19:35:13 2006
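Added example, not part of any message in this thread: the cross-check Matt Kettler does by hand above (a SpamCop-listed address that falls inside eBay's published SPF ranges), as an offline Python sketch. The TXT records are copied from the dig output quoted there; `vet_listing`, its result fields and the "downgrade rather than reject" policy are assumptions made for this illustration, and only `ip4` and `include` terms are evaluated.

```python
import ipaddress

# TXT records copied from the dig output quoted in the message above.
# The s., p. and c. includes were not shown there, so they stay unresolved.
SPF_RECORDS = {
    "ebay.com": ("v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com "
                 "include:p._spf.ebay.com include:c._spf.ebay.com ~all"),
    "m._spf.ebay.com": ("v=spf1 ip4:66.135.215.224/27 ip4:216.33.244.96/27 "
                        "ip4:216.33.244.84 ~all"),
}

MAX_LOOKUPS = 10  # SPF caps the DNS-querying terms of one evaluation at 10


def dnsbl_query_name(ip, zone):
    """Name a DNSBL client resolves: reversed IPv4 octets plus the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def spf_ip4_match(ip, domain, records, _seen=None):
    """Follow ip4: and include: terms starting at `domain`.

    Returns (match, unresolved): match is (record_domain, term) for the first
    passing ip4 term that contains `ip`, or None; unresolved lists included
    domains whose TXT record was not available, so the caller can tell
    "not authorised" apart from "could not check".
    """
    addr = ipaddress.IPv4Address(ip)
    seen = _seen if _seen is not None else set()
    if domain in seen or len(seen) >= MAX_LOOKUPS:
        return None, []          # include loop or lookup budget exhausted
    seen.add(domain)
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return None, [domain]
    unresolved = []
    for term in record.split()[1:]:
        # Only pass-qualified terms count; "-ip4:", "~all" etc. fall through.
        name, _, value = term.lstrip("+").partition(":")
        if name.lower() == "ip4" and value:
            if addr in ipaddress.ip_network(value, strict=False):
                return (domain, term), unresolved
        elif name.lower() == "include" and value:
            match, missing = spf_ip4_match(ip, value, records, seen)
            unresolved.extend(missing)
            if match:
                return match, unresolved
    return None, unresolved


def vet_listing(ip, zone, sender_domain, records):
    """Hypothetical helper: summarise a DNSBL hit next to the SPF evidence."""
    match, unresolved = spf_ip4_match(ip, sender_domain, records)
    return {
        "query": dnsbl_query_name(ip, zone),
        "spf_match": match,
        "unresolved": unresolved,
        # Assumed policy: a source the sender domain authorises is scored or
        # greylisted for review instead of being rejected on the listing alone.
        "action": "downgrade" if match else "apply-dnsbl-policy",
    }


if __name__ == "__main__":
    print(vet_listing("66.135.215.234", "bl.spamcop.net", "ebay.com", SPF_RECORDS))
```

An SPF match only says the domain owner authorises that address; it is evidence that a listing deserves a second look, not proof that a given message is wanted.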
From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Nov 29 19:35:27 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <20061129140509.78D2.GERARD@seibercom.net> References: <20061129132708.78C3.GERARD@seibercom.net> <456DD5AF.2070803@evi-inc.com> <20061129140509.78D2.GERARD@seibercom.net> Message-ID: <456DE0F1.7060404@evi-inc.com> Gerard Seibert wrote: > On Wednesday November 29, 2006 at 01:47:11 (PM) Matt Kettler wrote: > >> And, the OP isn't even complaining about *HIS* mail being blocked, he's >> complaining about spamassassin.apache.org being blocked while trying to send TO him! > > I need more sleep. I though he was complaining about his inability to > send. If he wants to post the entire bounce message or whatever, the > addresses used, etc. I might like to look into it. Other than that, it > is just a waste of time. > > BTW, I subscribe to httpd.apache.org and they are not being blacklisted. > At least I have not seen any evidence of it. It's been ongoing. hermes.apache.org (the ASF list server) keeps getting in and out of spamcop. Some sample reports of the problem on the SpamAssassin users's list: June 2004: http://thread.gmane.org/gmane.mail.spam.spamassassin.general/50723/focus=50736 November 2006: http://thread.gmane.org/gmane.mail.spam.spamassassin.general/90079/focus=90120 From mkettler at evi-inc.com Wed Nov 29 19:45:48 2006 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Nov 29 19:45:58 2006
Subject: OT: Spamcop BL - good or dangerous?
In-Reply-To: <456DAF3F.9070703@pixelhammer.com>
References: <033f01c713a8$9301ca30$3701a8c0@lapxp> <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie> <456D7DA0.1070900@ucsc.edu> <456DA763.10308@pixelhammer.com> <456DAADD.5020000@netmagicsolutions.com> <456DAF3F.9070703@pixelhammer.com>
Message-ID: <456DE36C.8050305@evi-inc.com>

DAve wrote:

> I saw the announcement around the 15th.
>
> http://www.spamhaus.org/zen/
>
> "ZEN is the combination of all Spamhaus DNSBLs into one single powerful
> and comprehensive blocklist to make querying faster and simpler. It
> contains the SBL, the XBL and the new PBL blocklist."
>
> I don't recall seeing the PBL notice on http://www.spamhaus.org/pbl the
> day I turned it up. Using ZEN certainly raised my block rate over using
> only sbl-xbl, mrtg shows the improvement.

Interesting.. I use zen too, but I actually break it out by return code. Thus far, I've not seen anything match the new PBL part of the zone.

Spamhaus SBL (127.0.0.2)            2190
Spamhaus XBL CBL (127.0.0.4)       10143
Spamhaus XBL NJABL (127.0.0.5)        81
SPAMHAUS XBL OTHER (127.0.0.6-8)       0
SPAMHAUS PBL (127.0.0.11)              0

And yes, the lists are applied in that order, so it is possible every PBL listing was in SBL, or XBL. However, I think your increase in hits since switching to zen probably has more to do with changes in the existing zones.

From ssilva at sgvwater.com Wed Nov 29 19:52:03 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Nov 29 19:52:39 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <456DA763.10308@pixelhammer.com> References: <033f01c713a8$9301ca30$3701a8c0@lapxp> <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie> <456D7DA0.1070900@ucsc.edu> <456DA763.10308@pixelhammer.com> Message-ID: DAve spake the following on 11/29/2006 7:29 AM: > John Rudd wrote: >> Paul Kelly :: Blacknight Solutions wrote: >>> Gerard Seibert wrote: >>>> On Wednesday November 29, 2006 at 06:21:54 (AM) Arthur Sherman wrote: >>>> >>>>> Sometimes I get a message from any of lists I'm subscribed to, that >>>>> mail to >>>>> my address bounces. >>>>> And as a reason I see Spamcop blocking sender's (legitimate) server. >>>>> >>>>> Here comes the question: >>>>> What would you use instead of Spamcop? >>>>> It gotta be free service, and the more lists the better: right now, >>>>> Spamcop >>>>> is #1 blocking BL in the logs. >>>>> I am afraid if I drop it, the blocking will be worse. >>>> >>>> SpamCop does not block legitimate servers. I use SpamCop myself. >>> >>> I'm sorry, but that is complete rubbish. SpamCop users blatantly report >>> every and any e-mail they receive even double opt-in mailing lists etc. >>> It is an extremely dangerous BL to use if you wish to get legitimate >>> e-mail. >>> >>> The only rbl of use (at smtp transaction time) is xbl. Anything else >>> will drop legitimate mail, that is a fact. >>> >> >> I'm with you up until this point. >> >> Spamcop is absolute trash when it comes to just about every aspect of >> their operations ... so I wouldn't trust their RBL at all. At most, I >> might use it in SpamAssassin with a _VERY_ low score. Even then, I >> would be suspicious of their reliability. >> >> However, I don't think XBL is the only valid RBL to use at SMTP time. >> I've found SBL to be useful, and spamhaus in general to be reliable >> and accurate (not just their XBL). 
I therefore expect that I'll also >> be using the PBL (and thus zen.spamhaus.org) in the near future. >> > > We have been using zen.spamhaus.org for about two weeks now with > excellent results, not one reported false positive. My users would let > me know in a heartbeat if there were. > > It's too new to recommend, but I would certainly suggest doing your own > testing as it is looking very promising. The big plus for us was PBL > replaced our dialup RBL with better results, and no FP. > > DAve > I am still waiting for Spamhaus to list the PBL on their frontpage. Until then I am going to have to consider it beta. If they don't list it, I have to think they are not ready for it to go "prime time". -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From dave.list at pixelhammer.com Wed Nov 29 19:55:28 2006 
From: dave.list at pixelhammer.com (DAve) Date: Wed Nov 29 19:55:45 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <456DE36C.8050305@evi-inc.com> References: <033f01c713a8$9301ca30$3701a8c0@lapxp> <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie> <456D7DA0.1070900@ucsc.edu> <456DA763.10308@pixelhammer.com> <456DAADD.5020000@netmagicsolutions.com> <456DAF3F.9070703@pixelhammer.com> <456DE36C.8050305@evi-inc.com> Message-ID: <456DE5B0.1060009@pixelhammer.com> Matt Kettler wrote: > DAve wrote: > >> I saw the announcement around the 15th. >> >> http://www.spamhaus.org/zen/ >> >> "ZEN is the combination of all Spamhaus DNSBLs into one single powerful >> and comprehensive blocklist to make querying faster and simpler. It >> contains the SBL, the XBL and the new PBL blocklist." >> >> I don't recall seeing the PBL notice on http://www.spamhaus.org/pbl the >> day I turned it up. Using ZEN certainly raised my block rate over using >> only sbl-xbl, mrtg shows the improvement. > > > Interesting.. I use zen too, but I actually break it out by return code. Thus > far, I've not seen anything match the new PBL part of the zone. > > Spamhaus SBL (127.0.0.2) > 2190 > Spamhaus XBL CBL (127.0.0.4) > 10143 > Spamhaus XBL NJABL (127.0.0.5) > 81 > SPAMHAUS XBL OTHER (127.0.0.6-8) > 0 > SPAMHAUS PBL (127.0.0.11) > 0 > > And yes, the lists are applied in that order, so it is possible every PBL > listing was in SBL, or XBL. However, I think your increase in hits since > switching to zen probably has more to do with changes in the existing zones. > > And as always, spam evolves constantly. So it could be nothing more than the email landscape shifted the weekend I made the change. But hey, I ain't complaining. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. 
From binaryflow at gmail.com Wed Nov 29 19:58:47 2006 From: binaryflow at gmail.com (Douglas Ward) Date: Wed Nov 29 19:58:50 2006 Subject: Need replacement files Message-ID: I checked the contents of the /etc/MailScanner/rules folder and see that they are all zero byte files. What are they supposed to say? Would anyone happen to have copies of these files that they could send me off list? I am thinking this would be easier than reinstalling the rpm version. I didn't have anything to whitelist (until now) so I didn't catch this. I am running version 4.56.8-1. Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061129/8369e14e/attachment.html From binaryflow at gmail.com Wed Nov 29 20:02:51 2006 From: binaryflow at gmail.com (Douglas Ward) Date: Wed Nov 29 20:02:53 2006 Subject: Fwd: Need replacement files In-Reply-To: References: Message-ID: Please add the /etc/MailScanner/mcp directory to that request as well. Thanks! ---------- Forwarded message ---------- From: Douglas Ward Date: Nov 29, 2006 2:58 PM Subject: Need replacement files To: MailScanner discussion I checked the contents of the /etc/MailScanner/rules folder and see that they are all zero byte files. What are they supposed to say? Would anyone happen to have copies of these files that they could send me off list? I am thinking this would be easier than reinstalling the rpm version. I didn't have anything to whitelist (until now) so I didn't catch this. I am running version 4.56.8-1. Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061129/79545af5/attachment.html From mkettler at evi-inc.com Wed Nov 29 20:04:45 2006 
From: mkettler at evi-inc.com (Matt Kettler) Date: Wed Nov 29 20:05:38 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: References: <033f01c713a8$9301ca30$3701a8c0@lapxp> <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie> <456D7DA0.1070900@ucsc.edu> <456DA763.10308@pixelhammer.com> Message-ID: <456DE7DD.3010406@evi-inc.com> Scott Silva wrote: > DAve spake the following on 11/29/2006 7:29 AM: >> John Rudd wrote: >>> Paul Kelly :: Blacknight Solutions wrote: >>>> Gerard Seibert wrote: >>>>> On Wednesday November 29, 2006 at 06:21:54 (AM) Arthur Sherman wrote: >>>>> >>>>>> Sometimes I get a message from any of lists I'm subscribed to, that >>>>>> mail to >>>>>> my address bounces. >>>>>> And as a reason I see Spamcop blocking sender's (legitimate) server. >>>>>> >>>>>> Here comes the question: >>>>>> What would you use instead of Spamcop? >>>>>> It gotta be free service, and the more lists the better: right now, >>>>>> Spamcop >>>>>> is #1 blocking BL in the logs. >>>>>> I am afraid if I drop it, the blocking will be worse. >>>>> SpamCop does not block legitimate servers. I use SpamCop myself. >>>> I'm sorry, but that is complete rubbish. SpamCop users blatantly report >>>> every and any e-mail they receive even double opt-in mailing lists etc. >>>> It is an extremely dangerous BL to use if you wish to get legitimate >>>> e-mail. >>>> >>>> The only rbl of use (at smtp transaction time) is xbl. Anything else >>>> will drop legitimate mail, that is a fact. >>>> >>> I'm with you up until this point. >>> >>> Spamcop is absolute trash when it comes to just about every aspect of >>> their operations ... so I wouldn't trust their RBL at all. At most, I >>> might use it in SpamAssassin with a _VERY_ low score. Even then, I >>> would be suspicious of their reliability. >>> >>> However, I don't think XBL is the only valid RBL to use at SMTP time. 
>>> I've found SBL to be useful, and spamhaus in general to be reliable >>> and accurate (not just their XBL). I therefore expect that I'll also >>> be using the PBL (and thus zen.spamhaus.org) in the near future. >>> >> We have been using zen.spamhaus.org for about two weeks now with >> excellent results, not one reported false positive. My users would let >> me know in a heartbeat if there were. >> >> It's too new to recommend, but I would certainly suggest doing your own >> testing as it is looking very promising. The big plus for us was PBL >> replaced our dialup RBL with better results, and no FP. >> >> DAve >> > I am still waiting for Spamhaus to list the PBL on their frontpage. Until then > I am going to have to consider it beta. If they don't list it, I have to think > they are not ready for it to go "prime time". I'd agree.. However, if you're checking return-codes you *can* switch to using zen right now. As long as you're only acting on the SBL and XBL return codes, you should be fine with that. That said, I'm being "aggressive" and checking all the return codes, but right now PBL is returning nothing. That said, even if PBL did start returning things, all it will on my system do is cause mail to get greylisted. From res at ausics.net Wed Nov 29 20:28:23 2006 
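Acting only on selected zen.spamhaus.org return codes, as the message above describes, shown as an added Python sketch (not code from the thread). The return-code values are Spamhaus's published ones as best known, not stated in the thread, and should be checked against Spamhaus's current documentation; the DNS answers are constructed samples, so nothing is queried.

```python
import ipaddress

ZONE = "zen.spamhaus.org"

# Assumption: return codes as published by Spamhaus (not given in the thread).
SBL_CODES = {"127.0.0.2", "127.0.0.3"}
XBL_CODES = {f"127.0.0.{n}" for n in range(4, 8)}
PBL_CODES = {"127.0.0.10", "127.0.0.11"}
# 127.255.255.x answers mean the query itself was refused (for example when
# it arrived through a public resolver); they are never a listing.
ERROR_PREFIX = "127.255.255."


def query_name(client_ip):
    """DNSBL query name for an IPv4 client: reversed octets plus the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZONE


def lists_hit(answers):
    """Map the A records of one zen answer to the component lists they name.

    Returns (lists, errors). Codes this table does not know are ignored
    rather than treated as a listing.
    """
    lists, errors = set(), []
    for record in answers:
        if record in SBL_CODES:
            lists.add("SBL")
        elif record in XBL_CODES:
            lists.add("XBL")
        elif record in PBL_CODES:
            lists.add("PBL")
        elif record.startswith(ERROR_PREFIX):
            errors.append(record)
    return lists, errors


def decide(answers, pbl_action="ignore"):
    """SMTP-time decision that acts on SBL and XBL only.

    pbl_action="ignore"   : PBL answers are not acted on.
    pbl_action="greylist" : a PBL-only hit defers the mail instead of rejecting.
    Error codes and empty answers fail open to "accept".
    """
    lists, _errors = lists_hit(answers)
    if lists & {"SBL", "XBL"}:
        return "reject"
    if "PBL" in lists and pbl_action == "greylist":
        return "greylist"
    return "accept"


def naive_decide(answers):
    """Weak variant for contrast: any A record at all counts as a listing."""
    return "reject" if answers else "accept"


if __name__ == "__main__":
    # Constructed answers, one list of A records per lookup.
    samples = {
        "xbl hit": ["127.0.0.4"],
        "pbl only": ["127.0.0.10"],
        "sbl + pbl": ["127.0.0.2", "127.0.0.10"],
        "query refused": ["127.255.255.254"],
        "not listed": [],
    }
    print(query_name("192.0.2.25"))
    for label, answers in samples.items():
        print(f"{label:14} codes-only={decide(answers):7} "
              f"pbl-greylist={decide(answers, 'greylist'):8} "
              f"naive={naive_decide(answers)}")
```

The "query refused" row is the case that matters operationally: a check that rejects on any answer would start refusing all mail when the zone returns an error code.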
From: res at ausics.net (Res)
Date: Wed Nov 29 20:28:31 2006
Subject: OT: Spamcop BL - good or dangerous?
In-Reply-To: <456D78F8.6020302@blacknight.ie>
References: <033f01c713a8$9301ca30$3701a8c0@lapxp> <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie>
Message-ID:

On Wed, 29 Nov 2006, Paul Kelly :: Blacknight Solutions wrote:

>> SpamCop does not block legitimate servers. I use SpamCop myself.
>
> I'm sorry, but that is complete rubbish. SpamCop users blatantly report
> every and any e-mail they receive even double opt-in mailing lists etc.
> It is an extremely dangerous BL to use if you wish to get legitimate e-mail.

no one's ever complained here, and besides, if they get commercial shit from some wanker when they never asked for it, then that's spam = legit blocking and they do deserve to be there, also I don't recall ever using usernames like zyvvcvcx56@domain but i spose they are legit usernames, right...

> The only rbl of use (at smtp transaction time) is xbl. Anything else
> will drop legitimate mail, that is a fact.

wrong, you have no right to make blanket statements like this, no RBL is 100% perfect, but then again in a perfect world we wouldn't need RBL's

> We host 16k domains, of which we're scanning around 5000 for spam and
> other nasties. We see 200k mails a day through mailscanner with a factor
> of 5 being rejected at smtp time by xbl.

16K is a small drop in the ocean here, and we scan everything (why you only scan 1/3rd I'll never know maybe you have spammer customers), for hosting or our dialup/broadband customer base, a review (as we do when we use any new tool to stop these moronic pricks who think they have the right to send repeat opt in/out mails, once only deals, blah blah blah) shows NO more risk using SC than SH or SORBS or rfcignorant, njabl or any others

--
Cheers
Res

"Just a world that we all must share, it's not enough just to stand and stare, is it only a dream that there'll be no more turning away" - Floyd

From arturs at netvision.net.il Wed Nov 29 20:42:07 2006
From: arturs at netvision.net.il (Arthur Sherman)
Date: Wed Nov 29 20:45:01 2006
Subject: OT: Spamcop BL - good or dangerous?
In-Reply-To: <20061129140509.78D2.GERARD@seibercom.net>
Message-ID: <040c01c713f6$d6156f40$3701a8c0@lapxp>

> I need more sleep. I thought he was complaining about his inability to
> send. If he wants to post the entire bounce message or whatever, the
> addresses used, etc. I might like to look into it. Other than that, it
> is just a waste of time.
>
> BTW, I subscribe to httpd.apache.org and they are not being
> blacklisted.
> At least I have not seen any evidence of it.
>
>
> --
> Gerard

Sorry, Gerard, deleted the original message, so no headers here... Anyway, I include a part of the bounce message which gives some details:

---
> > > > Return-Path: <>
> > > > Received: (qmail 32717 invoked for bounce); 17 Nov 2006
> > > 00:41:45 -0000
> > > > Date: 17 Nov 2006 00:41:45 -0000
> > > > From: MAILER-DAEMON@apache.org > > > > To: users-return-50756-@spamassassin.apache.org > > > > Subject: failure notice > > > > > > > > Hi. This is the qmail-send program at apache.org. > > > > I'm afraid I wasn't able to deliver your message to the > > > following addresses. > > > > This is a permanent error; I've given up. Sorry it > didn't work out. > > > > > > > > : > > > > 212.179.113.183 does not like recipient. > > > > Remote host said: 553 5.3.0 ... Spam > blocked see: > > > > http://spamcop.net/bl.shtml?140.211.11.2 > > > > Giving up on 212.179.113.183. --- Thanks all for your time! Best, -- Arthur Sherman +972-52-4878851 CPTeam From dave.list at pixelhammer.com Wed Nov 29 20:52:09 2006 From: dave.list at pixelhammer.com (DAve) Date: Wed Nov 29 20:52:23 2006 Subject: Possibly stoopid feature request Message-ID: <456DF2F9.6070402@pixelhammer.com> I am getting a lot of spams learned by Bayes as ham this week. As we are an ISP, the hams go right through the system to the users. If I don't get a copy to one of my accounts I have no idea what the message looked like. It might be handy to have a mechanism to keep a quarantine of messages that SA autolearned, so I could easily undo the damage. Just a thought. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From ssilva at sgvwater.com Wed Nov 29 21:00:44 2006 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Nov 29 21:03:02 2006 Subject: OT: Spamcop BL - good or dangerous? In-Reply-To: <456DE7DD.3010406@evi-inc.com> References: <033f01c713a8$9301ca30$3701a8c0@lapxp> <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie> <456D7DA0.1070900@ucsc.edu> <456DA763.10308@pixelhammer.com> <456DE7DD.3010406@evi-inc.com> Message-ID: Matt Kettler spake the following on 11/29/2006 12:04 PM: > Scott Silva wrote: >> DAve spake the following on 11/29/2006 7:29 AM: >>> John Rudd wrote: >>>> Paul Kelly :: Blacknight Solutions wrote: >>>>> Gerard Seibert wrote: >>>>>> On Wednesday November 29, 2006 at 06:21:54 (AM) Arthur Sherman wrote: >>>>>> >>>>>>> Sometimes I get a message from any of lists I'm subscribed to, that >>>>>>> mail to >>>>>>> my address bounces. >>>>>>> And as a reason I see Spamcop blocking sender's (legitimate) server. >>>>>>> >>>>>>> Here comes the question: >>>>>>> What would you use instead of Spamcop? >>>>>>> It gotta be free service, and the more lists the better: right now, >>>>>>> Spamcop >>>>>>> is #1 blocking BL in the logs. >>>>>>> I am afraid if I drop it, the blocking will be worse. >>>>>> SpamCop does not block legitimate servers. I use SpamCop myself. >>>>> I'm sorry, but that is complete rubbish. SpamCop users blatantly report >>>>> every and any e-mail they receive even double opt-in mailing lists etc. >>>>> It is an extremely dangerous BL to use if you wish to get legitimate >>>>> e-mail. >>>>> >>>>> The only rbl of use (at smtp transaction time) is xbl. Anything else >>>>> will drop legitimate mail, that is a fact. >>>>> >>>> I'm with you up until this point. >>>> >>>> Spamcop is absolute trash when it comes to just about every aspect of >>>> their operations ... so I wouldn't trust their RBL at all. At most, I >>>> might use it in SpamAssassin with a _VERY_ low score. Even then, I >>>> would be suspicious of their reliability. 
>>>> >>>> However, I don't think XBL is the only valid RBL to use at SMTP time. >>>> I've found SBL to be useful, and spamhaus in general to be reliable >>>> and accurate (not just their XBL). I therefore expect that I'll also >>>> be using the PBL (and thus zen.spamhaus.org) in the near future. >>>> >>> We have been using zen.spamhaus.org for about two weeks now with >>> excellent results, not one reported false positive. My users would let >>> me know in a heartbeat if there were. >>> >>> It's too new to recommend, but I would certainly suggest doing your own >>> testing as it is looking very promising. The big plus for us was PBL >>> replaced our dialup RBL with better results, and no FP. >>> >>> DAve >>> >> I am still waiting for Spamhaus to list the PBL on their frontpage. Until then >> I am going to have to consider it beta. If they don't list it, I have to think >> they are not ready for it to go "prime time". > > I'd agree.. However, if you're checking return-codes you *can* switch to using > zen right now. As long as you're only acting on the SBL and XBL return codes, > you should be fine with that. > > That said, I'm being "aggressive" and checking all the return codes, but right > now PBL is returning nothing. That said, even if PBL did start returning things, > all it will on my system do is cause mail to get greylisted. > > > > Just looked again at www.spamhaus.org/pbl , and they seem to be shooting for a December startup. Not too far away :-D -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From campbell at cnpapers.com Wed Nov 29 21:15:10 2006 
From: campbell at cnpapers.com (Steve Campbell) Date: Wed Nov 29 21:15:42 2006 Subject: OT - How does most people accomplish mail downloads Message-ID: <003b01c713fb$73ec3f10$0705000a@ddf5dw71> I apologize for the OT, but I see where a lot of people use MailScanner to scan mail they get from their ISP to a home computer. How do most people set the download from their ISP to their local sendmail/postfix/MTA? The scanning part is not the problem once I get it into sendmail, but is this a scheduled interval task and what is used? I'm just drawing a blank here. Thanks Steve Campbell campbell@cnpapers.com Charleston Newspapers From mikea at mikea.ath.cx Wed Nov 29 21:21:06 2006 From: mikea at mikea.ath.cx (mikea) Date: Wed Nov 29 21:21:09 2006 Subject: OT - How does most people accomplish mail downloads In-Reply-To: <003b01c713fb$73ec3f10$0705000a@ddf5dw71>; from campbell@cnpapers.com on Wed, Nov 29, 2006 at 04:15:10PM -0500 References: <003b01c713fb$73ec3f10$0705000a@ddf5dw71> Message-ID: <20061129152106.G53222@mikea.ath.cx> On Wed, Nov 29, 2006 at 04:15:10PM -0500, Steve Campbell wrote: > I apologize for the OT, but I see where a lot of people use MailScanner to > scan mail they get from their ISP to a home computer. How do most people set > the download from their ISP to their local sendmail/postfix/MTA? The > scanning part is not the problem once I get it into sendmail, but is this a > scheduled interval task and what is used? > > I'm just drawing a blank here. For the one case where mail doesn't come directly into my home box, I use fetchmail. Works pretty well for the most part, *but* spam on the external box stays there, gets rejected by my milters, and the admin gets mildly irritated. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From ugob at camo-route.com Wed Nov 29 21:38:30 2006 
From: ugob at camo-route.com (Ugo Bellavance) Date: Wed Nov 29 21:39:26 2006 Subject: OT - How does most people accomplish mail downloads In-Reply-To: <20061129152106.G53222@mikea.ath.cx> References: <003b01c713fb$73ec3f10$0705000a@ddf5dw71> <20061129152106.G53222@mikea.ath.cx> Message-ID: mikea wrote: > On Wed, Nov 29, 2006 at 04:15:10PM -0500, Steve Campbell wrote: >> I apologize for the OT, but I see where a lot of people use MailScanner to >> scan mail they get from their ISP to a home computer. How do most people set >> the download from their ISP to their local sendmail/postfix/MTA? The >> scanning part is not the problem once I get it into sendmail, but is this a >> scheduled interval task and what is used? >> >> I'm just drawing a blank here. > > For the one case where mail doesn't come directly into my home box, > I use fetchmail. Works pretty well for the most part, *but* spam on > the external box stays there, gets rejected by my milters, and the > admin gets mildly irritated. > fetchmail here too. From arturs at netvision.net.il Wed Nov 29 21:39:14 2006 From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Nov 29 21:42:10 2006 Subject: MailScanner --debug stucks Message-ID: <042101c713fe$d0cceba0$3701a8c0@lapxp> ...right after: --- [18942] dbg: bayes: untie-ing db_seen --- Could you people help me with this? Best, -- Arthur Sherman +972-52-4878851 CPTeam From campbell at cnpapers.com Wed Nov 29 21:45:06 2006 From: campbell at cnpapers.com (Steve Campbell) Date: Wed Nov 29 21:45:27 2006 Subject: OT - How does most people accomplish mail downloads References: <003b01c713fb$73ec3f10$0705000a@ddf5dw71><20061129152106.G53222@mikea.ath.cx> Message-ID: <001801c713ff$a23096b0$0705000a@ddf5dw71> Thank you both, Steve ----- Original Message ----- 
From: "Ugo Bellavance" To: Sent: Wednesday, November 29, 2006 4:38 PM Subject: Re: OT - How does most people accomplish mail downloads > mikea wrote: >> On Wed, Nov 29, 2006 at 04:15:10PM -0500, Steve Campbell wrote: >>> I apologize for the OT, but I see where a lot of people use MailScanner >>> to scan mail they get from their ISP to a home computer. How do most >>> people set the download from their ISP to their local >>> sendmail/postfix/MTA? The scanning part is not the problem once I get it >>> into sendmail, but is this a scheduled interval task and what is used? >>> >>> I'm just drawing a blank here. >> >> For the one case where mail doesn't come directly into my home box, I use >> fetchmail. Works pretty well for the most part, *but* spam on the >> external box stays there, gets rejected by my milters, and the admin gets >> mildly irritated. > > fetchmail here too. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From brent.addis at pronet.co.nz Wed Nov 29 21:58:41 2006 
From: brent.addis at pronet.co.nz (Brent Addis) Date: Wed Nov 29 21:59:11 2006 Subject: Possibly stoopid feature request In-Reply-To: <456DF2F9.6070402@pixelhammer.com> References: <456DF2F9.6070402@pixelhammer.com> Message-ID: <456E0291.3000104@pronet.co.nz> Configure mailscanner to store everything for x days, and use mailwatch to unlearn/learn ? DAve wrote: > I am getting a lot of spams learned by Bayes as ham this week. As we > are an ISP, the hams go right through the system to the users. If I > don't get a copy to one of my accounts I have no idea what the message > looked like. > > It might be handy to have a mechanism to keep a quarantine of messages > that SA autolearned, so I could easily undo the damage. > > Just a thought. > > DAve ------------------------------------------------------------------------ From dave.list at pixelhammer.com Wed Nov 29 22:12:56 2006 
From: dave.list at pixelhammer.com (DAve) Date: Wed Nov 29 22:13:10 2006 Subject: Possibly stoopid feature request In-Reply-To: <456E0291.3000104@pronet.co.nz> References: <456DF2F9.6070402@pixelhammer.com> <456E0291.3000104@pronet.co.nz> Message-ID: <456E05E8.8000400@pixelhammer.com> Brent Addis wrote: > Configure mailscanner to store everything for x days, and use mailwatch > to unlearn/learn ? > > DAve wrote: >> I am getting a lot of spams learned by Bayes as ham this week. As we >> are an ISP, the hams go right through the system to the users. If I >> don't get a copy to one of my accounts I have no idea what the message >> looked like. >> >> It might be handy to have a mechanism to keep a quarantine of messages >> that SA autolearned, so I could easily undo the damage. >> >> Just a thought. >> >> DAve Thought about it, but we keep all spam in quarantine and send a report each day to users. Keeping non spam in quarantine would just confuse them more than asking for a copy of the learned message with headers intact. Dave -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From brent.addis at pronet.co.nz Wed Nov 29 22:24:20 2006 From: brent.addis at pronet.co.nz (Brent Addis) Date: Wed Nov 29 22:24:48 2006 Subject: Possibly stoopid feature request In-Reply-To: <456E05E8.8000400@pixelhammer.com> References: <456DF2F9.6070402@pixelhammer.com> <456E0291.3000104@pronet.co.nz> <456E05E8.8000400@pixelhammer.com> Message-ID: <456E0894.9090800@pronet.co.nz> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061130/a5906dd1/attachment-0001.html From gmane at tippingmar.com Wed Nov 29 22:58:46 2006 
From: gmane at tippingmar.com (Mark Nienberg) Date: Wed Nov 29 22:59:27 2006 Subject: Grep Patterns for MailScanner Statistics In-Reply-To: <456BF9D2.61A4.0000.0@caspercollege.edu> References: <456BF9D2.61A4.0000.0@caspercollege.edu> Message-ID: Daniel Straka wrote: > I've been trying to find a grep pattern to use with the mail log file to > get an accurate count of: > 1. Total Incoming Messages: (I'm using sendmail), been using (grep -c > "daemon=MTA" mail) > 2. Total Outgoing Messages: been using (grep -c "to=<" mail) > 3. Messages identified as spam by MailScanner: been using (grep -c > "actions are delete" mail) > 4. Total number of messages sent and received: help! > Does anyone have a list of grep patterns they use and would like to > share? Easiest thing would be to download the latest version of logwatch and look at the patterns in there. It is written in perl, so easy to understand. Or maybe you would be satisfied with the logwatch report for MailScanner and wouldn't even have to write your own. Mark Nienberg From taz at taz-mania.com Wed Nov 29 23:34:35 2006 
From: taz at taz-mania.com (Dennis Willson) Date: Wed Nov 29 23:34:39 2006 Subject: Grep Patterns for MailScanner Statistics In-Reply-To: Message-ID: You could use MailWatch and then use its built-in report generator and if there's something you need that isn't there it's really easy to add since all the information is logged in an SQL database. On Wed, 29 Nov 2006 14:58:46 -0800 Mark Nienberg wrote: >Daniel Straka wrote: >>I've been trying to find a grep pattern to use with the mail log file >>to >>get an accurate count of: >>1. Total Incoming Messages: (I'm using sendmail), been using (grep -c >>"daemon=MTA" mail) >>2. Total Outgoing Messages: been using (grep -c "to=<" mail) >>3. Messages identified as spam by MailScanner: been using (grep -c >>"actions are delete" mail) >>4. Total number of messages sent and received: help! >>Does anyone have a list of grep patterns they use and would like to >>share? > >Easiest thing would be to download the latest version of logwatch and >look at the patterns in there. It is written in perl, so easy to >understand. Or maybe you would be satisfied with the logwatch report >for MailScanner and wouldn't even have to write your own. > >Mark Nienberg > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham (Extra Class): ka6lsw Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Owner: Kepnet Internet Services Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" 
From nerijus at users.sourceforge.net Thu Nov 30 01:39:29 2006
From: nerijus at users.sourceforge.net (Nerijus Baliunas)
Date: Thu Nov 30 01:40:08 2006
Subject: corrupt messages when using Postfix with milter
Message-ID: <20061130014246.3FD45FF0A@mx-a.vdnet.lt>

Hello,

I am using milter-greylist 3.0 with postfix 2.3.3. main.cf:

milter_default_action = accept
milter_connect_macros = j {client_addr}
milter_protocol = 3
smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock

But there is one problem. New line and " 0" are added at the end
of every message, and a number (pid?) is added after all the headers,
but before MailScanner added ones:

Message-Id: <20061127145914.674468019A@mail.xxx.lt>
3753
X-xxx-MailScanner-Information: Please contact the ISP for more information

I asked in postfix list, Wietse said:
Are you by any chance using a content filter? Mailscanner will
surely screw up the queue file if Miltering is enabled.

And right, if I disable MailScanner, messages are OK.

Regards,
Nerijus

From TGFurnish at herffjones.com Thu Nov 30 02:47:07 2006
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Thu Nov 30 02:47:16 2006
Subject: OT sendmail question
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC4B0@inex3.herffjones.hj-int>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Pentland G. > Sent: Wednesday, November 29, 2006 12:00 PM > To: MailScanner discussion > Subject: RE: OT sendmail question > For you Trever, something simpler should suffice, I'd have to > double check but the feature "relay_based_on_MX" would > probably do it, or something like it, only allowing relaying > for domains that you are an MX server for. Doesn't relay_based_on_MX cause sendmail to relay for ***recipient*** domains that it's listed as an MX for? As in, "sure, I'll accept your message to bob@foo.com, because DNS says I'm an MX for foo.com"? If so, that's not what I meant - I meant having the ability to reject an outgoing message FROM bob@foo.com because foo.com isn't one of my domains. I hate when I see my internal relays being used to send a message to bob@foo.com FROM bob@foo.com, knowing that foo.com may very well reject the message because I'm not authorized to send mail from their domain. > Gary -- Trever > Furnish, Trever G wrote: > > I don't have a solution for you, but that would be a very useful > > feature. I'd love to limit the domains my internal users can send > > from, to combat the problem of ignorant developers who, for > example, > > set the envelope sender to an address we don't own in mail > sent from > > web forms. From TGFurnish at herffjones.com Thu Nov 30 02:52:23 2006 
From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Thu Nov 30 02:52:27 2006 Subject: Need replacement files Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC4B1@inex3.herffjones.hj-int> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: samplefiles.zip Type: application/x-zip-compressed Size: 2851 bytes Desc: samplefiles.zip Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061129/7ca98208/samplefiles.bin From glenn.steen at gmail.com Thu Nov 30 08:20:39 2006 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 30 08:20:42 2006
Subject: corrupt messages when using Postfix with milter
In-Reply-To: <20061130014246.3FD45FF0A@mx-a.vdnet.lt>
References: <20061130014246.3FD45FF0A@mx-a.vdnet.lt>
Message-ID: <223f97700611300020t42f0c6adraf1ea84a6b60c54f@mail.gmail.com>

On 30/11/06, Nerijus Baliunas wrote:
> Hello,
>
> I am using milter-greylist 3.0 with postfix 2.3.3. main.cf:
>
> milter_default_action = accept
> milter_connect_macros = j {client_addr}
> milter_protocol = 3
> smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock
>
> But there is one problem. New line and " 0" are added at the end
> of every message, and a number (pid?) is added after all the headers,
> but before MailScanner added ones:
>
> Message-Id: <20061127145914.674468019A@mail.xxx.lt>
> 3753
> X-xxx-MailScanner-Information: Please contact the ISP for more information
>
> I asked in postfix list, Wietse said:
> Are you by any chance using a content filter? Mailscanner will
> surely screw up the queue file if Miltering is enabled.
>
> And right, if I disable MailScanner, messages are OK.
>
> Regards,
> Nerijus

Try capturing a queue file _before_ MailScanner gets at it (just start
postfix but not MailScanner, pass a message in, copy the queue
file...) and send it, together with as much detail as you can give,
directly to Jules (it's OK to CC the list, but he's the one that needs
to see what can be the problem, and fix it). He's a tad busy at the
moment, but ... with that he should be able to decipher what goes bad.

Is it every message, every time, or is it intermittent?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Nov 30 08:28:26 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 30 08:28:28 2006
Subject: corrupt messages when using Postfix with milter
In-Reply-To: <223f97700611300020t42f0c6adraf1ea84a6b60c54f@mail.gmail.com>
References: <20061130014246.3FD45FF0A@mx-a.vdnet.lt> <223f97700611300020t42f0c6adraf1ea84a6b60c54f@mail.gmail.com>
Message-ID: <223f97700611300028n4878ed1do5830bfaf9d3e0781@mail.gmail.com>

On 30/11/06, Glenn Steen wrote:
> On 30/11/06, Nerijus Baliunas wrote:
> > Hello,
> >
> > I am using milter-greylist 3.0 with postfix 2.3.3. main.cf:
> >
> > milter_default_action = accept
> > milter_connect_macros = j {client_addr}
> > milter_protocol = 3
> > smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock
> >
> > But there is one problem. New line and " 0" are added at the end
> > of every message, and a number (pid?) is added after all the headers,
> > but before MailScanner added ones:
> >
> > Message-Id: <20061127145914.674468019A@mail.xxx.lt>
> > 3753
> > X-xxx-MailScanner-Information: Please contact the ISP for more information
> >
> > I asked in postfix list, Wietse said:
> > Are you by any chance using a content filter? Mailscanner will
> > surely screw up the queue file if Miltering is enabled.
> >
> > And right, if I disable MailScanner, messages are OK.
> >
> > Regards,
> > Nerijus
> Try capturing a queue file _before_ MailScanner gets at it (just start
> postfix but not MailScanner, pass a message in, copy the queue
> file...) and send it, together with as much detail as you can give,
> directly to Jules (it's OK to CC the list, but he's the one that needs
> to see what can be the problem, and fix it). He's a tad busy at the
> moment, but ... with that he should be able to decipher what goes bad.
>
> Is it every message, every time, or is it intermittent?

Oh, I see you say "every" already:-) ... Need more Java (!=prgming lang)...:)

BTW, when you have the milter on, and look at a "pre-MailScanner queue-file" with postcat, how does it differ from a postcat of the same testmessage sent through without the milter?

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solidstatelogic.com Thu Nov 30 09:27:14 2006
From: martinh at solidstatelogic.com (Martin Hepworth)
Date: Thu Nov 30 09:27:44 2006
Subject: Need replacement files
In-Reply-To:
References:
Message-ID: <456EA3F2.60501@solidstatelogic.com>

Douglas Ward wrote:
> I checked the contents of the /etc/MailScanner/rules folder and see that
> they are all zero byte files. What are they supposed to say? Would
> anyone happen to have copies of these files that they could send me off
> list? I am thinking this would be easier than reinstalling the rpm
> version. I didn't have anything to whitelist (until now) so I didn't
> catch this. I am running version 4.56.8-1. Thanks!
>

Douglas... once you've got this 'fixed' as a 'note to self' - add MailScanner to backup routine ;-)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**********************************************************************

From jrudd at ucsc.edu Thu Nov 30 12:06:55 2006
From: jrudd at ucsc.edu (John Rudd)
Date: Thu Nov 30 12:08:09 2006
Subject: new Botnet plugin version soon
In-Reply-To:
References:
Message-ID: <456EC95F.5080209@ucsc.edu>

Things I'm putting into the new Botnet version (which will be 0.5):

1) someone noticed that some MTAs (specifically CommuniGate Pro) don't put the relay's RDNS into the Received headers, and thus Botnet 0.4 always triggered "NORDNS" when run on that MTA. In the new version, if Botnet finds that the relay it's going to look at has no rdns in the pseudo-header, then the _first_ time it looks it will try to look up the relay (and store it in the pseudo-header if it finds it; or store -1 if not). From then on, it will give the right answer for the other Botnet rules.

This avoids the performance problem of "every Botnet rule does 1 or 2 DNS checks" that I tried to solve 1 or 2 versions ago, but does mean that at least 1 DNS check will be done (by the first Botnet rule that happens to get called) if the relay doesn't have RDNS. This might happen even if you have network checks turned off. If you're concerned about the small performance hit on this, then it might be a good idea to run a caching name server on the host where Botnet runs.

(I had also considered only doing this if the user set a new config option, "botnet_lame_mta_rdns", to 1 ... but I thought I'd try this first)

2) As suggested, I've added "botnet_pass_domains" -- regular expressions, anchored to the end of the hostname string, that look for domains to exempt from Botnet checks.

3) I modified the "IP in hostname" check slightly. It used to look for mixed decimal and hexadecimal octets in the hostname. This caused a small problem with the following Received header:

Received: from badger07006.apple.com (badger07006.apple.com [17.254.6.173])

("ad" is hexadecimal for "173", and you can see "006" right in there, therefore 2 octets are present in the hostname)

To avoid this special case, I have made it so that it doesn't put the hexadecimal and decimal checks into the same regular expression. This could, however, slightly reduce Botnet's effectiveness. I'm going to re-evaluate it over time.

(note: I have ALSO addressed this by putting apple\.com into the botnet_pass_domains example; using botnet_pass_domains or botnet_pass_ip might be the better way to address these special cases in the future, but I'm not sure yet)

4) I've added "mx" to the included botnet_serverwords. Technically this alone would exempt the ebay hosts that use "mxpool", so ebay wouldn't need a botnet_skip_domains entry ... but I also made such an entry for ebay. I'm not sure yet if "mx" is a good idea to have in botnet_serverwords though.

5) In the past, I only had the 127.* localhost IP address block, and the 10.* private IP address block in the example botnet_skip_ip config. From a suggestion I received, I've added the other two private IP blocks as well ( 192.168.* and 172.(16-31).* ).

I have two questions:

Question 1: Someone suggested that, for botnet_pass_domains, I not re-invent the wheel. SA already has several whitelist options (whitelist* and sare_whitelist* were specifically mentioned). They suggested that I leverage them. My first (two part) question is:

a) do any of them have a small enough value that they wouldn't counter botnet's default score of 5? Meaning, if I "do nothing" with respect to those other whitelist mechanisms, they'll still "do the right thing" and let the botnet hosts through, right?

b) clearly I've gone ahead and done botnet_pass_domains ... but part of me wants to "do both". So what is the right way to have Botnet recognize those other host/domain whitelisting mechanisms? I have no idea what the sare_whitelist entries look like, but I was thinking maybe I could take the whitelist_from argument, the 2nd argument to whitelist_from_rcvd, and maybe the whitelist_from_spf argument, and munge them into a domain name to exempt. The catch is: if I do that, shouldn't I _also_ recognize the unwhitelist_* configs? That starts to get a bit hairy, IMO.

For now, I'm not going to go down this path... but I'm interested in people's opinions about whether or not I should recognize whitelist*, sare_whitelist*, and unwhitelist* config options and somehow incorporate them into botnet_pass_domains. I'd also consider code snippets that would be compatible with the code I already have for Botnet::parse_config.

My main hope, though, is that the scores for those mechanisms are already negative enough that they over-ride Botnet anyway. Given that the ones in the base SA are scored at -6, -15, or -100 ... I think that's a comfortable assumption on my part. I don't know if sare_whitelist fits into that or not, though.

(for similar reasons I'm currently not going to look at making the BOTNET meta rule's expression more complicated with references to DK and DKIM; the DK scores in the base SA are scored at -100 and -7.5 ... that seems useful enough to me; but I might look at putting in alternate meta rule expressions that are commented out, if people really want me to; that way people could just choose to comment and uncomment whatever seems most appropriate for their situation)

Question 2: someone asked why my module is "Botnet" instead of "Mail::SpamAssassin::Plugin::Botnet". The answer is: when I first started this (and this is/was my first SA Plugin authoring attempt), I tried that and it didn't work. If someone wants to look at it, and figure out how to make that work (but still have the files located in /etc/mail/spamassassin) I would happily incorporate it.

Last, someone offered to host this if I needed to. I appreciate the offer. I may decide to bite the bullet and host this on sourceforge at some point (assuming, say, the SA team doesn't like it enough to include it in their standard examples) ... but for now my existing location is working fine.

I expect to release the new version over the coming weekend.

From Cornek at synaq.com Thu Nov 30 13:11:35 2006
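[Added example, not part of John Rudd's message and not Botnet's own code.] A Python sketch of the two exemptions described in items 2 and 5 of the message above: relay IPs in the loopback and private blocks are skipped, and hostnames are exempted by regular expressions anchored to the end of the hostname. The function names, the sample hostnames and the label-boundary check in front of each pattern are assumptions of this illustration; the message itself only states that the patterns are anchored to the end of the string.

```python
import ipaddress
import re

# Constructed sample configuration, modelled on the entries the message mentions.
PASS_DOMAINS = [r"apple\.com", r"ebay\.com"]
SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",      # 127.*
    "10.0.0.0/8",       # 10.*
    "192.168.0.0/16",   # 192.168.*
    "172.16.0.0/12",    # 172.(16-31).*
)]


def compile_pass_domains(patterns):
    """Anchor every pattern to the end of the hostname.

    Assumption of this example: the pattern must also start at a label
    boundary (start of string or a dot), so "pineapple.com" does not pass
    as "apple.com". A trailing root dot is tolerated.
    """
    return [re.compile(r"(?:^|\.)(?:" + p + r")\.?$", re.IGNORECASE)
            for p in patterns]


PASS_RES = compile_pass_domains(PASS_DOMAINS)


def exemption(relay_ip, rdns):
    """Return "skip_ip", "pass_domain", or None when the relay is not exempt."""
    ip = ipaddress.ip_address(relay_ip)
    if any(ip in net for net in SKIP_NETS):
        return "skip_ip"
    # rdns is None when the relay has no reverse DNS; such a relay can
    # never be exempted by domain.
    if rdns and any(rx.search(rdns) for rx in PASS_RES):
        return "pass_domain"
    return None


def unanchored_match(rdns):
    """The same patterns without any anchoring, shown only for comparison."""
    return any(re.search(p, rdns, re.IGNORECASE) for p in PASS_DOMAINS)


if __name__ == "__main__":
    # Constructed relay IP / rDNS pairs (the first pair is the one quoted
    # in the message; the rest use documentation addresses and names).
    samples = [
        ("17.254.6.173", "badger07006.apple.com"),
        ("203.0.113.9", "apple.com.example.net"),
        ("203.0.113.9", "pineapple.com"),
        ("172.20.1.1", None),
        ("172.32.0.1", None),
    ]
    for ip, host in samples:
        print(ip, host, "->", exemption(ip, host))
```

The comparison function shows why the anchoring matters: without it, any hostname that merely contains an exempted domain somewhere in the string would be exempted as well.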
From: Cornek at synaq.com (Corne Kotze) Date: Thu Nov 30 13:10:43 2006 Subject: Allow and block filenames on same domain In-Reply-To: <223f97700611290557o3486cf82laa800da2823dfff3@mail.gmail.com> References: <456D7A43.1070004@synaq.com> Message-ID: <456ED887.3040902@synaq.com> Hi, Maybe my question was bit vague. I should have said it like this: I have just under 500 email accounts on my system(mail server), all on one domain, and all incoming emails are being scanned by MailScanner. My Question: How can I allow certain file attachments in emails sent to 40 of the email accounts on the domain through, and then still block those attachments for all the other email accounts on that same domain? Example: pete@work.com is a director joe@work.com is a clerk Now a "movie.avi" is sent to both, pete@work.com should receive the file BUT That file must be blocked for joe@work.com Thanks Glenn Steen wrote: > On 29/11/06, Corne Kotze wrote: >> Hi all, >> >> I have MailScanner setup on Linux, all is working 100%, but now the >> company wants to allow all managers and directors to receive almost >> anything, while the rest of the users are blocked. >> In /etc/MailScanner/filename.rules.conf - I have made some changes to >> allow for zip files etc for the managers and directors. >> Then I copied the file to: >> /etc/MailScanner/filename.rules.users.conf - Here I made all the changes >> to block all files needed to be blocked for the users. 
>> >> In /etc/MailScanner/rules/filename.rules - I have a number of entries >> for the managers and directors looking like this: >> To: email addres@domain.com /etc/MailScanner/filename.rules.conf >> And for the rest of the users it looks like this: >> *@domain.com /etc/MailScanner/filename.rules.users.conf >> >> Now for some reason if an email is sent with a .ppt attachment to a >> director that is supposed to be allowed, that email is blocked by one of >> the custom rules, example: >> >> ################################################################# >> >> Our e-mail content detector has just been triggered by a message you >> sent: >> To: email address@domain.com >> Subject: test 123 >> Date: Wed Nov 29 14:07:51 2006 >> >> One or more of the attachments (Test.pps) are on >> the list of unacceptable attachments for this site and will not have >> been delivered. >> >> Consider renaming the files to avoid this constraint. >> >> The virus detector said this about the message: >> Report: Report: ScanSrv: Custom block (Test.pps) >> >> ########################################################################## >> >> >> But this attachment is allowed in: /etc/MailScanner/filename.rules.conf >> And the directors email address is pointing to this file. >> >> Any help please... >> >> Thank you >> > Your ruleset seems to be rather wrong. Take a look at the EXAMPLES in > the rules directory, and also look at the wiki... > http://wiki.mailscanner.info/doku.php?id=&idx=documentation:configuration:rulesets > > and more specifically > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading > > -- Regards, Corne Kotze Managed Services Support Engineer SYNAQ (Pty) Ltd Tel: 011 245 5888 Fax: 011 783 9275 Web: http://www.synaq.com From dave.list at pixelhammer.com Thu Nov 30 14:34:44 2006 
From: dave.list at pixelhammer.com (DAve) Date: Thu Nov 30 14:35:06 2006 Subject: Possibly stoopid feature request In-Reply-To: <456E0894.9090800@pronet.co.nz> References: <456DF2F9.6070402@pixelhammer.com> <456E0291.3000104@pronet.co.nz> <456E05E8.8000400@pixelhammer.com> <456E0894.9090800@pronet.co.nz> Message-ID: <456EEC04.2090904@pixelhammer.com> Brent Addis wrote: > What about the archive feature then? Thought about it but we don't want to have 4gb of mail to keep and sort through each day. A separate quarantine of just learned mail would be easier to manage. There is also the thought that keeping a copy of learned mail for spam purposes could be justified if a recipient is subscribed to the spam filtering tool. Keeping all mail might not be justified/legal, we don't know. We have lawyers to tell us should we decide to ask, please let's not start a thread on legalities of mail archives ;^) DAve > > DAve wrote: >> Brent Addis wrote: >>> Configure mailscanner to store everything for x days, and use >>> mailwatch to unlearn/learn ? >>> >>> DAve wrote: >>>> I am getting a lot of spams learned by Bayes as ham this week. As we >>>> are an ISP, the hams go right through the system to the users. If I >>>> don't get a copy to one of my accounts I have no idea what the >>>> message looked like. >>>> >>>> It might be handy to have a mechanism to keep a quarantine of >>>> messages that SA autolearned, so I could easily undo the damage. >>>> >>>> Just a thought. >>>> >>>> DAve >> >> Thought about it, but we keep all spam in quarantine and send a report >> each day to users. Keeping non spam in quarantine would just confuse >> them more than asking for a copy of the learned message with headers >> intact. 
>> >> Dave >> >> > > > -- > > *Brent Addis | *Technical Account Manager| Ph: + 64 9 827 9298\ > Mobile: + 64 21 723 612| Email: Brent.Addis@pronet.co.nz| > > > *PRONET Internet NZ Ltd* |Secure Network and Systems Infrastructure > Solutions| > > Tel: + 64 9 827 9298 (0800 482 871) |Fax: + 64 9 827 > 9291 |www.pronet.co.nz | Level 2, 2a McWhirter > Place, New Lynn, Auckland, New Zealand| PO Box 15352, New Lynn, > Auckland, New Zealand | > > Please Note: This electronic mail message may contain information that > is confidential, proprietary or the subject of legal privilege. If the > reader of this message is not the intended recipient you must delete > this e-mail. Any use, dissemination, distribution or reproduction of > this message is prohibited. If you have received this message in error, > please notify the sender immediately. Thank you. PRONET Internet NZ Ltd. > > > > ------------------------------------------------------------------------ > > > > > > > -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From Cornek at synaq.com Thu Nov 30 14:38:28 2006 
From: Cornek at synaq.com (Corne Kotze) Date: Thu Nov 30 14:37:34 2006 Subject: Allow and block filenames on same domain - Take2 In-Reply-To: <456ED887.3040902@synaq.com> References: <456D7A43.1070004@synaq.com> Message-ID: <456EECE4.2070809@synaq.com> Sorry, slight amendment to email sent out earlier Please see ***** Corne Kotze wrote: > Hi, > > Maybe my question was bit vague. > I should have said it like this: > I have just under 500 email accounts on my system(mail server), all on > one domain, and all incoming emails are being scanned by MailScanner. > My Question: > How can I allow certain file attachments in emails sent to 40 of the > email accounts on the domain through, and then still block those > attachments for all the other email accounts on that same domain? > ***** > Example: > pete@work.com is a director > joe@work.com is a clerk > > Now a "movie.avi" is sent from hans@company.com TO pete@work.com and > he should receive the file > BUT > A "video.mov" is sent from trevor@gov.com TO joe@work.com and that > email should then be blocked > > Thanks > > > > Glenn Steen wrote: >> On 29/11/06, Corne Kotze wrote: >>> Hi all, >>> >>> I have MailScanner setup on Linux, all is working 100%, but now the >>> company wants to allow all managers and directors to receive almost >>> anything, while the rest of the users are blocked. >>> In /etc/MailScanner/filename.rules.conf - I have made some changes to >>> allow for zip files etc for the managers and directors. >>> Then I copied the file to: >>> /etc/MailScanner/filename.rules.users.conf - Here I made all the >>> changes >>> to block all files needed to be blocked for the users. 
>>> >>> In /etc/MailScanner/rules/filename.rules - I have a number of entries >>> for the managers and directors looking like this: >>> To: email addres@domain.com /etc/MailScanner/filename.rules.conf >>> And for the rest of the users it looks like this: >>> *@domain.com /etc/MailScanner/filename.rules.users.conf >>> >>> Now for some reason if an email is sent with a .ppt attachment to a >>> director that is supposed to be allowed, that email is blocked by >>> one of >>> the custom rules, example: >>> >>> ################################################################# >>> >>> Our e-mail content detector has just been triggered by a message you >>> sent: >>> To: email address@domain.com >>> Subject: test 123 >>> Date: Wed Nov 29 14:07:51 2006 >>> >>> One or more of the attachments (Test.pps) are on >>> the list of unacceptable attachments for this site and will not have >>> been delivered. >>> >>> Consider renaming the files to avoid this constraint. >>> >>> The virus detector said this about the message: >>> Report: Report: ScanSrv: Custom block (Test.pps) >>> >>> ########################################################################## >>> >>> >>> But this attachment is allowed in: /etc/MailScanner/filename.rules.conf >>> And the directors email address is pointing to this file. >>> >>> Any help please... >>> >>> Thank you >>> >> Your ruleset seems to be rather wrong. Take a look at the EXAMPLES in >> the rules directory, and also look at the wiki... >> http://wiki.mailscanner.info/doku.php?id=&idx=documentation:configuration:rulesets >> >> and more specifically >> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading >> >> > -- Regards, Corne Kotze Managed Services Support Engineer SYNAQ (Pty) Ltd Tel: 011 245 5888 Fax: 011 783 9275 Web: http://www.synaq.com From sk at foundationcenter.org Thu Nov 30 14:42:03 2006 
From: sk at foundationcenter.org (Sukh Khehra) Date: Thu Nov 30 14:40:28 2006 Subject: test Message-ID: <7B644D3DEEE2594981C2B8FFAC1737D1A86A0A@fcmail.nycnt1a.fdncenter.org> test Sukh Khehra System Services Manager The Foundation Center 79 Fifth Ave New York NY 10003 212-807-2478 http://foundationcenter.org -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061130/b0bcca65/attachment.html From MailScanner at ecs.soton.ac.uk Thu Nov 30 14:52:18 2006 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Nov 30 14:54:09 2006 Subject: Allow and block filenames on same domain - Take2 In-Reply-To: <456EECE4.2070809@synaq.com> References: <456D7A43.1070004@synaq.com> <456EECE4.2070809@synaq.com> Message-ID: <456EF022.80600@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is all documented on the wiki. Take a look at http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading Jules. Corne Kotze wrote: > Sorry, slight amendment to email sent out earlier > Please see ***** > > Corne Kotze wrote: >> Hi, >> >> Maybe my question was bit vague. >> I should have said it like this: >> I have just under 500 email accounts on my system(mail server), all >> on one domain, and all incoming emails are being scanned by MailScanner. >> My Question: >> How can I allow certain file attachments in emails sent to 40 of the >> email accounts on the domain through, and then still block those >> attachments for all the other email accounts on that same domain? >> > ***** >> Example: >> pete@work.com is a director >> joe@work.com is a clerk >> >> Now a "movie.avi" is sent from hans@company.com TO pete@work.com >> and he should receive the file >> BUT >> A "video.mov" is sent from trevor@gov.com TO joe@work.com and that >> email should then be blocked >> >> Thanks >> >> >> >> Glenn Steen wrote: >>> On 29/11/06, Corne Kotze wrote: >>>> Hi all, >>>> >>>> I have MailScanner setup on Linux, all is working 100%, but now the >>>> company wants to allow all managers and directors to receive almost >>>> anything, while the rest of the users are blocked. >>>> In /etc/MailScanner/filename.rules.conf - I have made some changes to >>>> allow for zip files etc for the managers and directors. >>>> Then I copied the file to: >>>> /etc/MailScanner/filename.rules.users.conf - Here I made all the >>>> changes >>>> to block all files needed to be blocked for the users. 
>>>> >>>> In /etc/MailScanner/rules/filename.rules - I have a number of entries >>>> for the managers and directors looking like this: >>>> To: email addres@domain.com /etc/MailScanner/filename.rules.conf >>>> And for the rest of the users it looks like this: >>>> *@domain.com /etc/MailScanner/filename.rules.users.conf >>>> >>>> Now for some reason if an email is sent with a .ppt attachment to a >>>> director that is supposed to be allowed, that email is blocked by >>>> one of >>>> the custom rules, example: >>>> >>>> ################################################################# >>>> >>>> Our e-mail content detector has just been triggered by a message >>>> you sent: >>>> To: email address@domain.com >>>> Subject: test 123 >>>> Date: Wed Nov 29 14:07:51 2006 >>>> >>>> One or more of the attachments (Test.pps) are on >>>> the list of unacceptable attachments for this site and will not have >>>> been delivered. >>>> >>>> Consider renaming the files to avoid this constraint. >>>> >>>> The virus detector said this about the message: >>>> Report: Report: ScanSrv: Custom block (Test.pps) >>>> >>>> ########################################################################## >>>> >>>> >>>> But this attachment is allowed in: >>>> /etc/MailScanner/filename.rules.conf >>>> And the directors email address is pointing to this file. >>>> >>>> Any help please... >>>> >>>> Thank you >>>> >>> Your ruleset seems to be rather wrong. Take a look at the EXAMPLES in >>> the rules directory, and also look at the wiki... >>> http://wiki.mailscanner.info/doku.php?id=&idx=documentation:configuration:rulesets >>> >>> and more specifically >>> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading >>> >>> >> > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.1 (Build 1557) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFFbvBiEfZZRxQVtlQRAvKUAJ40cKq1xKx1+HUTWLG3s+Q8TpPRuwCg/bb3 uSZdsS6zZtURH8U5OGv/yeA= =KVYQ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From Denis.Beauchemin at USherbrooke.ca Thu Nov 30 16:17:19 2006 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Nov 30 16:17:37 2006
Subject: Allow and block filenames on same domain
In-Reply-To: <456ED887.3040902@synaq.com>
References: <456D7A43.1070004@synaq.com> <456ED887.3040902@synaq.com>
Message-ID: <456F040F.4040500@USherbrooke.ca>

Corne Kotze wrote:
> Hi,
>
> Maybe my question was bit vague.
> I should have said it like this:
> I have just under 500 email accounts on my system(mail server), all on
> one domain, and all incoming emails are being scanned by MailScanner.
> My Question:
> How can I allow certain file attachments in emails sent to 40 of the
> email accounts on the domain through, and then still block those
> attachments for all the other email accounts on that same domain?
>
> Example:
> pete@work.com is a director
> joe@work.com is a clerk
>
> Now a "movie.avi" is sent to both, pete@work.com should receive the file
> BUT
> That file must be blocked for joe@work.com
>

You will have to configure your MTA to split messages addressed to multiple addresses into separate messages. After that you will be able to configure MS to act differently for your users.

Look in the wiki or the MAQ for that information. I'm pretty sure it's there.

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061130/9f78f5b6/smime.bin

From glenn.steen at gmail.com Thu Nov 30 16:38:13 2006
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 30 16:38:20 2006
Subject: Allow and block filenames on same domain
In-Reply-To: <456ED887.3040902@synaq.com>
References: <223f97700611290557o3486cf82laa800da2823dfff3@mail.gmail.com> <456ED887.3040902@synaq.com>
Message-ID: <223f97700611300838j82f3c0ch624b1e991be32c25@mail.gmail.com>

On 30/11/06, Corne Kotze wrote:
> Hi,
>
> Maybe my question was bit vague.
> I should have said it like this:
> I have just under 500 email accounts on my system(mail server), all on
> one domain, and all incoming emails are being scanned by MailScanner.
> My Question:
> How can I allow certain file attachments in emails sent to 40 of the
> email accounts on the domain through, and then still block those
> attachments for all the other email accounts on that same domain?
>
> Example:
> pete@work.com is a director
> joe@work.com is a clerk
>
> Now a "movie.avi" is sent to both, pete@work.com should receive the file
> BUT
> That file must be blocked for joe@work.com
>
> Thanks
>
>
>
> Glenn Steen wrote:
(snip)
> > Take a look at the EXAMPLES in
> > the rules directory, and also look at the wiki...
> > http://wiki.mailscanner.info/doku.php?id=&idx=documentation:configuration:rulesets
> >
> > and more specifically
> > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading
> >

Afraid of reading are we:-). The above is still the answer to your question;-). But fair enough, I can mumble a bit and see if things clear up a bit...

There are two distinct mechanisms in MailScanner you can use to block that AVI, and they in turn have two distinct configuration options... The link above gives you what you need to do this with the more ... flexible... method for filename and filetype blocking (which are the two distinct mechanisms).

What you do is that you create a ruleset for each mechanism (a ruleset is a file that details different "behaviour", returning different results, that make sense in the context of the setting the ruleset is defined for... We'll get to an example below:-) depending on things like recipient, sender, sending server IP address etc). In that ruleset you define a default entry that will do the "most common" action, and then detail all the rest as "exceptions to the default rule".

When it comes to the filename and filetype rule files, you have an added bonus by the overloading feature, making it possible to maintain the exceptions as a file with just the differences, instead of two separate sets of nearly identical rules. It also helps when you update, since the update will never touch your "overloading" files.

So (if we stick with filenames for the moment), if you want the above, you would create a file /etc/MailScanner/rules/filename.rules which would look something like (watch out for linewrapping... I'll put comments between the lines)

# Overload exceptions for directors
FromOrTo: pete@work.com %etc-dir%/filename.exceptions.rules.conf %etc-dir%/filename.rules.conf
# Default rules
FromOrTo: default %etc-dir%/filename.rules.conf
# End of file

... And you would create the file %etc-dir%/filename.exceptions.rules.conf with the exceptions you want (the file is very specifically formatted... It needs as column separator... Just copy the original, remove all lines you will not change, then change those to "allow"...). For AVI, the filename rule would be:

allow \.avi$ - -

... and nothing more in /etc/MailScanner/filename.exceptions.rules.conf (I'm assuming an RPM install here:-).

Doing the same for filetype rules doesn't really differ...;)

Now, one final gotcha: Since mails addressed to more than one recipient will be acted upon as if they were sent only to the first recipient, the above will not be of much use... Unless you configure your MTA to split mails into one mail/recipient. Once you do that (it'll increase your resource use somewhat), the above rule would act exactly as you want it to. For information on how to split mails/recipient, go read that section in the MAQ (it links to the relevant sections in other parts of the wiki):
http://wiki.mailscanner.info/doku.php?id=maq:index#multiple_recipient_message_-_how_to_apply_different_rules

Hope you find my rambling mumbles useful;-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ecasarero at gmail.com Thu Nov 30 17:35:24 2006
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Thu Nov 30 17:35:30 2006
Subject: New Milter coming
In-Reply-To: <4B7800CC946F56478051DD71855D6E6C03BE0C78@POSTALSTATION>
References: <03ab01c713d9$458d2f20$3701a8c0@lapxp> <4B7800CC946F56478051DD71855D6E6C03BE0C78@POSTALSTATION>
Message-ID: <7d9b3cf20611300935k17a0469enf098d39df60ec822@mail.gmail.com>

So do I, please keep us updated with your development status, I'd like to test it!

Regards!

2006/11/29, Feasey, Nicholas :
>
> I would be very interested in checking this out as well.
>
> Nicholas P. Feasey
> Systems Administrator
> T 416.640.5804
> F 416.640.5336
> E nfeasey@utpress.utoronto.ca
> UNIVERSITY OF TORONTO PRESS INC.
> www.utpress.utoronto.ca
>
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Arthur > Sherman > Sent: Wednesday, November 29, 2006 12:10 PM > To: 'MailScanner discussion' > Subject: RE: New Milter coming > > > >> I have been writing a milter I call milter-spamtrap. It allows an > > >> active sendmail server to also be a spamtrap or honeypot. > > > Sounds good. > > Thanks! > > > > Best, > > -- > Arthur Sherman > > +972-52-4878851 > CPTeam > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061130/4a954a6b/attachment.html From mkellermann at net-com.de Thu Nov 30 17:57:03 2006 From: mkellermann at net-com.de (Matthias Kellermann) Date: Thu Nov 30 18:04:35 2006 Subject: Block Backscatter Mails? Message-ID: <456F1B6F.2090509@net-com.de> Hello, is it possible to block Backscatter Mails with MailScanner? I've tried the VBounceRuleset for Spamassassin (http://wiki.apache.org/spamassassin/VBounceRuleset), but it didn't work well. The plugin doesn't seem to scan attached mails and so it makes a lot of false-positives... Are there any other possibilities to block such bounced mail with MailScanner? Best Regards Matthias From steve.freegard at fsl.com Thu Nov 30 18:29:49 2006 
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Nov 30 18:29:56 2006 Subject: Block Backscatter Mails? In-Reply-To: <456F1B6F.2090509@net-com.de> References: <456F1B6F.2090509@net-com.de> Message-ID: <456F231D.3020509@fsl.com> Hi Matthias, Matthias Kellermann wrote: > Hello, > > is ist possible to block Backscatter Mails with MailScanner? > > I've tried the VBounceRuleset for Spamassassin > (http://wiki.apache.org/spamassassin/VBounceRuleset), but it didn't work > well. The plugin doesn't seem to scan attached mails and so it makes a > lot of false-positives... > > Are there any other possibilities to block such bounced mail with > MailScanner? If you are using Sendmail - check out milter-null: http://www.snertsoft.com/sendmail/milter-null/ Cheers, Steve. From alex at nkpanama.com Thu Nov 30 18:30:26 2006 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Nov 30 18:35:09 2006 Subject: New Milter coming In-Reply-To: References: Message-ID: <456F2342.7050309@nkpanama.com> I'd love to test it; it would be excellent if combined efforts from several spamtraps could be combined in ONE dnsbl. I could create a country-specific DNSBL which I'd be willing to host myself for the Republic of Panama, although I *have* been getting a lot of Guatemalan spam for no apparent reason :-) Dennis Willson wrote: > I don't use postfix and I have not looked at their interface so probably > not. I will do some looking around for their interface information and > see what it would take to make it work there. > > > On Tue, 28 Nov 2006 15:14:01 -0500 > Gerard Seibert wrote: >> On Tuesday November 28, 2006 at 02:39:24 (PM) Dennis Willson wrote: >> >>> I have been writing a milter I call milter-spamtrap. It allows an >>> active sendmail server to also be a spamtrap or honeypot. >>> You can have email addresses within a domain that is actually used >>> for real users or dedicate entire domains or any combination of both >>> as your honeypots. >>> >>> Upon receiving an email for an email address defined as a >>> honeypot/SpamTrap, the milter will log the IP address and optionally >>> the headers and/or body of the email in either a text file or to a >>> MySQL database or both. It can cache in memory the IP addresses of >>> offending servers and from then on block them upon connection. >>> >>> A future enhancement will be to scan the database via a cron job and >>> create a DNSBL zone file for publishing a blacklist. The saved >>> headers/body can be used as evidence as to why a server was >>> blacklisted. Many, many configurable options including Whitelisting >>> via CIDR block so some servers will never be listed as an offending >>> server if you want. >>> >>> I believe I will have it ready for Beta (although I am testing/using >>> it myself right now) sometime next week. 
I'm 'pre-announcing' so >>> that if there is any interest I will package it for others to use and >>> make it available and I need to do additional documentation if others >>> are going to use it. If there's no interest I will just use it myself. >> >> >> Will this milter be compatible with Postfix. I presently have the >> development version -- 2.4 -- installed. I know that clamav-milter does >> not work correctly which is one of the reasons I abandoned it. >> >> >> -- >> Gerard > > > -------------------------------------------------- > Dennis Willson > > taz@taz-mania.com > http://www.taz-mania.com > > Ham (Extra Class): ka6lsw > Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, > Gas Blender > > Owner: Kepnet Internet Services > > Life should not be a journey to the grave with the intention of arriving > safely in a nice looking and well preserved body, but rather to skid in > broadside, thoroughly used up, totally worn out, and loudly proclaiming, > "WOW! WHAT A RIDE!" From alex at nkpanama.com Thu Nov 30 18:39:12 2006 
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Nov 30 18:40:12 2006
Subject: OT: Spamcop BL - good or dangerous?
In-Reply-To: <456D78F8.6020302@blacknight.ie>
References: <033f01c713a8$9301ca30$3701a8c0@lapxp> <20061129064650.794D.GERARD@seibercom.net> <456D78F8.6020302@blacknight.ie>
Message-ID: <456F2550.3060004@nkpanama.com>

Sorry to disagree, but I find the whole reporting process too troublesome to believe people will report double opt-in mailing lists (which sounds so much like spammerspeak ;-) ) as spam. I report spam to spamcop only when I *know for a fact* that it's actually spam, and take the whole 30-seconds-to-a-minute of my time because I believe it's worth it.

It might be because no one has ever filed (to my knowledge) a report blaming me or servers in my care for spamming, so I haven't been a "victim" of a false positive yet. FPs I've had from people who can't send *me* e-mail because they're on spamcop's list have been a blessing so far; from companies with fast pipes whose employees were running a clandestine spamming business behind management's back to companies with compromised servers being used for spamming, it's always been a sign that something's not quite as it should be on the sending side.

Paul Kelly :: Blacknight Solutions wrote:
>
> I'm sorry, but that is complete rubbish. SpamCop users blatantly report
> every and any e-mail they receive even double opt-in mailing lists etc.
> It is an extremely dangerous BL to use if you wish to get legitimate e-mail.
>

From ssilva at sgvwater.com Thu Nov 30 18:43:53 2006
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 30 18:45:14 2006 Subject: test In-Reply-To: <7B644D3DEEE2594981C2B8FFAC1737D1A86A0A@fcmail.nycnt1a.fdncenter.org> References: <7B644D3DEEE2594981C2B8FFAC1737D1A86A0A@fcmail.nycnt1a.fdncenter.org> Message-ID: Sukh Khehra spake the following on 11/30/2006 6:42 AM: > test > You passed! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From alex at nkpanama.com Thu Nov 30 18:48:20 2006 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Nov 30 18:49:00 2006 Subject: OT - How does most people accomplish mail downloads In-Reply-To: <20061129152106.G53222@mikea.ath.cx> References: <003b01c713fb$73ec3f10$0705000a@ddf5dw71> <20061129152106.G53222@mikea.ath.cx> Message-ID: <456F2774.7000907@nkpanama.com> You can tell fetchmail to dump messages that are blocked by your server so it deletes them from the original box. mikea wrote: > On Wed, Nov 29, 2006 at 04:15:10PM -0500, Steve Campbell wrote: >> I apologize for the OT, but I see where a lot of people use MailScanner to >> scan mail they get from their ISP to a home computer. How do most people set >> the download from their ISP to their local sendmail/postfix/MTA? The >> scanning part is not the problem once I get it into sendmail, but is this a >> scheduled interval task and what is used? >> >> I'm just drawing a blank here. > > For the one case where mail doesn't come directly into my home box, > I use fetchmail. Works pretty well for the most part, *but* spam on > the external box stays there, gets rejected by my milters, and the > admin gets mildly irritated. > From mkellermann at net-com.de Thu Nov 30 18:52:04 2006 
From: mkellermann at net-com.de (Matthias Kellermann) Date: Thu Nov 30 18:52:24 2006 Subject: Block Backscatter Mails? In-Reply-To: <456F231D.3020509@fsl.com> References: <456F1B6F.2090509@net-com.de> <456F231D.3020509@fsl.com> Message-ID: <456F2854.70501@net-com.de> Hi Steve, Steve Freegard schrieb: > Hi Matthias, > > If you are using Sendmail - check out milter-null: > http://www.snertsoft.com/sendmail/milter-null/ > > Cheers, > Steve. Thanks for your answer. I'm using Postfix so I don't think I can use milter-null, can I? Are there other plugins I could use? Best Regards, Matthias From ssilva at sgvwater.com Thu Nov 30 18:57:44 2006 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 30 18:58:36 2006 Subject: OT sendmail question In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC4B0@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D0302BAC4B0@inex3.herffjones.hj-int> Message-ID: Furnish, Trever G spake the following on 11/29/2006 6:47 PM: > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Pentland G. >> Sent: Wednesday, November 29, 2006 12:00 PM >> To: MailScanner discussion >> Subject: RE: OT sendmail question > >> For you Trever, something simpler should suffice, I'd have to >> double check but the feature "relay_based_on_MX" would >> probably do it, or something like it, only allowing relaying >> for domains that you are an MX server for. > > Doesn't relay_based_on_MX cause sendmail to relay for ***recipient*** > domains that it's listed as an MX for? As in, "sure, I'll accept your > message to bob@foo.com, because DNS says I'm an MX for foo.com"? > > If so, that's not what I meant - I meant having the ability to reject an > outgoing message FROM bob@foo.com because foo.com isn't one of my > domains. I hate when I see my internal relays being used to send a > message to bob@foo.com FROM bob@foo.com, knowing that foo.com may very > well reject the message because I'm not authorized to send mail from > their domain. > >> Gary But your system should only relay for foo.com IF the messages come from one of the IP addresses that are in foo.com. If the ip address resolves to foobar.com, your system should say "no". You need to check your system, especially your sendmail.mc and .cf files for the proper settings. Your access file should only have relay lines for ip addresses under your control. Relay lines for your domain name will cause problems. Those should go into your relay-domains. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From kopels at english.fsu.edu Thu Nov 30 19:04:05 2006 
From: kopels at english.fsu.edu (Scott Kopel)
Date: Thu Nov 30 19:04:40 2006
Subject: filename and filetype checking not working
Message-ID: <7.0.0.16.2.20061130135233.03bcbec0@english.fsu.edu>

I can't seem to get my filename and filetype checking to work
I think it's supposed to block the emails with attachments that fit the
filename/filetype rules right?

I'm running a test trying to block .gif attachments

/opt/MailScanner/etc/filetype.rules.conf contains:
deny \.gif$ - -

/opt/MailScanner/etc/filename.rules.conf contains:
deny GIF - -

relevant MailScanner.conf lines
File Command = /usr/bin/file # I checked ... the file command is there
File Timeout = 20
Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf
%etc-dir% = /opt/MailScanner/etc

I ran check_mailscanner but it stops after a few moments because of a
path problem in the mcafee_wrapper
so I never get the info I need.

thanks for whatever help you can give.

Scott Kopel
English Department - FSU
850 644 6177

From alex at nkpanama.com Thu Nov 30 19:03:59 2006
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Thu Nov 30 19:05:16 2006
Subject: Block Backscatter Mails?
In-Reply-To: <456F2854.70501@net-com.de>
References: <456F1B6F.2090509@net-com.de> <456F231D.3020509@fsl.com> <456F2854.70501@net-com.de>
Message-ID: <456F2B1F.4010201@nkpanama.com>

Matthias Kellermann wrote:
> I'm using Postfix so I don't think I can use milter-null, can I?

No, but then again, technically, you shouldn't use MailScanner ... it "corrupts queues" and "causes swapping"! ;-)

But seriously, didn't Postfix implement some sort of sendmail milter compatibility thingie a while back?

From gerard at seibercom.net Thu Nov 30 19:05:58 2006
From: gerard at seibercom.net (Gerard Seibert)
Date: Thu Nov 30 19:05:49 2006
Subject: Block Backscatter Mails?
In-Reply-To: <456F2854.70501@net-com.de>
References: <456F231D.3020509@fsl.com> <456F2854.70501@net-com.de>
Message-ID: <20061130140343.6C4A.GERARD@seibercom.net>

On Thursday November 30, 2006 at 01:52:04 (PM) Matthias Kellermann wrote:

> I'm using Postfix so I don't think I can use milter-null, can I?

Postfix-2.3.x has limited support for sendmail type milters. However, Postfix has a vast arsenal of anti backscatter functions built into it. Why don't you check with Victor on the postfix mail forum. I am sure he could assist you.

--
Gerard

From paul at vanbrouwershaven.com Thu Nov 30 20:13:27 2006
From: paul at vanbrouwershaven.com (Paul van Brouwershaven)
Date: Thu Nov 30 20:13:44 2006
Subject: LookupByDomainList / X-Original-To / CustomConfig.pm
Message-ID: <456F3B67.6020404@vanbrouwershaven.com>

Hello,

I configured multiple MailScanner servers as frontend in a cluster of client mailservers. The MailScanner scans the e-mail and forwards the user's e-mail to the client server on a virtual domain aliasing list in postfix.

Mail to: admin@domain1.com
Delivered to: user123@server23.network.com

The problem is that MailScanner looks for black and whitelists in the file "server23.network.com" and not in the domain "domain1.com".

I want to change this function so MailScanner would also look in the X-Original-To header.

Who can help me to rewrite this function? (tell me how to access $message->{X-Original-To} and $message->{X-Original-Todomain};)

sub LookupByDomainList {
  my($message, $BlackWhite) = @_;

  return 0 unless $message; # Sanity check the input

  # Find the "from" address and the first "to" address
  my($from, $fromdomain, @todomain, $todomain, @to, $to, $ip);
  $from = $message->{from};
  $fromdomain = $message->{fromdomain};
  @todomain = @{$message->{todomain}};
  $todomain = $todomain[0];
  @to = @{$message->{to}};
  $to = $to[0];
  $ip = $message->{clientip};

  # It is in the list if either the exact address is listed,
  # or the domain is listed
  return 1 if $BlackWhite->{$to}{$from};
  return 1 if $BlackWhite->{$to}{$fromdomain};
  return 1 if $BlackWhite->{$to}{$ip};
  return 1 if $BlackWhite->{$todomain}{$from};
  return 1 if $BlackWhite->{$todomain}{$fromdomain};
  return 1 if $BlackWhite->{$todomain}{$ip};
  return 1 if $BlackWhite->{'default'}{$from};
  return 1 if $BlackWhite->{'default'}{$fromdomain};
  return 1 if $BlackWhite->{'default'}{$ip};

  # It is not in the list
  return 0;
}

From ssilva at sgvwater.com Thu Nov 30 20:14:22 2006
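Added example, not part of Paul van Brouwershaven's message and not MailScanner's own code: one way the lookup he posted could also try the original recipient taken from X-Original-To. It assumes $message->{headers} is an array reference of raw header lines and that the header is already present when MailScanner scans the message; OriginalRecipient is a hypothetical helper, and the sample lists and message are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: return (address, domain) from the X-Original-To header.
# Assumption: $message->{headers} is an array ref of raw header lines.
# Only the topmost X-Original-To is read. A sender can supply this header
# too, so it is only a safe list key if your own MTA writes or strips it.
sub OriginalRecipient {
    my ($message) = @_;
    for my $line (@{ $message->{headers} || [] }) {
        next unless $line =~ /^X-Original-To:\s*(\S+)/i;
        my $addr = lc $1;
        $addr =~ s/^<|>$//g;                       # drop optional angle brackets
        return unless $addr =~ /^[^\@\s]+\@([a-z0-9.-]+)$/;
        return ($addr, $1);
    }
    return;                                        # header absent: empty list
}

sub LookupByDomainList {
    my ($message, $BlackWhite) = @_;
    return 0 unless $message;                      # Sanity check the input

    my $from       = $message->{from};
    my $fromdomain = $message->{fromdomain};
    my $ip         = $message->{clientip};

    # Recipient keys in lookup order: rewritten envelope recipient and its
    # domain, then the original recipient and its domain, then 'default'.
    my @rcpt = ($message->{to}[0], $message->{todomain}[0]);
    push @rcpt, OriginalRecipient($message);
    push @rcpt, 'default';

    for my $rcpt (grep { defined } @rcpt) {
        my $list = $BlackWhite->{$rcpt} or next;   # no autovivification
        for my $sender (grep { defined } $from, $fromdomain, $ip) {
            return 1 if $list->{$sender};
        }
    }
    return 0;                                      # It is not in the list
}

# Constructed sample: the list is keyed by the original domain, while the
# envelope recipient has already been rewritten to the client server.
my %lists = (
    'domain1.com' => { 'partner.example' => 1 },
    'default'     => { '192.0.2.10'      => 1 },
);
my %msg = (
    from       => 'alice@partner.example',
    fromdomain => 'partner.example',
    to         => ['user123@server23.network.com'],
    todomain   => ['server23.network.com'],
    clientip   => '198.51.100.7',
    headers    => [
        'Received: from mx.partner.example by scanner1 (constructed)',
        'X-Original-To: admin@domain1.com',
        'Subject: test',
    ],
);
print LookupByDomainList(\%msg, \%lists) ? "listed\n" : "not listed\n";
```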
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Nov 30 20:16:28 2006 Subject: filename and filetype checking not working In-Reply-To: <7.0.0.16.2.20061130135233.03bcbec0@english.fsu.edu> References: <7.0.0.16.2.20061130135233.03bcbec0@english.fsu.edu> Message-ID: Scott Kopel spake the following on 11/30/2006 11:04 AM: > I can't seem to get my filename and filetype checking to work > I think it's supposed block the emails with attachments that fit the > filename/filetype rules right? > > I'm running a test trying to block .gif attachments > > /opt/MailScanner/etc/filetype.rules.conf contains: > deny \.gif$ - - > > /opt/MailScanner/etc/filename.rules.conf contains: > deny GIF - - > > relavent MailScanner.conf lines > File Command = /usr/bin/file # I checked ... the file command is there > File Timeout = 20 > Filename Rules = %etc-dir%/filename.rules.conf > Filetype Rules = %etc-dir%/filetype.rules.conf > %etc-dir% = /opt/MailScanner/etc > > > I ran check_mailscanner but it stops after a few moments because of a > path problem in the mcafee_wrapper > so I never get the info I need. > > thanks for whatever help you can give. You need to edit the virus.scanners.conf to fix the path of any virus scanners you use installed into non-default (for linux) locations. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From timb at vwg.com Thu Nov 30 20:39:19 2006 
From: timb at vwg.com (Timothy Barhorst) Date: Thu Nov 30 20:39:30 2006 Subject: User unknown attack? Message-ID: Over the last three days, our Mailscanner e-mail server has received > 100K attempts to a single BOGUS username ( threateningmessage@vwg.com ) Sendmail always responds with a User unknown message ... but what is the logic of sending this many messages? All of them come from different source addresses so I'm pretty sure it's some kind of spamming technique.. but not the usual dictionary attack I see. Should I be concerned?? Tim Barhorst -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20061130/502e4523/attachment-0001.html From kopels at english.fsu.edu Thu Nov 30 21:04:42 2006 
From: kopels at english.fsu.edu (Scott Kopel) Date: Thu Nov 30 21:04:45 2006 Subject: filename and filetype checking not working In-Reply-To: References: <7.0.0.16.2.20061130135233.03bcbec0@english.fsu.edu> Message-ID: <7.0.0.16.2.20061130155109.03bd7c28@english.fsu.edu> here's the output of check_mailscanner with Debug = yes Starting MailScanner... In Debugging mode, not forking... Ignore errors about failing to find EOCD signature Stopping now as you are debugging me. /opt/MailScanner/etc# nothing about filetypes and filenames upgraded to 4.56.8 using included filename.rules.conf and filetype.rules.conf except added/changed lines filename.rules.conf deny \.gif$ - - filetype.rules.conf deny GIF - - can't stop gif files from being delivered bought the book thanks again s At 03:14 PM 11/30/2006, you wrote: >Scott Kopel spake the following on 11/30/2006 11:04 AM: > > I can't seem to get my filename and filetype checking to work > > I think it's supposed block the emails with attachments that fit the > > filename/filetype rules right? > > > > I'm running a test trying to block .gif attachments > > > > /opt/MailScanner/etc/filetype.rules.conf contains: > > deny \.gif$ - - > > > > /opt/MailScanner/etc/filename.rules.conf contains: > > deny GIF - - > > > > relavent MailScanner.conf lines > > File Command = /usr/bin/file # I checked ... the file command is there > > File Timeout = 20 > > Filename Rules = %etc-dir%/filename.rules.conf > > Filetype Rules = %etc-dir%/filetype.rules.conf > > %etc-dir% = /opt/MailScanner/etc > > > > > > I ran check_mailscanner but it stops after a few moments because of a > > path problem in the mcafee_wrapper > > so I never get the info I need. > > > > thanks for whatever help you can give. >You need to edit the virus.scanners.conf to fix the path of any virus scanners >you use installed into non-default (for linux) locations. > >-- > >MailScanner is like deodorant... >You hope everybody uses it, and >you notice quickly if they don't!!!! 
>
>--
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!

Scott Kopel
English Department - FSU
850 644 6177

From ssilva at sgvwater.com Thu Nov 30 21:12:18 2006
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Nov 30 21:13:48 2006
Subject: User unknown attack?
In-Reply-To:
References:
Message-ID:

Timothy Barhorst spake the following on 11/30/2006 12:39 PM:
> Over the last three days, our Mailscanner e-mail server has received
> > 100K attempts to a single BOGUS username ( threateningmessage@vwg.com )
>
> Sendmail always responds with a User unknown message ... but what is the
> logic of sending this many messages?
>
> All of them come from different source addresses so I'm pretty sure it's
> some kind of spamming technique.. but not the usual dictionary attack I see.
>
>
>
> Should I be concerned??
>
>
>
> Tim Barhorst
>
>
>
It could be someone's attempt at a denial of service attack using servers that bounce instead of reject. It would be directed at the vwg.com domain which is a wholesale grocery company.

--

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From kopels at english.fsu.edu Thu Nov 30 23:11:56 2006
From: kopels at english.fsu.edu (Scott Kopel)
Date: Thu Nov 30 23:12:02 2006
Subject: whitelisted where?
Message-ID: <7.0.0.16.2.20061130181059.039cc988@english.fsu.edu>

I'm noticing a bunch of obviously spam that is getting thru because
it is "whitelisted"
it appears that MailScanner is whitelisting it.
I don't see anything in my MailScanner.conf that is whitelisting
where is this whitelist? it's not something I created.
it's not the auto_whitelist is it? wouldn't that say AWL
is it the phishing whitelist? when I start MailScanner I see "Read
755 hostnames from the phishing whitelist"
thanks for any help
s

Return-Path:
Received: from 4C2B80B8 (computername.voip.canet.ne.jp [202.58.145.231] (may be forged))
        by englishmail.fsu.edu (8.13.3/8.12.9) with SMTP id kAUJvfwn002997;
        Thu, 30 Nov 2006 14:57:48 -0500
Received: from cyberc79 (unverified [202.58.145.231])
        by btcc.org (SurgeMail 3.1c) with ESMTP id 97935670
        for ; Thu, 30 Nov 2006 11:57:22 -0800
Date: Thu, 30 Nov 2006 11:57:22 -0800
From: "YING FRAZIER"
MIME-Version: 1.0
To: jorourke@english.fsu.edu
Cc: jkimbrell@english.fsu.edu, ledwards@english.fsu.edu,
        lwideman@english.fsu.edu, jmcgregory@english.fsu.edu,
        jemcs@english.fsu.edu, kpadgett@english.fsu.edu,
        kpicart@english.fsu.edu
Subject: re:You can't go wrong ...
Message-Id: <2726D978.220118.66403@PYVR>
X-Authentication-Warning: localhost.localdomain: apache set sender to iyaye@fix.net using -f
X-Accept-Language: en-us, en
Content-Type: multipart/related;
        boundary="------------MultiSham466971670361690949053174"
X-English-FSU-MailScanner: Found to be clean
X-English-FSU-MailScanner-SpamCheck: not spam (whitelisted),
        SpamAssassin (score=41.052, required 4, autolearn=spam,
        BAYES_60 1.00, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00,
        RCVD_IN_BL_SPAMCOP_NET 7.00, RCVD_IN_DSBL 2.60,
        RCVD_IN_SORBS_WEB 1.46, RCVD_IN_XBL 3.90, URIBL_AB_SURBL 3.81,
        URIBL_BLACK 3.00, URIBL_JP_SURBL 7.00, URIBL_OB_SURBL 3.01,
        URIBL_SBL 1.64, URIBL_SC_SURBL 4.50, URIBL_WS_SURBL 2.14)
X-English-FSU-MailScanner-Envelope-From: iyaye@fix.net

Scott Kopel
English Department - FSU
850 644 6177

From kopels at english.fsu.edu Thu Nov 30 23:20:41 2006
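Added example, not part of the thread and not MailScanner's own code: a Perl check that flags a message whose SpamCheck header says "whitelisted" although its SpamAssassin score reached the required threshold, as in the headers Scott Kopel posted above. It reports the envelope sender so it can be compared against the site's whitelist entries. The function names are hypothetical, and the sample is those posted header lines abridged to five rules.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Join folded header lines (continuation lines begin with whitespace).
sub unfold_headers {
    my ($raw) = @_;
    my @headers;
    for my $line (split /\r?\n/, $raw) {
        last if $line eq '';                      # blank line ends the headers
        if ($line =~ s/^[ \t]+/ / && @headers) {  # continuation of previous header
            $headers[-1] .= $line;
        } else {
            push @headers, $line;
        }
    }
    return @headers;
}

# Return details when a message was passed as "whitelisted" even though its
# SpamAssassin score is at or above the required score; otherwise nothing.
# The header prefix is site-specific (here "X-English-FSU-"), so any prefix
# ending in "MailScanner-" is accepted.
sub whitelist_override {
    my ($raw) = @_;
    my ($check, $sender);
    for my $h (unfold_headers($raw)) {
        $check  = $1 if $h =~ /^X-[\w-]*MailScanner-SpamCheck:\s*(.*)$/i;
        $sender = $1 if $h =~ /^X-[\w-]*MailScanner-Envelope-From:\s*(\S+)/i;
    }
    return unless defined $check && $check =~ /\(whitelisted\)/;
    return unless $check =~ /score=(-?[\d.]+),\s*required\s+(-?[\d.]+)/;
    my ($score, $required) = ($1, $2);
    return if $score < $required;
    $sender = '(none)' unless defined $sender;

    # Rule names with their scores, e.g. "RCVD_IN_XBL 3.90"
    my %rule = $check =~ /\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)/g;
    my @top  = (sort { $rule{$b} <=> $rule{$a} || $a cmp $b } keys %rule)[0 .. 2];
    return {
        sender   => $sender,
        score    => $score,
        required => $required,
        top      => [ grep { defined } @top ],
    };
}

# Header lines from the message above, abridged to five rules.
my $sample = <<'EOM';
Subject: re:You can't go wrong ...
X-English-FSU-MailScanner: Found to be clean
X-English-FSU-MailScanner-SpamCheck: not spam (whitelisted),
 SpamAssassin (score=41.052, required 4, autolearn=spam,
 BAYES_60 1.00, RCVD_IN_BL_SPAMCOP_NET 7.00, RCVD_IN_XBL 3.90,
 URIBL_JP_SURBL 7.00, URIBL_SC_SURBL 4.50)
X-English-FSU-MailScanner-Envelope-From: iyaye@fix.net
EOM

if (my $hit = whitelist_override($sample)) {
    printf "whitelisted despite score %s (required %s), envelope sender %s, top rules: %s\n",
        $hit->{score}, $hit->{required}, $hit->{sender},
        join(', ', @{ $hit->{top} });
}
```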
From: kopels at english.fsu.edu (Scott Kopel) Date: Thu Nov 30 23:20:43 2006 Subject: whitelisted where? sorry to bother, I figured this out In-Reply-To: <7.0.0.16.2.20061130181059.039cc988@english.fsu.edu> References: <7.0.0.16.2.20061130181059.039cc988@english.fsu.edu> Message-ID: <7.0.0.16.2.20061130182009.039cbcd0@english.fsu.edu> sorry to bother, I figured this out thanks s At 06:11 PM 11/30/2006, you wrote: >I'm noticing a bunch of obviously spam that is getting thru because >it is "whitelisted" >it appears that MailScanner is whitelisting it. >I don't see anything in my MailScanner.conf that is whitelisting >where is this whitelist? it's not something I created. >it's not the auto_whitelist is it? wouldn't that say AWL >is it the phishing whitelist? when I start MailScanner I see "Read >755 hostnames from the phishing whitelist" >thanks for any help >s > > > >Return-Path: >Received: from 4C2B80B8 (computername.voip.canet.ne.jp >[202.58.145.231] (may be forged)) > by englishmail.fsu.edu (8.13.3/8.12.9) with SMTP id kAUJvfwn002997; > Thu, 30 Nov 2006 14:57:48 -0500 >Received: from cyberc79 (unverified [202.58.145.231]) > by btcc.org (SurgeMail 3.1c) with ESMTP id 97935670 > for ; Thu, 30 Nov 2006 11:57:22 -0800 >Date: Thu, 30 Nov 2006 11:57:22 -0800 
>From: "YING FRAZIER" >MIME-Version: 1.0 >To: jorourke@english.fsu.edu >Cc: jkimbrell@english.fsu.edu, ledwards@english.fsu.edu, > lwideman@english.fsu.edu, jmcgregory@english.fsu.edu, > jemcs@english.fsu.edu, kpadgett@english.fsu.edu, > kpicart@english.fsu.edu >Subject: re:You can't go wrong ... >Message-Id: <2726D978.220118.66403@PYVR> >X-Authentication-Warning: localhost.localdomain: apache set sender >to iyaye@fix.net using -f >X-Accept-Language: en-us, en >Content-Type: multipart/related; > boundary="------------MultiSham466971670361690949053174" >X-English-FSU-MailScanner: Found to be clean >X-English-FSU-MailScanner-SpamCheck: not spam (whitelisted), > SpamAssassin (score=41.052, required 4, autolearn=spam, > BAYES_60 1.00, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, > RCVD_IN_BL_SPAMCOP_NET 7.00, RCVD_IN_DSBL 2.60, > RCVD_IN_SORBS_WEB 1.46, RCVD_IN_XBL 3.90, URIBL_AB_SURBL 3.81, > URIBL_BLACK 3.00, URIBL_JP_SURBL 7.00, URIBL_OB_SURBL 3.01, > URIBL_SBL 1.64, URIBL_SC_SURBL 4.50, URIBL_WS_SURBL 2.14) >X-English-FSU-MailScanner-Envelope-From: iyaye@fix.net > > > >Scott Kopel >English Department - FSU >850 644 6177 > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! Scott Kopel English Department - FSU 850 644 6177 From gmane at tippingmar.com Thu Nov 30 23:39:27 2006 
From: gmane at tippingmar.com (Mark Nienberg) Date: Thu Nov 30 23:39:52 2006 Subject: tnef question Message-ID: In "MailScanner.conf", if I have Use TNEF Contents = replace does MailScanner log the fact that it replaced a winmail.dat with the individual attachments? I'm trying to troubleshoot a problem with attachments in messages we receive from an Outlook/Exchange user. How can I tell if the original message had a winmail.dat or if it always had separate attachments? The problem is that although the recipient can open and save the attachments, the attachments disappear if the recipient forwards the message. # MailScanner -v Running on Linux tesla.tippingmar.com 2.6.17-1.2139_FC5 #1 Fri Jun 23 12:40:16 EDT 2006 i686 athlon i386 GNU/Linux This is Fedora Core release 5 (Bordeaux) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.56.8 We use the external tnef decoder v 1.4.3 Here are the headers from a bad message. Note the strange line concerning mail reader not understanding MIME. Received: from ph-svr-smtp1.wrtdesign.com (ph-svr-smtp1.wrtdesign.com [68.167.103.171]) by mail.tippingmar.com (8.13.7/8.13.7) with ESMTP id kAU00Dl2014806 for ; Wed, 29 Nov 2006 16:00:17 -0800 Received: from sf-svr-exch1.wrtdesign.com ([192.168.106.25]) by ph-svr-smtp1.wrtdesign.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 29 Nov 2006 19:00:10 -0500 Received: by sf-svr-exch1.wrtdesign.com with Internet Mail Service (5.5.2653.19) id ; Wed, 29 Nov 2006 16:00:08 -0800 
From: Jennifer To: "'us'" Message-ID: <4AC4264EA86E3041A0909E6944D790CDB720@sf-svr-exch1.wrtdesign.com> X-Connecting-IP: 192.168.106.25 Subject: FW: DRAFT: Ameda Quals Date: Wed, 29 Nov 2006 15:59:39 -0800 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/related; boundary="----_=_NextPart_000_01C71412.6E07A4B0"; type="multipart/alternative" X-OriginalArrivalTime: 30 Nov 2006 00:00:10.0566 (UTC) FILETIME=[80C43E60:01C71412] X-tma-MailScanner: Found to be clean X-tma-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0.591, required 5.5, BAYES_00 -0.50, EXTRA_MPART_TYPE 1.09, HTML_MESSAGE 0.00, SPF_PASS -0.00) This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_000_01C71412.6E07A4B0 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C71412.6E07A4B0" ------_=_NextPart_001_01C71412.6E07A4B0 Content-Type: text/plain Mark